I attended the K(NO)W Identity Conference last week, which has emerged in the last year as the premier event for the identity industry.
What is the identity industry one may ask?
I myself am intrigued with the digital identity concept, having spent nearly two decades in this space, yet this was the first time I really saw all the different pieces of the ecosystem come together. In the past, one would find bits in risk management, access management, cybersecurity, transaction monitoring, and other related areas.
In the L-1 days, we promoted the “Circle of Identity” concept, but not many enterprises fully embraced the notion of linking the applicant vetting or onboarding process to physical and logical access control. I would argue that at one point the US Department of Defense got the farthest into adopting the concept, but even they stopped short on the information security side. The Indian Aadhaar Universal ID program may be the closest now, but gaps remain.
The stakes are high and the damage from data breaches, and identity mismanagement hits every single one of us, affecting the core fabric of our society and the trust that we have in our institutions:
- What does it mean when the social media networks that we use every day does not ensure that real people are behind the various accounts that are created?
- What are we supposed to think when we don’t receive our paycheck only to find out that someone has used stolen credentials to log into our payroll provider and change the receiving bank information?
- Who are we supposed to believe when the help desk gets a phone call from an “employee” on an internal line saying they cannot access some files on the network?
- How are we supposed to be able to convey that we really are who we claim to be in a remote controlled world?
Digital Identity and Security
This is not about “fraud prevention”. In fact, I don’t think I heard the term uttered at the conference at all. At the KYC (Know Your Customer) panel, which was standing room only (with several people sitting on the floor), one of the most compelling comments was “the rules around KYC never contemplated the fact that a person could be using valid credentials that would not belong to the person.”
My reaction was that the same could be said for authentication frameworks as well.
So for me, as compelling as the conference was, I believe there is still enormous confusion around what constitutes digital identity and a huge opportunity to shape it and guide this “industry” to answer one of the most pressing questions of our day.
For the purpose of continuing the conversation, I’ll pose 3 thoughts for now:
1. Device ID is NOT identity
There is a fascination with the mobile phone. After all, there are more than 9 billion mobile connections in the world, according to the GSMA. It’s compelling to think about the mobile device as the identity carrier. There are two major problems with this, though.
First, there is no standardized KYC process for obtaining a mobile subscription, and given that 9 billion (yes, same number) records have been stolen in the last 5 years, it is not clear how many of those mobile connections belong to people whose identities can be trusted.
Second, there are simply too many ambiguities for a device to be equated to an identity, which by definition is easily definable, recognizable and fixed - the frequency that users change devices; the fact that many devices are used by more than one person; and finally, the ability for imposters to mask device IDs, caller IDs and install automated malware scripts that direct specific actions to occur from the device on behalf of the user.
There are some places, especially in the developing world, where biometrics and other stringent registration processes are in place to obtain a SIM card; in theory, the biometrics can be stored or linked to the SIM either on the chip or in the cloud and be used for authentication.
Combining different modalities can ensure single point authentication like at a point of sale, or continuous authentication to ensure the integrity of an online session from login to logout. This is quite different from a biometric added to the device as a method of convenience to bypass the PIN entry.
2. Behavioral analytics is NOT identity.
Behavioral analytics looks at what kind of actions users took in the past to either enable predictions on how they will act in the future or to understand if a particular activity that is being conducted does not match what would be expected from that particular user.
Behavioral analytics utilizes data like navigation path, clicks, interactions, purchasing decisions, network or file access history, time spent between different actions, financial metrics, etc. All of these things may point to an overall demographic or “type” of user, but don’t provide a definitive link to an individual. This is quite different than a biometric, for example, which is a digital representation of a person’s unique physical or behavioral features that can be specifically tied back to them.
3. Sovereign identity is great – in theory.
Sovereign identity is the idea that a person is in full control of the creation and ownership of their digital identity and then how, when and to whom their identity is revealed using blockchain technology.
But it is hard to see in practice how this takes off with no global standard, no single non-profit or independent agency who will build the capacity to foster and ensure its widespread use and support, and no assurance especially in today’s climate that the initial creation of the sovereign identity is a legitimate one. (Important note: this is not a wholesale denunciation of blockchain.)
I invite my LinkedIn friends to add to the discussion.