Opinion: It's time for modern digital identities
By Bob O'Donnell
It used to be so simple.
Essentially, you could verify your identity by providing some kind of unique piece of information that---in theory, at least---only you or other trusted parties would know. Like, for instance, your social security number.
Of course, those days are now gone, and last week's monumental hack of credit reporting firm Equifax put a thundering exclamation point onto the end of that era. Throw in all the other high-profile hacks into companies like Home Depot, Target, etc. and it's not too far a stretch to say that not only the social security number, but a great deal of other identifying information on nearly anyone in the US is now readily available. (In fact, paradoxically, the value of that once very important information has likely dropped dramatically.)
Identity verification without being physically in front of someone is still an incredibly important way in which we interact with the world around us, however, so what do we do? The problem is that we don't really have a clear, universal alternative moving forward.
Yes, there are numerous efforts designed to move away from the more traditional "analog" methods of identity to digital ones, but none of them work across all the environments or interactions in which we find ourselves engaging. Ironically, the notion of moving to very basic forms of digital identity---usernames and passwords---has actually exacerbated today's identity problem, and by a huge amount.
Today's digital identities are essentially a horrendous conflagration of good intentions gone wrong, because none of them is truly complete. Part of the reason is that, while moving towards a single digital identity---such as a government sponsored system---offers some clear benefits, it also opens up potential risks as a single, critical point of attack. Lose that one identity, and you could potentially lose everything.
Important steps forward are being taken, however. First, we've seen tremendous growth in the use of multi-factor authentication, where you need to provide at least two forms of digital ID to verify your identity. The problem with this is that not all methods of providing a second or third factor, or "form" of digital identity are equally strong, and several have been discovered to be much weaker than initially thought. Texting your temporary or special log-in codes via SMS, for example, has serious limitations that weren't initially identified.
Second, we are seeing much more use of different types of biometric authentication, which uses physical characteristics of your body to identify you. From fingerprint readers on notebooks and smartphones, to iris scanning, and if rumors about Apple's new iPhone are to be believed, facial recognition on smartphones, the availability of these generally much more secure methods of ID verification is becoming more widespread. Now, some worry that biometric data, as with a single universal ID, represents a security concern because you can't "change" your biometric data and if it's somehow stolen, you have a security challenge. However, biometric data in combination with the requirement for multiple factors of authentication (even, in some cases, multiple forms of biometric identification) is generally considered very secure.
Third, we're starting to see more efforts to form industry-wide collaborations to help drive the "universality" of these identity concepts. The FIDO Alliance, for example, is working with a variety of major tech, credit card, banking, and other financial services companies to develop a standard that will interoperate across websites, devices, services and more.
In addition, just last week, the four major US carriers---in an extremely rare show of complete unity---announced the development of the Mobile Authentication Taskforce. This group will be responsible for developing a single, consistent method of authentication that both consumers and businesses can use to accurately identify people using mobile devices on any US telecom network. First results won't be showing up until 2018, but this sounds like an enormously positive development.
The challenges of creating a viable, secure, and modern form of digital identity are extremely difficult, and even in spite of all the positive efforts I've listed here, there's no guarantee we will have a viable option anytime soon. But as the events of the last week have hammered home, it is absolutely time to move past old ideas and embrace the opportunities that a digital identity can enable.
Bob O'Donnell is the founder and chief analyst of TECHnalysis Research, LLC, a technology consulting and market research firm. You can follow him on Twitter @bobodtech. This article was originally published on Tech.pinions.