The great identity re-architecture: enabling trust and interoperable credentials

What happens to all of the consumer and employee accounts online that are created but seldom used? Today digital identity information is replicating faster than the plastic waste in our landfills and oceans, and the harmful side effect is a global data breach epidemic that threatens the digital economy. But if we can reuse identity by designing our systems and applications to use interoperable credentials, we can not only protect individual privacy and inspire trust but also make the digital world a safer place.


Last week Andreessen Horowitz launched a $300M crypto fund aimed at fueling innovation in blockchain solutions. While the fund only addresses use cases for blockchain, of which Identity Management is a subset, the goal is to solve a problem every organization today is struggling with: how to build trust in a world where every business runs on software.

Businesses written in software are more customer-centric, service-oriented and interconnected, but to inspire trust, identity architects will have to address new requirements, including the growing sprawl of identity data and the ever-increasing mass of dormant and disposable online accounts that create points of attack for credential theft.

Today, 80% of data breaches utilize lost, stolen or weak credentials from the systems, applications and web sites we use to get things done. Reducing unnecessary and redundant credentials would not only increase privacy but also make us safer online. To provide an environmental analogy, the volume of digital identity which is used infrequently and is mostly dormant is replicating faster than all of the plastic debris floating in the oceans and littering the landscape.

The harmful side effect is that, combined, these digital identities increase the attack surface of our institutions and destabilize our global economy. Consider that about 70% of data breaches hit a secondary target first as a means of staging an attack on a primary source: dormant accounts leave behind valuable identity data and passwords that have value on the criminal black market.

But there is cause for confidence, because harnessing the potential of digital identity data securely can inspire trust and elevate an organization’s brand in a very crowded digital economy. According to Forrester, “today technology has enabled consumers to have a say in what a company stands for - enterprises must shift from a company-centric view to a customer-centric view that creates emotional brand experiences.”

Simply put, consumers, employees and business partners want to work with companies that they trust. Successful organizations are using identity management not only to inspire trust but also to reduce friction, become more "agile" and shape the behavior of consumers and employees: if you make it easy, people will participate more, and that is good for your business. But building trust will require more sophistication in the way companies proof and resolve the user identity, especially in complex service-oriented transactions.

Today every organization manages one or multiple identities for every customer relationship. Much of this is redundant and creates a sprawl of identity data that is mostly dormant. As a result, identity architects need to plan for the consumption of identity from a broader array of sources and be prepared to assert and securely share identity information to a wide range of potential business partners.

The world is drowning in identity information

Today consumers can easily be induced to surrender data for coupons and discounts, and the proliferation of online consumer accounts tracks the plethora of online loyalty programs. Loyalty programs in the US provide an excellent example of the explosion because most consumers participate in multiple programs: loyalty program memberships in 2017 hit a record 3.8B and continue to grow at 15% annually. As an example, Staples, one of the largest retailers online, found that when a customer could be signed up on multiple retail channels, as part of an omnichannel strategy, they purchased 2x to 3x more. This correlates with a recent Nielsen study which showed that 67% of loyalty customers shop more and are repeat purchasers.

Considering the US population is about 326M people, that would mean about 11 memberships per individual (a low ratio, realizing that not everyone is a shopper). To provide some cost information, using an estimate from OIX (Open Identity Exchange), it costs the retail industry approximately $12.20 to credential a user ($12 seems high and perhaps is actually lower, but even at a 60% reduction the result is significant). As a “guesstimate,” if we multiply the 3.8B loyalty memberships by the $12 per user cost of credentialing, the total cost would come to $45B.

Consider: if we were able to have a single interoperable credential for every citizen in the US alone, the price of credentialing could be 90% lower. The redundancy is not just an American phenomenon but rather a global phenomenon, and the challenge is not isolated to the retail industry. As more enterprises deliver digital goods and services, the more redundant online accounts get created, and the higher the strain of managing the information.

The growth of online college education demonstrates a similar result: every university is moving to deliver curricula online to attract digital students. Today, Coursera’s online learners alone exceed 30M users, growing 30% annually; as a point of comparison, in the fall of 2017 there were only slightly over 20M students attending all American colleges combined. The examples demonstrate not only the expansion but also the potential economic value at stake for organizations that can reduce the sprawl of identity and design for interoperable credentials.

Identity is not free – redundancy has a price

NIST (National Institute of Standards and Technology) conducted a more thorough study of the problem at the IRS (Internal Revenue Service) as part of a research effort to support NSTIC (National Strategy for Trusted Identities in Cyberspace). The IRS is an excellent example because over 150M Americans pay taxes every year and assert their identity with the IRS. The study examined eight applications provided to corporations and citizens in the taxation process; the finding was that if the IRS were to use a shared brokered credential exchange in place of credentialing these applications independently, the potential savings would exceed $635M annually. This is only the tip of the iceberg in an economy that increasingly depends on a user’s digital identity to enable everything from driver’s license renewal to finding a spouse.

The “Coase effect” – identity data activates the digital economy

Across every industry, the demand for and creation of more digital goods and services is driving more credentialing and identity creation. First, consumers are no longer limited to shopping within national borders. According to Forrester, global cross-border retail will triple in the next six years. These cross-border shoppers are more difficult to credential, and retailers have to expand the use of identity proofing to accommodate the increasing demand. Second, the digital economy creates more on-demand labor sources: a recent study in the UK showed that more than 25% of UK organizations employ freelancers for core tasks, and a survey by Intuit suggests that by 2020 43% of the US workforce will participate in the on-demand gig economy.

The result is more specialized workers that turn over more frequently, with more access and a shorter lifecycle than the typical employee: basically an IT security nightmare. In fact, freelance work is growing three times faster than regular jobs, which increases the population of digital workers vs. physical workers. To unlock this potential, companies that can dynamically build trust, proof and credential on-demand labor quickly will not only reap the economies of scale but also reduce their security risk.

Lastly, the digital economy motivates tighter collaboration across businesses. It is not enough for partners to access information on a corporate partner portal; deep digital cooperation connects partners as part of the extended value chain. For example, a health delivery network will need to digitally trust many primary-care and general practitioners to accelerate referrals, appointment flow and accurate billing. A study by HHS (Health and Human Services) showed that advanced access could not only reduce wait times and improve patient satisfaction but create better clinical outcomes and follow-up appointments. From an economist’s perspective, the “Coase effect” is making digital trust more critical because the more stratified the digital economy becomes, the more increasingly specialized partners emerge that reduce cost and economize how we work and create economic output. As a result, every company will increase the radius of trusted partners to achieve competitive economies of scale.

Achieving economies of scale will require economies of trust

Consumers, employees, and businesses can’t keep up: the more credentials users are forced to create, the more risk they incur. In a 2017 case at Wells Fargo, the pressure to grow new consumer accounts resulted in the deliberate fraudulent creation of 3.4M fake bank accounts, a massive violation of public trust. Wells Fargo is not alone; we can look at the recent Facebook scandal and many other examples where companies have failed to exercise good behavior.

Fortunately, there are industries solving the problem that we can learn from. The banking industry, facing multiple technology disruptions, is leading the way in expanding digital trust. Today 80% of a bank’s wallet share is determined by the primacy of relationship; the retail bank’s goal is to become the primary source of service to consumers. When a consumer registers for a checking account, the bank can sell the consumer mortgages, credit cards, and wealth management offerings. Unfortunately, very specialized fintech companies using mobile applications and social communities are disintermediating these banking relationships by providing consumers with very specialized digital-first offerings.

For example, if you are a new college graduate saving for your first car, there is a mobile banking app specialized just for you. As a result, 74% of banks are engaged in digital identity initiatives to maintain share-of-wallet. For banks, the point of entry of customer identity is not only a physical branch but also Facebook, LinkedIn, investment clubs and any online community that acts as a point of consideration for banking offerings; this increases the radius of touchpoints to enroll and proof identities. To engage with the growing digital consumer, Banca La Caixa, one of the largest banks in Spain, is enhancing its systems to handle a wider range of customer enrollment: Banca La Caixa can not only enroll customers directly from Facebook but also conduct payments from Facebook.

Digital government has an answer to interoperability

Driven by higher citizen expectations, lower millennial participation and the need for inter-agency information sharing, the public sector (federal and state institutions) is leading the way with solutions for enrollment and credentialing. As an example, the US federal agencies are designing for interoperable credentials on a massive scale. Today the US federal government employs approximately 2.79M non-military workers across 400+ agencies. Driven by HSPD-12 and requirements for inter-agency collaboration and information sharing, FICAM (Federal Identity, Credential, and Access Management) is a framework that provides a template for how agencies should think holistically about interoperable identity. FICAM provides each agency with a language and service level specification to manage identity and share credentials.

The framework is extendable to commercial organizations as well, because commercial relationships exhibit similar requirements. As a parallel, many companies can seamlessly provide employee access to corporate 401K plans today without an additional login step. This is the kind of seamless interaction that needs to scale more dynamically. When companies enable employee access to third-party 401K plans, they require similar identity proofing and attribute exchange as the federal agencies. At any point in a transaction, the 401K provider needs to resolve the user identity to the exact person the identity maps to, and finally, when the employee separates, the sponsoring company needs to auto-deactivate the employee globally across all the partnering benefit providers. Similar to the FICAM model, the 401K provider has to provide the plan subscriber control and consent for any data sharing.

Start with the experience and work back to the technology

To provide another pragmatic example, US state governments are working to enable citizen services that span multiple agencies. If a citizen has a different identity when renewing a driver’s license, applying for a hunting license or fishing permit, paying taxes and using many other services, they simply can’t keep up with the passwords, and the state’s burden to proof, synchronize and protect the data becomes more difficult. To address this problem, the State of Louisiana designed a single identity service which all agencies could share; a single identity is safer and helps the state streamline the user experience.
