Is it time to drop our identity to become frictionless?

Aug 30, 2018, 8 mins
Authentication | Identity Management Solutions | Security

How the data behind the identity is driving services and will help move us away from knowledge-based verification.

[Image: Artificial intelligence and digital identity. Credit: Thinkstock]

In the identity and access management (IAM) space, we talk a lot about identity. There is a historical reason for this as well as a psychological one. After all, when we do something online, we are doing it as a digital version of ourselves, aren’t we?

As a fan of reductionism, I’d like to turn the idea of digital identity on its head. The tasks we do, even simple ones like signing into an account, are done using data, not identity. It is this data that we need to focus on to move away from some of the more annoying aspects of getting hold of a digital identity.

Moving the discussion from online identity to data

If you have ever registered for an online account that requires you to be identity checked, you will be able to answer the question, “What is the barrier to getting an online identity?” Going through a process to apply an assurance level to an identity is a pain. You get caught up in multiple sections, each designed to drill down into the question, “Are you really who you claim to be?”

One of the biggest annoyances for users in this process is the dreaded knowledge-based verification (KBV), which consists of a series of personal questions. The concept of asking questions related to an individual’s life–for example, “Which company did you take out a loan with in 2000?” (yes, I really did get asked that)–seems great on paper, but in reality the answers are often almost as easy for a fraudster to acquire as they are for you to remember or look up: they are drawn from credit files and public records, which is exactly the kind of data that leaks in breaches.

Thankfully, standards bodies such as the National Institute of Standards and Technology (NIST) have updated, or are updating, their notion of levels of assurance (LOAs). NIST’s Special Publication 800-63-3 (2017), for example, replaced the single LOA scale with separate identity, authenticator and federation assurance levels and placed tight restrictions on when KBV may be used at all. They recognize that the old prescriptive way of making a user go through a laborious process to reach an acceptable level of assurance had serious flaws. The update includes a more granular approach to KBV and to the other components of an assurance level.

The old idea that an identity is a static object, needing to be checked, might soon be a thing of the past. This move toward sanity is being driven by the commercial world where you need to engage customers and give them a great experience with your brand. Taking a customer down an LOA route does not equate to a great experience. There must be a better way.

Trust in data

When we engage with a customer on a digital platform, we are usually offering them some form of service. That could be, in its simplest form, a message about a service, and in its fuller form, a service that provides goods and takes payment. Whatever task we perform, we need to have data to drive it.

To get the best out of a service, the customer and the service host need to feel secure in their ability to transact. I use the word security in its widest sense: secure in the knowledge that the person and the host are genuine, secure web services, secure extended touchpoints–you get the picture. This has to be a perfect two-way street to work in the long term.

Security is a holistic state. It has to cover every single aspect of the journey, from the first touchpoint of the customer to their full engagement with your service. Security, in fact, is the key to great customer experiences and to customer retention.

It comes at a cost, however, if you follow the remit of prescriptive levels of assurance. We must move away from the expectation that a consumer must be identity proofed during initial registration. Sometimes this has to be done, but more often than not, proof that I am really me is an evolving and dynamic thing and can be built up over time, bit by bit or byte by byte.

If we reduce identity to a set of data, then we can more easily accommodate this idea.

Real world vs. digital world: Who will win?

In the real world, I am me because I am made up of a set of identifying things. I look like me, I dress like me, I am called Susan Morrow. I live at a certain address and I am aged over 25. I can also use paper documents, under certain circumstances, to show a third party has proven this at some juncture in the past. When I go into a shop to buy a loaf of bread, I hand over money but no identity. If, instead, I turn up to an airport as Susan Morrow to fly to Chicago, sure, I have to prove I am me — but, then again, only certain aspects of me.

Let’s look at passports as a good example. In the UK, to apply for a passport, you send off various details to the passport authority (HMPO) along with some photos that have been signed by a “person of good standing in their community.” This is a very wide remit for a “trusted third party.” I have signed several of those photos for friends, for example. I have never ever had anyone check that I am who I say I am in being that signatory.

In the online identity realm, the “person of good standing in their community” digital equivalent is usually a credit reference agency, or similar. This small but crucial difference in expectations might be the reason why assured identity in an online context is complicated and has a poor customer experience.

Things to consider when building an identity-data-driven service

Fortunately, there are some very forward-thinking tech companies in the consumer identity space. Some have learned the hard way how not to do identity and are moving to a more data-led ecosystem where identity is just part of an extended layering of technology-bound ideas and remits. What types of ideas and practical solutions can help us to drive services by using personal data? Here is my take on some of the moving parts of the data-driven model of consumer services:

  • Don’t force users to meet prescriptive and static levels of assurance. NIST, as mentioned previously, has moved away from the single LOA 1, 2, 3 scale (its SP 800-63-3 scores identity proofing, authentication and federation as separate levels), recognizing that meeting one monolithic set of criteria serves neither the consumer nor the service.
  • If you need an identity, build it up over time. The identity ecosystem has many use cases and the digital equivalent of an identity might be needed. If you can build the identity over time, do so. This method can be a good way to prevent fraud, too, as fraudsters might not have the stamina to wait for long periods to get the golden egg.
  • Decouple identity and data; the two can be handled independently. Accommodate situations where a service can ask for a specific attribute (for example, “is this person over 25?”) without an identity being associated with it. This improves privacy across the ecosystem and lets third-party services take part in the overall scheme without needing to federate.
  • Remove single points of failure and attack. “Data stores” offer the potential to facilitate the data-driven service ecosystem, but storage can be an issue from a number of perspectives: It costs money; it offers a cybersecurity attack point; it is not dynamic enough to represent human lives. Data stores should, instead, be designed as transaction facilitators that act as a conduit between the user and the service. By doing so, you can more easily build in consent models that are user-centric.
  • Data re-use is everyone’s friend. Wherever possible design for data to be reused across the system. This again can be facilitated using a data store (data facilitator) centric model rather than an identity provider model. This helps extended ecosystem service members because they do not have to pay for data to be checked each time it is used, and it helps the user because they don’t have to keep re-asserting data (unless it has changed, of course, but that’s a discussion for another time).
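As an added illustration of the “decouple identity and data” and “data re-use” points above (example code written for this edit, not code from the article or from any product the author describes), the Python below has a hypothetical attribute verifier answer a single yes/no question about a record it holds, such as “over 25?”, and release only that answer, a random assertion id and an expiry, signed with an HMAC. A relying party can verify the token, and a second service can re-verify the same token later, without either of them seeing the name, date of birth or address, and without the document check being repeated. The records, predicate names and the shared key are constructed for the example; an HMAC keeps it standard-library only, whereas a real ecosystem would use a public-key signature so that relying parties can check assertions but not mint them.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

# Hypothetical key shared between the attribute verifier and relying parties.
# An HMAC keeps this example stdlib-only; a real ecosystem would use a
# public-key signature so relying parties can verify but not mint assertions.
DEMO_KEY = b"demo-shared-key-not-for-production"

# Constructed sample records held only by the attribute verifier, i.e. the
# party that performed the one-off document check. Not data from the article.
ADULT_RECORD = {
    "name": "A. Person",
    "date_of_birth": "1970-01-01",
    "address": {"country": "GB", "postcode": "AB1 2CD"},
}
YOUNG_RECORD = {
    "name": "B. Person",
    "date_of_birth": "2000-06-15",
    "address": {"country": "US", "postcode": "90210"},
}


def _over_25(record, today):
    dob = date.fromisoformat(record["date_of_birth"])
    # Birthday-aware age: subtract one if this year's birthday has not passed.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 25


# Each predicate turns the full record into a single yes/no fact. Only that
# fact leaves the verifier; the name, date of birth and address never do.
PREDICATES = {
    "over_25": _over_25,
    "uk_resident": lambda record, today: record["address"]["country"] == "GB",
}


def _canonical(claim):
    # Deterministic JSON so issuer and verifier MAC exactly the same bytes.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_assertion(record, predicate, key, today_iso, ttl_days=365):
    """Attribute verifier: answer one predicate about a record and sign it."""
    today = date.fromisoformat(today_iso)
    claim = {
        "assertion_id": secrets.token_hex(8),  # identifies the assertion, not the person
        "predicate": predicate,
        "value": PREDICATES[predicate](record, today),
        "issued": today.isoformat(),
        "expires": (today + timedelta(days=ttl_days)).isoformat(),
    }
    return {"claim": claim, "mac": _mac(key, _canonical(claim))}


def verify_assertion(token, key, today_iso):
    """Relying party: accept the claim only if untampered and unexpired."""
    claim = token["claim"]
    if not hmac.compare_digest(token["mac"], _mac(key, _canonical(claim))):
        return None  # tampered, or signed by an unknown key
    if date.fromisoformat(claim["expires"]) < date.fromisoformat(today_iso):
        return None  # stale: the fact may have changed, ask for a fresh assertion
    return claim


if __name__ == "__main__":
    token = issue_assertion(ADULT_RECORD, "over_25", DEMO_KEY, "2018-08-30")
    print("released to the service:", json.dumps(token["claim"]))
    print("first service accepts:", verify_assertion(token, DEMO_KEY, "2018-08-30"))
    # Same token re-used at a second service: no second check against documents.
    print("second service accepts:", verify_assertion(token, DEMO_KEY, "2018-09-30"))
```

Running the file prints the released claim and both verifications. Note what the relying party receives: the predicate result plus freshness data, and nothing that identifies the person. The assertion id identifies the assertion rather than the user, so two services handed the same token can tell it is the same token, but a re-issued assertion carries nothing linking it to the earlier one. The expiry is the hook for the “unless it has changed” caveat: a stale assertion is rejected and must be re-asserted rather than trusted forever.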

A data-driven future?

Doing jobs online is all about transacting information; I’ll give you this, if you give me that. By adding a layer of identity complexity into the process, we are making consumers unhappy and preventing innovation.

We have to be smarter in the way we design the data-driven services we offer our customers and clients. We have to move the monolith of identity into the microlith age of data and free up our thinking. The golden chalice of a frictionless customer experience is in our grasp. We just have to make sure that we plan it out correctly and remove our own friction-ridden belief in what actually drives our services.


Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She has worked in the field of cybersecurity and digital identity since then and helped to create award-winning security solutions used by enterprises across the world.

Susan currently works on large-scale citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government-based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
