Can the re-use of identity data be a silver bullet for industry?

May 24, 2019 | 6 mins
Authentication, Identity Management Solutions, Security

The ability to re-use identity data for individuals across different systems would greatly simplify authentication. Here's what it would take to make it happen.


The number of conferences that focus on digital identity has increased several-fold since I first became involved in the space. Yet at a recent conference, a colleague heard someone say, “…here we are, 20 years on, and we are still no further forward in creating a digital identity usable by all.”

The elusive nature of the identity “silver-bullet” — how to make identity accessible for all and usable across a complicated ecosystem of stakeholders — continues to haunt the industry. Identity specialists the world over are talking at conferences, in meetings, on social media trying to pull together ideas on a solution.

But the problem continues. Why is digital identity still a hornet’s nest of interoperability issues and disparate systems?

What’s going on with the identity landscape?

The current identity landscape can be described as “fluid,” with many approaches across many different use cases. It really is a mixed bag of solutions. If an organization puts out a tender for an identity solution, they best make sure that their requirements list closely reflects what they want, as they will get a rainbow of options in response.

In a very general way, you can break down the identity landscape like this:

  • Citizen identity: A lot of governments either already play in the citizen ID space or are preparing to. In the UK, for example, the Verify scheme is now about six years old and has over 4 million users who use it with about 19 government services. There it stays; it has yet to find any commercial re-use.
  • ID mobile apps: Apps like Yoti offer a mobile device-based identity that participants in their ecosystem can use. Yoti had over 7 million users as of May 2019 and hundreds of relying parties consuming the Yoti ID. Quite a few other ID apps are appearing, including from SecureKey.
  • Another effort that is worth mentioning but is in the early stages is a collaboration between Mastercard and Samsung to deliver a “…better way for people to conveniently and securely verify their digital identity on the mobile devices.” Again, apps have specific use cases and tend to stay in a confined ecosystem but have great potential for re-use.
  • Social and federated accounts: Facebook, Google, Amazon and the like are not really thought of as identities but often contain some or all the data needed when creating a digital identity elsewhere. These accounts have massive potential for re-use across a wider ecosystem.
  • Customer identity and access management (CIAM) platforms: Players in this area include Okta, Ping, Janrain and Forgerock. Their platforms cover a mix of customer marketing and analytics alongside more traditional IAM requirements. They are usually based on standard protocols, so they could work in a wider ecosystem.
  • Identity services and APIs: This can cover a lot of ground, but one of the more promising areas being offered is in the connectivity of all of the players in an identity landscape. Companies like Avoco Secure and SecureKey offer technology that can link ecosystem components together to build the interoperability layer.
  • Self-sovereign identity (SSI): Coming up on the inside is SSI. This decentralized approach to identity is all about putting identity back in the hands of the user. However, questions around the commercial use of SSI are still left unanswered.

How can we solve the identity problem?

As you can see, the identity landscape is complex with a lot of moving parts. The main hurdle to creating a Shangri-La for the identity space is the very disparate, disconnected, non-interoperable playground that we see today.

We have created a situation where a digital identity, which is a reflection of an individual, is being split into thousands of fractions, each disconnected, often siloed and placed into closed systems. The result is thousands of repeated data snippets. This is one of the reasons why personal data theft is so easy and so rife.

This was recently summed up by Alastair Campbell of HSBC bank at an OIX event in London where he said:

“Creating a vibrant marketplace together rather than a ‘winner-takes-all’ — that’s what we should all be interested in.” 

We have to move from this fractured place to a culture of re-use.

The old “make do and mend” ethos needs to find its digital counterpart in the world of digital identity. Here are some ideas on making this work:

  • Federation and re-use: The identity world is made up of silos of offerings across multiple vendors. Digital identity should not work like this. Digital identity really is an ecosystem. Any identity should be transferable across any relying party that needs it. Creating a “closed-shop” in digital identity is doomed to fail. Ecosystems should be built to allow existing identities and identity data to be drawn in and re-used. Apps like Yoti, platforms including Ping, and citizen ID such as Verify and eIDAS can be plugged in and offered to whoever needs the data.
  • Uplift: The ecosystem needs to accommodate new data that adds weight to the re-used IDs if needed.
  • Events: Often it isn’t about who you are but what it is you’re trying to do. Identity allows us to do jobs online, and these can be event driven.
  • Frameworks and rules: The legal basis for allowing re-use of existing identity needs to be looked at. This should focus on the interoperability layer. There are bound to be cases where competitors need to block the use of certain identity apps or platforms. This does not negate the general use of reusable identities within a wider ecosystem, but it does allow for micro-ecosystems to be created.

The identity ecosystem should be about creating flexible IDs around achievable business models that offer value to the user and the service consuming the ID. After all, it isn’t very often you want an actual ID. Usually, you just need the answer to a question — e.g., “Are you over 18 so you can buy this age-restricted product?”

Finding a cure for identity

The re-use of existing identity accounts may well hold the key to solving the issue of a disparate identity world. Allowing all to play will act to open up this closed system. Government identity initiatives will be able to find a commercial use case and even an ROI. What’s key is collaboration via the likes of industry bodies such as Open Identity Exchange (OIX) and Kantara. Organizations like Kantara do sterling work on creating standards in the identity space, but this work needs to be augmented with a holistic view of how to pull identity out of the silos and into the wider world.

A final word from analyst Martin Kuppinger at the recent European Identity & Cloud Conference 2019 sums up the situation:

“Aim to connect to identities – not manage them yourself. Orchestrate services and don’t invent what already exists. Segregate data from applications so that it can be used and is not locked.”

Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She has worked in the field of cybersecurity and digital identity since then and helped to create award-winning security solutions used by enterprises across the world.

Susan currently works on large scale, citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
