We are born without Digital Identity. We are doing quite well for the first 20 years of our lives. But then we need to get a Digital Identity and use it carefully every day, everywhere we go. Indeed- bad actors are preying on our Digital Identity for the rest of our lives. Multiply these by 3 billion people and you get the problem's scope.
Two trivial conclusions: Digital Identities are created. Digital Identities must be protected.
Many scholars are debating what Digital Identity is. At this point, it is sufficient to say that we may not know what Digital Identity is, but we know when we see it.
Digital Identities must be stored somewhere. But this contradicts our common-sense knowledge that neither Centralized systems nor endpoints are protected enough. Many attributes of our Digital Identities are already in the public domain. We are not worried about their protection because they cannot harm us in any way. Many people know your name and your phone number (just by looking into a phone book), but it does not worry you since this data does not authorize anyone for anything. (If it does - you should immediately close this relationship/business account).
So let's decide that the minimal set of Digital Identity attributes or our Digital Persona will comprise the set of harmless, public-domain parameters.
But Digital Identity is created to be used in mission-critical circumstances. Therefore, we must be sure that Digital Persona is verified online by third parties. Third parties include Social Networks (Facebook), Payment networks (PayPal), enterprises, Governments, Banks, Mobile operators, Healthcare Providers, etc. It is clear that these third parties are legally free to share, upon consumer's consent, non-sensitive Digital Persona attributes such as First Name, Last Name, Gender, Photo URL, Email, Confirmed Address, Enterprise ID#, IBAN#, National ID#, Mobile Phone #. Third parties have verified this info, and a Centralized service for Digital Persona aggregation can leverage it without any danger to the consumer.
In practice -one would need Digital Persona to open a new account at some service provider due to Know Your Customer (KYC) or Anti-Money Laundering (AML) regulation. This may be a good starting point to establish a relationship and provide additional info later.
Another essential use case is P2P apps., such as online apartment rentals, the used-car marketplace, rides-share, babysitter, or dating, where Digital Persona may be required until a reputation is established.
But once we create a new account, we do not carry our Digital Persona. We could store all this on our smartphones, but what if the smartphone is stolen, lost, or destroyed? We need to verify our Digital Persona wherever it is stored. The data proves nothing; its verification proves everything. This process is commonly called authentication. Digital Persona and its authentication must be bound together, like Public and Private Key.
If Digital Persona is online, then one must assign it parameters of Knowledge (for example, PIN), Ownership (for example, smartphone), or Inherence(for example, behavioral biometrics).
We can safely say that no "silver bullet" has emerged, as the best of the breed, for authentication. Our rule of thumb: use as many authentication parameters, as possible, in a time as short, as possible to reduce consumer friction.
But our real goal, as consumers, is to get some online service (financial, healthcare, government, etc.). For example – money transfer. Are we authorizing it correctly? This is where things get even more complicated. Our endpoints (PCs, smartphones) are unsafe and can be infected with malware. The authentication process is generally out of context with the user's intent (authorization request), and malware can modify it. "What You See is not What You Get."
Therefore, authentication must be in-context, thus binding it with authorization.
We can safely say that no "silver bullet" has emerged, as the best of the breed, for authentication. Our rule of thumb: use as many authentication parameters, as possible, in a time as short, as possible to reduce consumer friction.
What we finally get is the following Triangle:
Why can't we have three best-of-breed vendors for each of the three sides of this Triangle?
Securing Digital Identity is a formidable task. The experience shows that the "security dress" weakest link is its "stitches."
Suppose we have good authentication and good endpoint protection. Do they work together to protect from "man-in-the-browser" attacks, resulting in stolen money transfer transactions?
Suppose we have an excellent "Verified Digital Persona" solution. Does it provide a secure and scalable assignment of Knowledge, Possession, and Inherence authentication parameters?
To summarize: Digital Identity for Consumers can be achieved by binding of Verified Digital Persona, Optimized Multi-Factor Authentication, and Secured Intent for Authorization.
Comments