Who are you? The tricky case of verifying online identity
A panel of cybersecurity and privacy experts debate the rising stakes of confirming digital identity and which of the authentication solutions is the most viable
Although more than 90% of UK consumers own a smartphone, our ability to confidently identify whom we interact with online – businesses and individuals – is relatively poor. Digital pioneer Estonia has been joined by Vietnam, Brazil and China in issuing digital ID cards and a working group of eight nations, which includes the UK, is drafting principles for mutually recognised digital ID systems. This would go some way to confirming online identity but there are many other steps to consider.
Matthew Moynahan, president and CEO at OneSpan, uses the acronym CIA – confidentiality, integrity and availability – to explain why establishing a singular digital identity is so desirable. “We’ve largely solved the confidentiality issue. Availability has also been solved, mostly by the cloud. It is the integrity that’s under attack. Digital identity solves the integrity issue associated with end users and can potentially do wonderful things for user experience.”
Are tools enough?
But if digital IDs are the solution to ensure data integrity, how soon before they too are compromised? Kavin Mistry, head of digital marketing and personalisation at TSB Bank, explains: “Fraud has always existed. Social engineering or phishing are the most common types. Hacks in organisations are relatively few and far between.”
In what can often seem to be a somewhat futile game of whack-a-mole, organisations are frustrated that despite working to ensure cyber security breaches sometimes occur. “When you look at operational failure events, the single common denominator is that organisations are failing despite their investments,” says Stewart Room, partner and global data protection and cybersecurity leader at DWF. “I’ve never seen a case where you find a vacuum of risk management activity. It’s normally stacked to the gills.”
Digital identity solves the integrity issue associated with end users and can potentially do wonderful things for user experience
Karen Jacks is chief technology officer at international law firm Bird & Bird and agrees that secure forms of identity can help. But she observes that even the most secure tools fail if people’s behaviour doesn’t change alongside it and points to the fact that the changing workplace has created new security challenges. “We have a duty of care with many obligations on us as a law firm. We have to balance that with allowing people to work where they want to work, when they want to work.” She suggests a need to “change behaviours and how people look at their security posture, and accept that things aren’t the same as they were 20 years ago.”
Jacks says clients and suppliers should at least match the effort Bird & Bird makes to stay as cyber-healthy as possible: “We spend a lot of time defending our perimeter, multiple factor authentication, for example. If we collaborate with our clients, we expect that they will do the same. We’re continually educating.”
TSB’s Mistry adds that it’s all too easy today to make customers unwitting collaborators in the acts of fraud themselves: “Fraudsters are finding new and innovative ways to reach targets, using some of the techniques that banks themselves use. We find increasingly sophisticated networks of fraudsters using multiple channels that make them look legitimate.”
Balancing security with convenience
No one wants to fall victim to fraud but we live in a ‘convenience-first’ world. Even if they have our best interests at heart, companies that make it difficult for us to buy from are often shunned for those that ‘wave us through’. “In the B2B world, how do we understand who is coming to us through digital channels, while also improving that buying journey and avoiding throwing up too many hurdles? There must be some information exchange to build up trust,” insists Yuri Jurgens, global head of measurement and EMEA digital lead at State Street Global Advisors.
While that trust is important, it makes sense not to abuse it. Establishing some kind of central identity resource or unique digital ID means there is potential for them to hold a wealth of information, making every interaction from popping into a shop to visiting a hospital for a procedure utterly seamless. But the data available to commercial or institutional partners must also be appropriate and unique to that interaction.
“The convenience factor does improve everything but there is the risk of how it’s going to be used. I don’t want everyone knowing my blood type if I’m just buying a hat,” Jurgens notes. “I have nothing to hide, but I don’t know what they might do with that information. I like the idea of having control over how data is used because the cat is already out of the bag.”
The data landscape is changing all the time. The deprecation of cookies means companies will be keener than ever to find ways of identifying their customers. There are new platforms that consumers are keen to use, and the public has a varying appetite and ability to share their information. “Once you put customers through security hurdles, they won’t tolerate going through it a second time. Hard-core identity verification is where it must start,” Moynahan insists.
Mistry agrees that usability, relevancy and security have to be at the heart of any form of privacy compliance framework: “Nursing customers up the digital adoption curve is important. There are risks to having a single way of authenticating transactions, even though the market is headed that way. Signing in using Facebook is one example. But having all your security tied to a single login does make people uncomfortable and can raise other vulnerabilities.”
Who do you trust tomorrow?
This is one of the biggest challenges ahead. Who owns the identity landscape? There are certainly many worthy contenders but equally, the general lack of understanding of data security from the general populace and many companies means we could be sleepwalking into future problems.
Who is defending the defenders? And who owns the digital ID?
“The general position is that a cloud service provider has better economies of scale, insights and is ultimately a better risk choice than doing things yourself. But we’ve adjusted our opinion without forming real risk assessments around it,” warns Room. “Microsoft, Google and others can perform with a level of credibility, but a few notches down and cloud is not as good as what people have on-premise.”
Jacks is more wary that we are about to put our identities in the hands of private entities with no social mandate:
“It makes me slightly nervous that a tech giant could end up being responsible for a digital ID. It’s frightening and reassuring all at the same time. Who is defending the defenders? And who owns the digital ID? If you have a passport error, the government owns that. Does the government give us a digital ID? Or is it a global thing? How does this work on an international level? That’s the bit I don’t know enough about.”
Moynahan agrees that the balance between simple interactions and overall protection will be one that’s hard to strike. “Everyone wants a good user experience. That’s why Apple and Amazon’s one-click checkouts are so successful. The driver of digital identity, I agree, is around how you create a good user experience in a world that’s increasingly global. But it’s also increasingly balkanised. How do I do what I want to do across the internet when everyone has their own digital ID system?”
So, there are options for organisations to deliver better experiences while providing the tools for consumers to keep themselves, and the businesses they interact with, safe. But it would be a stretch to say that the issue has been resolved. Indeed, Room’s closing comments come with a warning for all concerned:
“People aren’t engaged with the topic. They’re the frog in boiling water. They aren’t protesting about some developments. They’ll happily take more efficient delivery of goods in exchange for their data because it’s better than an inefficient one.” Room concludes: “There needs to be better policy development so that we end up with outcomes that are right for society. But no one’s doing it yet. We’re missing all the angles.”
This article was first published on raconteur.net, on July 14, 2023.