A mandate for digital identity

Organisations need to re-think their security approach to digital identity including password verification, says Trey Gannon, Partner at Deloitte Australia.

How many different digital accounts do you have today? Ten, fifty, one hundred? Now how many unique passwords do you have? Five, twenty?

Worried? You should be, because this is not just an issue for you and your accounts; it is an issue for each of your customers; and it’s getting worse.

According to recent research, by 2020, users will have an average of 200 digital accounts.

But it isn’t just passwords that are a challenge for identity. In a digital identity system each digital account requires two key elements:

  • Verification – proof that the person presenting is who they say they are
  • Authentication – information ensuring that the person is the actual owner of the digital account.

However, despite significant advances in most aspects of our increasingly digital life, these two elements are stuck in the 20th century.

Verification – paper-based and manual

The processes used to verify your identity have not significantly changed in the 28 years since the Financial Transaction Reports Act 1988 introduced the procedures organisations are required to follow, including the 100-point identity check.

For digital transactions requiring high assurance such as opening a bank account or paying taxes, verification still requires you to prove your identity by presenting one or more physical documents (e.g. driver’s license, passport, utility statement).

The review and capture of these documents remains a highly manual process, which does little to communicate your digital prowess to a new customer.

What continues to complicate the issue is that typically we have to provide similar verification for each separate organisation with which we transact. This slow, manual process gets repeated multiple times.

Verification is ripe for disruption.

Authentication – passwords don’t scale

Passwords have two key challenges: they are hard to remember and they are getting easier to crack. We all know that we should have a unique password for each separate account.

However, it is hard to remember dozens of unique passwords, especially when many accounts are only accessed a couple of times per year (e.g. car rego). So, most of us reuse our favourite passwords across many of our accounts.

Hackers love this – if they break one account, they get access to many.

To make matters worse, as processing power advances, it takes less time for hackers to crack passwords.

Note: The reason most organisations have settled on a 60 to 90 day password change policy is that, using today’s computational power, a high-powered hacker would require an average of 77 days to crack an eight character password, the industry standard.

Requiring longer passwords would just exacerbate the issue of reuse. So, to truly scale in terms of the number of digital accounts while still providing reasonable security, passwords need to go.

Where’s the innovation?

In order to provide scalable digital platforms, we need better paradigms for digital identity.

A recent report by the World Economic Forum, in collaboration with Deloitte, provides a point of view on how digital identity systems could be configured to drive maximum value, and on why large financial services institutions are uniquely well positioned to drive the creation of new, robust digital identity systems.

A centralised provider for digital identity would allow a user to present documentation one time only, but be able to use that identity across a multitude of organisations.

From an automation perspective, taking the manual document review and capture out of new customer acquisition would be gold.

There are some examples of such centralised digital identity providers.

  • In Canada the Digital ID and Authentication Council (DIACC), working in a public and private sector partnership, is developing a roadmap for digital identity
  • Finland is another country where the public sector outsourced to the private sector, giving banks tenure
  • Estonia has successfully implemented a government owned and mandated centralised digital identity system
  • In Australia the Digital Transformation Office is creating a trusted digital identity framework, which is a pre-cursor to advancement of a centralised digital identity solution.

We are seeing innovations in passwords as well

Biometrics, geolocation, and behaviours, among other signals, have the capability of enhancing the authentication process. New login credentials are going well beyond simple passwords (‘what you know’) to include ‘who you are’, ‘what you are doing’ and even ‘how you interact’.

An example is authentication based on analytics of how you type your account ID into your device, such as key speed and pressure. Many existing solutions are based on the ubiquity of the mobile phone, such as one-time passwords, fingerprint, voice, and push technology.

Such solutions can potentially replace the need for passwords, and they can be layered to provide enhanced assurance as users move through a session, an approach known as adaptive authentication.
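As an added illustration (not code from the article or from Deloitte), the following Python sketch shows how a keystroke-timing profile of the kind described above can be scored against a login attempt and then layered with a device signal into an adaptive allow / step-up / deny decision; the latency figures, the 2-sigma tolerance, the stddev floor and the risk weights are constructed assumptions.

```python
"""Keystroke-dynamics scoring layered into an adaptive authentication decision."""
from statistics import mean, pstdev

# Constructed enrolment data: inter-key latencies in ms for five keystrokes of
# the same account ID, captured over three previous successful logins.
ENROLLED = [
    [120, 95, 140, 110, 130],
    [125, 100, 135, 115, 128],
    [118, 92, 145, 108, 134],
]
SD_FLOOR_MS = 5.0       # assumption: never trust a stddev tighter than 5 ms
TYPING_THRESHOLD = 0.6  # assumption: at least 60% of latencies must match


def enroll(samples):
    """Build a per-keystroke (mean, stddev) profile from enrolment samples."""
    positions = len(samples[0])
    profile = []
    for i in range(positions):
        column = [s[i] for s in samples]
        profile.append((mean(column), max(pstdev(column), SD_FLOOR_MS)))
    return profile


def typing_score(profile, attempt):
    """Fraction of the attempt's latencies within 2 sigma of the enrolled mean."""
    if len(attempt) != len(profile):
        return 0.0  # length mismatch: treat as no evidence of the genuine user
    hits = sum(1 for (m, sd), x in zip(profile, attempt) if abs(x - m) <= 2 * sd)
    return hits / len(profile)


def adaptive_decision(password_ok, typing, known_device):
    """Layer signals: allow, step up (e.g. push/OTP to the phone), or deny."""
    if not password_ok:
        return "deny"
    risk = 0
    if typing < TYPING_THRESHOLD:
        risk += 2  # behaviour does not match the enrolled profile
    if not known_device:
        risk += 1  # unrecognised device adds a smaller amount of risk
    if risk == 0:
        return "allow"
    return "step_up" if risk <= 2 else "deny"


PROFILE = enroll(ENROLLED)
GENUINE = [122, 97, 138, 112, 131]   # constructed: close to the enrolled timings
IMPOSTOR = [200, 60, 90, 180, 70]    # constructed: correct password, alien rhythm
```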

How does blockchain fit into digital identity?

We see blockchain and digital identity as living in symbiosis. Digital identity is a critical enabler for broadening blockchain applications, and blockchain appears to offer powerful capabilities to digital identity systems, such as unforgeable and publicly verifiable identity proofing via a distributed ledger.

What next?

Digital transformation is a ‘when’ not ‘if’ process for most Australian organisations, public and private. Scale, speed and ultimately customer experience are all hampered by today’s limited digital identity systems. To truly transform, organisations need to treat digital identity as a strategic capability, tightly aligned with their digital agenda.

This article was first published in Asia-Pacific Banking & Finance.