A mandate for digital identity
Organisations need to re-think their security approach to digital identity including password verification, says Trey Gannon, Partner at Deloitte Australia.
How many different digital accounts do you have today? Ten, fifty, one hundred? Now how many unique passwords do you have? Five, twenty?
Worried? You should be, because this is not just an issue for you and your accounts; it is an issue for each of your customers; and it’s getting worse.
According to recent research, by 2020, users will have an average of 200 digital accounts.
But it isn’t just passwords that are a challenge for identity. In a digital identity system each digital account requires two key elements:
- Verification – proof that the person presenting is who they say they are
- Authentication – information ensuring that the person is the actual owner of the digital account.
However, despite significant advances in most aspects of our increasingly digital life, these two elements are stuck in the 20th century.
Verification – paper-based and manual
The processes used to verify your identity have not changed significantly in the 28 years since the Financial Transaction Reports Act 1988 introduced the 100-point identity check.
For digital transactions requiring high assurance such as opening a bank account or paying taxes, verification still requires you to prove your identity by presenting one or more physical documents (e.g. driver’s license, passport, utility statement).
The review and capture of these documents remains a highly manual process, which does little to communicate your digital prowess to a new customer.
What continues to complicate the issue is that typically we have to provide similar verification for each separate organisation with which we transact. This slow, manual process gets repeated multiple times.
Verification is ripe for disruption.
Authentication – passwords don’t scale
Passwords have two key challenges: they are hard to remember and they are getting easier to crack. We all know that we should have a unique password for each separate account.
However, it is hard to remember dozens of unique passwords, especially when many accounts are only accessed a couple of times per year (e.g. car rego). So, most of us reuse our favourite passwords across many of our accounts.
Hackers love this – if they break one account, they get access to many.
To make matters worse, as processing power advances, it takes less time for hackers to crack passwords.
Note: The reason most organisations have settled on a 60 to 90 day password change policy is that, using today’s computational power, a high-powered hacker would require an average of 77 days to crack an eight character password, the industry standard.
Requiring longer passwords would just exacerbate the issue of reuse. So, to truly scale in terms of number of digital accounts while still providing reasonable security, passwords need to go.
Where’s the innovation?
In order to provide scalable digital platforms, we need better paradigms for digital identity.
A recent report by the World Economic Forum, in collaboration with Deloitte, provides a point of view on how digital identity systems could be configured to drive maximum value.
It also explains why large financial services institutions are uniquely well positioned to drive the creation of new, robust digital identity systems.
A centralised provider for digital identity would allow a user to present documentation one time only, but be able to use that identity across a multitude of organisations.
From an automation perspective, taking the manual document review and capture out of new customer acquisition would be gold.
There are some examples of such centralised digital identity providers.
- In Canada the Digital ID and Authentication Council (DIACC), working in a public and private sector partnership, is developing a roadmap for digital identity
- Finland is another country where the public sector outsourced to the private sector, giving banks tenure
- Estonia has successfully implemented a government owned and mandated centralised digital identity system
- In Australia the Digital Transformation Office is creating a trusted digital identity framework, which is a precursor to the advancement of a centralised digital identity solution.
We are seeing innovations in passwords as well
Biometrics, geolocation, and behaviours, among other signals, have the capability of enhancing the authentication process. New login credentials are going well beyond simple passwords (the ‘what you know’) to include ‘who you are’, ‘what you are doing’ and even ‘how you interact’.
An example is authentication based on analytics of how you type your account ID into your device, such as key speed and pressure. Many existing solutions are based on the ubiquity of the mobile phone, such as one-time passwords, fingerprint, voice, and push technology.
Such solutions can potentially replace the need for passwords, and can be layered to provide enhanced assurance as users move through a session, an approach known as adaptive authentication.
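The layering described above can be made concrete as a risk-based decision engine: each step of a session is scored against signals such as device familiarity, geolocation consistency and typing rhythm, and the score decides whether to allow, request a second factor, or refuse. The following is an added illustration written for this page, not code from the article or from Deloitte; the signals, thresholds and sample session values are all constructed assumptions chosen to show the mechanism.

```python
"""Adaptive (risk-based) authentication: score session signals, then allow,
step up to a second factor, or deny. Illustrative example; every threshold
and signal weight below is an assumption, not a figure from the article."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # signals are consistent with the account owner
    STEP_UP = "step_up"    # ask for an additional factor (push, OTP, fingerprint)
    DENY = "deny"          # too many contradictory signals; do not proceed


@dataclass(frozen=True)
class SessionContext:
    """Signals collected at one point in a session (constructed for the example)."""
    known_device: bool             # device fingerprint seen before on this account
    distance_km: float             # distance from the previous login's geolocation
    hours_since_last_login: float  # elapsed time since that previous login
    typing_match: float            # 0.0..1.0 similarity of keystroke rhythm to enrolled profile
    action: str                    # "view" or "transfer"; transfers demand more assurance
    second_factor_passed: bool = False


# Assumed policy: how much risk each action tolerates before a step-up is required.
ACTION_RISK_LIMIT = {"view": 40, "transfer": 20}
DENY_RISK = 80                 # at or above this, refuse even with a second factor
IMPOSSIBLE_TRAVEL_KMH = 900.0  # faster than a commercial flight between two logins


def risk_score(ctx: SessionContext) -> int:
    """Additive risk score from the available signals (weights are assumptions)."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.distance_km > 0:
        # Impossible travel: implied speed between the two logins is not achievable.
        speed_kmh = ctx.distance_km / max(ctx.hours_since_last_login, 0.01)
        if speed_kmh > IMPOSSIBLE_TRAVEL_KMH:
            score += 40
        elif ctx.distance_km > 500:
            score += 15
    # Behavioural signal: typing rhythm that does not resemble the enrolled owner.
    if ctx.typing_match < 0.3:
        score += 35
    elif ctx.typing_match < 0.5:
        score += 20
    return score


def decide(ctx: SessionContext) -> Decision:
    """Map the score and the sensitivity of the requested action to a decision."""
    score = risk_score(ctx)
    if score >= DENY_RISK:
        return Decision.DENY
    limit = ACTION_RISK_LIMIT.get(ctx.action, 0)  # unknown actions get the strictest limit
    if score < limit or ctx.second_factor_passed:
        return Decision.ALLOW
    return Decision.STEP_UP


def walk_session(steps):
    """Evaluate each step of a session in order and return the decisions taken."""
    return [decide(ctx) for ctx in steps]


if __name__ == "__main__":
    # Constructed session: a slightly unusual typing rhythm on a known device is
    # fine for viewing a balance, triggers a step-up for a transfer, and the
    # transfer is allowed once the second factor succeeds.
    session = [
        SessionContext(True, 0.0, 1.0, 0.45, "view"),
        SessionContext(True, 0.0, 1.0, 0.45, "transfer"),
        SessionContext(True, 0.0, 1.0, 0.45, "transfer", second_factor_passed=True),
        # Unknown device, impossible travel and a poor typing match: refused outright.
        SessionContext(False, 8000.0, 2.0, 0.25, "view"),
    ]
    for ctx, decision in zip(session, walk_session(session)):
        print(f"{ctx.action:8s} risk={risk_score(ctx):3d} -> {decision.value}")
```

The point of the design is that the second factor is only requested when the accumulated signals leave doubt for the action being attempted, so a routine balance check stays password-free and frictionless while a payment from an unfamiliar context is challenged; the deny band exists because a stolen one-time code should not be able to override a clearly contradictory set of signals.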
How does blockchain fit into digital identity?
We see blockchain and digital identity as living in symbiosis. Digital identity is a critical enabler to broaden blockchain application. And blockchain appears to offer powerful capabilities to digital identity systems, such as unforgeable and publicly verifiable identity proofing via distributed ledger.
Digital transformation is a ‘when’ not ‘if’ process for most Australian organisations, public and private. Scale, speed and ultimately customer experience are all hampered by today’s limited digital identity systems. To truly transform, organisations need to treat digital identity as a strategic capability, tightly aligned with their digital agenda.
This article was first published in Asia-Pacific Banking & Finance.