Identity Ownership and Security in the Wake of the Pandemic
Employers and consumers have embraced digital in the wake of the global pandemic. Enterprises have responded by rapidly pivoting to digital-first experiences, such as online shopping, telehealth and remote employee onboarding, to keep pace with customer expectations and maintain a competitive edge. Underpinning it all is digital identity, which ensures secure and more personalized, streamlined user experiences.
But in this world, identity is far more intricate and risky than the little card in your pocket or the family name you inherited. It’s data, and that makes identity both powerful and vulnerable—especially when the amount of data collected is growing exponentially.
Has identity security kept up during this historic rise of digital interactions? Ping Identity’s CEO, Andre Durand, recently joined me for an episode of Hello User, our podcast on how identity creates our world. In “How Does the Rise in Digital Affect Identity Security?” we explore how the pandemic has opened up an opportunity to shape the future of personal identity. Here are the highlights of that conversation.
Takeaway #1: We digitized much of our economy during the pandemic but neglected one important aspect: identity.
“Tremendous amounts of our economy have been able to move into digital pathways. The one thing that we forgot to move was people.”
Although the massive uptick in online interactions during the pandemic is indisputable—in the U.S. alone, e-commerce grew an estimated 18% in 2020 while interactions with companies are now roughly 60% online—it wasn’t accompanied by a corresponding effort to shift human identity online. There was no large-scale movement of people’s identities, giving them a way to be able to prove that they are who they say they are. Instead, the online ecosystem essentially just handed individuals a bunch of accounts and passwords and said, "Good luck." We didn't really finish the digital journey for its most important component: the user.
This may not be all that surprising since, as Andre puts it, water always finds the path of least resistance and humans tend to find the path of least resistance as well. But unfortunately, the number of actors that can abuse identity is boundless and not confined to someone who happens to be next to you. These days, fraudsters can steal your identity by stealing your shared secret (your password) and getting into your account, moving money or performing some other nefarious activity. It’s critical that we address identity online, beginning with the notion of how we authenticate and whom we are authenticating to on our behalf.
Takeaway #2: Third parties have much more control over digital identity than individuals.
“You own your identity, but others own the verified record of your behavior. – Esther Dyson”
What parts of your digital identity that have validity can you actually project? And if all of your claims are self-asserted, how much credence do they have?
During our chat, Andre relayed a conversation he had recently with Esther Dyson in which she said, “You own your identity, but others own the verified record of your behavior." In other words, if you tell someone you’re a million-miler on a particular carrier, it doesn’t have as much validity as the airline saying you’re a million-mile flyer. You might own your identity, and you might be able to make a claim that you’re a million-miler. But that assertion is more credible when you share the carrier’s record of your flight behavior.
In this sense, outside organizations have more control over identities than individuals do. Being able to self-declare is problematic, because the history and the information isn’t just about who you are but is also the form of relationship that you have with each of these different organizations, services, products, etc.,—and you don't keep that information in one place. When we think about this new universe of complexity, it's married up with a vast amount of information that is now aggregated on every human being.
Takeaway #3: We’re on the cusp of a tectonic shift in the notion of digital identity.
“Bring-your-own identity—the notion that you show up with an identity that's pre-verified—is a new concept.”
For decades the notion of digital identity has often been expressed in the context of workforce identity, which is fundamentally different from customer identity. You don’t own and control your workforce identity. You may “volunteer” yourself into an employment situation, but your digital identity gets granted to you via the credentials that get you into the network, a corporate email address, or other identity feature. Your only control in that identity is choosing to stay employed at the company.
But in the consumer world, just because you might choose to be forgotten from the customer system doesn't mean that you disappear. Your digital identity, which exists in all of your relationships with companies today, persists beyond your relationships with the organizations you interact with. Furthermore, describing someone as a workforce user or as a customer user is a company's way of describing the person, not the individual’s way of describing themselves.You interact with governments, you interact with employers, you interact with companies you do business with, and there is currently no way to represent that long-lived identity in a digital sense.
The totality of your behavior probably exists somewhere in the digital exhaust of the identity management systems of all the organizations and companies you interact with. The existential question is: What's my digital identity that I control, the one that’s separate from my interaction with another third party? And what is its role in the future of the digital world and maybe the future of my identity and privacy management?
Takeaway #4: The pandemic has accelerated the changes needed to shape the future of digital identity security.
“One of the biggest objections to changing identity security is based on preconceived ideas about user behavior. But people’s behavior during 2020 has shattered those notions.”
Here at Ping, companies frequently used to tell us things like “I can't trust my users to do that” or “My users will never figure out how to use a digital interface.” But with the pandemic, a lot of those paradigms have been shattered because we ended up in a situation where there were no alternatives other than digital channels. The mobile phone has become one of the most powerful digital identity devices. This always-on, always-connected device can be unlocked with a biometric that's not shared outside of the secure platform on the mobile phone, and it is allowing individuals to have some empowerment in the execution of their own security.
The darker side of the pandemic, however, has been a solid, real-time exposure of the massive security fractures that we have not just in our individual corporate or government infrastructures, but in the connection points between organizations. We saw massive losses in the unemployment space, small business loans and identity theft. The upside is that when you experience a once-in-a-several-generations event, you have the opportunity to take those lessons learned and act upon them.
Takeaway #5: Moving control of digital identity to the individual will dramatically change our current identity and access management systems.
“The house of cards of strong identity cannot be built upon weak identity verification.”
All of our identity systems are only as good as the level of assurance associated with verification. We could have strong authentication, behavioral analytics, real-time access control and risk signals galore, but if they’re associated with the wrong user who first created the account, we're in trouble. So we need to get the identity verification right in order to fully leverage the identity control plane that we're building.
And it’s critical to get this right because outside of the user experience, companies are most concerned with the negative consequences of fraud. Fraud costs money, and it’s rooted in the inability for us to digitally verify people with a certain level of assurance, consistently and in all forms of interaction, especially remote digital-to-digital interactions. Furthermore, most fraud comes on the heels of identity fraud and/or self-asserted claims that are not verified and not true. I anticipate that identity for individuals might progress in the future to create a better, more secure experience with companies.
The Hello User Podcast
Thanks for joining me in this discussion illustrating how digital identity shapes our world. I invite you to listen to the full broadcast and find out about upcoming episodes at the Hello User podcast page.
