August 14, 2018
Digital Identities: Validation for the Online World
Posted September 22, 2017
In the anonymous digital world, our identity is comprised of all of our daily activity.
For me, I have a Facebook account to keep in touch with family and friends back home in Montreal. I browse and buy sneakers on eBay because I collect sneakers. I manage my credit card online, and have online accounts at dozens of websites and mobile apps too!
And, just like everyone else online, I have to re-introduce myself to these sites on every visit. With all of my daily online activity, that can be a fairly cumbersome chore.
What if all these sites could validate my identity by using other trustworthy sources?
Who Am I?
This is not a unique concept. Diligent companies perform background and reference checks prior to hiring new employees. They use trustworthy sources outside of their own company to confirm or invalidate the information listed on a prospective employee’s resume.
Why not have this same level of validation while interacting with businesses online? Why can’t a site I visit look at my activity on Facebook, eBay and others to verify that I am who I claim to be? My histories at Facebook, eBay, and all the other sites I frequent are all contributing factors in my identity’s validity.
This contextualized history should be evaluated as a whole, not as disparate fragments of behavioral history that have no correlation to one another. That’s the only way to attain a full, accurate picture of my online identity.
Beyond User Authentication and Identity Validation
Unfortunately, that’s not the method commonly used by digital businesses today.
Many still rely on user authentication or identity validation systems in an attempt to verify users. However, this era of corporate data breaches has given cybercriminals all the information they need to circumvent these systems.
To get a better understanding of these two methods, let’s take a look at them from a real-world perspective.
Imagine that John is trying to rent a vacation house. John provides the homeowner with information about himself and shows some form of identification (driver’s license, credit card, etc.). Satisfied with this information, the owner gives John the key to the house. That is the real-world version of identity validation. But what if John isn’t really John at all? What if he is actually a criminal who stole John’s information and created a fake ID?
Now, let’s assume that John is actually John, and has the key to the vacation home. He puts the key in the door, the door opens and John enters the house. That is the real-world version of user authentication. But what if someone steals the key from John and uses it to open the door? Neither the key nor the door knows the difference between John and someone else using the key.
Similar activities happen thousands of times each day in the digital world.
Identity validation happens when someone first creates an account on a website. After entering the required personal information (name, address, phone number, date of birth, etc.), the user creates (or is given) a username and password that gives the user the right to access the site. But, the personal information used could have been stolen and exploited by a fraudster.
User authentication occurs when the user actually enters those credentials. If the information is correct, the user gains access to the site, even if that user is a fraudster. The site can’t tell the difference.
This inexactness, and the inability to distinguish a legitimate user from a fraudster, make these systems inadequate in today’s digital world.
Making it Simple
Interacting and conducting business in the global digital economy can be quite complex. Today’s digital businesses have to open their doors to the entire world to succeed. Businesses can’t control who comes to their site, leaving them vulnerable to fraudsters and cybercriminals. How then do digital businesses mitigate the risks associated with conducting business in a mostly anonymous ecosystem? Two-factor authentication? Multifactor authentication? What if a thief has the ability to intercept and steal a user’s second factor token or key? What if the methods that the business has been using to validate customers are simply outdated?
The best way for companies to validate online users and mitigate the inherent risks of operating in the digital economy is to create a digital identity.
By combining a risk-based approach to authentication with defining and validating digital identities, ThreatMetrix provides an advanced smart authentication solution. Through billions of transactions, our Digital Identity Network is able to define a user’s digital identity by evaluating, consolidating, and correlating numerous data points over time and with context. Furthermore, a risk-based approach allows a business to understand how the user’s behaviors are affected in real time. Every time a user interacts with a website or app of a ThreatMetrix customer, that interaction provides more data points to evaluate that user’s digital identity, helping to reinforce or discredit it. The more positive transactions there are, the more reliable the digital identity becomes.
As for me, the end user, my transaction history validates my existence and my trustworthiness. I transact, therefore, I am.