March 15, 2019
Identity: Yesterday, Today & Tomorrow
Posted October 16, 2018
Thanks to a business world that is growing evermore digital, mobile and increasingly global, age-old ideas about what constitutes one’s identity—specifically, how to prove you are in fact who you claim to be—is undergoing a seismic shift.
Today, roughly half the world’s population and more than 80% of the U.S. population transact online, fueling a digital economy expected to be worth $23 trillion by 2025, or 24.3% of global GDP. According to Information Age, there are already 3.8 billion Internet users worldwide. By 2020, it will be 6 billion.
And that is creating an “identity crisis” the likes of which the world has never before seen.
Identity Abuse on the Rise
Thanks to a never-ending stream of corporate data breaches in recent years, stolen identity data is routinely and cavalierly leveraged by cyberthieves to raid bank accounts, make illegal purchases, take out fraudulent loans and more.
More than 9 billion identities have been stolen in just the last few years, and 10.2% of U.S. children under age 18 have already had their Social Security Numbers swiped in order to create “synthetic identities” comprised of real and fictitious information. Today, bank card issuers attribute as much as 31% of fraudulent applications to these Frankenstein identities.
All told, the price tag for cybercrime is expected to top $600 billion in business losses worldwide—a figure that could reach $3 trillion by 2021.
But why can’t this be stopped? The fact is, businesses are finding it challenging to accurately verify the identity of the people with whom they transact via digital channels, because static identity information alone is no longer reliable as proof of identity, when and where it even exists. Large swaths of the world have no such proof of ID.
Indeed, for all the industry buzz generated by federated identity schemes and technologies such as blockchain, a critical point is often missed. Each of these advances still requires verifiable identity proofing for them to work. Without it, you can be left providing the very best security for identities that are actually fraudulent.
The good news? A new approach is emerging that no longer relies solely on static information that can be lost, stolen or abused. To understand its evolution, let’s look at its predicates, including where identity proofing has been, where it is today, and where it’s headed next.
Who Are You?
When you think about the static information that has come to define “you,” it started with tangible, real-world identity elements such as a government-issued birth certificate, a social security or national identification number, a driver’s license and a passport, often with photos and perhaps a thumbprint to establish physical attributes that are inherently yours.
As your life has progressed, additional data has been added to the body of information that defines “you”—your mailing addresses, your credit score, your vehicles, your purchase history and more. With the dawn of the commercial Internet, additional digital forms of identity arose for digital platforms—with your email address ranking among the most critical identity attributes of all. Today, 91% of users have retained the same email address for at least three years. More than 51% have had the same address for more than a decade.
All of this is fundamental to demonstrating that you are in fact, you. But stolen identity information is increasingly monetized in a head-spinning number of criminal activities, altering the threat landscape. As a result, these digital, yet static pieces of information have grown unreliable on their own. Indeed, as more business processes go digital, identity proofing has become a moving target—requiring a continuous cycle of improvement.
Taking Identity Factors into Account
Think of it this way. In the beginning, you were who you asserted you were. All one needed to establish an account with an online merchant or service was an email address and a credit card number.
There was low friction, few errors, and users had a large measure of control over what was known about them. But as fraudsters caught on to the advantages of this arrangement, an additional authentication factor was added to the equation.
Knowledge—identity information that, theoretically, only the rightful owner would possess—became the standard of the digital realm. Other mechanisms emerged as well, such as shared secrets, which helped ensure the individual returning to a site was the same one who last visited. And don’t forget CAPTCHA, which became useful when it was longer clear whether a user was a human being or a bot.
All of that may have been enough too, if personal information had remained private. When it became clear that was no longer the case, businesses began adding a second identity factor, aka 2-factor authentication (or 2FA).
Identity, Here & Now
Sometimes this second layer of security involves a one-time passcode sent to a device established to be yours. In others, it requires special devices that users must carry with them wherever they go.
But while necessary in some cases, these “out of band” step-ups have added significant friction to the user experience. Predictably, the result is often fewer transacts, higher abandonment rates and increased customer defections. In fact, it’s estimated that $1.6 trillion will change hands in the next year as consumers permanently defect from one brand to another due to poor digital customer experiences.
In an effort to enhance this, “I am what I possess” is very quickly giving way to “I am my biometrics.” Think voice recognition or the thumbprint reader and facial recognition capabilities built into modern smartphones in the hands of 94% of US adults under 30, and 89% of those under 50.
Yet while this delivers ease and convenience to customers accessing a device or application, they aren’t foolproof on their own, either. When they fail, sometimes due to attacks using remote access trojans (RATs), the fallback is typically a reversion to static login credentials—once again leaving customers vulnerable to fraudsters.
Even worse: Once they succeed at taking over an account, cybercriminals can easily add their own device and biometric to a profile, making them “legitimate” users, and a true nightmare to their victims.
Instead of relying exclusively on 2FA or static and inherent identity elements, a new form of digital identity has emerged that builds upon all of these factors, combining it with dynamic data elements to redefine identity based on what you do—when, where and how you do it.
“I am something I know, keep or inherit” becomes “I do, therefore I am.”
This dynamic identity data, fully anonymized and passively captured from the digital markers that connect each user and their associated devices, accounts, locations, transactions and behaviors, can never be stolen, lost or abused.
When combined with offline identity attributes and global threat intelligence, these dynamic, digital identity elements offer a truly holistic view of each identity and the risk associated with transacting with them in real time.
By layering in this new form of identity, businesses can move to instant, risk-based decisioning, bridging the gap between digital and physical worlds to turn insight into actionable, even anticipatory, intelligence against new and emergent threats.
As my colleague Tom Brown explained in a recent post, this has promising implications for business and for all of humanity.