Secure Data to Avoid Misuse of Identity
Digital identity is becoming core to the future growth of the Internet, be that through reducing the friction of onboarding users to new online services, or providing trust within the sharing economy, or enabling Internet players to understand individuals better and curate personalized services and experiences for them.
But digital identity is brittle: the majority of the public does not truly understand the role their identity plays online, and the thirst for data fuelled by the surveillance economy creates honeypots of identity information. These pieces of information are targeted by cybercriminals, which results in irreparable reputational, financial and legal damage for the businesses and is devastating for the individuals whose identities are stolen. With credential misuse being the leading threat metric behind most data breaches and associated identity fraud, it's imperative that the next-generation authentication mechanisms increase in robustness, but in a way that doesn't present a barrier to user experience.
A move away from passwords to authentication methods utilizing multiple factors, and most importantly authentication factors such as possession (of a mobile phone) and inherence (biometrics) that are immune to scalable attacks, will help to build robustness. Similarly, a migration to a more passive, continuous means of authentication using behavioural biometrics or cleverly inserting physiological biometrics (such as facial recognition) within the user flow has the added benefit of not only improving security but also delivering on the holy grail of reducing user friction. It is perhaps ironic that one of the most promising methods, behavioural biometrics, has a dependency on passively monitoring and collating data on the user. This is unfortunately the mouse trap that is the surveillance economy - on the one hand it can be beneficial in keeping us safe, but if abused it can be used to manipulate us in the process.
GDPR is helping to create awareness and provide a set of guard-rails to encourage good behaviour amongst online players. Whilst not as progressive and effective as some believed or feared, GDPR has been instrumental in raising awareness around privacy and data protection and encouraging companies to reposition themselves more favorably within the privacy debate, thereby currying favor with the regulators and winning back confidence from the public. Arguably though, the Internet is sorely missing an identity layer that delivers trust intrinsically.
Decentralized identity is seen by many as a potential way forward, giving back control of identity to users and creating an open framework that can foster an ecosystem for identity without reliance on any dominant players. Work to define and standardize on the critical building blocks is progressing well in W3C and DIF with strong backing from the community. Still, there remain many commercial and operational challenges that need to be worked through before such decentralized identity solutions will be able to achieve mass market adoption.
Whilst the large Internet companies are likely to continue their relentless pursuit of user data, combining it with advanced machine learning to further generate insights and influence user behaviour, the future belongs to those brands that can be trusted to manage their customers' data with integrity, security and transparency. Many believe, however, that such a halcyon view will not be achieved without an evolution in the regulation built on a more thorough understanding of how the surveillance economy operates today and may evolve in the future.