It is time to (Re)-invent Digital Identity

Nowadays, barely a week goes by where news does not emerge of another major cyber attack, putting at risk consumer information. For more than a decade, financial institutions and businesses have invested significantly to protect personally identifiable information (PII). Companies take data protection very seriously, yet an epidemic proportion of data breaches continue to occur, highlighting the need for a new set of strategies and tools to manage this risk.

To adapt our response, it is important to appreciate the evolving nature of the threats. First, their scale have reached dramatic levels. Second, the targets are becoming more diverse, even including financial institutions. Third, the motivations of the attackers are going beyond just criminal intent.

User IDs and passwords were never intended as a cornerstone of digital identity and the security paradigm is clearly outdated. According to my friend Taher Elgamal—inventor of several key advances in modern cryptography—user ID and passwords were invented about 50 years ago to manage access to resources on time-shared mainframes. Today, that’s hardly how we use them.

In 2012, Experian found that average Internet users had as many as 40 different online accounts. In 2013, Harris Interactive found that, in most cases, consumers continue to rely chiefly on usernames and passwords. In addition, more than half of consumers have been found to use just five different passwords across all of their accounts—increasing the level of vulnerability. But this form of authentication is no longer completely effective. In the last year, cyberthieves exposed personal data from nearly half of the entire U.S. population. And with repetition comes numbness. After the Heartbleed hack, only six percent of users actually changed their passwords.

In 1993, when Peter Steiner famously stated, “On the Internet, nobody knows you are a dog,” anonymity on the Web was considered a benefit. Today, identity is at the core of many of the Web 2.0+ plays: whether logging in through services from Facebook, Twitter, Google or PayPal; matching device and account IDs for cross-channel experiences; or accessing a wide array of confidential information from health data to bank accounts.

Given the growing use of connected services and consumer password fatigue, we can assume that data breaches are not a short-term crisis. As such, we should treat it as a new part of the landscape and find new ways to prevent such attacks from happening. We are dealing with asymmetrical digital warfare. Just as General Petraeus rewrote the book on guerilla wars, we need a new doctrine to deal with this fundamental risk to our connected economies and way of life.

Search for “identity security” on the Web and you will find a laundry list of technologies to consolidate passwords and strongly authenticate users, insurances against certain forms of losses, and services to assist with the recovery of compromised identity. Nowhere, however, will one find a holistic approach that combines technology, business processes and end-to-end services for the parties relying on digital identities, to minimize the disruption but also the liability caused by breaches.

Right around the time user IDs and password were invented, the payment industry—realizing the limitations of closed, fragmented systems—created open payment networks. They provided interoperability and the benefits of standardized business practices for users (consumers and merchants ). I can only wonder if the time has come for a similar approach to redefine identity services, with “Identity Providers” (issuers), “Relying Parties” (acceptors) and networks to connect them in a many-to-many configuration.

To be successful, this approach would have to provide consumers with various choices, while simplifying their experience and reducing the number of identities needed. It would also need to combine the use of deterministic and probabilistic methods to authenticate users more reliably and leverage well-honed risk management tools to: identify and block suspicious activities; define liability rules for parties utilizing or providing identification services; provide a framework for the protection of privacy and also for the recovery of compromised identities; and establish a mechanism to quantify the risk transfer between relying parties and authenticators.

The parallel with payment networks is easy to make simply because we are similarly dealing with a multi-party system at a scale that requires interoperability between identity domains. Monetization, however, will differ. Unlike payments, the potential exposure, and therefore fair compensation for that risk, is more difficult to establish.

The field is therefore wide open. We could see a coalition of the willing emerging from one of the many standards conglomerates (e.g. OpenID, or FIDO, in both of which PayPal is a major participant), or a major business expansion by one of the Web/ecommerce platform providers, or even new entrants with key backings (for instance government agencies) such as SecureKey in Canada, or a combination thereof. The demand is broad enough to justify more than one approach.

Success, however, is not for the faint of heart. It requires deep technical roots in identity and access management (I&A) and system security, advanced risk management expertise, a brand that inspires trust and a willingness—and a balance sheet—to weather large risks.

Still, the prize could make more than a few heads spin. About a decade ago in Europe, I tested 3D secure to provide identity validation services and found that relying parties were willing to pay one euro per transaction, without any form of liability insurance included. I believe the market for “commercial digital identity” is of a scale worthy of turning the head of any seasoned partner at a top venture capital firm.

It is in times of great challenges that great innovations—and great fortunes—are made. The cyber attack headlines and the associated pain felt by corporations and individuals alike all indicate that the time to reinvent digital identity is now.

Patrick Gauthier is General Manager, Emerging Retail Services at PayPal, providing Demand Generation services to connect merchants and consumers. The ideas expressed here are his and his alone, and do not represent eBay, or PayPal in any way. Patrick can be reached at and on twitter @PRGauthier