The Great Identity/Authentication Confusion

At this year’s PYMNTS Innovation Project, Admiral James Stavridis, NATO’s former Supreme Commander, said that one of the biggest points of compromise that cybercrooks exploit is the login.

He added that for far too long, the focus has been on password security and management (controlling access to information) rather than on the effective protection of digital identities (making sure that only the people who should have access to data or systems get it).

Blake Hall, founder and CEO at ID.me, who was part of this discussion, observes that further compounding that problem is the sheer number of “logins” enterprises are managing, particularly as transactions become digital and more services go online.

“You get to a point where it’s absurd, because you’re managing more than 100 logins, and security experts are telling you to create a new, strong, hard-to-remember password for each one,” Hall explained. “Clearly the human brain is not capable of that.”

As the winner of PYMNTS’ 2017 Innovator Awards’ Most Disruptive moniker, ID.me is no stranger to taking a unique approach to solving real problems.

ID.me’s stance is simple: The identity ecosystem should be organized around the person, not around enterprises, and certainly not around a philosophy that perpetuates making passwords harder for everyone to remember.

Overcoming the Password Trap

Unfortunately, many of the most significant and damaging data breaches in recent years have stemmed from issues around passwords and logins.

“It’s symptomatic of a broader disease that underpins the online ecosystem because really, the password management problem is a symptom of identity being organized around the enterprise and not around the user,” Hall explained.

Hall also believes that proper identity management should be about more than just ensuring passwords are strong enough. In his opinion, the ability to take an identity and verify it online across multiple websites is the broader and more compelling vision, and the most secure one.

Solving the identity problem by centering the ecosystem around the individual rather than the enterprise, Hall said, puts people in charge of their own data and lets them authenticate themselves in a trusted way. He added that reorganizing around the user intrinsically solves the password management problem as well.

During a recent webinar hosted by PYMNTS on this very topic, everyone agreed that there needs to be an effort made to solve the identity verification/authentication problem. But the real question is when — and how.

When Webster polled the webinar participants, which included product and risk executives from across the payments space, about how much of a priority it is to rethink and retool existing systems, nearly all said it was a high priority. But, surprisingly, 50 percent of the respondents said they hadn’t decided when to tackle it. In recounting that story to Hall, Webster asked him what was getting in the way of people making a decision about this significant problem.

Who’s Being Held Accountable?

From Hall’s perspective, the answer is simple and rooted in basic human psychology: who’s responsible and who’s accountable.

Hall drew on the example of the financial crisis of 2008 to show how the diffusion of responsibility led to systems getting so broken that we had a catastrophic failure. Though the risk was so great that it threatened the stability of the entire U.S. economy and society, everyone involved only felt responsible for a small piece of it, because there was also a diffusion of accountability.

“When you have a diffusion of accountability, then there isn’t really a strong motivation for any one actor to say the system is broken and that it needs to change,” Hall said.

This leads to a slippery slope where things continue to get worse until they eventually culminate in what Admiral Stavridis described as a “cybersecurity Pearl Harbor.”

“If you keep identity fragmented across silos where there’s no coordination among good parties, it is inevitable that you have a catastrophic failure,” Hall explained, adding that in a system where nobody is responsible and there’s no accountability, problems become a priority only when there’s an emergency.

Solving for the Right Problem

One of the biggest issues within identity protection, Hall explained, is actually the words we use to talk about it.

The term “multi-factor authentication” is used to mean different things. Sometimes people say identity verification when they mean multi-factor authentication; at other times they are describing security tokens and biometrics, which are also forms of multi-factor authentication.

Hall said the identity industry needs to start with separating identity verification from authentication.

Identity verification is answering two questions: Is this identity real? And is the person who’s claiming the identity actually that person and not a malicious actor?

Tools like passwords or biometrics, by contrast, are authenticators.

The analogy that Hall used to explain these differences is to imagine you live in a house where you control the locks, but there is someone else who owns the deed. While you can give other people keys to the locks on the house, ultimately the rightful owner of that house is the person who has the deed to the property.

“We should think about the digital credential in those terms — that the identity that’s in question is verified by the deed, because that’s who actually owns the house,” Hall noted.

Any number of different people might hold keys to the house. If a bad guy gets the keys to your house, he can obviously do a lot of harm, just as a bad actor can if he gets the keys to a credential that represents your online identity or bank account.

Ownership corresponds to identity; the locks correspond to whoever has been delegated access on behalf of that identity.

“If a malicious actor is able to claim your identity during the account-opening process and then they lock down your identity with biometrics, now the thief has a credential that represents someone else’s identity that is highly resistant to anyone breaking into it but that malicious actor,” Hall said.

This is why it’s so important, Hall said, that people don’t conflate identity verification and multi-factor authentication, because iris scans and touch IDs alone can’t solve identity theft problems.
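To make the deed-versus-keys distinction concrete, here is a small added illustration (not code from ID.me or from the article) that models an account as a verified-or-not identity plus a set of enrolled authenticators. The names `Identity`, `add_authenticator`, `verify_identity` and `authorize` are hypothetical. The point it demonstrates is the failure mode Hall describes: enrolling a strong authenticator such as a biometric never changes the verification state, so a service that gates access on both properties can tell a locked-down but unverified credential apart from a verified one.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verification(Enum):
    """The 'deed': has the identity been proven real and bound to the claimant?"""
    UNVERIFIED = "unverified"
    VERIFIED = "verified"


@dataclass
class Identity:
    subject: str
    verification: Verification = Verification.UNVERIFIED
    # The 'keys': authenticators enrolled on the credential (e.g. "password", "biometric").
    authenticators: set[str] = field(default_factory=set)


def add_authenticator(identity: Identity, kind: str) -> Verification:
    """Enroll a new lock. Returns the (unchanged) verification state to make the
    point explicit: adding keys never transfers the deed."""
    identity.authenticators.add(kind)
    return identity.verification


def verify_identity(identity: Identity, real: bool, bound_to_claimant: bool) -> Verification:
    """Identity verification answers the two questions from the text:
    is the identity real, and is the claimant actually that person?
    Only when both hold does the deed get issued."""
    if real and bound_to_claimant:
        identity.verification = Verification.VERIFIED
    return identity.verification


def authorize(identity: Identity, presented: set[str]) -> tuple[bool, str]:
    """Grant access only if the deed is in order AND the presented keys
    match enrolled authenticators. Checked in that order so that a strong
    authenticator on an unverified identity is reported as a verification gap,
    not as a successful login."""
    if identity.verification is not Verification.VERIFIED:
        return False, "identity not verified"
    if not presented or not presented <= identity.authenticators:
        return False, "authentication failed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: an account is opened and immediately locked down with
    # a biometric, but the identity behind it was never verified.
    acct = Identity("constructed-subject")
    print(add_authenticator(acct, "biometric"))        # Verification.UNVERIFIED
    print(authorize(acct, {"biometric"}))              # (False, 'identity not verified')
    # Once verification succeeds, the same key opens the door.
    print(verify_identity(acct, real=True, bound_to_claimant=True))
    print(authorize(acct, {"biometric"}))              # (True, 'ok')
```

The design choice worth noting is that `authorize` refuses before it ever looks at the authenticator when the deed is missing: the strength of the lock is irrelevant to whether the right person owns the house.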