I've had a number of conversations in recent months around the concept of 'identity' as it relates to the interactions between individuals and digital services. Each time I've walked away at best confused and at worst utterly perplexed. Do you know what the term means?
To make matters worse, vendors are piling in, hyping ideas like Identity Relationship Management. I have no idea whether this is a real market or something dreamed up by marketers. Here's what I mean:
ForgeRock Inc, the fastest-growing identity platform vendor, announced today that the identity relationship management (IRM) market, focused on managing customer interactions across any device or environment, will exceed $50 billion by 2020. To celebrate the massive opportunity, ForgeRock surprised RSA attendees with a flash mob today, to draw attention and celebrate the growth opportunities in the identity security space.
I must have missed that and no-one I know was yapping about it. Maybe it didn't really happen? (sic) Be that as it may, I sat down with Sam Curry, CTO RSA to discuss the topic. Here's his starting point on my question, what do you mean by identity?
"It's a difficult question to answer. I give a different answer to different audiences. Identity is a changing thing. I don't think that people in their personal lives care about their identity as such. The main reason they care in their enterprise lives is because they're liable to lose their jobs for something or at worst potentially go to prison.
So sometimes I play a nasty trick on people and ask them, how many identities do you have? Because there are many shadows of 'you' that exist out in IT land and from an enterprise perspective, take EMC, it costs about $150 per person per annum to manage all the user names associated with me. It's not one thing you pay for: it's the password resets, it's the credentials, it's the usernames and monitoring of behaviors and then we have all the devices on which I access data and services, some of which the company doesn't control - oh yes, and I personally allow people in my family for instance to use some of those devices."
This is where you get into the complexifying of identity.
In essence, Curry is describing a scenario with which many end users might be blissfully unaware given that many companies try to get users into the systems they need via single sign-on but then that isn't always straightforward.
"I agree, it's a pain and it's only going to get worse. In the digital world, it's going to be much much easier to impersonate someone "
Well that's reassuring said I with a touch of irony. As a slight diversion I was interested in how millennials are responding to this world. It turns out that this cohort are much more security savvy then people of my generation because they've been taught from the get go about the need and value of secure passwords. Curry claims that his company's studies demonstrate that millennials are far more likely to have multiple passwords in part because they have an intuitive understanding of IT and can figure out how to use things for more quickly than older generations.
So - is there an answer to the question of hoe business maps multiple personas which themselves add up to a blended form of identity that is specific to the way users interact with digital services?
I think it is important that we're transparent about the way we make these mappings as simple as possible while being easily auditable because we don't know in the future what you could be nailed for by someone abusing the systems and so doing better authentication without being intrusive is the challenge.The pressure is on now to get a few qualities into a set of authentication services. We need to get away from this big beefy form factor thing.
I don't think anyone would disagree with that broad sentiment but then I keep coming back to the hard question: how do we get from where we are today to where users would like us to be while recognizing the ever changing landscape of devices and threats. Here Curry provides a glimpse into what he claims is the near future:
Rather than talking about multi-form factor authentication which says the cost of breaking two or more factors is greater than the sum of the parts, why stop at two or three. Why not ten or thirty? Let's take the example of location where I could infer your location from a number of different sources like IP address, GPS, cell tower triangulation. It's much harder to spoof a bunch of those things. The trick is to establish on the back end of an intelligent system that it is normal for 'me' to be in any of a dozen locations with a certain set of devices. It's almost like I can have a stock market for you where the combination of factors identify you.
- Curry talks a lot of sense in relation to the reality of managing personas but it is clear that while RSA and others are making significant headway in the battle for protecting our identities, there is still a long way to go. In that sense, it is a war without end.
- The notion of poly-factor authentication clearly holds considerable promise but I suspect that any near term solution will be difficult to scale since I expect that behaviors will be specific to a wide range of circumstances and I imagine it will be difficult to generalise an algorithm that will be fail safe in a generalised manner.
- Despite Curry's assurances, I'd like to see how RSA and others tackle the problem of false-positive identification when using predictive analytic techniques. Their ability to overcome this aspect will be key to making authentication easier for all of us.
- In the meantime, I'll continue to wrestle with dongles, multi-form authentication and a myriad of passwords I have to hold in my head, hoping against hope that I don't forget that one crucial upper/lower case combination that gets me into a favorite service.
Image credits: dahowlett