The move to digital business models, especially in the financial sector, requires that users have constant and secure access to online products and services. While presenting great opportunities such as financial inclusion, cost savings and other efficiencies, this shift involves substantial risks. Digital identity and access management (DIAM) is key to facilitating innovation in the era of the digital economy. This article provides an overview of DIAM and the challenges faced by individuals and institutions, followed by a review of digital identity solutions.
What is digital identity and access management?
Digital identity is the electronic representation of an individual, organization or device. Access management refers to an entity’s ability to perform certain functions and to allocate clearances within a system or a platform. Combined, these two terms create the framework that enables the administration of electronic identities and facilitation of transactions. This framework includes both organizational policies as well as relevant technologies.
The process of creating and managing digital identities comprises several layers; each layer is designed to achieve a specific goal by using input from the previous one. The following illustration visualises this process while highlighting the key aspects attached to every layer:
Source: A Blueprint for Digital Identity, World Economic Forum & Deloitte, August 2016
Ideally, this scheme ensures that access is given according to a pre-determined policy and that all entities and transactions are authenticated, authorized and monitored.
Driving forces & challenges
A number of forces pose challenges to DIAM and at the same time help re-shape the industry. The main driving force behind the need for better digital identity and access solutions is cybercrime. According to a report by IBM, USD 112 billion was stolen via identity fraud alone in the period between 2011-2017. The frequency and speed of cyberattacks are expected to rise in the upcoming years, due to the increasing sophistication of the methods and tools used by hackers to exploit breaches in identity and access systems. As human error considerably increases the incidence of such attacks, improving DIAM technologies can minimize the margin of error and narrow down the number of potential breach points from both human and process perspectives. This is relevant for individuals and even more so for organisations, as both financial and reputational damage need to be taken into account.
Another force to be reckoned with is the regulator, as 2018 ushers in major regulatory changes in Europe. GDPR aims to give EU citizens power over their data along the layered process described earlier. Additionally, GDPR contains strict requirements and imposes hefty fines on those who fail to meet the standard. As the volume and complexity of cross-border transactions increase, companies are able to trade with new parties via APIs and other platforms, yet at the same time PSD2, MiFID2 and strict KYC and AML legislation demand that companies be liable for missing or incorrect identity information. Existing DIAM solutions can only mitigate risk to a certain extent, making investment and innovation in the field top priorities.
A more latent force that affects DIAM is user experience. Customers expect a seamless automated process that enables them to access services from various devices with minimal friction. It is predicted that the number of IoT devices will reach 20.4 billion in 2020. Combined with the growth of internet access and device ownership in developing countries, the number of digital identities will rise drastically. Individuals and companies alike are in need of solutions capable of handling this influx of digital identities in an efficient and user-friendly manner, but without compromising security.
Existing DIAM solutions vary substantially, targeting different facets of digital identity and utilizing various authentication methods. The most prevalent method is the alphanumerical password, either as a standalone one-step solution or as part of a two-step process involving mobile devices or other means of communication.
Biometrics-based solutions are beginning to gain ground, as younger generations are keener to adopt such methods. This type of solution can include the use of fingerprints, retinal scans, facial recognition, voice recognition and even heartbeat. Considered a safer method, and already integrated in mobile devices, governmental services and soon in payments, biometrics is up-and-coming, yet the storage of biometric data is sensitive and raises privacy issues.
Geolocation enables merchants to know the customer’s whereabouts during the transaction. The merchant is able to notice attempts to hide or falsify location and to track anomalies between the details provided by the customer and their actual location, thereby preventing fraud. Compliance is also made easier: consumers might try to access services and products not allowed in their country, and geolocation allows the merchant to block such individuals.
Disruptive technologies are also being refined and integrated into the DIAM solution portfolio. Behavioural biometrics applies machine learning to identify and measure patterns of human and device interaction. This creates a seamless layer of security that works in the background and does not disrupt the user experience.
Identity as a Service (IDaaS) utilizes cloud technology for an authentication infrastructure run by a third-party service provider. This method reduces infrastructure and personnel costs; however, it faces the same risks as any other SaaS offering, such as availability, data protection and placing a crucial business functionality with a third party.
Despite being applied only to specific use cases and not deployed on a full scale, distributed ledger technology (DLT) has the potential to become the building block for a new public service identity model. Estonia has already experimented with blockchain implementations that enable citizens to access health, voting, banking and other services.
- 2018 Identity Landscape (One World Identity)
- Access Management Handbook (Gemalto)
- The future of public service identity: blockchain (Accenture)
- Digital identity and access management (EY)
- The 2018 Global Fraud and Identity Report (Experian)
- The Legal Entity Identifier: The Value of the Unique Counterparty ID (McKinsey)
- IBM Security: Future of Identity Study (IBM)
- A Blueprint for Digital Identity (World Economic Forum & Deloitte)
By Guy Tocker, Research Analyst