
The balance between identification and authentication: The digital identity evolution


Usernames and passwords: In the current situation there is a strong emphasis on full identification; we authenticate using (re-used) usernames and passwords.

Social identities: Creating social identities and associating these with other services remedies (part of) the pain of having multiple passwords.

Reputation brokers: Reputation brokers provide assurance on identity data and share attributes on a need-to-know basis.

Attribute based: We envision that in the future identification and authentication will be done with only the attributes that are needed for the transaction at hand.

[Figure: the four stages above plotted on a timeline, with the emphasis shifting from identification towards authentication over time]


Digital identity - keeping up with exponential growth

Technology is developing exponentially, and the human brain is not wired to grasp the effects of exponential growth. We can imagine taking 30 steps linearly, which will take us roughly 25 meters down the road, but not taking 30 steps exponentially, which will land us on the moon. What will this imply for areas such as artificial intelligence and robotics? We don’t know, but we can certainly try to peek into that future and ponder. The digital identity will enable us to continue to grow at this pace, where less paper and fewer physical means will be used in daily life. Everything, every form of transaction and of data collection, is, or will be, done digitally. Even traditional passports can be part of a digital world through chips that are placed inside the document. Thanks to the chips, passports can be tracked or even delivered by drone. Waiting in a huge line at the office to pick up the document belongs to the past.

In real life we have created a structure to cooperate with and trust each other. For instance, our signature or passport is considered as a means to prove our identity: that we are who we say we are. Now we are converting this to the digital world to create a form of trust. Is a signature still the proper instrument to verify that we are who we say we are? How can we identify ourselves with a passport in a digital world? And do we really need to fully identify ourselves or is it possible to just reveal parts of our identity?

Meet Mike and Sara

Not so long ago, Mike and Sara trusted each other with their greatest secrets, wishes, money and dearest possessions. After two happy years, Mike decides to propose to Sara. But Mike is no ordinary man – he is a typical geek with a great love of gadgets. His entire house is packed with robots and drones and he has a cupboard full of servers and network switches. Almost every weekend he will visit a convention to show off his gadgets or even worse – to buy new ones. Sara on the other hand, is a traditionalist and happy with the simple things in life. All she needs is a book, a cup of tea and preferably the sun shining on her face.

Mike proposes to Sara in his own extravagant way. Nervously, he sits on his chair. Sara doesn’t understand why Mike is so nervous - after all, they are on vacation! What Sara doesn’t know, is that Mike has programmed a drone to approach the restaurant where they are having dinner, at 6:30 PM. The tension of waiting another two minutes before proposing to Sara is killing him. He hears the drone approaching, the ring is on its way. Mike has tested it endlessly. Many times a day the drone would approach and the claw of the drone would open at the right moment and the right location. And this time is no different. At exactly 6:30 PM the drone approaches, Mike kneels before Sara and catches the ring as it is dropped by the drone. The magic words ‘Will you marry me?’ combined with his gadgets, work for Sara, and she screams: ‘YES OF COURSE!’

The world is changing rapidly through technological developments, impacting society and touching our daily lives. As Deloitte, we want to be ahead of the innovations that create and lead to these changes. In his last speech, the CEO of a big electronics manufacturer stated: “We didn’t do anything wrong, but somehow, we lost”. The manufacturer ran business as usual, didn’t keep up with the changes and failed, because standing still is not an option anymore. For instance, consider the internet, smartphones, drones, self-driving cars and food printers. One area of these innovations is taking place below the surface in the digital world, but touches our day-to-day life now and will continue to impact it in the future physical world. This innovation is the evolution of our identity. We are at the tipping point of the digital identity evolution, where we envision a fading need to identify ourselves. We want to take you along with us on this journey and explain how the way we use and perceive digital identities changes over time. Through this point of view we show how digital identities will play an increasingly important part in all aspects of our lives.

How the digital identity evolution impacts our lives


There are standards like STORK and eIDAS that determine how much we can trust methods of identification and authentication like the smartphone that we mentioned before. These standards have been agreed upon to provide a common understanding of when and how much we can trust methods of identification and authentication. This is important to create common ground, with agreed requirements, when implementing identification and authentication systems. To achieve a high level of trust according to the standards, physical identification of the user is crucial. Not even the most advanced and secure methods of authentication can counteract this requirement. We believe that the level of trust should be based on a balance, where highly secure authentication can compensate for ‘the lack of’ physical identification.

‘Sorry Sara, you’ve been hacked’

‘Dear Sara,

Please accept our sincere apologies for the inconvenience you may experience in respect of the possible hack of www.clothingalike.com. At www.clothingalike.com, we take pride in ensuring our customers’ satisfaction. Unfortunately, we did not meet your —and our own— expectations. Upon thorough investigation of the situation, we must face the possibility that our database has been breached. We took immediate action by resetting all accounts. This means that as a precaution, we have to ask you to change your password by following the link below.

As a proof that we continuously strive for perfection, we have taken steps to ensure that this will never happen again by increasing security controls and periodic security tests.

Yours in service,

Thomas Utambulisho, CEO Clothingalike.com’

Sara is annoyed. Now she has to change all her passwords. ‘You must be stupid to use the same passwords everywhere!’ Mike says in reply to Sara. Sara is not convinced. ‘They shouldn’t make it so annoyingly hard for everybody’. ‘How hard could it be to use different passwords? There are tons of apps to store them’, Mike replies. Sara: ‘It’s such a hassle, why am I being bothered with this crap?’ Mike: ‘Are you telling me that you still use the same password everywhere?’ ‘Uhmm… Maybe?’ Mike sighs. ‘I hope you’re not using it on any important websites!’

Sara has been under a lot of stress since she found out that her password was stolen. Fortunately, she uses a different password for the banking website and for her e-mail. Mike begs her to start using a password manager. ‘One day it’s going to be a website where you do use the banking password’. Contrary to Sara, Mike is very careful with his passwords. He’s used a password manager for over a year which notifies him in case of a breach.

An average morning at work for many office workers looks as follows: log on to the computer, get access to the financial system, ERP system, HR system and any other application that is needed. Most of the time these applications have their own username and password combinations that need to be remembered and changed after a certain amount of time. Even though it’s the 21st century, there are no fancy devices to help us with that. Of course, there is the Post-it. A very neat yellow piece of paper that can hold up to 10 usernames and passwords if you use it efficiently, and it sticks perfectly to your monitor. Yet, although it eliminates the need to remember your login combinations, it is far from safe.

The situation described above also applies to home internet usage. The majority of online stores you buy from, forums or other web services you use require full identification. This consists of creating a personal account and providing more privacy-sensitive information than is strictly necessary for the transactions. With each new account, you create a new digital identity. To keep things simple, you probably reuse your username and password whenever possible, not really thinking about the risks and consequences you might face. In a study by the Dutch technology website Tweakers, it was found that two out of three of their (‘techy’) users reuse the same password for multiple websites [1].

As not all services you create an account for are secure, there is a great chance that one of them will be hacked. Criminals can steal the username and password combinations (credentials) and sell them on the black market, or use the passwords and usernames themselves to perform fraudulent actions. When the news of the breach gets out, at first you might not be worried. After all, what harm can criminals do with your credentials? But even the LinkedIn password database leak from 2012 was a point of concern for many in 2016, 4 years after the fact, because it became clear through a black market sale that a far larger number of account details had been stolen in 2012 than previously thought. The same credentials are used for multiple web services over a long period of time. Your LinkedIn password from 2012 could be used by hackers to log on to other services. This is known as the ‘spillover effect’, which is very common in the present world and is the immediate result of reusing credentials.

The use of a smartphone or a tablet as an extra secure factor can mitigate part of the risks connected to username and password authentication. Next to the username and password (‘something you know’) there is also ‘something you have’. Your mobile device or token can be uniquely linked to your account. For instance, when logging into your webmail, after providing your username and password, a one-time passcode is shown on your smartphone which you enter after typing your username and password. Whenever an unknown person tries to access your webmail, they would need that additional one-time passcode in order to authenticate as you.
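The one-time passcode second factor described above, as an added example that is not part of the Deloitte paper: the passcode the phone shows is an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), and the webmail server verifies it with a tolerance of one step of clock drift. The secret is the RFC 6238 test-vector secret, not a real key; everything else is a plain stdlib implementation.

```python
import hmac
import hashlib
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
# deployment generates a random per-user secret when the device is enrolled.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the authenticator app on the phone computes and displays."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                window: int = 1) -> bool:
    """Server side: accept the code for the current step or +/- `window` steps,
    so a phone whose clock is slightly off still works. Constant-time compare
    avoids leaking how many leading digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
    # A production server also records the step index of each accepted code
    # and refuses a second use of it, so an intercepted code cannot be replayed.
```

The RFC 6238 Appendix B vectors (time 59 gives 94287082 with 8 digits, hence 287082 with 6) make the implementation easy to check.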

[1] http://tweakers.net/nieuws/106456/meer-dan-helft-nederlanders-weet-niet-van-bestaan-wachtwoordmanagers.html

Passwords are everywhere and spills happen daily


last time. Logging in from a device you did not use before to access your webmail might raise a flag for suspicious activity. And if you are logging in from China, when you logged in two hours ago from the Netherlands, that will make this login attempt even more suspicious. It will trigger the webmail service to request an extra factor for login (e.g. a token or a smartcard) or simply block the login attempt. By continuously evaluating these kinds of environmental variables, fraudulent login attempts can be detected and blocked.
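The risk-based login described in this section, as an added example (not code from the paper): each attempt is compared with the account's known devices and with the device and location of the previous login, and the outcome is allow, ask for an extra factor, or block. The speed threshold, the policy rules and the sample logins (Amsterdam two hours before a Beijing attempt, mirroring the Netherlands-to-China case in the text) are constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Assumption: travel faster than this between two logins is implausible
# (a little above airliner cruise speed, so genuine flights are not flagged).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    device_id: str   # stable identifier the client presents (cookie/fingerprint)
    lat: float       # geolocation derived from the client's IP address
    lon: float
    ts: float        # seconds since the Unix epoch


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def assess_login(known_devices: set, last_login, attempt: LoginEvent):
    """Return (decision, signals): the decision for this attempt and the risk
    signals that fired, which is what an audit log should record."""
    signals = []
    if attempt.device_id not in known_devices:
        signals.append("unknown_device")
    if last_login is not None:
        hours = max((attempt.ts - last_login.ts) / 3600.0, 1e-6)
        km = haversine_km(last_login.lat, last_login.lon, attempt.lat, attempt.lon)
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            signals.append("impossible_travel")
    # Policy (assumption): one signal asks for a second factor such as a token;
    # an implausible move from a device never seen before is refused outright.
    if "impossible_travel" in signals and "unknown_device" in signals:
        return BLOCK, signals
    if signals:
        return STEP_UP, signals
    return ALLOW, signals


# Constructed sample history: the last successful login came from the user's
# laptop in Amsterdam.
KNOWN_DEVICES = {"laptop-1"}
LAST_LOGIN = LoginEvent("laptop-1", 52.37, 4.90, 1_700_000_000.0)
BEIJING = (39.91, 116.40)
ROTTERDAM = (51.92, 4.48)

if __name__ == "__main__":
    two_hours_later = LAST_LOGIN.ts + 2 * 3600
    for dev, (lat, lon) in (("laptop-1", BEIJING), ("phone-9", BEIJING),
                            ("laptop-1", ROTTERDAM)):
        print(dev, (lat, lon), assess_login(KNOWN_DEVICES, LAST_LOGIN,
                                            LoginEvent(dev, lat, lon, two_hours_later)))
```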

A new digital identity is born

A child, what a gift! Nick is barely four years old and already more skilled on the tablet than his parents. ‘When will we give him his own device?’ Mike wonders out loud. ‘Don’t be silly,’ says Sara. ‘No, I’m being serious. We should have discussed this before he asks for it, right?’ Mike replies. ‘When he’s twelve,’ says Sara. ‘What? Why so late? It can help him!’ Mike tries to defend his idea. However, so does Sara. ‘It will expose him to cyber bullies, everything he puts on social media will haunt him for the rest of his life and if he is anything like us, whatever we do, he will not be popular in school. So we’d better wait it out.’ Mike can’t believe his ears. Is she still living in 1997, when the most advanced feature of mobile phones was Snake?

Going into town is not really Sara’s cup of tea. She loves to wander around the internet in search of new (or even better, old) books or to sell her – and Mike’s – stuff online. It is so time-consuming to register on each website though! All those passwords that she can’t remember are securely stored in a password manager. To make things easier, Sara uses social login for all online stores. With accounts on Gmail, Facebook or Twitter she can log into any website. That means she has to remember only three passwords. The registration time is far quicker as well, as she doesn’t have to fill out all the personal data over and over again. When Sara visits her favorite shopping site she isn’t logged in automatically. She reads: ’Dear customer, you’re logging in from another device, please provide your additional code’. Sara opens the app, swipes her fingerprint and instantaneously she is logged in to the website. ‘So much more efficient and secure!’ Sara thinks. Now she can really enjoy shopping online!

Online services are very much interested in your personal data, as they can use it to send you personalized marketing or –in the case of online stores– to provide a faster and easier shopping experience. However, personal data becomes outdated over time. For example, people change addresses but they don’t bother to update their personal information at every online service they once offered it to. And be honest, how much of the data you filled out is accurate? How many times did you fill out ‘January 1st 1960’ or something similar just to get rid of the question? This has a direct impact on the effectiveness of marketing campaigns from the service provider perspective, and it is one of the areas where social identities come into play.

A growing number of companies enable the usage of these social identities. A social identity is simply an account at a social website like Facebook or Twitter. These social networks act as a broker or an identity exchange. When you sign up for Spotify you don’t have to log in with a newly created account and fill in all your personal data yourself, but you can use your existing social account at Facebook that provides this data for you. These social networks have very large user bases - Facebook alone has over 1.65 billion registered users [2]. They all provide services that allow for integration of their login platform into third party websites and applications. This allows visitors of these websites to log in with, for example, their Facebook username and password, thereby reducing the barrier to using the services, as they don’t need to enter their personal data again and again. The users can also profit from security features like two factor authentication offered by the social network. Whenever a visitor uses his or her social identity to log into a website of another party, the social provider shares identity information such as name and e-mail address with the third party at that third party’s request. The data provided by these social networks tends to be more accurate, as users of these services keep their profiles more up-to-date.

As your digital identity becomes more important, it will contain more accurate and valuable data. This means that its protection should be improved as well. One measure that can help with protecting your identity is risk based login. In fact, banks, credit card companies and social websites like Facebook have already been rolling out this technique over the last few years. Risk based login, or risk based authentication, means that environmental variables are taken into account in the login process. For instance, when logging into your webmail, the process handling the authentication also evaluates the device you are using to log in and the location you are at, and compares this with the device and location you logged in from

[2] http://newsroom.fb.com/company-info/#statistics

Social identities interconnecting individual accounts


offers in January when your actual birthday is in September, and it does not contribute to being valued by the online store. Most consumers will feel uncomfortable, knowing that so many companies require all this personal data they really do not use.

The next step in the evolution of reputation brokers is near. The data they hold will be more accurate by involving the consumers. Thus, they will become more valuable for companies, selecting good and faithful customers and providing them with tailored discounts.

Spoiler alert: You can provide insight into your reputation

Exciting times for Mike and Sara: they will be going to Curacao for a month! They booked the vacation a long time ago to get the best deal. In the past months Sara spotted her dream house in the heart of Rotterdam in the newly built ‘Markthal’. And of course, during their holiday Mike gets a call from the real estate agent: “Mike, great news! The house is yours!” Mike immediately tells Sara the great news. They have been waiting for the deal to go through for months; fortunately they arranged everything in advance. ‘Shall we take the taupe wallpaper or the baby blue?’, Mike wonders. Is the lift big enough for his biggest gadget, the smart beer brewery he recently bought? The next day Mike gets another call from his agent: “Mike, bad news. The mortgage didn’t go through. They could not tell me why or how!” They panic: should they book an early flight back home to arrange everything? Together they decide to call the bank and ask why the mortgage isn’t accepted. During the call they hear that the bank didn’t have any insight into their credibility. Luckily they can log in at their bank’s website and provide insight into their reputation at their former bank and at Sara’s employer. A quick login and several simple approvals later, their mortgage is approved and the deal is made. They can now order the taupe wallpaper and the new couch, and enjoy their holiday in Curacao!

Reputation brokers are playing a significant role in the field of digital identity management. Their goal is to provide assurance on identity data. They are independent third parties that give organizations the ability to check the reputation of customers. Don’t be mistaken, this is already common practice for online stores and credit card companies. They can validate whether a customer is allowed to make a purchase for a certain amount or not, based on their previous behavior. This data will be exchanged more frequently between parties. Online stores will ask the reputation broker whether the customer is able to pay for a certain purchase. The reputation broker will answer yes or no, without sharing the user’s bank balance or credit rating, respecting the consumer’s privacy.

To provide these insights, the broker is connected with all kinds of information sources, ranging from financial institutions to government organizations. Data is aggregated from different sources and correlated to do an on-demand risk assessment, providing consumers with real-time reputation insights.

As these sources will be used more and more by reputation brokers, it will become more important to look at privacy. ‘Will my behavior of four years ago be stored and used against me?’ The answer to this question is yes and no. Your behavior will be, and already is being, stored for long periods of time. But in the future, reputation brokers will ask their users to actively participate and in return reward them for providing valuable data. Now, data is exchanged invisibly, and no consumer has insight into what data is where and what these companies really know about them [3]. For instance, your insurance fee might be calculated based on your zip code, the previous residents of your home or even a debt you had 40 years ago. Who knows?

As privacy laws in Europe are being intensified, these reputation brokers have to turn to the one source that is really well-informed - you. You will be able to provide selective evidence that you are creditworthy, and to encourage you, the reputation brokers will reward you. The consumer will have more control over which parties have access to private data and will be able to provide additional and accurate data. How many times did you fill out ‘January 1st’ of a random year just to get rid of the question? Now, this has a direct impact on the effectiveness of marketing campaigns from the service provider perspective, and from a consumer standpoint it negatively influences the buying experience as well. You will get

How to be in control of your reputation

[3] http://www.ad.nl/ad/nl/1012/Nederland/article/detail/4129472/2015/08/26/Letter-bij-huisnummer-verzekering-duurder.dhtml


Several large banks already use this form of authentication (attribute based authentication) in the background and evaluate transactions based on scoring criteria to assess whether a certain transaction is legitimate or not. The information used includes, among other things, geolocation, device fingerprints, known account numbers and transaction time stamps. This information comes from devices containing sensors that we carry with us every day. Companies are exploring the use of these attributes to increase visibility and to become more relevant to their customers. Making use of contextual attributes enables banks to provide relevant offers and information during the transaction flow. The reason why credentials have not been deprecated is that they add a feeling of perceived security, which is still an important asset for banks.

Merging your identities: a full fridge

A full fridge - every man’s dream. Except when it is filled with vegetables and healthy stuff. Mike thinks back to the days when he was the one doing the grocery shopping. He would go out early in the morning and sniff around and buy almost everything he liked. Potato chips, hamburgers, pizza, cola and beer were always in his shopping cart. Nowadays, almost everything is automatic. Mike and Sara still do grocery shopping, but they choose food based on a strict diet that Sara has set up online. When they drive to the supermarket, their car, smartphone and tablet are recognized and based on those attributes their shopping list and sale offers pop up. Based on their behavior, the exercise they get, and their previous shopping, the vitamins and products that are needed for a balanced diet are suggested. Most of the time groceries are delivered, but today Mike feels like going to the shop and exploring it a bit. The supermarket is an exhibition of healthy experimental food, and pre-made fillings for his food printer. It consists of walls with pictures of the food from different brands. With the help of his smartphone the products are scanned, put on the list, and paid for. The shop already knows his credit card number, so there is no need to take it out of his wallet. Two hours later a drone delivers the package with Mike’s groceries.

The digital world is becoming more important and will reach the tipping point, where the digital world will be the preferred setting for most of us. In contrast to the physical world, the digital world can be programmed to provide great interaction with the end-user. To achieve this, accurate personal information is becoming increasingly important. Currently, much weight is placed on identification to verify that the person is who he claims to be. This is still a direct reflection of the physical world: when we meet someone in person, we recognize their face and we feel more comfortable doing business with them. But relying on identification is ineffective in the digital world. Full identification makes transactions more difficult and time-consuming, because the user is required to provide a lot of information to identify himself. That is why, in contrast to the current state, full identification will become less beneficial in the future. The search for sufficient identification without disclosing and establishing the full identity is on.

One’s behavior and attributes at the current point in time are more valuable than a one-time full identification done in the past. How many times did you receive a congratulation e-mail on the wrong day from a website where you registered years ago? The explanation is simple: you filled out a random date of birth during identification. When the collection of attributes is not linked to, or useful for, the transaction, the user is less motivated to provide correct information. In contrast to attribute based identification, full identification is executed once, whereas attribute based authentication happens continuously, providing more valuable data. This can lead to minimizing the need for full identification for digital interactions in the future. Instead of sharing too many attributes to identify yourself, it is more valuable that there is “just enough” assurance. On top of that, identification doesn’t necessarily contribute much to the trustworthiness of an identity – you won’t trust the transaction more if you have the full data profile versus only the relevant attributes. Using attributes makes the transaction much easier and more efficient.

In line with the Pareto principle we believe that 80% of all transactions don’t require full identification. Attributes are enough to perform the transaction successfully without disclosing the full identity. The link between personal attributes and the transaction becomes stronger. As an example: it’s not important to know when you were born to buy a beer. Only one thing is relevant: whether or not you are old enough to buy beer. The attribute that needs sharing is the one that tells you just this, and only this. Of course, the reliability and credibility of this information becomes increasingly more important. To achieve this level of assurance, a trusted source is needed that validates and asserts these attributes, for example governmental institutes or banks.
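The beer example above, worked through as an added example that is not part of the Deloitte paper: a trusted source (a government registry, say) attests only the predicate "over 18" derived from the date of birth, and the shop verifies that attestation without ever receiving the birthdate. The attestation is authenticated with an HMAC key shared between issuer and verifier as a stdlib stand-in for the digital signature a real issuer would use; issuer name, key, people and dates are constructed.

```python
import hmac
import hashlib
import json
from datetime import date

# Constructed: in practice the issuer signs with a private key and the
# verifier checks with the issuer's public key; HMAC keeps this stdlib-only.
ISSUER_KEY = b"constructed-shared-secret-not-for-production"
ISSUER_NAME = "example-registry"


def derive_predicate(dob: date, min_age: int, today: date) -> bool:
    """True if the holder has reached `min_age` on `today` (birthday-aware)."""
    had_birthday_this_year = (today.month, today.day) >= (dob.month, dob.day)
    age = today.year - dob.year - (0 if had_birthday_this_year else 1)
    return age >= min_age


def _canonical(claim: dict) -> bytes:
    # Deterministic encoding, so issuer and verifier MAC identical bytes.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(issuer_key: bytes, subject: str, dob: date, min_age: int,
                      today: date, now: int, ttl_s: int = 300) -> dict:
    """Issuer side: the claim carries the predicate only, never the birthdate,
    and a short expiry so a captured attestation is not reusable for long."""
    claim = {
        "iss": ISSUER_NAME,
        "sub": subject,
        "attr": f"over_{min_age}",
        "value": derive_predicate(dob, min_age, today),
        "exp": now + ttl_s,
    }
    tag = hmac.new(issuer_key, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "tag": tag}


def verify_attestation(issuer_key: bytes, attestation: dict,
                       required_attr: str, now: int):
    """Relying party (the shop): authenticity first, then freshness, then the
    attribute itself. Returns (accepted, reason)."""
    claim = attestation.get("claim", {})
    tag = attestation.get("tag", "")
    expected = hmac.new(issuer_key, _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad_signature"
    if claim.get("exp", 0) < now:
        return False, "expired"
    if claim.get("attr") != required_attr:
        return False, "wrong_attribute"
    if claim.get("value") is not True:
        return False, "attribute_false"
    return True, "ok"


# Constructed sample data.
TODAY = date(2016, 6, 1)
NOW = 1_464_739_200             # 2016-06-01T00:00:00Z as Unix time
DOB_ADULT = date(1985, 3, 14)   # 31 on TODAY
DOB_MINOR = date(2000, 5, 10)   # 16 on TODAY


def demo() -> dict:
    """Issue one attestation per person and let the shop verify both."""
    adult = issue_attestation(ISSUER_KEY, "sara", DOB_ADULT, 18, TODAY, NOW)
    minor = issue_attestation(ISSUER_KEY, "nick", DOB_MINOR, 18, TODAY, NOW)
    return {
        "sara": verify_attestation(ISSUER_KEY, adult, "over_18", NOW),
        "nick": verify_attestation(ISSUER_KEY, minor, "over_18", NOW),
        "birthdate_disclosed": "1985" in str(adult) or "2000-05" in str(minor),
    }


if __name__ == "__main__":
    print(demo())
```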

Your identity is no longer needed, your attributes are

Authors: Jan Jaap van Donselaar, Marcel van Kleef, Nick Smaling


The journey we took through the evolution of digital identities helps us realize what a great impact digital identity has on our lives and our business, and why this should be addressed. We have shown you the impact we foresee the digital identity evolution will have. It’s up to your organization to get on board and not miss out on the opportunities that the digital world presents.

We have seen different ways to identify ourselves:

Usernames and passwords: in the current situation there is a strong emphasis on full identification. We authenticate using (re-used) usernames and passwords, which in case of a hack can lead to compromised identities. Strong authentication can increase safety of our digital identities and personal data.

Social identities: creating social identities and associating these with other services remedies (part of) the pain of having multiple passwords. But in case of compromising that social account, it leads to a spillover effect to associated services. At this stage risk based login can help with protecting our digital identities.

Reputation brokers: eventually independent parties such as reputation brokers will start providing assurance on identity data, where attributes will be shared on a need-to-know basis.

Attribute based identification: we envision that in the future full identification will not be necessary for the bigger part of transactions. Identification will be done with only the attributes that are needed for the transaction. Hence the validity and integrity of those attributes is very important. Attributes will play an essential role as the link between personal attributes and the transaction will become stronger.

Managing all our identities whilst keeping them safe is challenging. We are in the middle of an era in which the use of digital identities will reach a more mature state. There is currently an imbalance between identification and authentication. We authenticate continuously online, but we still rely on a one-time physical identification. We envision a fading need to identify ourselves, where attributes will become the determining factor in all transactions.

Concluding the evolution of digital identity

Contact

Henk Marsman, Lead Identity Services, Deloitte, [email protected], 2078 99 05


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk management, tax, and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 225,000 professionals are committed to making an impact that matters. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2016 Deloitte The Netherlands