Identity management is the first line of defense in most information security strategies. However, your online identity is complicated, cumbersome, and annoying -- think of all the passwords, PIN numbers, account numbers, group memberships, credentials (the list goes on) required to do business in the digital age. The importance of identity management cuts across all industries and roles. And now, as a result of the proliferation of mobile devices, wearables, biometrics, and the Internet of Things, identity management is changing.
My latest report, The State of Identity Management in 2015, identifies six trends influencing identity management and explains how organizations should take advantage of identity trends to reevaluate their risk management strategies.
Six Trends Influencing Identity Management
- Mobile devices are the preferred form of ID. The omnipresence of mobile devices and sensors in motion represents a milestone for a decade of progress in IdM. For two-factor authentication (where a user is verified by checking who they are and what they carry), the cell phone is its own second factor. Cell phones are protected against unauthorized use by PIN or biometrics, and many people always have their cell phone on their person. The popularity of wearable devices means wearables could soon replace mobile phones as the preferred mode of identification.
- Hardware is the key - and holds the keys - to identity. Despite the lure of the cloud, hardware is the crux of IdM. All really serious security and authentication takes place in secure dedicated hardware, such as SIM cards, ATMs, EMV cards, and the new Trusted Execution Environment mobile devices. Hardware security is intrinsically less flexible than software security (which is part of the point). However, today's leading authentication initiatives, like the FIDO Alliance, are intimately connected to standard cryptographic modules now embedded in most mobile devices. Constellation believes hardware identity management has arrived in the nick of time, on the eve of the Internet of Things.
- The "Attributes Push" will shift how we think about identity. Attributes are to identity as genes are to organisms -- they are really what matters in the authentication process. In most business dealings, the other party doesn't really need to know who you are, but what you are. For instance, a merchant needs to know your credit card details, a bank needs to know your account number, and a social network needs to know your handle. Our research shows the identity management problem is being recast in terms of attributes. Instead of generic levels of identification, Constellation finds that businesses make use of a variety of specific user attributes when authenticating people online. The Attributes Push will bring simpler, more elegant federation models, and a marketplace for Attribute Validation. By separating identity into attributes and focusing on what we really need to reveal about people, we can enhance privacy while automating our everyday transactions.
- The identity agenda is narrowing. For 20 years, brands and organizations have obsessed about who someone is online. Whole industries cropped up to monetize identity, to little avail. Now the IdM industry agenda is narrowing toward more achievable and important goals. In line with the Attributes Push, the IdM focus is shifting to precise authentication instead of general identification. For example, FIDO Alliance protocols aim to help exchange verified data about devices and users, without seeking to make claims about who the users are. Specifically, FIDO leaves the business problem of identification to the application layers and the service providers.
- A digital identity stack is emerging. Constellation sees a digital identity stack emerging analogous to the "networking stack" introduced in the Open Systems Interconnection model of the 1980s. Elements of the digital identity stack from top to bottom include: Relationships, Identities, Attributes, Presentation, Transport, Deeper Network Layers.
- Continuity will shape the identity experience. Continuity will make or break identity UX, which is critical for mass adoption. Users will want to switch between apps, memberships, and groups seamlessly, without being required to re-enter their credentials. Continuous Authentication takes ambient signals, sometimes biometrics, collected from a wearable device, to maintain a real-time picture of what the user is doing and whether their status is still acceptable for the digital activities at hand.
The Future of Identity Management Must Focus on Frictionless Experiences
With accelerating digital transformation and the push toward digital business, organizations must adopt flexible, nuanced methods to manage user relationships and identities. Constellation suggests the following strategies:
- Deliver seamless risk management. Identification is an integral part of risk management -- we identify counterparties simply in order to minimize the consequences of dealing with the wrong person. Identification needs to be right-sized.
- Understand and uphold privacy principles. Identity Management is all about what we need to know about each other to do business. Privacy Management is the inverse: What do we not need to know about each other to do business?
- Participate in the larger community. Organizations that do best in quickly evolving areas such as identity management are often leaders. Check out the FIDO Alliance.
A snapshot of my report, The State of Identity Management in 2015, is available for download. It expands on the points above and describes the forces driving the changes to identity management.