When we think of identity in today’s connected world, we increasingly associate it with risk. From leaked data points to entire identities stolen, using modern technology all too often involves putting personally identifiable information (PII) at threat.
It’s not just individual consumers who shoulder the risk either; just consider how many people use the same passwords, logins, and other credentials at work as they do in their personal lives. Research from Nomidio found that the average Briton has a digital identity with 39 different organizations. That’s 39 opportunities for a breach that could hurt individuals and organizations alike.
We also need to consider the identities that businesses give to their employees, with logins, staff ID, biometrics and other data that is often held on to long after that employee has left. What happens to that data? It all adds to the many identities that any one individual is issued with across their personal and professional lives.
To solve this identity problem we need to get to the root of the issue and ask why such data needs to be stored in the first place. Businesses need to consider their own approach and ask themselves: is there really any need to hold this depth of data and paint a target on your back? Or to put it bluntly, do the benefits of holding such personal data really outweigh the potential costs of a GDPR fine?
For far too long these questions have been somewhat sidestepped as business perception has been that there is no alternate option, consequently tried and tested access management systems are often deemed suitable for the job despite underlying vulnerabilities. Any business that holds PII must consider itself a target. The latest is Havenly, a US interior design website, which recently suffered a data breach with an attaacker posting nearly 1.4 million accounts online.
We need a solution that works for service providers as well as their customers, but stemming the leaks of personal data will require a wider re-think of the way we provide, store and process sensitive information.
A new perspective
A conversation I often have with colleagues and clients is how today’s identity situation is back-to-front. As consumers, we are issued a new digital identity by every individual company we interact with, when in a perfect world each of us should control one digital identity – kept accurate and secure - that we provide when necessary. It’s what I like to call a ‘unified identity’.
One way of thinking about it is to imagine you had visited 60 countries over the last 10 years. Would you expect to have been issued 60 different passports? Of course not, that would be completely unmanageable. You have one passport that you control, then it is up to each country to request your passport and decide whether to grant you access.
This process will be music to the ears of any business leader concerned about vast PII data sets held internally – often with no real reason behind their storage. After all, it seems like an almost daily occurrence that I read an ostensibly well-managed business has been breached, leaking the personal data of thousands of its customers.
If we keep repeating the same initial mistakes the situation is only going to become worse as our PII propagates again and again, in fact, even more sensitive data, like biometrics, will be lost. So how can businesses put the theory of unified identity into practice?
Identity guardian
The missing link that will be required to enable unified identities is an accountable guardian, one that can centrally store an individual’s personal data while ensuring it remains ultra-secure with checks and balances in place to mitigate risk.
This is a two-stage process. Firstly, the individual’s identity data, including biometrics, must be tokenized so it can be securely managed. Secondly, a decryption key is split with a fragment residing with the user, offering a cryptographically verifiable mechanism to prevent the guardian itself (or an employee) from abusing its power. This means it is only when the individual consents that their identity data is provided to an organization for authentication purposes.
This process offers a simple yet powerful alternative to traditional management structures. The consumer no longer has to unnecessarily hand over reams of personal data or rely on weak passwords to access services, they simple choose to authenticate through the accountable guardian. Meanwhile, subscribing businesses no longer need to hold on to toxic data that can cause GDPR headaches and attract cyber-criminals.
There is no better time to consider making this change than today. We are already beginning to see more biometrics used to authenticate, and while many will view this as a good thing, it could be disastrous under traditional PII management processes. It would mean those 39 different organizations we mentioned at the start of this article would hold each individual’s PII as well as their biometric data – an identity bonanza for any hacker.
Most businesses would admit, when they consider the risk, they hold too much unnecessary PII. Moving to a unified identity model removes this risk and provides a secure, efficient, and futureproof experience for consumers and subscribing businesses alike.