Saturday, September 21, 2013


Fast-changing, disruptive technologies such as the Internet and mobile devices have brought us wonderful conveniences — banking without boundaries, limitless entertainment and countless productivity apps, to name just a few.
Those innovations have also created significant challenges — that threaten our personal security, privacy, financial welfare and in some cases, our liberty. It’s natural to expect some disruption when rapid change collides with institutional inertia, but the current state of personal identification, and the risks and bottlenecks it creates, has become untenable.
What functioned in a paper-based world was never suited to today's commerce, nor was it designed to establish our identity in the absence of meeting face to face. As our online persona expands with the accounts we create, we release more information than necessary to "prove" our identity. This creates a multitude of companies engaged in a business (identity verification, identity authentication) for which they are poorly suited and distracts from their core objectives.
That was okay in a world where commerce wasn't conducted globally. Information that was stolen couldn't be used as widely or as rapidly as it can today. Yesterday's credentialing processes operating in today's system create a target-rich environment for cybercriminals. After all, the Internet that enables app companies to control your garage door can equally enable cybercriminals to remotely operate your bank account.
Replacing plastic IDs
It's time to reinvent the process of identification. Many attempts have been made to tackle the problem. (Remember the push for a National ID card? You'll be excused if you don't. The idea faded fast.) None of the ideas presented to date have succeeded because they don't address the fundamental flaws in today's system.
A better approach to identification has some critical differences from the way we do things, but it's important to realize that the technology is largely available today. The problem is that unwinding decades of dependence on current methods is complex.
The traditional method of establishing an identity, such as issuing a birth certificate, remains a government-controlled process. After that, verification or authentication of our identity doesn't need to rely on the government.
Identity verification and management are best managed by a company whose responsibility is to you, and helps put you in control of who receives your identifying information. This separation of identity and entitlement is a critical aspect of the system and a big part of what's wrong now. Your driver's license entitles you to drive. Your Social Security card entitles you to benefits. Neither of them actually proves your identity.
Once your identity is established, companies ("relying parties") that require identifying information about you could obtain it from your trusted ID provider (TIP), requesting only the information necessary to entitle you to a service. If a service required that you be 21 years of age, your TIP could confirm your eligibility without sharing your age or actual birth date.
On subsequent visits, the relying party will check with your TIP to authenticate you. This should be welcomed by millions of businesses today that must maintain more information about you than they want, face the cost and pain of password resets, and deal with data and account breaches.
A modern ID system
A modern ID system would incorporate biometrics, location and other modalities to establish high degrees of confidence about your identity. Biometric authentication methods far surpass the average human's ability to accurately verify your identity.
Your smartphone is already capable of these functions, acting as your mobile biometric verification device, which means that this approach would meet a third, critical test. It would be easy and convenient to use. Other challenges and hurdles to developing a secure, robust system remain, but we deserve an identity system suited to the needs of 21st century businesses, governments and citizens.
CHRIS WIESINGER is a principal business architect for CSC's Border and Immigration Solutions Center of Excellence.

No comments:

Post a Comment