In today’s world, much of our data is stored online. Individuals are strongly encouraged by mobile apps, retail websites and social network providers to “update their profile” to share more and more personal information in addition to that already collected. Companies use this data to improve the user experience and to better understand their customers. But every interaction that an individual has, online and in person, potentially stores information about them in an unknown database at unknown datacenters somewhere around the world.
There is little incentive for the organizations, merchants and vendors who have collected the profiles to secure this data. The seemingly endless stream of high-profile breaches and the rise of identity fraud – which according to Javelin Strategy and Research was an all-time record high in 2017 – has caused consumers to grow wary over the loss of control over their identity, how this data is being secured/stored and who it’s being shared with.
Privacy concerns have sparked a global debate around the handling of personal information. One possible solution concept, Self-Sovereign Identity (SSI), which advocates for individuals having control over their personal identity data, is becoming more popular. And while the idea of owning your own data and consenting to its use may have seemed impossible just a few years ago, legislation such as General Data Protection Regulation (GDPR) is already making it a reality. Similarly, the Digital Identification Bill was recently approved by Thailand’s cabinet, and is expected to soon be passed by the National Legislative Assembly and should take effect in the middle of 2019. Given this, we expect to see more privacy legislation globally – including within the US – that grants individuals control over their Personally Identifiable Information or PII.
While such regulation is a much-needed step in the right direction, it does not change the fundamentals of the problem. Presently, knowledge-based authentication (KBA) is the most prevalent means of verifying the identity of an individual, especially during online interactions. But once a set of personal information fields has been compromised, it is no longer suitable for authentication – the individual providing the values may be the thief. Soon, when every piece of PII for nearly every first-world citizen is available for sale on the dark web, the current knowledge-based single-factor authentication system will be rendered useless.
So how do we implement self-sovereign identity while complying with existing – and forthcoming – data privacy regulations? There is clearly a need for a system that enables secure management of a verified digital ID with secure methods for sharing of a limited amount of PII fields. This system would require the confirmation of authenticity for both the user and the vendor, without relying on a third party to keep the storage memory location and exchange confidential.
While it may be true that most US consumers are so-called “data pragmatists” who will trade personal information for certain incentives or benefits under the right circumstances (millennials more so than other groups), one thing is clear – consumers are demanding more control over their personal data. And the Identity and Access Management (IAM) industry is racing to solve the digital identity crisis and put the power back into consumers’ hands.