Part 3: Creating Trust Among Strangers
March 16, 2018
Online verification needs are growing, precipitating a major change in how authentication is handled.
Part One of this three-part series looked at the current system of authenticating user credentials and its inherent weaknesses, such as the increasing difficulty of protecting Personally Identifiable Information (PII). In Part Two, we surveyed some of the factors set to cause personal data and online verification needs to spike. These include the expansion of digital business into more consequential areas of life such as healthcare, the growth of digital ecosystems with their many interdependencies, and the widespread adoption of IoT and AI, bringing the real and virtual worlds together in complex new ways. In this final installment, you’ll learn about new online verification solutions enabling businesses to transition to radically more efficient and secure means of creating trust among strangers.
The way companies verify identity and authenticate various credentials and attributes today leaves people with little control over their personal information. Once provided online, it takes up residence in a corporate or organizational database where it can be nearly impossible to protect, update, or remove. The ideal solution to online verification would shift possession of this information back to the individual. People should be able to provide their verified proof of identity and credentials to any digital platform they choose, without handing over sensitive PII each time. The ideal solution would be secure, scalable, rely on consent, and return control to the individual. As TechTalks’ Ben Dickson put it, “Our online identities have become too valuable and complicated to entrust their safekeeping and management to anyone else but ourselves,” but what’s the best way to make that happen?
Improving Security with Multi-factor Authentication
One way to be more certain about identity verification results is multi-factor authentication. Combining a username and password with a second step, such as a unique code, certainly improves security, but it also slows and complicates interactions. This kind of friction puts a damper on confidence and enthusiasm, and makes the user experience less positive. Still, multi-factor authentication can be a valuable addition to a systemic identity verification program, particularly if it is incorporated in such a way as to minimize the steps individuals have to take and businesses have to manage and maintain. Leading-edge identity verification solutions are finding ways to offer multi-factor authentication without creating more work for users or companies.
Blockchain is a Seismic Shift, Not a Practical Solution
Bitcoin has made blockchain almost a household word. Technology journalists regularly extol its virtues, suggesting that our collective data security worries may soon be over. While that may one day come true, for the foreseeable future, blockchain and other ledger-based strategies are valuable tools to be considered and potentially integrated into broader authentication platforms, but likely not a complete solution on their own.
Blockchain ledgers are more resistant to cyberattacks and tampering. They do a better job of preserving data integrity, and are a useful source of forensic detail. However, as a practical solution to authentication needs, blockchain is still a long way from being widely adopted. “While the impact will be enormous, it will take decades for blockchain to seep into our economic and social infrastructure,” according to the Harvard Business Review.
Blockchain, in its current incarnation in Bitcoin, “suffers from significant limitations in scalability, functional scope, performance, efficiency, and operational manageability,” according to Gartner. While scores of new blockchain platforms are springing up in the hope of addressing online data challenges in healthcare, government, manufacturing, and elsewhere, these technologies will take a long time to implement and become reliable.
Although a blockchain stack is resistant to tampering, the data it holds still comes from a source that may or may not be authoritative, so facts recorded on a blockchain are not automatically authoritative. MIT has created a blockchain where alumni credentials can be verified, making it perfect for verifying MIT-issued credentials, a useful but narrow application.
Ledger-based innovation holds the potential to return data autonomy to individuals and perhaps ultimately free businesses, governments, and other organizations from their roles as guardians of the world’s data. For now, the practical application is to help improve security, leave a more robust forensic trail, and verify narrow facts.
Start Collecting Answers, Not Information
To find a practical solution that can be implemented now, scale fast, improve security, and see organizations into the future, businesses must shift from collecting information to collecting answers. Consider Part One’s example of current verification practices. The business collects a name and date of birth, works with a verification service to match it to data in an authoritative public record, and then learns whether or not the customer is over 21 years of age. But the business doesn’t need to know when this customer was born; it just needs to verify that she is over 21. What matters is the answer, not the detail. Today’s leading-edge authentication solutions are focusing on creating ways to deliver actionable answers, not store personal data.
Evident is one solution that has developed a simple, secure API that enables companies to mitigate PII collection while giving answers. With Evident, customers no longer need to provide personal information every time they want to interact with a business or platform. Evident lets individuals take back ownership and control of their data, protecting their privacy and enabling them to consent or deny access to any entity that requests it. Protected by bank-grade encryption, personal data and credentials reside in just one place, where they can be kept secure and up to date. Evident connects with hundreds of authoritative sources to confirm key facts and attributes, for a more reliable assessment of qualifications. Once established, an Evident profile can be used for any online interaction, building context and improving security along the way. A ledger-based foundation means Evident IDs are easy to protect and audit. Multi-factor authentication is built into the process without adding friction.
This kind of approach liberates businesses from a host of increasingly difficult challenges. First, companies can finally get out of the PII business. If you don’t hold personal information, you don’t need to invest continuously to protect it against ever-evolving threats. The Evident API can also help manage credentials, letting you know when an important change occurs in an individual’s status. If a driver on your platform just lost their license, you’ll know. If a doctor at a healthcare provider you partner with has earned a new certificate, you can get that update as well. What’s more, individuals—those who know their personal information best—can correct and update their information anytime.
Put customers back in control of their personal data
Giving PII and verified credentials back to the individual lets you move quickly to seize new opportunities without scaling up infrastructure. The Evident API minimizes integration tasks, so your business can focus on core objectives, and the IT team can give their attention to innovation. Evident streamlines complex authentications, such as ensuring that a physician has the necessary background and qualifications. The Evident API connects to authoritative sources, from universities to state boards to birth records, to provide verifiable confirmation of the facts. Instead of knowing everything about someone, you can know only what you need to know. Evident lets you streamline manual review processes by automating the evaluation of key attributes. It’s more efficient and helps reduce unconscious bias, as those evaluating applications access only the information they need, not all the information about a person.
Compliance and privacy are easier to manage when you put personal information back in individuals’ hands. Data stays with the customer instead of being distributed to servers that may physically reside in any number of regions. Consent is built into the process and documented. Evident can monitor your PII practices for global compliance issues and notify you when you need to make a change.
The future of data authentication has arrived
Imagine a world where all of us can participate online without handing out personal information for every site and transaction that requests it. Imagine hosting a platform of millions of providers and buyers without collecting PII from any of them. Imagine knowing that you can create new strategic partnerships without worrying about exposing your customers’ personal data to new vulnerabilities. Evident makes it possible.
Evident helps some of the world’s largest digital platforms verify the qualifications of their participants. Through leading-edge innovation and a unique distributed data model, Evident capabilities are also helping companies tap into new data, analytics, and IoT–driven growth opportunities. As devices gather more and more personal data, the potential for business intelligence grows. Businesses looking to access that insight without collecting highly personal data can turn to Evident.
No one knows how far IoT, AI, and other advanced technologies will take us, but we know it will involve an ever-widening array of attribute verifications. Customer expectations are on the rise and brand reputations are on the line, even as existing systems fail to keep up with expanding security, compliance, and verification needs. It’s time for a new approach that enables trust at the speed and scale of digital business.