It’s time to reconsider how we identify ourselves online
Digital transformation is facing a serious gatekeeping challenge. The successful expansion of digital business in coming years will depend in large part on the secure and efficient handling of personal data. Current methods of identity verification require businesses to collect personal data in order to enable online interactions of every sort, whether it’s buying a book, booking a room, or finding a pediatrician you can trust. But personal data, even just an email address or date of birth, has value and cannot be kept safe when doled out to every site that requests it.
No business wants to be obligated to hold, update, and protect the mountains of data that are generated by growing Internet activity. But every business wants to pursue the opportunities that accessing personal data makes possible. As the pace and intensity of our online world ratchets up, what can businesses do to enable participation without exposing themselves and others to a security breach? How can we create fact-based trust among strangers without slowing down transactions or continuing to spread personal data all over the Internet?
How do I know you are who you say you are?
To get a sense of just how big the challenges ahead are, we have to look at how businesses currently handle the vital task of identity verification. Up to now, verification requirements on the Internet have been fairly simple. The information we’ve needed to know about someone in order to feel good about giving them access to our system or platform has been pretty straightforward. Often, we’re simply verifying that a user matching a certain set of data exists in the real world and that, for example, they’re over 21 years old. How do we verify this information?
First, the user provides personal data such as their name, address, and date of birth. Let’s call our customer Samantha. The company then has to establish in some authoritative way that such a Samantha exists. As there may be multiple Samanthas in the world, we must also determine which Samantha we’re talking about. That’s identity resolution. To do this, we need to consult an outside authority. This authority compares the information we’ve gathered from Samantha to find a match among available public records. Once we’ve established that our Samantha matches a Samantha in a specific authoritative public record, we can look at the relevant piece of data, in this case date of birth, and produce an answer: Yes, this Samantha is over 21. That’s the verification piece of the process.
It took three steps to get the answer we needed, and we had to collect, hold, and touch sensitive personal data to do it. First we gathered Samantha’s data and shared it with a service provider. That service provider matched it with similar data in an authoritative source (identity resolution) and then verified the piece of information we needed to confirm (verification). The process is relatively short and the answer is a tidy yes or no. So far, so good. But what happens when the question gets more complicated? What if, for example, what we need to know is whether or not Samantha is a qualified and reputable psychiatrist? That answer is not so easy to produce.
Over the next decade, as activities on the Internet expand into more sensitive realms of our lives and businesses, this process of authentication is going to explode in volume and complexity. Powered by advances in analytics, the Internet of Things, artificial intelligence, and other trends, interaction on the Internet will grow and change in ways we’ve hardly begun to imagine. These interactions will require us to authenticate facts about the participants that we have no authoritative way to validate right now. Expanding digital ecosystems will require many layers of verification and authentication that, addressed by current means, will create friction and frustration.
Identity verification and credential authentication as it is currently practiced is a roadblock to progress. We need a more secure, streamlined way to be sure we know who we’re dealing with and that the facts about them are complete, current, and correct. To get there, verification and authentication processes need to change dramatically, starting now.
Check back soon for the next installment of our Future of Personal Data and Online Verification series, where we’ll look at the factors blowing up the volume and complexity of personal data authentication, making new solutions a necessity.
Read other blogs in this series: