The common practices for identity and access management (IAM) are failing. The ultimate goal of providing improved security for all types of users, as well as for the websites they use, seems to fall further out of reach with every passing year. After all, every new online account that someone creates adds another wrinkle to IAM. It creates another complication, another set of details to remember and the risk that someone will find a weakness in the Web host, password or other protective measures. Yet some companies seem intent on continuing to use the almost archaic safeguard of a login name and password, with no other authentication methods in place.
SecureKey and Forrester Research recently explored the concept of the digital identity in the thought leadership paper, "To Increase Security And User Trust, Embrace A Federated Consumer Identity Model," which is available for download at https://info.securekey.com/digital-notion-thought-leadership-study. With online identity an increasingly important issue for both the public and private sectors, tackling some of the problems below will be key to minimizing the amount of fraud and other issues that seem to occur far too frequently.
Multiple accounts can cause user overload and security issues
Based on the paper's findings, traditional IAM models run into several problems that limit their utility. One of the primary issues is that most users have more than a dozen accounts, with the average U.S. citizen possessing more than 18, according to Forrester Research – and the majority of respondents (60 percent) admitted to forgetting infrequently used credentials. Among those users who couldn't remember their authentication details, about 40 percent reported that they had trouble recovering their passwords.
This leads to a state where either people are reluctant, or potentially unable, to use their accounts or where organizations must provide rather simple ways to verify user identities, which can easily lead to compromised security and possibly identity theft.
Some online services are looking toward social networks
Some companies have moved toward simpler security methods, which avoid the issue of users forgetting infrequently used passwords. Social sign-in, where individuals link their identity on a social network to another website's account, possesses the kernel of a good concept, as it reduces registration friction that might otherwise cause someone to give up on using an online service. However, the issue with social sign-in isn't that it's a bad idea, but that social networks are not particularly secure. Users don't treat Facebook or Twitter with the same level of caution that they do with their bank account, and the nature of these websites means that a considerable volume of user information will be accessible by strangers. About 50 percent of worldwide respondents to Forrester's research also revealed that they don't consider social networks very secure or private, which limits their capabilities for sensitive online matters, such as engaging with health care or government services. Furthermore, business leaders typically distrust this IAM method, with one financial services firm telling Forrester, "We don't consider social identities as being strong enough for signing in to a bank account."
Employing a federated identity
But a federated identity, one that links multiple sites through commonly used, but highly secure, credentials, could solve many of the problems related to IAM. Social sign-in lacks the necessary trust and privacy for widespread use, but certain institutions – such as banks – can provide both of those features, and in most cases, Forrester Research found that users are willing to accept this change. While organizations can continue to use their siloed authentication practices, doing so carries considerable risk, if it hasn't caused problems for them already.