Identity Management: The Times They Are A-Changing

In a very interesting article on New Tools for Modern Identity, Mark Diodati addresses new challenges with user authentication. He argues that adaptive authentication, and mobile biometric authentication are here to stay. I agree and encourage folks to read the article to learn about these new tools.

To hit another nail on the head: Implicit to the adaptive (or contextual) authentication discussion is that along with the unstoppable Bring Your Own Device (BYOD) trend, IT security must accept Bring Your Identity (BYOI).

I’m afraid national id cards were dead on arrival most places they’ve been implemented. Not only is it impractical to make all individuals in an enterprise’s outer circle of consumer and partner constituents use a strong authenticator like smart cards, it is impractical to make them accept any other (single) authenticator or identity provider.

BYOI is about choice and preference. For all those contributing to the so-called “pressure for social identity” Diodati mentions, there are many that eschew (some) social networks due to privacy concerns. Or that just eschew social login; a large plurality of Facebook users won’t touch Facebook Login with a 10-foot pole. 

I believe that mobile biometric authentication from vendors such as Apple will encounter a similar diversity of opinion – some will love them, some will hate some forms of, or some providers of them. Especially in a world of nation state espionage exploits. Distrust of, and state-imposed barriers to, will limit the use of any kind of device that enables surveillance or control by the identity provider(s).

BYOI is about choice. Choice drives diversity. Diversity drives complexity. Complexity drives a need for contextual authentication and contextual authorization. 

Diverse, heterogeneous technologies and their contextual application engender complexity, and it is challenging for IT to deliver complex solutions. Even though standards and interoperability have improved, this challenge remains. I see complexity therefore as a driver of cloud services, through which scarce expertise to adapt tools to constantly changing needs can be leveraged across large numbers of customers to drive the level of friction (and cost) down. 

The relevant cloud services are called Identity as a Service (IDaaS) – an authentication infrastructure that is built, hosted and managed by a third-party service provider. IDaaS can deliver single sign on (SSO) and is a logical place to implement customer-controlled policies that can be used for contextual authentication. 

The goal should be to make it very easy for users to get to services when risk is low. In emerging people-centric models of IT, organizations seek to build a compelling user experience (UX). As a corollary to that, they must avoid over-authenticating unless its possible to make the authentication process completely transparent. Many low risk activities may require no authentication, just some statistical likelihood of recognition and social trust – something that astute marketers should seek to foster.