July 23, 2023
The Rise of Integrated Identity Platforms: Streamlining Security in the Digital Age
In today’s interconnected world, digital identity has become an indispensable aspect of our daily lives. From accessing online services to conducting financial transactions, our identities are integral to our digital existence. However, the surge in cyber threats and data breaches has raised serious concerns about identity security. The statistics are alarming. According to the Identity Theft Resource Center, there were 422 million victims of identity theft last year, with phishing attacks increasing more than 7 times.
To understand how to get past this, it is important to peel the onion and understand the root causes, which ultimately boil down to two things:
- The personal data that is stolen in these breaches is valuable. Very valuable. It underpins a black-market economy valued at 2-5% of global GDP. On the dark web, a social security number costs as little as $2, stolen online banking logins with verified balances are in the $35 range, and so on.
- Identity management is broken. Processes are inefficient, data is not connected among different functions and privacy and usability concerns cause massive tradeoffs that organizations end up making at the expense of security.
The Evolution of Digital Identity
In the early days of the internet, digital identity was often handled through basic username and password combinations. As technology advanced, single sign-on (SSO) solutions emerged, enabling users to log in to multiple platforms with a single set of credentials. While SSO improved convenience, it still relied heavily on passwords, which we all know presents inherent security vulnerabilities.
At the same time, as the number of digital services expanded, managing multiple sets of credentials became cumbersome for users. In fact, two thirds of users reuse the same password across multiple accounts. The rise of mobile devices and digital applications during the pandemic further complicated the digital identity landscape.
FIDO emerged as one solution to get rid of passwords. Based on Fast IDentity Online (FIDO) protocols, it uses device biometrics (FaceID, fingerprint) to verify the user and release a cryptographic key that in turn authenticates them into the app or service. But this too has its challenges: these passwordless solutions were not bound to the original onboarding, do not have mechanisms for account recovery, and may not apply in many scenarios or in all service channels.
To address these challenges, Integrated Identity Platforms (IIPs) have emerged as a groundbreaking solution that streamlines security, enhances user experiences, and protects personal information. I have been calling it the Circle of Identity, but from a product perspective, the term IIP is probably more accurate to describe the integration of different aspects of the identity lifecycle into a unified and secure system.
What are Integrated Identity Platforms?
According to Liminal Research’s definition, Integrated Identity Platforms (IIPs) are comprehensive solutions that “facilitate key consumer events like registration, login and transactions, streamlining processes to maximize UX, adding security through a holistic view of the consumer, and simplifying complex multi-vendor technology stacks for enterprises.” By consolidating various authentication methods, security protocols, and identity management systems into a centralized platform, IIPs not only offer a seamless and secure experience, but they also simplify user onboarding and authentication across numerous applications and services.
IIPs work across the consumer lifecycle:
- Onboarding or Account Registration: In consumer applications, this process generally involves KYC, risk-decisioning, document verification and selfie verification, among others.
- Authentication: Best practices for authentication require users to provide two factors, ideally who you are (a biometric) and what you have (device, token, card, etc.) or what you know (knowledge questions, password, SMS code, etc.). In addition, many organizations will implement adaptive authentication, which verifies a user and their authorization levels based on additional fraud and risk factors. This helps to enhance the authentication score and enable better user experiences.
- Account Recovery: Today, the account recovery process for the most part falls back to only what you know (knowledge questions), making this the most vulnerable point in the identity lifecycle.
Today, to piece together a connected technology stack that covers all these elements, enterprises essentially must combine different endpoint solutions and platforms that address each of these stages (this can be up to 8-12 vendor integrations per use case!), creating enormous inefficiencies and gaps that attackers exploit.
IIPs can unify these 3 aspects of the lifecycle by storing personal data, particularly a biometric (selfie, voice, etc.) collected at the onboarding stage, binding different attributes to the biometric record, and making that biometric record available for authentication and account recovery. This means that users can access multiple applications with a consistent, persistent biometric, streamlining authentication, reducing the reliance on passwords and sharing identity information across different services, which minimizes redundant protocols and system design. By maintaining a single source of truth in an organization via an IIP, identity governance is also much more robust and easier to manage with respect to privacy and data protection regulations.
Liminal cites compelling statistics for adopting IIPs in their latest research report, including:
- 15.3x annual return by avoiding the cost of integrating multiple vendors and reducing fraud losses that occur as a result
- 300% faster authentication time
- 230% reduced fraud attack risks
- 98% reduction in consumer help desk requests
- 89% reduction in account recovery time
- 6.6x more converted customers as a result of lowering abandonment rates
- 2.3x reduced fraud losses for consumers
- 29% increased trust with enterprises
The benefits of the holistic view that an IIP provides are compounded by the layering of advanced analytics and the combination of different protocols including biometrics, fraud detection and other low-friction workflows that enhance accuracy and lower friction both for the consumer and the enterprise.
IIPs, Privacy and Data Protection
According to IBM’s Cost of Data Security Report 2022, 83% of organizations had more than one data breach, with the average cost of a breach rising nearly 13% in the last several years. At the same time, data protection laws are becoming more and more common across the globe, creating a conundrum for enterprises who need to effectively manage identity and security risks. In fact, anecdotal evidence from Anonybit shows that many organizations opt not to store biometrics and other personal data for fear of a data breach and the recurring liability. This puts into question how to effectively implement an IIP, for how can an organization have a unified identity system without storing and managing biometrics and other personal and identity data?
Enter Privacy Enhancing Technologies (PETs), a new class of technologies that embody fundamental data protection principles by minimizing the data that is collected and stored, and limiting access to the data itself. PETs can provide the underpinning to a strong and robust IIP implementation, reducing the organization’s risk and exposure in collecting and managing the data that is required. Multi-Party Computation (MPC), also known as Secure Multi-Party Computation (SMPC), is one type of PET that has a lot of advantages for biometrics and identity in particular, in that it can be combined with another PET, Zero-Knowledge Proofs (ZKP), to distribute the storage and the processing of personal data across multiple environments. This includes one-to-one biometric matching, one-to-many biometric lookups and non-biometric data storage and retrieval (images, tokens, etc.). With MPC, multiple parties perform an agreed computation over their private data, while releasing only the final computational output. What this means is that it is possible to confirm an identity without recalling or reinstating the original biometric sample, a very powerful proposition for the implementation of an IIP, where it is desired to have a consistent process across multiple channels and applications without transferring data across.
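The MPC property described above, as an added example that is not from the original post and is not Anonybit's protocol: three nodes hold additive shares of an enrolled feature vector and of a fresh probe, and jointly compute the squared distance between them while opening only masked values and the final result. The modulus, the trusted dealer that supplies the masks, all function names and the integer vectors are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1  # prime modulus for additive sharing (assumed parameter)

def share(value, n):
    """Split value into n additive shares that sum to value mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % P]

def reconstruct(shares):
    """Open a shared value by summing every node's share."""
    return sum(shares) % P

def share_vector(vec, n):
    """result[i][j] is node i's share of coordinate vec[j]."""
    cols = [share(v, n) for v in vec]
    return [[col[i] for col in cols] for i in range(n)]

def shared_sq_distance(x_sh, y_sh):
    """Nodes holding shares of x and y jointly compute ||x - y||^2.

    Neither x nor y is ever reassembled; only masked differences and
    the final distance are opened.
    """
    n, dim = len(x_sh), len(x_sh[0])
    total = [0] * n  # each node's running share of the distance
    for j in range(dim):
        # Assumption: a trusted dealer pre-distributes shares of random a and a^2.
        a = secrets.randbelow(P)
        a_sh, a2_sh = share(a, n), share(a * a % P, n)
        # Each node masks its share of d = x_j - y_j locally; e = d - a is opened.
        e = reconstruct([(x_sh[i][j] - y_sh[i][j] - a_sh[i]) % P for i in range(n)])
        # d^2 = e^2 + 2*e*a + a^2, evaluated share-wise; node 0 adds the public e^2.
        for i in range(n):
            pub = e * e if i == 0 else 0
            total[i] = (total[i] + 2 * e * a_sh[i] + a2_sh[i] + pub) % P
    return reconstruct(total)  # the only value released

def matches(x_sh, y_sh, threshold):
    """Accept the probe when the jointly computed distance is within threshold."""
    return shared_sq_distance(x_sh, y_sh) <= threshold

# Constructed sample data: small integer vectors, not real biometric templates.
ENROLLED = [12, 7, 30, 5]
SAME_USER = [13, 7, 29, 5]
OTHER_USER = [2, 25, 9, 18]
```

Each opened `e` is the true difference offset by a uniformly random mask, so it carries no information about either vector on its own; a production design would also need to replace the trusted dealer and compare against the threshold without releasing the distance itself.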
Access the Liminal Report on the Rise of IIPs and Their Impact on Digital Identity
As the digital landscape evolves, the importance of secure and streamlined identity management cannot be overstated. Integrated Identity Platforms represent a significant leap forward in safeguarding sensitive data while offering a seamless user experience. By integrating multi-factor authentication, single sign-on, identity federation, and adaptive authentication, IIPs effectively address the challenges posed by cyber threats and data breaches. As businesses and individuals continue to navigate the digital realm, embracing Integrated Identity Platforms will be crucial in ensuring a safer and more convenient digital future for all.
“The identity market is rapidly shifting. Vendors like Anonybit are developing end-to-end Integrated Identity Platforms (IIPs) to capture a large, rapidly growing market opportunity and deliver real, tangible ROI to enterprises and end customers,” said Will Charnley, Managing Director, Advisory Services from Liminal.