Consumer identity’s dirty little secret
Despite public desire to end data breaches, customer identity and access management is more marketing than security
03 April, 2017
European regulations
This trust model will continue to evolve as regulations in Europe impact U.S. companies with a presence overseas. The GDPR requires website operators to give consumers access to any and all data they hold on the individual. The consumer will also be able to delete information from the site.
Most Americans admit needing help accessing online accounts: eight in 10 have asked for assistance – hints, security questions, resets – to access their accounts or apps at some point.
More than six in ten needed a helping hand multiple times a year and 23% seek help at least once each month.
Source: Dashlane
While such regulations don’t exist in the U.S., Europe is laying down strict rules with stringent penalties for sites that are breached or don’t enable a consumer to control their personal information.
This means consumer IAM vendors are creating products that enable companies to put the consumer in control of their data, says Derick Townsend, vice president of product marketing at Ping Identity. This future vision of consumer IAM uses one login to access a profile where a consumer can change any piece of information. “In that profile I have my preference, the ability to opt in or out, my consent to share data and my ability to revoke my consent,” he explains.
While these systems will be mandatory for companies doing business in the European Union, they may also appear in the States as companies that do business overseas work to comply. “We’ve been having this conversation with many of our more advanced clients,” says Jamie Beckland, vice president of marketing at customer IAM provider Janrain. “It’s forced a lot of people to get smart about this a lot more quickly.”
GDPR 101: Understanding the EU’s new data protection regs
The European Union Council and Parliament adopted the General Data Protection Regulation (GDPR) with the idea of simplifying regulations and bringing consistency to data protection across Europe. The GDPR updates and replaces the Data Protection Directive from 1995.
Innovate Identity, a UK-based consultancy, released a paper that described how organizations might be impacted by the regulations along with some of the important changes:
- Any organization that targets EU citizens will fall under this new regulation, even if they are based outside of the EU
- The painful change is that fines for a breach of the GDPR are fairly substantial – reaching up to 4% of the total annual worldwide turnover of the company
- Organizations must prove accountability by bringing in safeguards and changing current organizational cultures of monitoring and reviewing data
- It is vital that consent is “explicit” from consumers with regard to their data and it must be given freely for a specific purpose
- With data breaches constantly popping up in the news, organizations will be under obligation to report any breaches without delay or within 72 hours to the Information Commissioner’s Office
Innovate Identity recommends that organizations begin with a Privacy Impact Assessment. These assessments are conducted as part of the regulations when the company is undertaking risky or large scale processing of personal data.
This can be a minefield, and it’s important to analyze and review current and future projects and documentation to ensure that levels of risk are low. After conducting the assessment, the organization will have a report that covers all privacy risks, suggested changes to how it operates and how to ensure it remains compliant on an ongoing basis.
The GDPR takes effect in May 2018.
A necessity with these new mandates will be a centralized compliance center where organizations can see across all their systems in one place, says Townsend. “Organizations will need policy engines in place to enforce these regulations,” he adds.
U.S. organizations do have some regulations to comply with – it’s not the Wild West, Townsend says. The Children’s Online Privacy Protection Rule (COPPA) imposes certain requirements on operators of websites or online services directed at children under 13 years of age. Having these compliance and policy engines in place can make it easier to manage and report on how personal data is stored and used.
While COPPA relates to handling information about children, there are no national regulations when it comes to overall consumer data. In the U.S. some states have different regulations impacting consumer privacy but nothing as rigorous as the GDPR, Beckland says.
The GDPR in Europe is likely the first volley of regulations that will protect consumers’ information, says Marisa Wang, vice president of products at Gigya. “Regulations are becoming onerous as organizations need to manage restrictions around user data and give users the ability to see their relationship with the organization,” she adds.
This will lead to an extended definition of identity and the convergence of marketing lead-generation models with consumer IAM, Wang says.
Some identity providers are trying to be proactive and enable consumers to choose what information is given to relying parties. Facebook put this in place a few years ago, and it may be a reason it is the most used credential for social login, according to Janrain reports.
Good IAM could translate to more business
Companies typically see a loss of business if they are the victim of a data breach. However, good stewardship of data, easy onboarding and authentication are all things that can be a competitive differentiator, Townsend says. “Showing you’re a good steward of data can translate into increased customer loyalty and trust.”
But consumer authentication remains a tough nut to crack.
As with all things, taking a risk-based approach is best, Wang says. “Rather than requiring a second factor for every use you need to evaluate the risk and then decide if additional authentication is necessary,” she explains.
Even though more sites are moving to social login, when a consumer wants to conduct a higher-value transaction, additional authentication is often required. With password fatigue at an all-time high, consumers often don’t want to remember another one, or they get frustrated with the password reset process and simply abandon the transaction.
Unfortunately, the common alternatives – particularly those that increase the security of the transactions – aren’t appealing to most consumers. “There’s not a one-size-fits-all approach,” Townsend says. “Some people don’t like social login, some people don’t like multi-factor and text message one-time passcodes because of sharing their mobile number.”
A system that enables the individual to choose the authentication method can remedy this problem. “You need to support multiple approaches and let the consumer choose which multi-factor authentication they want to use,” Townsend adds.
Emerging approaches to consumer authentication
Adaptive authentication technologies – systems that check an IP address, geo-location and behavioral attributes – are being explored for consumers as well, says Tony Ball, senior vice president and general manager of Identity and Access Management at Entrust Datacard. “We need to replace the ways that authentication is being done,” he explains. “Identity needs to be changed, no more mother’s maiden name or Social Security number.”
When it comes to the identities consumers are using, Facebook dominates accounting for 45% of all social logins. Google comes in second with 26%, Yahoo at 10% and Twitter with 9%.
Source: Janrain
Adaptive authentication that uses behavioral attributes is the future of consumer identity and access management, Ball says. “This isn’t just biometrics like fingerprints but it also might bring voice into the equation, how you tap on the keyboard – they all help paint a picture of the user and how he asserts himself,” he adds.
And this, like all things when dealing with the masses, has to be easy to use. “The user experience has to be intuitive, has to be red/green, yes and no, something that’s easy to navigate and makes you feel confident at the same time,” Ball says.
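As an added illustration (not code from the article or from any of the vendors quoted), here is a risk-based step-up decision of the kind Wang and Ball describe: the request is scored on an IP reputation flag, a geo-location change, device familiarity and transaction value, and a second factor is demanded only when the score warrants it, using the method the consumer chose. The signal names, weights and thresholds are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example: a minimal adaptive-authentication policy. Every field and
# threshold below is an illustrative assumption, not a real product setting.

@dataclass
class LoginContext:
    user_id: str
    ip_flagged: bool          # assumed result of an IP reputation lookup
    country: str              # geo-location of this request
    last_country: str         # geo-location of the previous successful login
    known_device: bool        # device fingerprint already seen for this user
    transaction_value: float  # value of the action being attempted
    preferred_mfa: str        # consumer's chosen second factor: "totp", "push" or "sms"

HIGH_VALUE = 500.0   # assumed threshold for a "higher-value transaction"
STEP_UP_AT = 25      # assumed score at which a second factor is required
BLOCK_AT = 70        # assumed score at which the attempt is refused outright

def risk_score(ctx: LoginContext) -> tuple[int, list[str]]:
    """Additive score plus the reasons, so every decision can be logged and audited."""
    score, reasons = 0, []
    if ctx.ip_flagged:
        score += 40
        reasons.append("ip_reputation")
    if ctx.country != ctx.last_country:
        score += 25
        reasons.append("new_country")
    if not ctx.known_device:
        score += 20
        reasons.append("unknown_device")
    if ctx.transaction_value >= HIGH_VALUE:
        score += 30
        reasons.append("high_value")
    return score, reasons

def decide(ctx: LoginContext) -> dict:
    """Allow silently, step up with the consumer's preferred factor, or block."""
    score, reasons = risk_score(ctx)
    if score >= BLOCK_AT:
        action, method = "block", None
    elif score >= STEP_UP_AT:
        action, method = "step_up", ctx.preferred_mfa
    else:
        action, method = "allow", None
    return {"user": ctx.user_id, "action": action, "method": method,
            "score": score, "reasons": reasons}

if __name__ == "__main__":
    print(decide(LoginContext("alice", False, "US", "US", True, 20.0, "push")))
```

Because the returned dictionary carries the score and reasons, the same record can feed both the step-up prompt and the audit log that a compliance review would ask for.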
Progressive profiling is another way to ease the consumer into authentication. On each visit a site would gather more information that would eventually complete a full profile, Wang says.
This information could then be used to create a more sophisticated picture of the consumer, adds Beckland. Janrain is working on a tool that would take all the granular consumer data and put it together to create a picture of the consumer and empower marketing efforts. “There wouldn’t be one consumer journey, you might have six or 400 but it would be based on attributes the consumer provides,” he adds.
Consumer identity management serves many masters and has a different purpose for each. For the consumer it has to be easy to get onboard, easy to use and not overly laden with marketing messages. Of course, it also has to be secure.
For the organization it needs to gather valuable information about consumers in a way that is not overly intrusive. It also has to be secure and enable the organization to paint a picture of the consumer even though they might only be getting piecemeal information. And lastly, it needs to enable the organization to comply with any regulations governing that particular jurisdiction.
That’s a lot to ask, but as regulations promulgate and consumers demand easy access plus the ability to see and even control their data, these robust consumer identity and access management systems will become a necessity.
*This article was originally published in December 2016.