Cutting Edge: ‘Bring Your Own Identity’
06 August, 2014
category: Corporate, Digital ID, Financial
When an employee starts at a company they are typically given a user name in the form of a corporate email address and told to create a password. Depending on the job and position, other tokens might be assigned but at the minimum they are supplied this initial identity credential.
But a new trend in the enterprise market is starting to emerge as “Bring Your Own Identity” – BYOI or BYOID – takes shape. It’s already being used in the business-to-consumer realm under the moniker of social login, but people often don’t realize this is actually a form of BYOID.
When a consumer chooses to use Facebook, Google or other social media credentials to log in to a site, that’s BYOID, says Dimitri Sirota, senior vice president of business unit strategies at CA Technologies. “Now we want to make it easier for the employee to login and use technology similar to what they have on the consumer side,” he says.
The Ponemon Institute and CA Technologies partnered to survey IT executives on BYOID. The study included two groups from the United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom. The first consisted of more than 1,500 IT practitioners and the second included more than 1,500 business executives. The goal was to understand trends in BYOID, which the study defined as the use of trusted digital or social networking identities.
According to the survey, most of the interest in BYOID is in customer use, with 50% of IT users and 79% of business users, respectively, showing interest. Employee use is also of interest at 46% for IT and 26% for business respondents, though not nearly as far along, Sirota says. “Employees might use that as a primary factor of authentication and then use another PIN or password as another factor,” he adds.
Respondents have high levels of interest in BYOID, but IT users and business users have different perceptions as to its value. IT sees BYOID’s value in fraud reduction, risk mitigation and cost reduction while the business sees the value in streamlining customer experience and improving marketing efforts.
On the IT side of the enterprise, the survey found that the value in BYOID is in strengthening the authentication process at 67%, and reducing the risk of impersonation at 54%. On the business side, the value comes from delivering a better customer experience at 79%, while increasing the effectiveness of marketing campaigns rang in at 76%.
Mobile identity
Mobile is also driving BYOID. Creating new accounts and entering user names and passwords on a mobile device is difficult and can lead consumers to abandon transactions.
Almost half of IT respondents and more than 80% of business respondents have high or very high interest in BYOID for mobile user populations.
When asked which features would most likely increase BYOID adoption within their organization, there were a few items on the wish list. Some 73% of IT users want identity validation processes and 66% want multi-factor authentication. Business users also want identity validation processes and simplified user registration – both at 71%.
The study also indicates a significant desire for some level of accreditation for the identity providers. In order to consume identities from various identity providers, organizations want assurance that they can be trusted, and this is where accreditation comes in. Some 80% of IT users and 75% of business users say accreditation is important or very important.
In terms of preferred identity providers, IT ranked PayPal, Google and Amazon as the top three while business named Amazon, Microsoft Live and PayPal.
The majority of both IT users and business users would like to have mobile device factors added to the digital identity. IT users would also like 4-digit PINs and risk-based evaluations. Business users prefer to add passive factors such as geo-location tracking.
In terms of barriers to adoption of BYOID, IT users cite risk/liability concerns at 34%, followed by complexity at 21% and loss of control at 19%. On the business side 31% cite cost as the largest barrier followed by complexity at 23% and risk/liability concerns at 19%.
The Ponemon report suggests three steps to assess if and how BYOID would fit into an organizational strategy:
- Engage IT and business in collaborative discussion. Organizations may already be utilizing BYOID for some initiatives, but to achieve maximum gain, organizations should conduct an overall assessment of current and future business initiatives to determine potential fit for BYOID. This exercise could include basic simulation/modeling of a new online initiative with BYOID and without BYOID. This will help address key questions: Will supporting BYOID increase new customer acquisition? Are the costs of continuing to require users to create and maintain their own accounts more than the incremental value that is generated from BYOID?
- Conduct a BYOID risk assessment. To start, convene a cross-functional team with business, legal and privacy expertise to understand the underlying risk and liability issues. These discussions could include questions such as, “Is accepting an identity from identity provider X acceptable?” and “What is the minimum level of assurance we’d expect from identity provider X?”
- Monitor BYOID trends. BYOID continues to be an active area with new developments both from vendors and public/private sectors. Leveraging other industry work in BYOID can help enhance your own efforts and ensure that best practices are always being utilized.