New Internet identity ecosystem forges a user-centric future
Click on a new Facebook application and a warning box pops up telling the user that the app will access their basic info, email address and other data. The user can either hit “OK” or “Cancel,” it’s a black and white choice with no option to just give up certain data.
The scenario illustrates a major concern with the use of social media credentials for access to other sites, a process known as social login. The user does not control the information that is shared with the other site. This issue is leading some to advocate a different type of identity model online.
A user-centric identity model puts consumers at the center of action enabling them to choose what information they want to share. It puts the user in control of their identity, eliminating reliance on an outside identity provider every time a new connection is made.
It also can make the process more secure by adding multi-factor authentication – such as one-time passcodes, biometrics or smart cards – or multi-factor security techniques such as identifying the specific computer used for login, geo-location or other passive behind-the-scenes operations. A combination of these techniques eliminates reliance on and lax security around user names and passwords.
“The definition I favor for user-centric identity involves a digital identity or credential that an individual, acting on his or her own behalf, can choose to use in a variety of online interactions, with an expectation of privacy and security around identity-related data sharing,” says Eve Maler, principal analyst serving Security & Risk at Forrester Research Inc.
These user-centric credentials can also be used in multiple places. “This differs from a digital identity or credential issued by an employer, whose usage is governed by an employment agreement and by goals that aren’t entirely the individual’s own,” Maler adds. “It also has a reusable element with multiple online services, which local login accounts like the ones we use in the U.S. for online retail banking don’t generally support.”
Single sign-on, federated logins offered by OpenID, Google, Facebook, Yahoo and others has its roots in user centricity, but ultimately the consumer doesn’t have control, says Phil Windley, founder and chief technology officer at Kynetx and a founder of the Internet Identity Workshop.
Social login bolstered by password frustration
Using social network information to login to other web sites is becoming increasingly popular. “People have too many identities and can’t keep them straight,” Windley explains. He feels consumers end up accepting social logins because they simply don’t want to remember any more user names and passwords.
A recent study concurs, finding that 52% of consumers are comfortable using social logins for access to other sites. The study – conducted by identity management provider Janrain – determined that the main reason was consumer frustration with multiple user name and password combinations.
Companies who choose to accept these social logins also stand to benefit. Some 92% of those surveyed have left a site and cancelled a transaction instead of resetting or recovering login information according to the study. Leveraging a social login that the consumer has already established can solve this problem, and 65% say they are more likely to return to a site that accepts social credentials and automatically welcomes them.
Janrain provides web sites with the ability to accept credentials from 30 different identity providers, says Michael Olson, product marketing manager at the company. Sites that use Janrain’s technology present a login screen that enables a user to select their credential of choice.
After the user selects their desired login, a permissions screen displays the specific information to be shared with the other site. The information given up is highly dependent upon which identity provider the user chooses. “For some they need to grant access to all the information, for others it’s more granular and they can choose what information to give up,” Olson explains.
Using these social credentials can also lead to greater security, Olson says. Consumers who leverage social logins tend to use more secure passwords. Also, when a social login is used the relying party – or the site where the credential is used – doesn’t store the password information. So if that site’s identity database is hacked they don’t have to worry about the information being compromised.