By Marc-Anthony Signorino, Executive Director, IDESG
When thinking about how to describe what digital identities currently look like, I was reminded of this scene from “The Wizard of Oz” where the scarecrow is attacked by the flying monkeys who proceed to rip him limb from tattered limb. “That’s you all over,” said the Tin Man; and that sums up the current state of your online identity.
Think of all the websites, companies and government agencies that have your identity on record – all for various reasons and all incomplete. The DMV’s records show what cars are registered in your name, how long you have held a license and any driving infractions on your record. The IRS’s version of the digital you shows your income and taxes owed and paid. At your alma mater, your digital identity revolves around your academic history and achievements…we’ll just assume all A’s. While each of these profiles shows a part of you, individually, they are incomplete – as they should be.
Currently, there are a variety of methods to authenticate your identity, and which one applies depends on who you’re proving it to – a credit card company’s requirements could differ from those for a tax refund, and the same goes for a medical or financial record. It’s recognized that there are three ways to authenticate an identity: with something you are (e.g., biometrics, facial recognition, voice print), something you know (e.g., password, PIN, knowledge-based authentication, secret question), and something you have (e.g., smart card, smart phone with secure element, security token). Each of these is bound to fail if used on its own – it takes multiple authentication factors to truly validate your identity. Unfortunately, the current state of online identity only requires a user name and password, and maybe a one-time password via SMS text for a second factor, if you’re lucky. This poses a serious issue because of how easily your identity can be used and abused by fraudsters.
This is where the IDESG’s Identity Ecosystem Framework (IDEF) comes in. Digital identities created by IDEF-attesting organizations are designed to be truly trusted. Whatever form the digital identity takes, the IDEF digital profile is one that can be used for each online service that requires a secure log-in – creating a complete, consolidated and comprehensive way to verify that you are who you say you are without relying on usernames and passwords. For instance, an IDEF credential requires that only the barest minimum information necessary for the transaction is shared, and only for as long as needed to conduct the transaction. Want to buy a bottle or 12 from your favorite winery’s age-restricted site? They don’t need your birthday, they only need to know that you’re over 21 years of age. This reduces risk for organizations creating the credential, consuming the credential, and consumers using the credential, as significantly less personally identifiable information is transmitted and stored – making it a much smaller target for hackers.
Version 1 of the IDEF digital profile is close to completion and we’ll be unveiling it soon. Our goal is to create an approach aligned with the NSTIC Guiding Principles that enables a convenient, consolidated and secure means for consumers to authenticate themselves to the online sites and services they want to visit. From here, we are working to engage relying parties to leverage their insights and catalyze the adoption of the framework. I encourage you to participate in our next Plenary meeting to see firsthand how you can be a part of our identity revolution.