Digital identity management: Balancing usability, security and privacy

The term "identity" has certain emotional connotations. All kinds of misconceptions and complexities can arise when people talk about digital identity.

“People want to make digital identity more than what it is,” said Susan Morrow, head of R&D at Avoco Secure, in a recent Cyber Work Podcast.

She moved from the field of cybersecurity more than a decade ago to focus on the digital identity arena. As digital identity is where technology and human beings intersect, it can become complicated, especially when you work in things like citizen ID and consumer identity-driven transactions.

Digital identity vs cybersecurity

"Digital identity overlaps with cybersecurity in every possible part you can think of," said Morrow. "When you design an identity system, you have the human using it, the administrator, and other people working on configuration. There are so many pieces that need to intersect with cybersecurity."

Areas like authentication, for example, are part and parcel of the eternal security puzzle of balancing usability with security; digital identity is at the cutting edge of that security/usability balance. The value of identity becomes readily apparent when you consider that most cyberattacks utilize compromised identity as part of their mode of operation.

Thus, digital identity management is central to all cybersecurity and online interactions.

Digital identity management vs digital wallets  

Traditional digital identity systems can sometimes be at odds with those companies promoting digital wallets, such as the Apple Wallet. Since many services want to use various aspects of identity, some people in the middle need to control that as part of privacy and security. You need all kinds of plumbing. For example, protocols are used in the identity space, but not everybody speaks the same language. Systems must be able to translate the different languages and protocols and remove some of the heavy load weightlifting from service people, web developers and others.

“You need something to search around and find the right type of identifier for a particular transaction because web developers often lack comprehensive knowledge of protocols,” said Morrow. “Middleware and plumbing must be able to automatically perform tasks such as privacy enhancement and analysis of data.”

She believes that the hard work will be involved in convincing the industry that we can all work together to create a better user experience (UX) for everybody and stop building proprietary wallets and other systems that just add more complexity.

The lack of uniformity  

A big challenge is the lack of uniformity among users, their devices, capabilities and preferences. Some users don't want to use a smartphone, and others might not be able to complete the digital processes necessary to sign up for an account online. For example, signing up for a crypto platform account might require holding up a passport picture while holding your camera facing you and other functions that may be difficult for some users with arthritis or other physical ailments.

"You need to give commercial enterprises choices about how a vast audience wants to use their services; otherwise, they are going to miss a whole slice of the market," said Morrow.

In some ways, it is like the old days when there was a fight over video formats — NTSC versus PAL. It took about a decade before standardization on one platform occurred due to conflicting proprietary interests. What we have today is similar, yet more complex. Competing identity systems are being developed simultaneously, and neither side wants to step down. Hence, today, we have all so many different identity systems.

"There are so many companies now investing in wallets, including Android and Apple, that there's going to be a shakeout, and you're left with a few," said Morrow.

There are also government initiatives about identity around the world. There's a European-wide identity system that they're looking at moving to a wallet. The Europeans may agree on a centralized identity system, but that is less likely to materialize in the UK and the USA. Ultimately, the market will decide.

Digital identity versus technology 

Digital identity isn't just about technology. It's about people. It's about processes. It's about liability, too, because this is all about data. Therefore, businesses, analysts, solution architects and those in cybersecurity need to truly understand at a granular level how people will be using the system and account for the many different use cases and preferences.

Morrow believes we have a golden opportunity to make people's lives and jobs more accessible and secure and to enhance privacy. There are systems already in existence that might be able to take us there, such as the work occurring with open banking.

But, now, open banking is limited in the data it can exchange. It needs to go a step beyond to arrive at an ideal state. That requires a lot of standardization in establishing ecosystems with aligned protocols and systems.

"On the design side, the user interface and the UX are fundamental aspects of the identity space as they are central to understanding human behavior and interaction," said Morrow. "I'm hoping that more anthropologists and behavioral scientists are involved in this space because we really need to be engaged in these people because this is where human beings and technology truly intersect."

For more, listen the Cyber Work Podcast, Digital identity and cybersecurity are inseparable.