a close up of an eye

Identity and Access Management: Online Trust Economics

Dave Coxe, CEO of ID DataWeb

Imagine a world where individuals can conduct sensitive business transactions online with reduced fear of identity theft or fraud and without the need to manage scores of usernames and passwords.

In this world, organizations efficiently conduct business online by trusting the identities and credentials provided by other entities. Redundant processes associated with managing, authen­ticating, authorizing, and validating identity data are eliminated. Loss due to fraud or data theft is reduced and additional services previously deemed too risky are conducted online. Personal information is managed by the individual after it is released to service providers. They are free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party. Individuals' participation in the Identity Ecosystem is a day-to-day-or even a transaction-to-transaction-choice.

In this world, identity solutions are scalable across multiple communities, spanning traditional geographic borders. They are interoperable to allow organizations to accept and trust external users authenticated by a third party. They achieve scalability when all par­ticipants in the various identity federations agree upon a common set of standards, requirements, and accountability mechanisms for securely exchanging digital identity information, resulting in authentica­tion across identity federations — in a community managed Trust Framework.

The onset of convergence of online and mobile applications and services without trusted identity federation infrastructure has resulted in significant security and identity management challenges across the online ecosystem — in short, online identity is currently broken due to the re-use of passwords across the Internet. Despite examples of online trust violations as daily front-page news, major business brands, and business models have evolved rapidly over the last decade that offer "free" consumer-facing online services for person-to-person data sharing, transaction management, media subscriptions, application, and retail marketplaces, search, and many more. In fact:

  • eCommerce as a percentage of total retail transactions has been growing steadily at a rate of eight percent per year
  • Time spent at social networking sites surpassed time spent at portal sites, and public cloud services are forecast to grow at roughly 20% per year over the next five years
  • Media time online and on mobile devices is growing at increasing rates while TV, print and radio time is flat or declining
  • Sophisticated mobile devices have radically changed employee and consumer access to enterprise and government information

Identity management is a foundational issue for most e-commerce transactions and other online activities. Verifying the identity of remote parties, such as determining who is seeking access to an online database of sensitive information, who is trying to do an online transfer of funds from an account, who signed an electronic contract, who remotely authorized a shipment of product, or who sent an email, is a fundamental concern.

While participants in many low-risk online transactions are willing to trust that they are dealing with a specific person or entity, as the sensitivity or value of the transaction increases, the importance of ensuring the availability and reliability of accurate information about the identity of the remote party in order to make a trust-based decision increases as well.

Today, most Internet services know little more about you than that you are an email address. This limits the set of services that can be offered to consumers. With the addition of information such as home address or mobile phone number, a wider range of service providers are able to verify that your email address is linked to the real world individual that they often already know about. So a utility provider can ascertain that your identity provider is representing the correct customer, the media company can verify that you have access to premium content, or the health care provider can connect you to your lab test results.

A person's real-world physical attributes or identifiers are used to help link their online logical identifiers to authenticate that individual's identity when rendering a service. Improving today's process through increased speed and security will allow offline data repositories (such as the NIH, Social Security, VA, IRS, banks and various telephone databases) to link the physical address to a physical and online identity.

This linkage improves the identity vetting process for online identities (identifier + address + other attributes such as name, gender, age, depending on requirements). It also allows individuals to share information about themselves from a variety of attribute providers that results in a more significant set of interactions with service providers on the Internet. These identity services will greatly enhance online transaction trust and security consistent with the goals of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and similar programs in other nations.

While online and mobile growth trends have been remarkable, efficient, trusted online identity ecosystems are expected to drive markets even faster and further with measurable economic results and benefits. Simply stated, reliability plus repeatability yields trust. The use of verified user attributes for mitigating online transaction risks across the Identity Ecosystem will increase trust and decrease transaction friction. Trust results in predictable behavior which drives quantitative and qualitative metrics and benefits (see Figure). Many organizations will attribute brand quality to organizational value and repeatable revenues. Everyone agrees that publicized identity theft, fraud, and related security violations have a direct negative impact on organizational trust, brand value and online economics.

Each participant in a trusted online community is motivated by the prospect of increasing revenue, reducing costs and increasing trust with their customers, partners, and stakeholders. The benefits of participation may also include market channel access that simplifies their ability to limit transaction liability, efficiently participate, deploy new trusted services, and monetize existing assets to the community.

Building online trust may involve individuals using an email or social (or other) identity provider — both public and private — to authenticate themselves online for different types of transactions. As a result of this, many businesses are using services like thefinalstep.co.uk in order to help keep all client's data more secure and keep up a good reputation. Online trust may also require the Internet Identity ecosystem to be user-centric — that means each of us, as a user, would have more control of the private information we use to authenticate ourselves on-line, and generally would not have to reveal more than necessary.

In short, users may be asked to assert and grant permission to bind their verified real-world and online identities to enable online transactions based on services that employ interoperable technology and legal standards to enable trusted, predictable and enforceable transactions at Internet scale.


ABOUT STRATEGIC CYBER VENTURES

Cybersecurity is national security, and we're a D.C.-based venture capital firm on a mission to find cutting-edge startups that help us make an impact. We go beyond the check to help our founders win by leveraging our industry connections and experience as cybersecurity veterans to fuel their companies from inception to exit.

To learn more about our investment strategy and portfolio, explore www.scvgroup.com or connect with us on X @SCV_Cyber to be part of our mission in shaping the future of cybersecurity.