We’re playing out increasingly personal aspects of our lives online – from managing finances and purchasing wish lists, to catching up with family, friends and even dating.

So encouraging users to identify themselves online – and confirming details against a ‘real’ person – is critical. How can businesses secure this process, without impacting on users’ experience?

Merging ‘real’ and digital identities

True anonymity online declined as social networking’s power snowballed. Users stopped dreaming of unique, bizarre pseudonyms to represent themselves – happily connecting under their ‘real’ identities, online.

Social networks encouraged the change, believing ‘authentic’ user identities increased the credibility and security of their platforms. This approach is now trickling into more and more digital services. For example, businesses invite users to submit product reviews under their real names and many people are coached to increase their digital profiles for career advancement.

The challenge for digital identity verification

So a wealth of digital businesses build authenticity into their service – and must verify we are who we say we are, online.

It’s no surprise that the technology powering identity verification services is constantly evolving. They balance two critical, clashing factors on a knife-edge: security and customer experience.

With headlines dissecting TalkTalk and Sony’s breeches, consumers require more reassurance to part with their data. But, their loyalty is fickle. If registration or purchase is too cumbersome, rigid or protracted – they will head elsewhere.

Trending verification technologies

So the stakes for businesses are high. A wave of verification solutions has emerged to validate who users are online, ready for you to choose.

Two-step verification

Creating a unique username (and password) to access websites is the most familiar digital identity system.

But on a security level, it’s broken. We all know we’re meant to create unique, elaborate passwords for each account… but it’s easily forgotten, with cluttered memories and fast-paced lives.

Two-step authentication is the popular, viable solution. Blending digital and physical, identities are verified with unique knowledge (an alphanumerical term, like a password) and real-time possession (pinging an object).

Sounds complicated? Cash machines are the original. We’re granted access to our sensitive financial information by possessing a physical chipped card, and remembering a secret PIN.

But we’re less used to this online. The trick is integrating a physical authenticator that’s secure, but doesn’t inconvenience. The cost, delay and hassle of issuing unique physical tokens – like a key fob, or card reader – nearly sunk this idea.

Now, it’s nearly seamless – taking advantage of beloved smartphones. Businesses ask users to add a mobile contact number, and enter a unique code sent via secure SMS.

Access to government services online is in demand, yet verification’s critical. Two-step verification secures the login for the British answer – GOV.UK Verify. With certified providers like CitizenSafe, users go through online verification testing just once – opening an account (and logging in) through that two-step, digital/physical process.

Biometric verification

But biometric technology means even our bodies could be the future for two-step verification.

If you own the latest iPhone or Samsung device, you’ve already tried it. Fingerprint data is a particularly elegant solution for unlocking devices, though requiring investment, for sensor installation; and service partners, to use as a commercial purchase channel.

It’s encrypted via a mathematical model. But, as Mashable exposed – criminals lifting a copy of those fingerprint smudges left on your screen could be a flaw.

Our faces could be the future. Windows 10 offers facial recognition for PCs with ‘depth cameras’, using infrared light to identify users for login. Amazon filed a patent application for ecommerce ‘payment by selfie’ earlier this year. It’s secured via their own two-step process: taking the first photograph to confirm users’ identity; then asking them to subtly adjust position, for a second shot. This confirms device proximity, halting fraudsters using photos to pose as another.

Data storage solutions

Regardless of how you choose to protect login – a critical question remains. How can businesses store personal data sensitively, wisely and most of all securely, against hackers?

Not just your credit card details, this question hovers over all identifying data – even your home address, date of birth, or full name could put you at risk of identity fraud.

Originally developed as a secure ledger for bitcoin transactions, adapting blockchain technology is an exciting new possibility. It’s a fortified, distributed database where no organisation holds all the data.

Each block of data is added sequentially, embedded with a ‘hash’ of its neighbour. This is the ‘digital version of a wax seal’ – not only confirming data’s legitimate, but fortifying against unauthorised revision.

Summary

Streamlining our busy lives, we’re eager to connect our digital activities with our ‘real’ offline identities. But, with opportunity comes risk – that organisations must mitigate responsibly for their users.

Businesses looking to leverage new technologies must strike a difficult balance – verifying users’ real identities securely, but without significant impact on their experience. Otherwise, there’s a real possibility they’ll go elsewhere.

 


By Danny Bluestone, CEO of digital agency Cyber-Duck


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.


comments powered by Disqus