Travis Spencer is founder of Curity, an identity and access management and API access security company.

Organizations continue to increase the online services they offer to meet customer demand for “anywhere, anytime” convenience. The digital paradigm shift we’re currently in brings many opportunities for growth and high consumer satisfaction. However, it also brings many cybersecurity challenges.

Internet access to data and services must be protected against the rising volume and severity of cyberattacks, and digital identity is at the forefront. With 86% of data breaches involving stolen credentials, the stakes are high for ensuring the right people have the right access to information and systems at the right time.

As many businesses work to secure the current state of digital account and application logins, another paradigm shift is gaining momentum—decentralized identities that put the user in control of sharing their identity data. Organizations that aren’t preparing for this development in digital identity and customer authentication may find themselves trying to catch up. It’s important to understand the changes already underway and begin taking the steps to accommodate them.

Organizations Control Digital Identities Today

In most cases, digital identities are stored, managed and controlled by each organization that requires user verification for account login purposes. Users must create a digital identity for each account and application they access. Businesses are then responsible for holding and protecting that information. Each time the user needs to access the online service or application, the organization also facilitates a secure identity authentication process, which typically involves passwords, passkeys, biometric identification or multifactor authentication.

The result of the current state of digital identity is that individuals have large volumes of duplicate digital identity information scattered across different organizations. The user provides various levels of their information, from email addresses to more in-depth personally identifiable information (PII) like government-issued ID numbers, and the user has no control over how this information is managed or shared.

This creates a digital identity dilemma in which sensitive information must be relayed back and forth between verification entities. More information may be shared than an application or transaction requires because there is no way to tailor the data shared for each use case, exposing data to the risk of theft and misuse.

Decentralized Identities Are Emerging

Decentralized identity technologies are emerging as one solution to this digital identity dilemma. Decentralized identity makes it possible for individuals to become the sole manager of their identity data with the control to determine where the information is shared and how much of it is shared relevant to the context and use case.

A decentralized identity system works through a digital wallet that an individual owns and manages. The wallet stores verifiable credentials (VCs) that function as a record containing information and facts that help identify the individual. This information can be anything useful in proving the person’s identity, such as PII, certifications, associations or accomplishments.

As a digital format, VCs include tamper-proof properties and undergo cryptographic verification, making them more secure than similar physical forms of identification while effectively establishing trust. The user typically keeps the wallet on their phone or a website where they can readily and securely access it.

Benefits And Challenges Of Decentralized Identity

Mobile devices and computers are already equipped to store credentials on behalf of users, paving the way for easy and quick adoption of decentralized identity. At the same time, standards are being adopted to create a globally unified system with the interoperability to share credentials.

These technology developments can result in benefits for both users and organizations. Users can experience less friction when accessing online services, and they can share less information about themselves, which reduces their risk of identity theft and privacy breaches. Plus, organizations can save the time and effort of storing, managing and protecting large volumes of customer data that are not necessary for their access processes.

However, there are also challenges that the industry must tackle to pave the way for this next evolution of digital identity.

Data Privacy Regulation Relevancy

A challenge to widespread decentralized identity adoption is current data privacy regulations that were not created for self-sovereign identity management. Regulations will need to be revisited and updated, and that will take time.

User Behavior

One large hurdle for decentralized identities is that the practice relies heavily on users taking ownership of their digital identities. This requires diligent and attentive self-management, a significant shift in user behavior that will need to be shaped by large-scale education efforts.

Interoperability Issues

Another factor that could slow adoption is the technology interoperability problems that organizations often experience in the nascent stages of industry shifts. Companies may struggle with adapting their existing technology to accommodate the use of decentralized identities. They may need to devote time and resources to reengineering their identity and access management and API access security solutions to handle new requirements if their systems don’t already have capabilities such as token handling.

What Decentralized Identities Mean For Businesses

The most significant change in moving to decentralized identities is that users will be given control over their own data instead of organizations acting as custodians of it. As digital wallet adoption increases, organizations must rethink user authentication capabilities. The basics of identity management and API access will remain the same, but some aspects will need to be adapted to handle this shift. The main changes that organizations will need to address are:

Implementation Of A Token-Based Architecture

Building your API security and identity management around identity verification tokens aligns with best practices and ensures compatibility with digital wallets and verifiable credentials.

Limitation Of Information Requested

Tokens should be configured to use only the data you need to grant a user access to an application and its data. Determine what you absolutely need to deliver the service while still retaining strong security.

Preparation To Accommodate Different User Identities

If you currently rely on only one kind of identity for user login, you may need to make allowances for other types of identifiers. Decentralized identity brings a new customer login method that doesn’t involve a user filling in a form to create an account. Users may expect to provide their identity from their digital wallet to engage with online services. Digital wallets will include decentralized identifiers that could vary from user to user.

Conclusion

As decentralized identity technologies continue to advance, the future of digital identity aims to deliver greater customer authentication efficiency and security. Many in the tech community are currently working to address the technological challenges. The non-technological challenges, such as regulatory concerns and user behavior, may take longer to resolve. However, as we’ve seen with other digital advancements, once the shift starts gaining momentum, the landscape rapidly adapts.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
