Identity management is a great opportunity for the organisations that can get it right, because keeping track of our digital identities is a pain that we want someone to cure.
We have to try to remember passwords for every website we visit, log-in details at work, PIN codes – the list goes on. Some people are better at it than others, and criminals are quick to find new ways to exploit weaknesses – recent figures in the UK from fraud prevention organisation Cifas showed identity theft hit record levels in 2016.
Governments, businesses, institutions and the public are all looking for ways to balance security, access and convenience. It appears that banks are in a prime position when it comes to users' trust, and they also possess most of the data related to their customers.
Let's look at three models of identity management – internal, centralised and distributed – to see why this makes sense.
Internal identity management
In this model, one organisation – for example a company managing its employees – acts as the identity provider and provides the secure applications. The organisation uses the information it holds on users to grant permission and access to various internal services.
The organisation is totally independent and can define everything, from what is needed to build an identity, up to how it is used inside the company.
The obvious drawback of this model is that it only works for a single organisation and doesn't solve the problem of multiplying digital identities that people are facing.
Centralised identity management
In centralised identity, a single organisation (or government) acts as an identity provider that authenticates users to everyone else in the system. This is the model used by the Netherlands in DigiD, where identity information is held in a national citizen registry.
These systems are often designed to streamline service delivery, enable data aggregation and provide a single view of users across multiple application providers.
This model addresses the problem of multiplying identities and makes it simple for users, as everything is kept in one single place. It provides a single version of the truth and a complete, accurate and standardised view of non-confidential data across different users.
The drawback is that one location for information becomes a very tasty target for hackers – and whether they crack 'the vault' or not, if people lose trust in the system, it will fail.
Distributed identity management model
In distributed identity systems, many identity providers collect, store and transfer user information to many other organisations within the system. The Finnish TUPAS system, where more than 10 banks act as identity providers, uses this approach. With TUPAS, individuals can log into a wide range of services with credentials from their bank.
These systems are interesting because they do not rely on information from a single identity provider. This model incorporates large numbers of identity and application providers, giving users convenience, control and privacy in an online environment.
The purpose of this model is to allow users to interact easily with many different entities in an online environment by giving them a digital "wallet" of credentials. It gives the users complete flexibility because they can choose which identity provider best suits the application they want to use.
The drawback of this solution is that the different identity providers don't have the same level of identity information.
Why it makes sense to involve the banks
Financial institutions have a unique opportunity to position themselves as the most trusted identity provider in a distributed identity ecosystem. I think it's the system that makes the most sense and the banks are in a prime position because they have most of the consumers' data, the secure systems to keep that information safe and, with upcoming regulations such as PSD2, they are already expected to come up with ways to share that information securely.
This extension from authentication into identification seems like a natural and logical move for the banks.
But they need optimised infrastructure to achieve this goal, such as the right authentication platforms for federated identities and a layered authentication approach combined with advanced threat detection capabilities – and it all must comply with regulatory requirements, be cost-effective, lower risk and build trust without compromising on security and user experience.
It won't necessarily be easy and banks will need the right partners, but it will certainly be worth it for financial institutions to consider new approaches and ways to engage with their customers.
Author: Miguel Braojos – VP Global Sales, IAM Solutions at HID Global