In yesterday’s post we discussed the Identity Ecosystem Framework, and the fact that these principles are already starting to emerge with Identity Providers. While the underlying concepts and approach of the framework are solid, there are major barriers to implementing it today. The most significant issue with current implementations is that the “trusted identity providers” are not ready to fulfill their role.
The plethora of high-profile breaches in mainstream news recently has been accompanied by a consistent set of recommendations on how consumers can protect themselves. One of the most consistent recommendations from security experts is that consumers should avoid using the same credentials (username and password) across multiple sites. This advice is based on the well-founded assertion that your username and password for any given site are not safe. Combine that assertion with the fact that the ability to access one site may now be used to authenticate your identity for another site, and the amount of damage that can be done with a single set of credentials is multiplied exponentially.
Many technologies are available today for multi-factor authentication, but each approach has some impact on the user experience, which has prevented many of the same entities that are being used as “trusted identity providers” from fully implementing and requiring the higher level of authentication for every transaction. Until these entities require multi-factor authentication for every connection, using them to verify identity may cause significantly more harm than good.
At Electronic Verification Systems (EVS) we always have an eye to the future, and we will continue to incorporate new technologies to protect businesses and their customers from Identity Fraud. We will not, however, put consumers at greater risk by rushing to launch new approaches that fail to account for the security implications.