Allowing employees to use their own digital identity may reduce issues such as remembering multiple passwords and security reporting.
A lot of the talk around the consumerisation of IT focuses on employees using their own devices, installing their own apps and using social media.
The trend to bring your own device (BYOD) is at best seen as employees being innovative in the way they use IT, and at worst a danger to an organisation’s digital assets that needs to be monitored, controlled or blocked.
While employers can exercise some level of control over what their employees do with IT systems, this is not the case with customers.
Recent Quocirca research shows the extent to which the BYOD trend is being exploited more and more by businesses in one particular area – bring your own identity (BYOID). The primary opportunity is the ease of engagement with consumers.
The driver for this is to solve one of the oldest issues in the pantheon of IT security issues – the problem of users having to manage multiple identities and remember many passwords. In effect, BYOID is outsourcing all the issues involved with establishing and managing identity to third parties.
The marketing push
Most providers of internet services want their regular users to create an account of some sort so the relationship can be deepened for marketing and other commercial purposes. Accounts need logins and that means establishing an identity. However, rather than getting users to create a new identity, many now turn to third-party social media sites that the user already has an account with; there are many to choose from: Facebook, Google, Yahoo, Twitter or PayPal for example.
Most of the major social media sites provide widgets and APIs that enable the use of the login credentials the user has for their site as a way of authenticating to another. This is convenient for the consumer as it allows them to register for a service more easily and then, of course, when they return at a later date, they are far more likely to remember their credentials if they are the ones they use for their favoured social media site. Indeed, many of their devices may be set to automatically log in to such services.
Cementing the relationship
It is good for the social media site as it cements its relationship with users too and raises its profile through exposure on hundreds of other sites. JustGiving, Spotify and The Economist are just a few examples of those offering social login. For the provider of a new online service, there will be a whole series of questions about doing this, including the veracity of social identities, how to set up and manage them and how to authenticate the actual user behind the identity.
When it comes to veracity, some will worry more than others. A free media service that wants to capture identities for marketing purposes may not care if a few are not real. Users will like the convenience of using a social identity and will be more likely to create an account. Anyway, why would someone want to sign up for a free service in someone else’s name?
However, as soon as money starts changing hands, there is a need to be sure of whom you are dealing with. Using social identities actually reduces the problem: making up an identity on the spot is easier than creating a social identity expressly for the purpose. If it can be established that the account being used has been active for some time and has a history of activity that matches that of a genuine user, then it is arguably far better to be using social identities than ones created on the fly.
The good news is that social infrastructure services such as Gigya, Janrain and Loginradius are, among other things, designed to check the veracity of social logins. By looking at a given user’s history and activity on a given social media site they can verify that they are an established user with a track record. They also help with another obvious problem, which is that many users will want to use different social identities and this needs managing.
Acting as the middleman
Social infrastructure services act as brokers, managing the many-to-many relationship between the social media sites and those providing services that want to enable social login. Social infrastructure services enable a retailer, charity or media company, for example, to establish a single view of their customers regardless of how they log in – providing a basic form of customer relationship management (CRM).
Using such services, it is possible to establish a high level of confidence that a real person is being dealt with – far more so than if someone had just made up a username and password. The next question is when someone logs in with a social identity, how do you know that in this instance the user is the owner of that identity? Authentication is only as good as that offered by the social media site itself. Some now offer two-factor authentication as an option and have auto-log out settings. Remember, the competition here is ad hoc usernames and passwords scribbled on scraps of paper.
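The brokering and veracity checks described above can be sketched in code. This is an added example, not code from the article or from any of the services it names: the `Assertion` fields, the thresholds and the three sample logins are all assumptions constructed for illustration. It links several social identities to one customer record and grades each login by account history and by whether two-factor authentication was used.

```python
from dataclasses import dataclass
from datetime import date

MIN_AGE_DAYS, MIN_EVENTS = 180, 20   # assumed policy thresholds, not from the article

@dataclass(frozen=True)
class Assertion:                      # hypothetical shape of what a provider reports
    provider: str
    subject: str                      # provider's stable user id
    email: str
    email_verified: bool
    created: date                     # when the social account was opened
    events: int                       # count of past activity on that account
    used_2fa: bool

def confidence(a, today):
    """Grade a social login: established history first, then strength of sign-in."""
    established = (today - a.created).days >= MIN_AGE_DAYS and a.events >= MIN_EVENTS
    if not established:
        return "low"                  # could have been made up on the spot
    return "high" if a.used_2fa else "medium"

class Broker:
    """Many (provider, subject) identities map to one customer record."""
    def __init__(self):
        self.links, self.by_email, self.next_id = {}, {}, 1

    def login(self, a, today):
        key = (a.provider, a.subject)
        if key not in self.links:
            # Merge into an existing customer only on a provider-verified address;
            # an unverified address would let anyone claim another customer's record.
            email = a.email.lower() if a.email_verified else None
            cid = self.by_email.get(email)
            if cid is None:
                cid, self.next_id = self.next_id, self.next_id + 1
            if email:
                self.by_email[email] = cid
            self.links[key] = cid
        return self.links[key], confidence(a, today)

def demo():
    """Constructed sample logins, evaluated as of 1 June 2013."""
    today, b = date(2013, 6, 1), Broker()
    return [b.login(a, today) for a in (
        Assertion("facebook", "fb-1001", "ann@example.com", True, date(2009, 3, 2), 840, True),
        Assertion("twitter", "tw-77", "Ann@example.com", True, date(2011, 1, 9), 95, False),
        Assertion("google", "g-555", "ann@example.com", False, date(2013, 5, 30), 0, False),
    )]
```

The first two logins resolve to the same customer, while the two-day-old account with an unverified address gets its own record and a low grade, so it can be kept away from anything involving payment.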
But such an approach is still focused primarily on the consumer. However, for many organisations the need to manage external identity goes well beyond this. There are also external business users, the employees of partners and customers – these are business-to-business relationships.
Quocirca’s research shows that in some cases social identities are being used here too. However, there are other sources of identity that come into play, including the other business’s own directories, the membership lists of professional bodies, government databases and so on. To manage all this requires a federated identity management system which can bring together identities from all sources and manage them via a single interface. This may include employees as well as third-party users, many of whom will access common applications (for example, supply chain systems). To this end, many of the big identity management providers such as CA, Oracle, IBM and Intel/McAfee have adapted their systems to work from multiple identity sources.
A professional passport
Having a unified identity and access management system, regardless of the sources of identity, eases reporting for security and compliance purposes and makes it easier to implement single sign-on (SSO) systems. SSO solves the business equivalent of the consumer problem described earlier: the user having to remember multiple usernames and passwords for different systems. SSO also helps solve another growing problem for businesses – controlling access to web-based services. The problem arises when a business uses Google Apps or Microsoft Office 365 for document management, Salesforce.com for CRM, SuccessFactors for HR and so on. Enabling every employee for each one and, perhaps more importantly, ensuring access is de-provisioned when they leave, is much easier if all access is provided via an SSO portal. This has led to the emergence of a host of new identity and access management suppliers including Ping Identity, Okta, SaaS-ID and Symplified (the last of which has a partnership with Symantec). Many of these are offering SSO and identity and access management as cloud-based services; if the users can be anywhere and the applications are in the cloud, why not the SSO system too? The big identity suppliers are adapting their products as well; for example, CA’s CloudMinder can be deployed as a purely on-demand service or linked with existing on-premise systems, creating a hybrid deployment.
Looking to the future, we can speculate that we may all get more ownership of our digital identities as time goes by. As consumers, we can already choose to use a favoured social identity and, with education, we can understand how to protect and harden it. Actually we are quite used to this in the offline world. Most people have a passport and understand the need to care for and protect that.
This raises an interesting point. A new employer does not issue you with a passport for business travel; you use your own. Perhaps in the future employees will provide employers with their favoured digital identities. It may not be long before you are accessing your employer’s IT systems and applications using your Facebook, LinkedIn or Twitter identity. When that happens the age of BYOID will truly have arrived.
This was first published in June 2013