As business leaders we want to create lasting relationships with our customers. We do not want to identify our audience by random IP addresses and faceless sessions that give us no information about who our customers really are.
Our goal is to turn unknown visitors into known, trusted, and loyal customers.
Digital identity is the key to this puzzle. Identity interactions – sign up and login – are often the very first experience that customers have with your brand. If done right, with transparency, privacy, and a frictionless experience, digital identity can unlock fruitful and trusted business relationships.
The digital identity lifecycle represents the technical stages of your relationship with online customers or other users.
The digital identity journey starts with registration, or simply account creation.
The goal of registration is to associate a set of online activities with a single specific digital identity.
While there are cases where users can access an online service anonymously, most online resources require account creation. Subscription websites, membership services, e-commerce resources – these are all examples where user registration is required. Some resources have a requirement to reliably establish an association with a real-life identity. Examples include obtaining health care and executing financial transactions. In this case identity proofing with an ID document needs to be performed.
Account creation typically revolves around proving ownership of an email address and providing the website with identity claims, such as first name, last name, and mobile phone number. Once registration is complete, a user creates a set of credentials that can later be used at the authentication phase. Examples of credentials include a username and password, a smart card, a certificate, or a hardware token that is associated with an online account.
When a user returns to a website and wants to access her account, she needs to authenticate.
Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.
For instance, you come back to an e-commerce website to track your order. To access your account you will need to identify yourself using your email address and prove ownership of a valid credential, in this case a password. Successfully proving ownership of a credential provides reasonable risk-based assurance that the subject accessing the service today is the same as the one who registered with the service previously.
Authentication can be performed with a traditional username and password, or with any passwordless method, such as authenticating users with a certificate provisioned to their desktop or mobile device.
Single Sign-On (SSO) is often used at the authentication stage to reduce friction and the number of authentications a user has to perform. Single Sign-On is an authentication scheme that allows users to authenticate once with a central authority and then access a set of related applications or online resources without re-entering any credentials. Typically SSO is implemented in an enterprise environment, where employees use one password to access all corporate resources. Social Login is an SSO alternative in the consumer identity world.
Authentication is performed with factors – authenticators or credentials used to prove a claim to a digital identity. The username and password combination is the most common authentication factor. Let’s take a look at two concepts related to authentication factors:
- Factor types – how authentication is performed using various factors.
- Multi-factor authentication (MFA) – several factors combined to perform a stronger authentication.
Factor types
- Something you know – the most common factor used, for instance a password or a simple Personal Identification Number (PIN) that you memorize and later use for authentication.
- Something you have – requires users to prove possession of the required authenticator. A common example is a smart card. It is a credit-card-sized card that has an embedded certificate used to identify the holder. The user can insert the card into a smart card reader to authenticate to a service or an application.
- Something you are – biometric methods provide the something you are factor of authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting, or voice analysis. Fingerprints and handprints are the most widely used biometric methods today.
Multi-factor authentication (MFA)
MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.
Let’s look at a simple scenario – logging into your bank account. If you’ve turned on MFA or your bank turned it on for you, things will go a little differently. First and most typically, you’ll type in your username and password. Then, as a second factor, you’ll use an authenticator app, which will generate a one-time code that you enter on the next screen. MFA helps protect you by adding an additional layer of security, making it harder for bad guys to log in as if they were you – they would need to steal both your password and your phone.
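The two-step bank login described above can be sketched as follows. This is an added example, not code from the original article: it assumes the authenticator app uses the standard TOTP algorithm (RFC 6238), and the account record, salt, password and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample account; the secret is the RFC 6238 test key, not a real credential.
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",
    "last_step": -1,  # last accepted time step, used to reject replayed codes
}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login(account: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass: the password (know) and the one-time code (have)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return False
    # Accept the current 30 s step plus/minus `window` steps to tolerate clock drift.
    for drift in range(-window, window + 1):
        t = now + drift * 30
        if t < 0 or t // 30 <= account["last_step"]:
            continue  # step already used: a captured code cannot be replayed
        expected = totp(account["totp_secret"], t)
        if hmac.compare_digest(expected.encode(), code.encode()):
            account["last_step"] = t // 30
            return True
    return False
```

A stolen password alone fails the second check, and a code that was already accepted is refused if it is presented again.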
Once we know who the returning user is, we need to determine what the user is allowed to do and what actions she can perform in our application.
Authorization is the process of giving someone permission to do or have something.
Let’s take a look at the simple example of car ownership to understand how authorization works.
The owner has full access rights to the car (the resource) but can grant other people the right to access it. For instance, accessing the car is a permission, that is, an action that you can perform on a resource. Other permissions on the car may be driving it, repairing it, selling it, etc.
A permission becomes a privilege (or right) when it is assigned to someone. So, if you assign permission to drive your car to your friend, you are granting her that privilege. On the other hand, your friend may ask your permission to repair your car. In this case, the requested permission is a scope, that is, the action that the friend would like to perform with your car.
Once the user is authenticated (we know who the user is) and authorized (we determined what the user can do) she can start performing actions in our application.
Some online services record user activity in the form of logs in order to preserve an audit trail and to run analytics that detect anomalous behavior. For instance, if you are located in the Pacific Time zone and all of a sudden access your banking application at 3am, this behavior is abnormal and needs to be investigated in order to determine if your account was potentially compromised.
Some online services implement a transaction approval process, or what is called step-up in identity terms, to protect certain sensitive transactions with an added layer of authentication and security. For instance, once you access your bank account and initiate a funds transfer, you might be asked to confirm your phone number or re-authenticate in order to prevent fraudulent transactions.
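The 3am login check and the step-up decision from the two paragraphs above can be combined in one small rule set. This is an added example, not code from the original article; the log format, the fixed UTC-8 offset for Pacific Time, and the five-minute freshness limit are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta, timezone

PACIFIC = timezone(timedelta(hours=-8))  # assumption: fixed PST offset, DST ignored
MAX_AUTH_AGE = timedelta(minutes=5)      # assumption: login freshness needed for transfers

# Constructed audit-log lines (UTC): timestamp, user, event
LOG = """\
2024-03-04T17:05:00Z alice login
2024-03-05T02:40:00Z alice login
2024-03-06T18:15:00Z alice login
2024-03-07T01:10:00Z alice login
2024-03-08T11:02:00Z alice login
"""

def parse(line):
    ts, user, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event

def usual_hours(events, tz):
    """Baseline: the set of local hours at which past logins happened."""
    return {when.astimezone(tz).hour for when, _, event in events if event == "login"}

def is_anomalous(when, baseline, tz, slack=1):
    """True if the local hour is more than `slack` hours from every usual hour.
    With no history at all, every login is treated as unusual."""
    hour = when.astimezone(tz).hour
    return all(min((hour - h) % 24, (h - hour) % 24) > slack for h in baseline)

def check_latest(log, tz):
    """Score the newest login against a baseline built from the earlier ones."""
    *history, (when, user, _) = [parse(line) for line in log.splitlines()]
    return user, when, is_anomalous(when, usual_hours(history, tz), tz)

def transfer_decision(login_time, now, anomalous):
    """Step-up rule: re-authenticate if the login looked unusual or is stale."""
    if anomalous or now - login_time > MAX_AUTH_AGE:
        return "step_up"
    return "allow"
```

The last constructed line is 03:02 local time for a user whose earlier logins fall in the morning and early evening, so a transfer in that session is sent to step-up even though the login itself is only a minute old.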
As the name implies, the identity lifecycle is not a one-time event. Rather, it is a process that repeats for every user and touches the user's experience every time she accesses the service. At idemeum we believe transparency, frictionless experience, and privacy are the key components to provide customers enough value in exchange for their information.
We are here to help.