What makes someone trustworthy in the real world – and in an era where everything’s mobile, how do we translate that trust to digital identity?
Paul explains what makes a digital identity different from a real one, his view on responsibility for fraud and cybercrime... and how trust online can change for the better.
We’ve got the key highlights below, or you can listen to the full conversation with host Hillarie McClure here.
So, Paul, what is digital identity, for anyone who may not have heard that term? And how does it differ from our real world identity?
I think that's a great question, and the two often get mixed up, and I think it's important to separate the two. We all have a real world identity – we're a real person, we have a name, we have an address. Normally, we have a bank account and sometimes a passport, or identity card, or driving licence.
But we spend a lot more of our time these days online – and online, it's not the same. You don't necessarily see the person there. They may not be physically visible, or they're representing themselves through some sort of digital identity, such as a social network or an email address, or increasingly a mobile phone number.
And in many situations online you don't actually need to know a person's real world identity to be able to trust them. So if you want to access, for example, streaming music, you don't necessarily need to give your name and address and your passport to do that; you just need some sort of identity online that can be trusted. And the problem often is that the two are blurred, and so you're asked perhaps to give more information than is really required.
Okay, so my understanding is that there's a lot of freedom with our digital identities and being able to maybe create an ideal image of ourselves, etc. Conversely to that freedom, what are some of the risks and costs associated with our digital identities?
I think you're right. That freedom definitely comes at a cost. It's hard to prove digital identity, and many of the current approaches – such as email + password + SMS PIN codes – add complexity for the user without actually addressing the core issue, which is: can these identities be trusted?
As I mentioned before, you can have email addresses that represent your identity online. And you could have multiple [email] addresses – for example, it's easy to get Gmail addresses; they're free, and so bad actors can exploit that freedom. You can have multiple accounts created by using those multiple free email addresses, and bad actors can hide behind them either to commit fraud or just to spread fake news. The trick is very much to have some sort of balance between the freedom and the friction; the freedom and that proven identity.
Coming back to mobile numbers as the core theme here, it's an interesting approach to use a mobile number as an online identity. It's personal, but it's not too personal, so people are willing to share it, and generally we give out our number to other people. But if you can make it something that has an associated security factor – and the phone does this, because it's got the SIM card – then you can have that thing which you're willing to share, but at the same time has a proven credential, and that allows you to build trust associated with that.
Authentication is definitely getting more and more complex. I know when I forget a password to an account, I can go through multiple levels of verification to gain access, and often it's very frustrating.
If I know this, then of course, bad actors also know this, and can capitalize on that opportunity to confuse mobile users and get their information, taking over their digital identities. So, Paul, how can people trust that they're being asked for legitimate information via their mobile devices?
My view is that as an individual, obviously, we should always be vigilant. I think that's just a natural responsibility that everyone should have. So try not to share personal information online; banks will always say that they're not going to ask you for personal information and PIN codes. You just shouldn't share that personal information.
But actually, I think the primary responsibility for that really lies with the corporations, with the enterprises whose services we're consuming as individuals. It's those organizations who choose how they verify the identity. And those methods that the companies choose, they either work or they don't work, and the individuals don't really control that.
We can have vigilance and take care not to share data, but the fundamental authentication methods that are being chosen – such as SMS, one-time passwords or even email PIN codes – they leave individuals open to risks that those individuals themselves can't really control.
Final question for you in this episode, Paul: are there any other ways that we can build trust in the digital world?
Again, mobile is going to be a core part of what we're talking about here. The world is going mobile; in many, many territories now, mobile is the default method for accessing the internet. We live in a mobile-first world, and that has consequences, good and bad. But I actually think the good consequences are that it's an entirely new way of doing business, and the phone is a very powerful tool, but it's not really being used properly yet.
There's been a few small steps that businesses have taken; moving away from email address, perhaps, to using the mobile number a bit more, but they're not using the fundamental security that is innately inside a mobile phone.
There are 5 billion phones out there, all of which have got cryptographically secure SIM cards in them – now the world has this opportunity to move away from a knowledge-based password to a possession-based security factor. And if we can do that together, then I think we can make the world a much safer place.
You can check out the full interview in podcast form, plus the rest of the SIM security series, at Cybercrime Magazine’s Soundcloud page.
tru.ID is a mobile authentication platform that enables direct connectivity to the mobile authentication systems used by mobile carriers, so that online businesses can build simpler, stronger alternatives to SMS one-time passwords, email links, and other legacy 2FA methods.
It’s even easier for developers to get started. tru.ID products are easily implemented into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs. We offer a fully online, developer-first API platform. Simply sign up to create an account and start testing for free today.