The 3 steps: real identity, digital identity, authentication
- The first step in establishing digital identity is to know the user’s real identity (KYC). Typically, this is verified with a government-issued credential such as a passport or driving licence.
For consumer-facing needs, this step is often unnecessary and can be skipped for the sake of privacy and ease of use, but it’s vital for higher-stakes use cases such as employee IAM – or influential Twitter users. - Secondly, a unique digital identity must be assigned to that real identity – otherwise the user would have to present their passport every time they log in.
In the past, this has often taken the form of an email address, but as it’s become easier to compromise emails and create throwaway accounts in bulk, email addresses are no longer ideal. - Finally, the user’s digital identity must be authenticated every time they log in. This means proving the person logging in is actually the owner of the account.
Typically, this authentication has consisted of just a password. But since even the strongest passwords are easily stolen, nowadays users are often encouraged to use MFA to prove their identity with a different factor.
This 3-step process is all about a chain of trust. Trust has to begin at the first step: making sure the person is who they claim to be. Then it must continue through the next steps – assigning a unique digital identity to that person’s account, then verifying the person who later accesses the account is the same person.
What happens without the identity chain?
When part of this process is broken, the whole purpose of identifying users is lost. Usually, this happens because a password has been compromised and the authentication step has failed.
In the case of Twitter, though, a unique problem has emerged. A recognised symbol of a high level of ‘trust’ – a blue checkmark – has been allocated to an account, but that account hasn’t been verified with the first step; the user’s real-world identity.
If Twitter user JoeBiden1, for example, pays the fee for a verified account, they can get a blue check, change their name and picture to that of Joe Biden, and begin to make parody tweets that may convince the gullible.
This user isn’t fraudulently accessing the US president’s account; they have proved that they are definitely somebody by creating an account and paying a fee. They have legitimately authenticated a digital identity. But Twitter has uncoupled the first process – proving just who that somebody is.
Does this even matter? It depends. In many cases, users don’t need to disclose their real-world identity, and can comfortably remain anonymous or use a pseudonym. They just need a stable digital identity and a secure method of authentication.
However, this furore makes it clear just how much it matters when a business changes its own parameters for trust.
Make it simple: use a mobile digital identity
The good news is that, in today’s increasingly mobile world, there is now a better way to manage your user identities online. In fact, by using new technology you can combine simplicity with security.
When a user first registers, you can take them through whatever KYC process best fits your business needs. But from then on, a better solution – especially with mobile app users – is to ditch the email and move to a modern, mobile digital identity.
Use their mobile phone number as a digital identity credential, then authenticate ownership of that credential using a secure possession factor – the SIM card in their mobile device. This way, you can ensure the same user is returning each time.
SIM-based authentication is cryptographically secure, easy to implement and effortless to use. Unlike insecure SMS OTPs and passwords, SIM-based authentication combines strong phishing-resistant security with great usability, providing an ideal, cost-efficient solution to protect all your users – the future of modern digital identity.
To learn more about this powerful new technology, or find out how to get started, talk to us.
