Iain McCallum, mobile industry veteran and MEF Advisor, explores the future of Trust and identity in the digital eco-system in a series of webinars and articles.
With the identity and access management industry conservatively estimated to be worth between $20 billion and $25 billion by 2022 (Grand View Research 2018), and with significant data breaches over the past twelve months of Marriott, MyFitnessPal, Facebook, Quora and Aadhaar systems resulting in the personal data of millions of people being harvested by bad actors in the digital realm, the ongoing issue of consumer trust in digital services has never been more pertinent than it is today.
Only last week, Facebook was forced to admit the ‘unintentional’ uploading of over 1.5 million new customers’ email contacts when they were asked to supply their email password as part of the registration process!
Perhaps most damaging of all is the growing perception amongst a far greater number of consumers than before that their personal data is being used against them by the new global corporations governing the digital world, even down to their keystroke pattern and other basic, seemingly innocuous, behavioural data in ways that are difficult to understand and over which they have very little control. The obvious danger here is that consumers will reduce their reliance on the digital world until they feel that their growing alarm and concern is both heard and addressed.
But addressed by whom?
Is it Facebook’s job to make sure that they don’t ‘unintentionally’ upload what presumably were tens of millions of email contacts? Of course it is. But as the Facebook/Cambridge Analytica case showed, it is for the entire ecosystem to create a framework of best practices, principles and self-regulation that can be monitored and constantly reviewed across the companies. The industry is dynamic and regulators struggle to keep up with the pace of innovation. The concept of consumer trust and self-regulation needs to be part of the emerging personal data economy. All participating companies should play along, and involve regulators too.
That regulators find it difficult enough to keep up with developments in digital technology and the myriad commercial models of seemingly-infinite complexity shouldn’t be a surprise to anyone; I’ve been in this business for more than 25 years now and I most certainly struggle to keep up! Add to that the considerable difficulty in legislating such a complex and diffuse eco-system without bringing it all down on our heads, and the regulators’ task seems almost impossible and certainly thankless. GDPR is a great start, as its adoption in many other parts of the world attests.
How industry and government can work together in the future to find a mutually-rewarding and secure balance between the rights of consumers not to have their data rights flagrantly disregarded by bad actors or those who don’t really understand their own systemic capabilities will be the key subject of (more than one, I’ll wager) my upcoming articles.
Back to the present, the received wisdom of the past few years is that the old paradigm of username/password as an authentication method is no longer fit for purpose. Over 80% of recent data breaches are still believed to originate from weak or stolen login credentials. If this is so, how do we as an industry move forward so that enterprises and brands can, with a high degree of certainty, authenticate the identity attributes of the person who is attempting to transact with them online and, conversely, that the person who is trying to transact can trust that the online enterprise he or she is transacting with is who they purport to be?
The Ease of Use Question
At times, it appears that everyone from global enterprises down to one-man-band start-ups is focused on the ‘problem’ of identity. And the focus of these efforts is not just on the ability to provide security for all parties, but also on how easy (or difficult) the consumer journey to assert their identity in the digital world will be in the future. As Julian Ranger of digi.me put it to me during a recent interview, ‘…whoever wins the convenience factor in Identity wins the future world…’.
This recognition of the importance of achieving an optimal customer UX, both for on-boarding and ongoing use, has been expressed by many industry luminaries I have spoken to recently, not least Glyn Povah, the Global Head of Identity at LUCA/Telefonica. In his address at the FIDO Alliance’s recent seminar in London on ‘The Future of Strong Authentication’, he made an impassioned plea for everyone involved in the industry to remember that the balance between security and usability, particularly for younger consumers, is crucial if the industry is to gain their confidence in using such services.
Andrew Bud of iProov also pointed out recently that the efficacy of any identity solution UX will, at least in part, be predicated on how much of the process is driven by assets held on a particular device, be it laptop, tablet or phone, or whether security demands that any solution’s core functionality should take place in the Cloud. His view is that Cloud-driven solutions are far superior and less vulnerable to security breach or human error, such as the loss of, or irreparable damage to, handsets, etc.
So, it’s clear that as an industry we are still a long way from finding a solution to the issue of identity assertion and authentication. From an outsider’s perspective at least, there are still myriad product solutions in the marketplace, and the overall structure of this new industry sector has yet to coalesce into something that will deliver the industry and regulatory consensus so urgently required to make this new sector a success for all stakeholders.
The emerging solutions – still emerging…
The good news is that a lot of scarily smart individuals across the world are focusing their considerable talents on solving this very problem…
However, there is still no clear commercial framework, business model, set of standards or even, in many cases, an agreed nomenclature to adequately codify the key eco-system elements emerging from the myriad proposals and solutions being proposed by players across the globe.
This means that today enterprises and brands must do a significant amount of work, often by necessity piecemeal and quick-fix, simply to identify and properly assess any identity or authentication solution that matches their own immediate or short-term requirements and, crucially, their own legacy systems which, by their very nature, can further propagate an eco-system of ever-more confusing and complex proprietary solutions, thereby making the emergence of a dominant identity model(s) ever more difficult for the industry to realise.
We can see today the ever-increasing willingness of regulatory bodies globally to support the consumer in this space by adopting the EU’s GDPR model, or a model very similar, in their own domestic markets. This is encouraging.
But it is crucial that the industry players for whom identity and authentication is a central focus of activity in the years to come engage NOW with their eco-system colleagues (and competitors!) in the solution provider, brand and enterprise AND regulatory sectors to ensure that the further regulation that is coming down the track is fit for purpose for all in the digital economy.
To close then, identity is a complex and, at times, bewildering subject with which to grapple, but grapple with it we must if the future prosperity of the digital economy is to be protected, nurtured and grown still further.
MEF will endeavour to help guide its members through the complexities of this market development as it has done for many years now across many industry initiatives and continues to do in the working groups and events of the Personal Data, Messaging, and IoT programmes.
As MEF Members, your continued and active engagement in these initiatives is crucial both for the betterment of the industry as a whole and to ensure that you and your business remain at the forefront of the critical developments within it.
And for non-MEF members? Please feel free to reach out to me to discuss how MEF membership can benefit you and your business.
Iain is a MEF Advisor and has, since 2012, worked extensively with mobile network operators across Europe and the Russian Federation to drive adoption and uptake of the GSMA’s Mobile Connect identity, RCS and Smart Cities initiatives. Prior to this, he ran third-party Messaging at Telefonica O2 UK from 2002 until 2010, working with Aggregators and Brands (Lloyds, ITV, C4, et al), driving the uptake of premium and bulk services and managing the issues of self-regulation (PayForIT, a UK joint-MNO initiative) and subscriber protection.