Authentication| Verification| 4 min

Today’s IAM landscape is not ready for the Internet


Digital identity on the Internet is a well-known yet unsolved problem. Done right, it would open up great opportunities, eliminate tons of headaches and simplify online presence for everyone.

 

The Crucial Role of Identity Proofing in IAM

IAM (Identity & Access Management) is a constantly evolving and well-architected domain, realized through tons of technology masterpieces. Still, it hasn’t been able to contribute significantly to trust on the Internet. Many areas are well covered by technology, but the value from, for example, authentication, authorization and resolution will remain limited until Identity Proofing is addressed.

To clarify the value of Identity Proofing, we will look at IAM together with the Internet in the context where people access services online. Here, people means any human being living on our planet, and services often have the ambition of being globally present. Services need Identity Proofing to distinguish real, sincere human beings from frauds, robots and troll armies. People need Identity Proofing to be certain that their digital identity is never stolen or misused.

Identity Proofing has two fundamental parts: Identity Verification, which normally takes place during the first meeting between a person and a service, and Authentication, which takes place whenever the person returns.

Unveiling the Challenges and Opportunities in Identity Proofing

 

The IAM landscape of today masters Authentication really well, and keeps evolving to increase simplicity and security even more. Protocols like OIDC and SAML have made a big difference, together with surrounding technologies and services. There is also good support on the end-user security and convenience side, with things like password managers, MFA authenticator apps and passwordless initiatives such as FIDO.

Identity Verification suffers heavily. Services either have to manage a cumbersome and expensive process of ID document scanning, face scanning and fraud-proof biometric matching, or they have to accept the drawbacks of low identity assurance, opening the door for robots, trolls and frauds. The second alternative usually implies either self-registration with email/phone verification or Social Login (e.g. signing up with Google or Facebook).

There is a clear reason behind today’s weak Identity Proofing story. The IAM landscape has first and foremost been driven to support Enterprise IAM (employee management), i.e. to solve identity management problems in closed and fairly standardized ecosystems.

Organizations have extensive identity proofing processes, but they are semi-manual and rely on physical interactions. This has to change, not only to serve the traditional Internet, but also because (in some areas) employer-employee relationships are shifting towards fully remote interactions conducted entirely over the Internet.

The current IAM landscape is obviously incomplete: digital identity is a complex problem for service providers to solve, and life on the Internet is not easy for privacy-aware people. Identity Proofing does not on its own solve digital identity on the Internet, but it is a cornerstone upon which the solution must be built.

And yes, Truid has the recipe - we address Identity Proofing, and more. Stay tuned 😉