Will Strong Authentication ever Reach a Mass Scale? (Part 1 of 2)
It has to, there is just no other way...
The motivation for this article came from the recent publication of the Department of Homeland Security's [Draft] National Strategy for Trusted Identities in Cyberspace, on which I collaborated, as well as conversations I had with Brent Williams at Anakam and Sal Khan at Atrust. Both consider authentication and digital identity essential components of enabling digital trust in an electronic and online context at Internet scale.
For many years, I have been pondering digital identity (an electronic representation of humans in a digital environment) and identity and access management (IAM): how can they truly enable trust in electronic and online transactions, allowing us to fully seize the benefits of the Internet age?
As I alluded to in a past article, I have some history on this topic going back to 2006. I label myself an identity assurance activist.
Despite the great advances in technology over the last two decades, as a society, we are still being held back from fully realizing the benefits of the 21st century Internet. This is primarily due to the issue of trust (or lack of it) in online and electronic channels, which are highly dependent on reliable authentication.
Allow me to illustrate: If you ever buy real estate in the US, you would have to go through a process that hasn't changed much since the 19th century, minus the Pony Express courier service. You would have enjoyed the slow, error-prone, labor-intensive and highly irritating, paper-based process of inspecting, appraising, transacting, registering, insuring and financing the property followed by an 18th century process of contracting services for construction or home improvement. For your sake (and mine), I will not get into this highly satisfying, ulcer-generating process. All of this, on average, employs 12 different parties ranging from appraisers, lenders, local and state government, brokers, insurers, sellers, attorneys, cousins, siblings, party-crashers and the like. I believe that the founding fathers used more sophisticated technology to write the United States Constitution than the average county clerk utilizes to register a property deed. Have you ever stopped to wonder why, in the 21st century, the age of web 2.0, federated identity, Facebook, Twitter, and the online social networks, we still have to endure and subsidize such an inefficient way of doing business?
What's going on here? Is it perhaps the generational clashes and dilemmas of losing our ancient traditions and values in this fast-paced society that makes us hold on to these relics? I think not.
I could point out other day-to-day examples in healthcare, social security administration, insurance claim processing, cross-border trade, and bank accounts, but that would make this article way too long.
Why are these processes so archaic even today?
I do not have a good answer. There are a multitude of factors, including history and habit. One reason is the fear that moving toward an electronic or online process increases the risk of fraud to levels that we cannot manage or understand.
Nonsense. I would say that the paper-based processes we have today are more fraud-prone. We have all suffered from such fraud in one way or another. By migrating to electronic processes, we won't be worse off, so we must take the leap forward. Fear of risks is no justification for holding back.
These processes must be modernized. It's just simple physics: manual labor is no longer scalable or sustainable. It cannot keep up with the backlog of paperwork required in our society. As the baby boomer generation retires and veterans come back from war, this will only get worse. Therefore, automation and process redefinition are essential.
During my days in banking, I learned that the back office processing of mortgages and foreclosures is even more daunting, manual and inefficient. The recent subprime crisis has revealed our inability to keep up with the paperwork backlog.
We have not fully identified the economic benefit and the market opportunity of digitizing these inefficient processes. That is why they have stayed the way they have up until now.
What does it have to do with Identity or Authentication?
It has everything to do with [digital] identity. Identity is the cornerstone of the issue at hand.
If you followed my train of thought to this point, then you are ready for this realization: couldn't we apply the same constructs of IAM that we typically utilize in the Enterprise or Internet consumer worlds to automate these processes and advance as a society? Of course we can.
Then why don't we? Wouldn't we, as a society, be better off without these inefficiencies, which are carbon-footprint heavy and costly? Of course we would.
So why haven't we modernized these processes?
This is not a simple problem to solve. Moving our everyday business processes from paper to electronic will require a quantum leap evolution (e.g. from horse to automobile). When Henry Ford introduced the automobile, people no longer wished they had faster horses.
Some of these processes will need to be decomposed into atomic pieces and reassembled in ways that reflect today's reality. This change will be drastic, simply because we have exhausted the physical limits to bear a gradual shift. Just like we have not yet realized that a gradual shift from fossil fuel vehicles, to hybrid or fuel cell, to truly zero-footprint energy sources will never occur.
I am not talking about PDF'ing paper forms and using document management systems and workflows with electronic or digital signatures. I am talking about forever forgetting that the document would ever be printed, or whether it fits in a Letter or A4 sheet of paper. This will force us to think about digital identities in 21st century style.
Technology will be an integral part of this shift. More important is the definition of standards for brokering and establishing trust at the desired level for the kind of transaction being performed. Having the appropriate legal framework to ensure that provisions and protections can be enforced is also essential. On this topic, I applaud Tom Smedinghoff's efforts with the American Bar Association IDM Task Force, which are necessary and critical. In addition, there is the business model that will make strong authentication viable, which will be the focus of part 2 of this article.