Digital IDs are at the centre of everything that people use to access services today, from ordering food on an app to accessing government e-services online, so it goes without saying that they are increasingly the target of cybercriminals.
The OCBC scamming case a year ago, where cyberattackers tricked users into exposing their login details, showed how vulnerable some users are even with systems that had worked well for years.
So, it is no surprise that Asia-Pacific organisations have been busy beefing up their defences, by better managing these IDs, say, with smarter multi-factor authentication that takes into account factors such as the device, location and behaviour of someone logging in.
As threat actors have grown smarter in their attacks, cyber defence techniques must continually evolve as well, says Bill Hustad, senior vice-president for global partners and alliances at Okta, which offers identity management services.
Decentralised identity is the modern approach for the future, he adds. It allows people maximum control and organisations less responsibility over personal information, he tells Techgoondu, in this month’s Q&A.
NOTE: Responses have been edited for brevity and style.
Q: What has driven the take-up of identity management solutions in Asia-Pacific in the past year?
A: The digital identity market is growing briskly and Asia-Pacific is projected to lead the market. The pandemic has driven businesses and individuals online.
This increased the opportunities for cybercriminals, leading to a rise in cyberattacks. In response, businesses moved to shore up their defences and one of the enhancements they invested in was authentication.
Governments in the region are also offering more citizen e-services and increasing the security of those services. This means they are also investing in identification management and authentication technologies.
Q: A digital ID brings convenience to users but also raises worries about privacy and security. How are organisations in the region balancing these issues?
A: Tighter security typically involves the addition of friction – in the form of passwords and other authentication factors – into the user experience. Business stakeholders should no longer accept trade-offs between security and convenience.
With the right identity solutions forming the foundation of customer experiences, businesses gain the freedom to choose both – security and convenience, without a need to compromise.
Arduous experiences with convoluted password rules, unnecessary data requests, and excessive multifactorial authentication prompts alienate customers before they have a chance to access the website.
With advanced authentication technologies, businesses can instead streamline login and registration experiences with passwordless authentication fusing biometrics, magic links, factor sequencing and WebAuthn as building blocks.
Features like adaptive multi-factor authentication add an extra layer of security with minimal friction for the user, with prompts determined dynamically via contextual factors like device, location, or user behaviour.
Q: Centralising the digital IDs of users makes that an attractive target for hackers. What steps should organisations be looking at to mitigate that risk?
A: Threat actors have grown smarter in their attacks; as a result, cyber defence techniques must continually evolve as well.
In the identity and access management (IAM) space, regulators, organisations, and individuals are realising that decentralised identity is the modern approach, allowing people maximum control – and organisations less responsibility – over personal information.
With centralised identity management, users access all their applications, websites, or other systems with the same set of credentials. Decentralised identity, by contrast, gives individuals control over which data they share with organisations, including the ability to revoke access to that information—whenever they want.
This can be done by using digital wallets, which store identity and credential information from certified issuers, like governments and employers. It’s secure by design, giving everyone peace of mind that their personal information is safe and that they are at lower risk of identity fraud.
For organisations, decentralised identity reduces the risk of information misuse, minimises the risk of account takeovers, and simplifies compliance requirements. This is a major benefit, as failing to comply with increasingly complex data privacy regulations can lead to huge fines and penalties.
With decentralised identity, businesses can also verify identities with less information from users and customers, which ultimately creates a greater sense of trust and transparency between all parties.
Q: A lot of talk in Web3 circles has centred on decentralised personal data, including IDs. What’s your take on decentralised ID systems?
A: In my opinion, forward-thinking organisations need to future-proof their identity approach. The decentralised path laid out by Web3 can solve many of the problems of centralised identity in several ways.
First, ownership and control of identity. This is the core of Web3 and decentralised identity. Each person should have complete control over who has access to their data. This means users are empowered to grant, modify, or revoke access at any time, as well as receive a unified view of all the data they share.
Second, best practices for securing identity and building trust. Numerous organisations are working to standardise and shape decentralised identity. Some of the key players here include the Decentralized Identity Foundation and the World Wide Web Consortium.
Third, a way to identify people, places, and things. Digital identities for humans are not the only problem to solve. We also need a way to identify and verify any device that’s connected to the Internet.
One way to do this is to utilise blockchain. Blockchain’s ability to automate and keep transactions accountable via a secure shared ledger and smart contracts has the potential to enable new and interesting use cases, like an autonomous vehicle that can authenticate its driver.
While decentralised identity is still an emerging field, some of the world’s leading organisations, like Microsoft and IBM, are showing the potential it has to increase trust and democratisation. Okta is going to be part of this journey in the digital identity space.