Guide to building a secure and trusted BYOID environment

Full text

(1)
(2)

e-Banking

e-Healthcare

e-Insurance e-Commerce

e-Gaming e-Government

Guide to building a secure and

trusted BYOID environment

Bring-Your-Own-Identity is not new. People have been using their social

media login credentials for other applications for some time now. But how do

you ensure these users are who they claim to be? How can you establish a

Trusted Bring-Your-Own-Identity environment?

(3)

SUMMARY

1

Identity, past & present 3

2

Trends that impact digital identity 4

3

Business challenges around Bring-Your-Own-Identity (BYOID) 8

4

Solution: establishing a secure & trusted Bring-Your-Own-Identity

environment 10

5

Business benefits of a trusted Bring-Your-Own-Identity framework 13

6

Trusted BYOID use cases 16

7

How can I establish a trusted BYOID framework for my business? 18

8

About VASCO 19

9

Glossary 20

(4)

3

Identity, past & present

1

In the past an identity was given to you; often in the form of an ID-card, driver’s license or social security number issued to you by a government authority. The benefit of this approach is that the identity has been verified and validated. Unfortunately this type of approach does not hold ground in today’s interconnected world where more and more transactions take place online. In today’s digital world, identity is something you create yourself. It is often a combination of attributes and characteristics. These attributes can be split into 4 main categories:

Any or all of these attributes can be combined to form a digital identity. From there, a digital identity can be used to create an online account (for a certain service or application).

Attributes linked to “Professional1” include: Male, DOB, lives in Brussels Belgium…

User John uses his “Professional1” Digital ID to create an account on LinkedIn

Example:

User:

Digital ID:

Legal attributes: social security number, ID number, date of birth

Social attributes: attributes related to your preferences and relations with family, friends & colleagues

Physical attributes: age, gender, DNA, picture, avatar

Behavioral attributes: websites you visit, online purchases you make, news feeds you subscribe to, social shares

John Smith

Professional1

(5)

4

Trends that impact digital identity

2

2.1 The mobile revolution

We live in an increasingly inter-connected world.

The explosive growth in smart phones and tablets has triggered an always-on economy, where users expect to access online applications 24/7 and conduct transactions from any device.

Global Mobile Devices and Connections

The number of global users of mobile phones, capable of executing apps, is expected to cross the 50% mark for global smartphone penetration in 2017 and reach 59% by 2019, growing from 28% in 2013 (source 4).

(6)

5

On average, a European smartphone owner has 26 apps installed on his smartphone and almost 50% use a social media network on their smartphone on a daily basis. Users expect to be able to access all their applications from any device.

Most of these apps, if not all of them, require a user to be logged in, thus adding to the complexity of password management and attribute control.

Source data: http://mashable.com/2013/09/05/most-apps-download-countries/

Source data: http://www.thinkwithgoogle.com/

Top 10 countries with the highest average number of installed apps per smartphone user* Global mobile devices and connections

(7)

6

2.2 Social media

Social media is here to stay. There are 2.08 billion active social media accounts. 29% of the

entire world population actively uses an account, for an average of 2 hours and 25 minutes a day.

Facebook has 1,366 billion monthly users, almost 20% of the current global population.

There are 17 different social platforms that claim more than 100 million monthly users.

This increased competition has triggered social media providers to come up with new business models to help them retain and increase their community footprint.

A key element in achieving this has been the “social login”, where users are able to use their social media credentials to subscribe and login to other applications.

(8)

7

2.3 The Internet of Things

The Internet of Things (IoT) is growing, and with as wearables become an increasingly hot trend, it’s growing even faster.

According to Cisco Systems (Source 2) we will reach 50 billion connected devices in 2020, estimating 99% of devices will be connected to the Internet (currently around 1%).

2.4 Bring Your Own Device (BYOD)

The Bring Your Own Device (BYOD) concept is common in technology-related companies

where employees use their personal laptop, smartphone or tablet to log on to the corporate network & applications.

According to a global survey among CIO’s conducted by Gartner (Source 1), 38% of companies

expect to stop providing devices to workers by 2016 and switch entirely to BYOD. Global internet device installed base forecast

(9)

8

Business challenges around

Bring-Your-Own-Identity (BYOID)

3

The aforementioned trends provide a clear insight into the possible impact on and risk for our (online) privacy. In addition to the impact on our privacy, there are also other business challenges that need to be addressed.

3.1 What is Bring-Your-Own-Identity?

BYOID is an emerging approach to identity validation in which organizations allow users to authenticate to a website and consume web services using a digital identity that has already been established with a third party.

Instead of requiring visitors to create a new identity during the registration process, using an existing digital identity enables the user to leverage a “valid” identity from a current service provider.

Example: User John uses his Twitter account to subscribe and log in to his favorite online

newspaper.

3.2 Legally binding transactions

Actions or transactions made by a user using a social login are, at least for now, not legally binding. Therefore, using social logins lacks the required non-repudiation that associates actions or changes to a unique individual in a legally binding way.

3.3 Attribute control and transparency

Who owns the user attributes and data and how will the attributes and data be accessed? As an application owner, it is necessary to be transparent with your users about which data will be accessed and how it will be used.

(10)

9

3.4 Security

Getting rid of multiple passwords for multiple accounts is one of the greatest advantages of BYOID. At the same time it creates a single point of failure. If one is using a social login, and that social media account is compromised, this means all other web accounts are also at risk. Some social media platforms are trying to address this password security issue by implementing two-factor authentication. Unfortunately these solutions don’t always offer the best mix of user convenience, security and total cost of ownership, and can even create additional friction for the user.

3.5 Trust – Lack of validation

Anyone can create a social media account. There is no validation of the identity or attributes provided by the user.

(11)

10

Solution: establishing a secure &

trusted bring-your-own-identity

environment

4

4.1 The digital identity playing field

4.2 Defining the framework

Establishing a Trusted BYOID framework implies that users, application providers and ID providers are able to interact with each other online, in a secure and transparent way. Up until recently the only way to accomplish this would have been for application providers to integrate the different login solutions, offered by the different ID-providers, on a one-to-one basis. The sheer time and resources required to establish and maintain this setup immediately eliminates it as a viable solution. In addition, this type of approach does not consider the users’ need for attribute control, convenience and security.

What is needed is a secure platform, that connects all parties involved. Access to this platform should be secured with easy to use, two-factor authentication functionality, such as a mobile app to generate secure and unique one-time-passwords.

Application owners:

Deliver online applications & services to the market (= value)

Are looking to recruit new users Identity providers:

Have large user communities

Are looking to offer new services to their user-base in order to increase brand loyalty Users:

Are looking for more personalized, user friendly and secure online services

(12)

11

This secure platform also needs to be easily, yet securely, accessible by all parties

involved:

Application providers will benefit since they only need to integrate one platform API, similar to a Facebook or Google connect, resulting in faster time to market and lower development/maintenance costs. Additionally, it enables them to add easy to use two-factor authentication security to their applications.

Perhaps the biggest benefit for the application providers is that he is able to collect

validated user attributes, which are delivered by the ID-provider and authorized by the user, to offer his users a more personal and secure online service.

ID-providers that link to the platform are able to offer their user community secure access to a whole new range of online applications, resulting in a competitive differentiator that will increasing their customer loyalty.

Users will benefit from such a platform as well. They will be able to access all online

applications on the platform with a single and secure login, eliminating the need for insecure static passwords. However, the biggest benefit for the user will undoubtedly be that he or she will be able to decide which of his/her (validated) attributes are shared with which application. Offering the user this type of control over his attributes will increase trust. It is clear that by enabling the use of validated attributes online, such a platform can pave the way for entirely new online business models and use cases that were previously impossible to accomplish due to legal constraints, especially on the mobile platform. A few examples:

Legally signing a contract from your tablet

Submitting an insurance claim from your mobile phone

(13)

12

The biggest challenges in establishing such a secure & trusted BYOID framework will

lay in:

1. The technical availability of a secure platform that can support this framework

2. The willingness of all three parties involved to adopt such a platform Without a trusted BYOID platform

With a trusted BYOID platform

Complex integration

No or low security

Not convenient

-+

Easy integration

High security with two-factor authentication

More user friendly (secure single sign-on)

Trusted BYOID platform

(14)

13

Business benefits of a trusted

BYOID framework

5

The implementation of a trusted BYOID platform has several important business benefits for all parties involved.

5.1 Cost-Efficient & scalable

Application owners and identity providers don’t need to integrate or maintain different online identity standards (that might conflict), but have one standard implementation. This means they can focus more on their core business, cut back expenses and improve financial efficiency.

5.2 Economic benefits

Aside from the fact that a trusted Bring-Your-Own-ID platform ensures a secure way of logging in, it also offers economic benefits. The various application providers no longer need to integrate different API’s and maintain them. Using a single trusted BYOID platform does the trick and can save significant cost.

5.3 UX: user is in control of his attributes

It is important for a user to know and authorize which of his digital identity attributes are being shared with the web application or service he is signing up to. Using a trusted BYOID platform, the user is in control of his own attributes and will know what kind of information is shared with application owners. Additionally, a recent international study has shown that users who are able to manage their online privacy are up to 52% more willing to share information than those who aren’t. By giving users more control over their personal data, they will reward you by sharing more information with you.

5.4 Trust as a competitive differentiator

Using a secure and trusted digital identity platform will render your online services more trustworthy. This in turn will reflect positively on your brand reputation, giving you a competitive edge.

(15)

14

5.5 Know Your Customer - KYC

New Know-Your-Customer (KYC) regulations requires businesses to verify the identity of their customers in order to prevent ID theft and fraud.

Using a trusted BYOID platform will help online service providers to comply with these new KYC regulations. At the same time they are able to offer their users a more personalized service by leveraging their user (attribute) knowledge.

6.6 Enhanced conversion rates & faster onboarding

Using long signup forms and asking users to provide additional personal data makes user onboarding a challenging process. Enabling users to re-use their existing validated digital attribute data when signing up for new online services will greatly facilitate the onboarding process. Especially in regulated environments such as banking, insurance, ecommerce and gambling, the ability to share validated attributes in a secure way will help increases online user conversions. Additionally, this type of approach reduces user mistakes during the sign-up process.

(16)

15

5.8 Increase operational efficiency

Using a trusted digital ID-platform will enable businesses to move some of their processes and services online. Especially businesses offering labour intensive services or services that previously required physical ID validation (example: insurance, finance, government, etc) can expect to gain operational efficiency, reduce costs and develop new online business streams.

(17)

16

Trusted BYOID use cases

6

6.1 Insurance industry

Although virtually all insurance companies offer some level of online services these days; most (if not all) of them still require you to send some physical proof of your identity when taking out an insurance policy. Today this is done either by printing, signing and faxing/emailing back the signed contract and by including a copy of your ID-card or similar. This implies a lot of time, resources and costs are directly related to handling the vast paper flows.

By integrating their online services with a trusted ID-platform, insurance companies and agents can offer their customers the ability to legally sign insurance policies & claims online. Imagine the time gains and cost reductions that could be achieved by adopting such a model.

6.2 iGaming industry

The boom of the online gaming & gambling industry over the recent years, has triggered a whole set of new legislation & regulation to come into effect. Although the exact legislation might differ per country or state, in most cases online gaming/gambling providers are required by law to “Know-Your-Customer” (KYC). This means they will need to perform some sort of age, or even location, verification.

Integrating these verification steps into the user registration process will often hinder the

onboarding efforts and reduce conversion rates. By linking their online gaming/gambling service to the trusted ID-platform, providers of these services could re-use already validated user attributes. This would enable them to greatly facilitate the onboarding process while at the same time complying with legal requirements.

6.3 Government/public sector

Similar to the private sector, government agencies are increasingly under pressure from their citizens to offer secure and convenient public services 24/7.

Although some governments have already made great strides in digitalizing their public services offering, requesting official documents today will still require users to drive down to a local administration center and provide some form of physical identification in order to obtain required documents.

(18)

17

Though different public services are already offered online today in some countries (library, police, tourist information, tax declaration, pension fund, etc.), most often they are not

interconnected and require users to use different login and authentication credentials in order to gain access. The result is a poor user adoption rate which results in a less than optimal return-on-investment (something which is increasingly important also for governments in these dire economic times).

At the same time, government agencies hold a vast numbers of validated user (citizen) attributes (age, address, sex, D.O.B., etc.), and this is an asset that is not maximized today. By enabling their citizens to use government-validated credentials for other “commercial” online services, governments (both local and federal) can help increase user adoption for their own services. At the same time the ability to use government validated attributes will enable service providers to comply with new online transaction security and KYC regulations. A pre-requisit for such a framework to succeed is the availability of a secure and trustworthy digital ID-platform.

(19)

18

How can I establish a trusted

BYOID framework for my business?

7

VASCO’S trusted BYOID platform MYDIGIPASS®

MYDIGIPASS is the secure and trusted BYOID platform of VASCO Data Security, a world leader in strong user authentication, electronic signature and ID-management solutions.

Application providers can easily integrate the MYDIGIPASS “secure connect” API into both

their online and mobile applications in order to increase security, comply with legal requirements, facilitate user onboarding and gain customer knowledge.

Identity providers are able to join the MYDIGIPASS platform and offer their user community

access to a full range of new and secure online services under their own brand.

Users can download the MYDIGIPASS mobile app from the appstore, create a free account

and gain secure access to all supported applications (that have integrated the API).

Additionally, users are able to stay in control of their digital identity attributes. The user decides which of his/her attributes are shared with which application.

Banking level security 2-factor authentication Proven DIGIPASS® technology Easy deployment Cost-efficient 1 implementation Supports mobile, eID,

intel IPT & hardware tokens

Flexible pricing Pay as you grow Free for your users

(20)

19

About VASCO

8

VASCO is the world leader in providing Two-factor authentication and Electronic

Signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications, and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets.

(21)

20

Glossary

9

Term Explication

2-Factor authentication Security logon process with 2 different stages in order to log on. An example of the 2nd step is an SMS passcode or generated code on your smartphone.

ASP Application Service Provider

Attribute Parts of your (online) identity, which contain specific characteristics that form your identity.

BYOD Bring-Your-Own-Device; Employees are using their own private laptop/ smartphone/tablet on their daily job instead of using company provided material.

BYOID / BYOI Bring-Your-Own-Identity is an emerging approach to identity validation in which organizations allow users to authenticate to a website and consume web services using a digital identity that has already been established with a third party.

Instead of requiring visitors to create a new identity during the registration process, using an existing digital identity enables the user to leverage a “valid” identity from a current service provider.

eID Governmental trusted and validated online identity service using an elec-tronic ID. Already 150 million verified e-IDs in Europe.

ID-provider Government was the only ID-provider for ages, but with the rise of social media, these players (like Facebook and Google) are now playing a role as online ID-providers.

IoT The Internet of Things; All connected devices on the internet such as wear-able’s, internet connected fridges and smart cars.

KYC Know Your Customer

MYDIGIPASS Trusted Identity Platform from VASCO

Onboarding The process of converting a visitor of your application into a user/customer with a profile.

(22)

21

Sources

10

1. http://www.gartner.com/newsroom/id/2466615 2. http://share.cisco.com/IoE/index.html 3. http://www.thinkwithgoogle.com 4. https://www.forrester.com/ 5. http://www.prweb.com/releases/2012/1/prweb9086226.htm 6. https://datafloq.com/read/login-data-gold-social-login-data-platinum/92 7. https://mydigipass.vasco.com 8. http://wearesocial.sg/blog/2015/01/digital-social-mobile-2015

Figure

Updating...

References

Updating...