Digital Identity & Authentication
The digital economy needs better solutions for authenticating digital identities to address many of the big problems of fraud and criminality in the ecosystem.
In any functioning society, many everyday transactions only work when a person can prove who they are. Reliable proof of identity is the basis of trust.
So a consumer wanting to open a bank account, or start a job, or hire a car must be able to answer this question: can you prove who you are? In a world of digital services, this need becomes even more pressing. Why? Because in many cases, the ‘consumer’ isn’t even physically present.
That’s why the identity issue is just about the biggest challenge facing the digital economy today. After all, for a scammer to succeed, he or she only has to do one thing: pretend to be you.
Forging a passport or phishing for a password is becoming easier for professional criminals. The digital economy needs a better solution – find it and many of the big problems of fraud and criminality can be addressed.
The difference between identity and authentication
Before looking more closely at the challenges around identity and authentication in Africa, it’s a good idea to describe what these two ‘things’ are.
Identity is a set of details that collectively comprise ‘you’. They could be your name and address. They could be a token/alias (an email or tax number, for example). Sometimes they can even be a physical ‘thing’ (an ATM card). In every case, the identity credential must be unique and effectively say to a third party ‘this is me’.
Authentication describes what we do when a third party asks: ‘OK, how can you prove it?’. In the most traditional case, a person’s ID is their name and the authentication that proves it is a passport or ID card. In the example of an ATM card, the plastic is the ID and the authentication is the PIN.
In the digital economy, the most common form of authentication is the password or PIN.
Unlike ID, authenticators don’t have to be unique – just secret. Clearly, it is vital that the ID and the authentication key are kept apart. As the default ID system for many digital services, email and password provide a very weak system, which criminals exploit every day. They can do this with technology (hacking a database, for example) or they can use social engineering (sending spoof emails, persuading a call centre agent to disclose details, etc.). These criminals can use ‘brute force’ attacks to crack passwords, ‘phish’ until users reveal them voluntarily or browse a person’s social updates for clues (mother’s maiden name, pet names and so on).
To protect users whose login credentials have been compromised, two-factor authentication (2FA) and multi-factor authentication methods are being rapidly adopted across the industry. Requiring more than one factor to validate a user provides a much stronger and more reliable fraud deterrent.
Strong User Authentication Factors:
– Knowledge: Something I know (PIN, password …)
– Possession: Something I have (a code generator or other hardware token)
– Inherence: Something about me (fingerprint or other biometric)