What You Need to Know
Digital identity has an increasingly fundamental role in our lives as modern society becomes digitized.
Schemes that allow electronic identification, authentication and authorization are six decades old. However, legacy approaches were siloed within each organization we interacted with. Each organization had to address the challenges of account takeover (ATO) fraud, identity theft, data breaches and so on — often with a significant impact on user experience (UX).
Over the past decade or more, we have made more use of identities across organization boundaries (federation, “bring your own identity”). Gartner has seen growth in technologies enabling people to selectively share information or prove eligibility, while maintaining privacy.
Digital identity now extends our personal identity beyond our physical presence, and is becoming widely distributed across multiple organizations, systems, algorithms and smart devices. In addition, organizations are also challenged to manage trusted identities for machines (i.e., workloads, devices), and beyond that for organizations (i.e., legal entities).
There is an emerging ecosystem of people, machines and organizations using, sharing and protecting elements of their identity via trusted infrastructures to get access to assets or to validate claims. There is also a slew of innovation to underpin and enable these new possibilities.
The Hype Cycle
Rising to the peak are zero-knowledge proofs that allow entities to prove something in a secure manner without disclosing evidentiary information required for the proof (e.g., allowing someone to prove they are above the legal age limit without providing their birthday).
Also on the rise are technologies and methods that assert the identity of machines and manage digital identities for them.
Sliding down the trough are previously hyped technologies that still struggle to find widespread adoption. Decentralized identity (DCI) standards have been in the making for years, and some large use cases, like verified.me in Canada, have shown success. However, global adoption still lags.
More established innovations like SCIM, OAuth 2.0 and OpenID Connect can underpin the inner workings of modern identity management architectures and ecosystems. Others are mechanisms to authenticate people’s identities using biometric traits. In previous Hype Cycles, biometrics were covered within one innovation profile. However, starting here, we distinguish between three flavors of biometrics with different trajectories, reflecting differences in adoption and maturity.
Entering the plateau is document-centric identity proofing (DCIP), an established method used by organizations to verify a person’s claim to a real-life identity through verification of government-issued photo identity documents and comparison of them with selfies. At the mature end of the spectrum is data-centric identity affirmation, which is used by organizations to verify someone’s claim to a real-life identity, and often their physical address is cross-checked against databases from external providers. The Hype Cycle ends with social identities, an established form of digital identities for people managed by social media and digital consumer platforms.
The Priority Matrix
Table 1: Priority Matrix for Digital Identity, 2022
Source: Gartner (July 2022)
Transformational technologies covered in this Hype Cycle revolve around technologies that establish, broker and manage trust in digital identities, while allowing users to “own” their digital identity. These technologies are no longer nascent, but there isn’t much experience of how they work at scale, and there are competing specifications. In addition, trust needs a guarantor, and this requires business models that allow third parties to “vouch” for information about other identities.
Organizations acting as “trust anchors” may leverage these technologies for new business models with identity-proofing components to their use cases. In many cases, these can be simple extensions of real-life, nondigital business cases. For example, many companies require a copy of utility, bank or telecom bills as proof of address: decentralized identity can cover this use case. Governments and educational institutions can facilitate the verification of credentials, such as licenses or certificates.
Machine IAM, which covers devices and workloads, is a concern for virtually any organization.
Finding the balance between appropriate levels of trust and UX remains critical for every organization’s employees and customers. Different biometrics offer better authentication UX than passwords and tokens. Continuous Access Evaluation Profile (CAEP) enables sharing risk signals, which contributes to adaptive access approaches, fostering seamless UX for most users by reserving high-friction challenges for high-risk activity.
Publisher: Holland FinTech
Author: Andrii Stelmakh