Before I can answer that questions, I need to define what I think Identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.
In its most basic terms, authentication is the what-of-you, identity is the WHO-of you. You can authenticate via password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics, and have 5 different hardware tokens and you would still not know to any degree of certainty if I’m good for a loan.
Example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this hypothetical] that they are both who they say they are, but do you feel equally comfortable lending them your car?
I would assume the answer is no, you would NOT be comfortable loaning a stranger your car, so what’s the difference? Trust, pure and simple. You trust your friend because you know WHO they are, not WHAT they are.
Unfortunately you will never be able to know everyone on the planet as well as your friends, so how can you assure a sufficient level of trust to do business of any sort? Currently, authentication is enough, but it’s almost entirely one way. If you want to buy something on the Internet YOU have to complete the login details (often including a permanent account), you have to enter all of your payment details, and you have to accept the risk that the merchant will send the goods as promised.
With an identity, built over the course of time and receiving input from many sources, every individual and every organisation can build a demonstrable level of trust so that both sides have the assurance they need to conclude the transaction. Fraud in e-commerce is rampant because we simply don’t have this 2-way assurance.
From the individual side: Credit score, confirmation of available funds, payment history, and any number of other factors can build a Trust Assurance Score (TAS), and it will be up to both the buyer and the seller to agree on the level of score required to complete a purchase. e.g. on a scale of 1 – 100 (100 being a perfect TAS) the merchant needs a score of 5 to buy the ubiquitous cup of coffee, but a score of 50 to rent a car, and a score of at least 75 to get a mortgage.
From the merchant side: Time in business, corporate credit rating, ratings and reviews and so on can build their TAS, so you can decide up front the level of risk you are prepared to accept to conduct the business at hand.
Clearly there are many challenges with this; How do you build a rating in the first place (the young and new businesses should not be unfairly advantaged)?; How do you provide instant access to this rating without exposing all of the detailed information behind it?; How do you tie in the level of authentication required to even request a TAS? And so on.
I’m not proposing a way to fix this, I’m simply trying to demonstrate that the reason we don’t HAVE identity built into transaction authentication is that these issues have not been addressed yet. And until we have identity built into transactions, we won’t have the levels of trust required to make significant change. Payments for example will move from plastic to mobile, but authentication (even multi-factor) is not enough to significantly reduce fraud.
I suspect block-chains (the technology behind crypto-currencies) has a big chunk of the answer, but I can’t even conceive on how this will be done. I just know it needs to.
[If you liked this article, please share! Want more like it, subscribe!]