What Consumers Can Teach Us About The Future of Employee Identity Management
By Mark Settle and Jelena Hoffart
You don’t need a crystal ball to predict the future of employee identity management. You simply need to observe and understand the ways in which consumers establish and employ their digital identities. History teaches us that innovations in employee identity management will be determined and preceded by advances in the effectiveness and convenience of consumer identity practices.
For example, the use of biometric signatures for identity validation was pioneered in the consumer space 10+ years ago with the introduction of Apple Touch ID, Apple Face ID, Microsoft Hello, U.S. Global Entry and CLEAR. The use of biometric factors for employee authentication is a much more recent phenomenon. Biometric techniques have been gradually incorporated in employee identity solutions offered by leading vendors such as Okta, Microsoft, ForgeRock and Ping Identity over the past 4–5 years.
Mobile devices provide another example. Consumers have used mobile phones to establish and verify their identity credentials for over 15 years following the release of the first iPhone in 2007. In contrast, enterprises have gradually incorporated mobile phones within their employee authentication practices over the past 5–7 years, slowly reducing their historical reliance on passwords and physical security tokens.
Innovation in consumer identity management has historically led innovation in employee identity management because the goals and priorities of these practices are fundamentally different.
Enterprises protect internal company resources by avoiding all forms of unauthorized employee access or resource misuse. They seek to reduce the risk of a data breach or malware infection to zero by establishing employee identity practices that enforce zero trust access, least privilege authorization and zero standing privilege principles. Businesses have very different policies regarding consumer identities. Consumer defenses are designed to limit financial fraud to an acceptable level, not eliminate it altogether. Fraud is a necessary business expense to minimize potential revenue leakage and it is tolerated by design. Most enterprises would rather err on the side of more customers and more transactions in the case of a questionable identity claim than lose business to a competitor. A key difference between consumer and employee identity practices is risk tolerance. The optimal tolerance for consumer fraud is non-zero, while the optimal tolerance for corporate infosec failures is zero. This has left the door open for innovation on the consumer side while employee practices have been locked into a stringent zero trust and least privilege architecture.
While employee practices are designed to minimize or eliminate business risk, consumer practices are designed to minimize or eliminate end user friction. Consumers will readily abandon a website or online shopping cart if they feel inordinately inconvenienced by the steps required to conduct their personal business. Consequently, B2C companies are constantly exploring ways in which new technology can be used to improve customer experience, which is a corporate euphemism for getting to a ‘buy decision’ as quickly as possible. Historical practices generally assume that the validity of an identity claim increases in direct proportion to the number of actions a user is required to perform or the amount of information a user is required to submit. However, emerging technologies such as passive biometric signatures, TPM cryptokeys, FIDO2 passkeys and mobile wallet credentials are undermining this conventional wisdom by demonstrating that higher levels of identity assurance can actually be achieved by minimizing end user involvement. These technologies enable authentication on demand with little or no end user intervention, in many cases semi-continuously during a website visit or work session.
Our understanding of consumer identity practices (and a healthy dose of personal intuition) leads us to conclude that:
- Historical authentication techniques have become commoditized and can be mixed-and-matched to support any type of consumer or employee login scenario during the next 3–5 years.
- The quest for passwordless employee authentication is over and passkeys are the solution.
- Identity wallets holding verifiable credentials are the ultimate solution for consumer and employee authentication but widespread adoption in the short term is unlikely.
- Apple and Google’s foray into the use of mobile wallets to store and maintain mobile driver licenses will ultimately lead one or both of these vendors to offer wallet-based employee identity solutions in the future and potentially assume a leading role in workforce identity management.
What is Digital Identity Management?
The three dimensions of digital identity management are proofing, authentication and authorization.
- Proofing verifies that an alleged human identity is real, not synthetic, and that a specific individual is the rightful owner of a legitimate identity. Proofing occurs when an individual opens a new account or applies for a new job. Identity credentials such as passwords, hard tokens, fingerprints or cryptokeys are awarded at the conclusion of the proofing process to authenticate future identity claims.
- Authentication (AuthN) occurs when these credentials are presented to access virtual resources required to conduct personal or professional business.
- Authorization (AuthZ) determines the specific resources an individual can access and the ways in which they can use those resources.
Consumer vs Employee Proofing: Radically Different
Proofing practices for consumers and employees differ dramatically. Consumer proofing is context dependent. The creation of a new online retail account may rely upon some form of social authentication such as “Login with Google” or “Login with Facebook.” This allows companies to leverage the identity management capabilities of Google or Meta and serves a dual purpose for low risk account creation. For users, it eliminates the need to remember multiple login credentials and speeds up the registration and login process. For service providers, it simplifies user onboarding, reduces friction, and can help gather additional user data.
On the other hand, the creation of a new credit card or brokerage account is a highly regulated process in which banks and fintechs commonly use 10+ vendors to verify customer identities. This additional friction is by design because banks are required to verify the identity of each prospective account holder via a process known as Know your Customer (KYC). Additional layers of proofing may require document verification as well as the collection of behavioral, biometric and device data to detect stolen and synthetic identities. (See here for additional detail on the identity verification tech stack for onboarding consumers).
Employee proofing practices also rely upon data and document verification, but the ways in which identity evidence is acquired and processed are radically different. Employee credentials are collected and verified through successive stages of a standard job recruiting process, involving application forms, in-person interviews, background checks and reference checks. Employee proofing is much more time consuming and interpersonal, whereas consumer proofing is engineered to return an approval decision within seconds.
Consumer vs Employee Authentication: Increasingly Similar
Passwords, one-time messaging techniques and biometric signatures highlighted in Figure 1 are routinely used to validate both consumer and employee identity claims. Social authentication practices are almost exclusively used in a consumer context, whereas the use of hard tokens is typically limited to enterprise practices.
Mobile devices are playing an increasingly prominent role in both consumer and employee authentication. They serve as communication platforms that can support one time messaging techniques or function as surrogate hard tokens. Furthermore, they can store biometric signatures and host cryptographically encoded software keys. They have become essential elements of many authentication procedures.
The quest for passwordless authentication has been underway for a long time. Emerging techniques such as TPM cryptokeys, FIDO2 passkeys and identity wallets can potentially eliminate the need for passwords. However, commercial services based upon these technologies are quite limited at the present time.
Consumer vs Employee Authorization: Converged Vendor Offerings Have Emerged
Consumer authorization controls are also context dependent. Controls applied to common retail transactions may limit access to a specific collection of merchandise, pricing discounts and payment procedures. Controls applied to large financial transactions can be considerably more complex. Transactions involving large sums of money may be screened for their size, source, destination and timing before being authorized.
Employee access controls have historically been based upon an employee’s role and responsibilities (RBAC controls) in addition to situational attributes associated with an access request such as its timing, physical location and source device (ABAC controls). Prior to the explosion of cloud applications and infrastructure services, these controls were largely administered through solutions offered by Identity Access Management (IAM), Identity Governance and Administration (IGA) and Privileged Access Management (PAM) vendors. The scale, variety and ephemeral nature of many cloud resources challenged the capabilities of these solutions and led to the creation of new offerings to support Cloud Infrastructure Entitlement Management (CIEM).
During the past 5 years, conventional employee solutions offered by leading IAM, IGA and PAM vendors have merged into a broader category known simply as Access Management. At the same time, vendors operating in this space have extended their capabilities to support both employee and consumer use cases. Okta’s 2021 acquisition of Auth0 illustrates this trend but other vendors such as Microsoft, ForgeRock and Ping Identity have developed similarly converged offerings.
“The TAM we’re addressing is massive and nearly evenly split between [employee] workforce and customer identity. Today, the majority of [Okta’s] business is workforce identity… Auth0 is also a leader in the customer identity market and brings a complementary go-to-market motion and a more developer-centric approach to the market. Combining the companies really accelerates our penetration into that $25 billion market.” –Todd McKinnon, Q4 2021 Okta Earnings Call
Identity Tech Stack and Vendor Landscape: Trends and Opportunities
Key components of the modern identity tech stack are displayed in Figure 2 and illustrated by references to specific vendors. This figure contains a mix of established vendors and new entrants. It is by no means intended to be comprehensive. A recent search of Crunchbase reveals that over 500 identity companies have been founded during the past 3 years alone (roughly equivalent to one new company every two days!).
Significant innovation is currently underway in several of the solution categories displayed in Figure 2:
- Conventional Access Management vendors are being challenged by new entrants offering specialized AuthN/AuthZ capabilities that address the unique problems associated with the use of cloud computing and cloud data resources.
- The ongoing crusade to minimize end user friction has fueled interest in AuthN/AuthZ Development Toolkits that can be used to construct bespoke login procedures for any type of consumer or employee scenario.
- Persistent interest in passwordless employee authentication has given rise to Passwordless AuthN service offerings that can supplement or replace conventional AuthN practices and be easily integrated with pre-existing AuthZ procedures.
- Conventional mechanisms for managing employee AuthZ permissions have struggled to keep pace with the growing complexity of enterprise IT resources, infosec threats and regulatory requirements. Several new entrants offer AuthZ abstraction services — sometimes referred to as an AuthZ ‘control plane’ — to manage AuthZ policies on a more holistic basis across multiple resource domains. This category of offerings is variously referred to as Externalized Authorization Management, Policy Based Access Management or Attribute Based Access Management (EAM/PBAC/ABAC). Attributes managed by these services are broader than those discussed earlier and include various business-related parameters such as project assignments or regulatory restrictions.
- A new crop of tools has emerged to monitor and audit the ways in which AuthN permissions are actually being used in practice, to ensure that policies are being properly enforced and that cases of AuthN misuse or disuse are detected and remediated. These tools are referred to as Identity Threat Detection and Response (ITDR) services, patterned after the Endpoint Detection and Response (EDR) services that are commonly used to protect employee work devices.
The age-old debate between the utility of multifunctional platforms versus best-of-breed tools is alive and well in identity management. Platforms have a way of subsuming innovation, either through acquisition or organic product development. The expansion of several new entrant categories such as Passwordless AuthN, EAM/PBAC/ABAC or AuthN/AuthZ Toolkits may be limited or derailed altogether by the incorporation of these capabilities in the extended platform solutions offered by companies such as Okta, Microsoft and Ping Identity.
And finally, we note a nascent convergence of proofing and authentication solutions. Proofing has traditionally been a one-time event performed during the creation of a new consumer account or the hiring of a new employee. However, advances in the availability of identity-related information and the accuracy of data and document verification technologies have made it much easier to verify proofing credentials on a recurring basis and even incorporate them in routine authentication practices. The construction of authentication challenge questions based upon information collected during the proofing process is an example of this phenomenon. We are in the early innings of what we consider to be a major advance in the effectiveness and convenience of identity verification: the emergence of continuous identity proofing.
Perpetual proofing refers to the ongoing surveillance of identity-related data and documentation to continuously verify identity credentials and thwart attempts to achieve authentication through the use of outdated or fictitious credentials. For example, Apple and Google are establishing real time linkages with state DMV agencies to update mobile driver licenses in the event of a name or address change or license revocation. Similarly, Checkr has introduced a service called Continuous Checks that scans criminal records, traffic incidents, public legal filings and online social profiles to detect changes in the credentials of existing employees that might jeopardize their job qualifications or performance.
A more strategic view of the current startup activity portrayed in Figure 2 reveals an intriguing ‘barbell effect’ between the proliferation of high impact point solutions within the consumer proofing and employee authorization categories. The explosion in consumer onboarding solutions on the left hand side of this diagram is juxtaposed with the viral expansion of employee authorization solutions on the right. Entrepreneurs seeking to build new solutions in either of these areas are encouraged to use one or both of us as potential sounding boards!
The Future of Employee Identity Management: Our Predictions
The Quest for Passwordless Authentication is Over and Passkeys are the Solution
Apple, Google and Microsoft support of FIDO2/WebAuthn passkey standards will catalyze widespread adoption of passkey solutions within the consumer space over the next 2–3 years, becoming as commonplace as the use of Apple Touch ID today. Initial implementations will be optimized to work seamlessly within the device and application ecosystems maintained by each of these vendors. However, ease of use and consumer demands will eventually overcome any initial cross-ecosystem constraints on passkey usage. Prominent early adopters include Adobe, Best Buy, CVS, Docusign, Home Depot, Hyatt, PayPal and Shopify.
Enterprise adoption for purposes of employee authentication will likely take longer. However, early interest on the part of enterprise solution providers is encouraging.
- Google has announced passkey support for its Workspace and GCP enterprise offerings
- Enterprise IAM vendors are establishing partnerships with startup companies offering passkey solutions that can be integrated with their existing solutions. HYPR has partnered with Ping Identity and Descope has partnered with Auth0
- ForgeRock has announced plans to support both device-bound and non-device-bound passkeys on their Intelligent Access platform
- Beyond Identity has a device-bound, enterprise-ready passkey solution currently in production
- Leading employee and consumer password management vendors such as 1Password, LastPass, Bitwarden and Dashlane are implementing passkey solutions this year
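The distinction between device-bound and non-device-bound (synced) passkeys mentioned above is visible to a relying party in the flags byte of the WebAuthn authenticatorData, alongside the user-verification bit and the signature counter. The following is an added example, not code from any vendor named here, showing the policy checks an enterprise relying party can apply to a passkey assertion after the signature has been verified; the relying party ID `login.example.com` and the `make_authenticator_data` helper are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the "flags" byte in WebAuthn authenticatorData.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN checked by the authenticator)
FLAG_BE = 0x08  # backup eligible: a synced (non-device-bound) passkey
FLAG_BS = 0x10  # backup state: the credential is currently backed up


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    """Split the 37-byte fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)


def evaluate_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int,
                       require_device_bound: bool) -> tuple[bool, str]:
    """Policy checks a relying party applies to a passkey assertion.

    Returns (accepted, reason). Assumes the signature over
    authenticatorData || SHA-256(clientDataJSON) was already verified with the
    credential's stored public key (that step is not shown here).
    """
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    if not ad.flags & FLAG_UV:
        return False, "user verification required but not performed"
    if require_device_bound and ad.flags & FLAG_BE:
        return False, "synced passkey rejected by device-bound policy"
    # Counter rule from the WebAuthn spec: when either counter is non-zero the new
    # value must strictly increase, otherwise the authenticator may have been cloned.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "accepted"


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData header for testing; no real authenticator involved."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "login.example.com"  # placeholder relying party ID
    device_bound = make_authenticator_data(rp, FLAG_UP | FLAG_UV, 42)
    synced = make_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(evaluate_assertion(device_bound, rp, 41, require_device_bound=True))
    print(evaluate_assertion(synced, rp, 0, require_device_bound=True))
    print(evaluate_assertion(synced, rp, 0, require_device_bound=False))
```

Synced passkeys commonly report a signature counter of zero, which is why the counter rule only applies when either value is non-zero.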
Identity Wallets are the Ultimate Solution for Both Consumer and Employee Authentication, but Widespread Adoption is Unlikely to Occur In the Short Term
There’s a lot to like about digital wallets holding identity credentials that can be verified by third parties, either proactively or on demand. They are versatile, easily extensible and customizable. They give end users a degree of control over the use of personal identity information that cannot be easily duplicated by other solutions. Furthermore, they provide the highest levels of identity assurance because they rely upon multiple validation authorities instead of a single source of truth.
Wallets also capitalize upon the convergence of proofing and authentication processes. Identity credentials verified during the proofing process, such as mobile drivers licenses or employee badges, can be maintained and kept up-to-date in wallets for reuse during consumer or employee authentication events.
Importantly, this vision is predicated on mobile drivers licenses serving as a Trojan Horse for broader use of Apple and Google wallets as identity credential sources in the future. Apple and Google wallets are already the preferred choice for many types of consumer payments: nearly 75% of iPhone users have activated Apple Pay. The extension of wallet use for consumer authentication is not only likely, but probably inevitable! It’s worth noting that no other companies or company consortia have the market reach needed to trigger mainstream consumer acceptance of wallet solutions. (See here for more detail on Apple and Google’s mobile identity credentials and wallets.)
Apple and Google will Own a Piece of the Employee Identity Management Tech Stack
Apple and Google will ultimately “know your everything” as wallets become the primary source of personal information enabling all facets of a consumer’s online life and many aspects of their physical lives as well. Today, Apple Wallet supports employee badges, insurance cards, loyalty certificates, student IDs, home keys, hotel keys and even car keys. Google is fast on Apple’s heels, launching a mobile ID for Google Wallet in June 2023. Thinking forward to tomorrow, Apple has filed a patent for using an Apple mobile device and stored credential as a badge to access electronic locks in offices, hotels and gyms. And, in June 2023, Apple announced that businesses will be able to accept IDs in Apple Wallet by presenting stored credentials in iPhones or Apple Watches to a business iPhone via a Bluetooth or wifi connection.
The possibilities are endless. Apple hardware is already widely used within commercial enterprises. iPhones, iPads and MacBooks could easily substitute Apple Wallet credentials for existing authentication methods in many employee login scenarios. Google, on the other hand, already offers authentication services for its Workspace and GCP enterprise products. One or both of these vendors could easily become leading, perhaps dominant, contenders in the workforce identity market in the future.