The Future of Identity Management

Part 1: Centralizing Identity and Access Management

Junis Alico
The Startup
Oct 2, 2019


Earlier this summer I got invited to speak on a panel during Identity Week Asia 2019 on the future of identity and access management. As the conference is approaching, and I am getting ready for this incredible experience, I’ve been thinking more and more about the topic and where the field is going. I thought I’d jump on here and share with you my untainted views prior to speaking at the conference and exchanging ideas with colleagues from around the world. I’ll update you on how my views have changed and on any new information I’ve learned after the conference, so stay tuned for part two.

Security vs. Ease of Use

From the very beginning, there has been a clear conflict between security and ease of use. The more the security of vital information is enhanced, the less user-friendly its access becomes. We’ve all experienced the dreaded password forgetting and resetting workflows — you know, the ones with multiple requirements: the new password must not have been used in the last year, must contain at least one special character, must be at least eight characters long, must have at least one uppercase and one lowercase character, and so on. Some organizations even require you to have MFA enabled, forcing you to install an app or take the extra step of checking your email for a confirmation code. This is security versus ease of use personified. The more secure systems are made, the harder they are to access.

Identity and access management is no different. There is a big push to give identities extra attention as new laws aimed at protecting the individual, e.g. GDPR, are introduced. Users are demanding that their identities be a top priority and protected at all costs, and organizations that fail to do so face litigation and/or large fines.

At the same time, however, there’s also the need for increased personalization. Companies are expected to tailor content and products to users. This requires more personal data points to be collected for each customer. The more data points are collected, the more damage is caused if the identity is hacked.

Thus, we run into a dilemma. How do you increase personalization while tightening system security? The future of identity management must be one where both requirements of identity and access management are fulfilled:

  1. Increased security
  2. Tailored/personalized services and content

Eventually, industries, aided by new laws, will strike the right balance between securing their customers’ identities and providing the best-tailored services that users expect.

Centralization of Identities

Globalization comes with new requirements for organizations as customers expect ease of use. End-users want companies to facilitate their online experiences. They don’t want to have to enter credentials multiple times. They want seamless integration across all services, even if the services are not part of the same company. Organizations and companies are expected to integrate with one another to better serve their clients. The process has already started with the majority of brands already allowing, and in some cases preferring, users to use their social media accounts to log in.

In the not-for-profit space, government agencies and NGOs are expected to tightly integrate with one another. In the case of scientific journal publishing, the need for a central identity has clearly emerged, especially with ventures like ORCID now being more popular than ever and starting to be mandated for some professional organizations.

Given these strong currents shaping identity management requirements, I foresee an increased need for a centralized identity. This would be a global service where identities are stored and used by vetted organizations who will not misuse their privilege, or else face serious consequences.

For a more detailed account of my centralized identity service methodology, along with its pros and cons, please see my previous article on How GDPR is Forcing the Tech Industry to Rethink Identity Management & Authentication.

If a single identity service is not achieved soon, at the very least, I foresee different industries creating their own centralized identity databases that individual entities and businesses can tap into. The industries that could be at the forefront of this undertaking include the education system, the scientific publishing niche, e-commerce, social networking, professional collaboration tools, and so on. Eventually, these niches will come together into a single global identity repository.

Biometrics & Neuralink

Currently, authentication can happen in one of three ways:

  1. From something you know — e.g. username/password combination
  2. From something you own — e.g. a cell phone can get a text or temporary code
  3. From something you are — e.g. biometric authentication, thumbprint, retina scan, etc.

Biometrics are great when used for authentication, and the trend of utilizing them for access management will most likely continue to grow. However, I don’t see simple physical biometric properties as something used in the long run. Thumbprints, retina scans, palm prints, and other scanning techniques will most likely be replaced by something more intricate in the long term. In the short term, they might temporarily thrive since better options are still in early development.

One of these better options is combining biometrics with human-machine interaction methodologies, such as Neuralink. If you are not up to speed on Neuralink, watch the video below.

This combination will most likely introduce a fourth mechanism for authentication. The fourth mechanism will essentially be on the intersection of something you know (#1 above) and something you are (#3 above). Combining these two techniques will create authentication and access management that are truly seamless and much more secure. With implants like those of Neuralink, machine-extracted knowledge from the subconscious might become possible, and it could facilitate access through something you know but don’t have to actively remember. Combined with a physical imprint of your being, this new methodology will pretty much guarantee a higher level of security, as you’d have to replicate someone’s subconscious to hack the identity.


Quantum Computing

It is hard to predict how quantum computing advancements will revolutionize identity and access management. This field is still in its infancy, with some impressive initial results.

However, if quantum computers do become commercially viable at some point in the future, such technology will inevitably revolutionize the identity management field overall. It will have to quickly adapt to the paradigm-shifting computer evolution that will naturally emerge from quantum technology.

Blockchain

There’s been a lot of buzz around blockchain in the last few years. Many companies, especially startups, have quickly jumped on the blockchain bandwagon. When it comes to identity management, blockchain promises a decentralized solution where data is not stored in a central repository/database. Instead, identities are stored across the blockchain so that identity theft becomes almost impossible.

Before I make any predictions on whether this methodology will work for identity management in the future, I’d have to first theorize over whether blockchain, in general, will survive, or if it will fade away just like a number of other emerging technologies out there.

Either way, if blockchain does survive, it could serve as the centralized location of all identities as per my description in the “Centralization of Identities” section above. Blockchain could be that one central repository where all identities are stored, even though within the chain itself the identities are decentralized.

From my experience with managing identities, integrating systems, SSO implementations, etc., however, I don’t think that blockchain will have a major role in identity and access management. The field will most likely continue to utilize methodologies that are intrinsically easier to manage versus the blockchain itself becoming the central repository of identities.

. . .

There are other technologies out there that look promising in identity and access management. As of now, however, I don’t see any of them becoming major players in this field and, therefore, will not be covering them in this article. If any of these new technologies start gaining traction, I will make sure to cover them in future writings.

Thank you for reading.

Junis Alico
The Startup

Tech exec & entrepreneur, experienced in product development at Fortune & Global 500 companies, federal/local government organizations, and startups.