Moving toward password-free, low-friction user authentication, identity and access management provider PingIdentity has joined the ranks of cybersecurity vendors embracing decentralized identity management. It offers an early version of its multi-standard product, PingOne Neo (Figure A).
What is decentralized identity?
Identity and access management, or IAM, often involves a complex handshake built on personal data that each company stores about the user. Besides demanding a lot of manual activity from the user, this model increases risk for both users and the company: the large volume of personal data held by businesses creates a large attack surface for data breaches.
Enter decentralized identity: instead of each service provider holding and verifying its own copy of the user's identity data, the user holds credentials issued by trusted parties and presents them directly to whoever needs them. Each user has a decentralized identifier, or DID, which removes the need for a central identity verification authority. Many implementations anchor DIDs and issuer keys in a distributed ledger (blockchain), but the security of the scheme rests on the cryptographic signatures over the credentials and on the user keeping the wallet's private keys safe, not on the ledger itself being impossible to hack.
A portable, scalable solution
In a 2022 report, Gartner noted that the common IAM paradigm, in which a user must validate their real identity with each new service provider, “is not scalable due to the pace of digitization. Portable digital identity solutions will be needed to support both current and evolving use cases over the long term.”
A decentralized identity solution is a portable or “BYOI” model where “the user’s identity data is typically not stored by a centralized third party, but stored locally in the user’s digital identity wallet and managed using the underlying ledger [blockchain] infrastructure,” says Gartner.
It is also more secure because it exposes less user data: the data no longer has to be handed over to each relying party (banks, retailers, health insurers and so on) that needs to check it. Self-Sovereign Identity – or SSI – is a form of decentralized identity in which the user manages their own identity by storing credentials from multiple sources in a digital wallet. Because the user presents signed credentials rather than the raw identity data behind them, and shares only the attributes a transaction needs, decentralized identity also reduces the opportunity for transaction fraud.
Standards-based operation will be important for digital IAM
PingOne Neo is designed to make it easy to verify users whether they sit inside or outside your organization. According to Darrell Geusz, product manager for PingOne Neo, the process does not require complicated back-end integrations. He said the technology lets a user request a verifiable, cryptographically signed credential from an organization; the credential is added to the user’s digital wallet and can then be presented to any business that requires it, giving the individual full control over what is shared.
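To make that issuer-to-wallet-to-verifier flow concrete, here is an added example; it is not PingOne Neo code and not from the page. It models the three parties in Go: the issuer signs a credential that carries only salted hashes of the claims (the selective-disclosure construction SD-JWT uses), the holder keeps the per-claim disclosures in a wallet and reveals only the ones a verifier needs, and the verifier checks the issuer's Ed25519 signature before binding each disclosed claim to it. The DID string, claim names and values are constructed for the example, and the sketch leaves out holder binding (proof that the presenter controls the wallet key), which a real credential format carries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as SD-JWT uses

// Credential is what the issuer signs and the wallet stores: the payload holds only salted-hash digests of claims.
type Credential struct{ Payload, Sig []byte }

type payload struct {
	Issuer  string   `json:"iss"`
	Digests []string `json:"digests"`
}

// disclosure encodes [salt, name, value] as base64url JSON; only its digest enters the signed payload.
func disclosure(name, value string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	raw, _ := json.Marshal([]string{b64.EncodeToString(salt), name, value}) // marshalling []string cannot fail
	return b64.EncodeToString(raw), nil
}

func digest(disc string) string {
	sum := sha256.Sum256([]byte(disc))
	return b64.EncodeToString(sum[:])
}

// Issue signs the claim digests; the holder receives the credential plus the per-claim disclosures (the wallet).
func Issue(priv ed25519.PrivateKey, issuer string, claims map[string]string) (Credential, map[string]string, error) {
	wallet, digests := map[string]string{}, []string{}
	for name, value := range claims {
		d, err := disclosure(name, value)
		if err != nil {
			return Credential{}, nil, err
		}
		wallet[name] = d
		digests = append(digests, digest(d))
	}
	sort.Strings(digests) // sorted so digest order reveals nothing about the claims
	body, _ := json.Marshal(payload{Issuer: issuer, Digests: digests})
	return Credential{Payload: body, Sig: ed25519.Sign(priv, body)}, wallet, nil
}

// Present selects the disclosures for the named claims only; the rest never leave the wallet.
func Present(wallet map[string]string, reveal ...string) []string {
	var out []string
	for _, name := range reveal {
		out = append(out, wallet[name])
	}
	return out
}

// Verify checks the issuer signature, then binds each disclosed claim to the signed payload via its digest.
func Verify(pub ed25519.PublicKey, cred Credential, disclosures []string) (map[string]string, error) {
	if !ed25519.Verify(pub, cred.Payload, cred.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	var pl payload
	if err := json.Unmarshal(cred.Payload, &pl); err != nil {
		return nil, err
	}
	signed := map[string]bool{}
	for _, d := range pl.Digests {
		signed[d] = true
	}
	claims := map[string]string{}
	for _, disc := range disclosures {
		if !signed[digest(disc)] {
			return nil, errors.New("disclosure not covered by issuer signature")
		}
		raw, err := b64.DecodeString(disc)
		var parts []string
		if err != nil || json.Unmarshal(raw, &parts) != nil || len(parts) != 3 {
			return nil, errors.New("malformed disclosure")
		}
		claims[parts[1]] = parts[2] // verifier learns only what was disclosed
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed data: a turbine vendor's issuer key
	cred, wallet, _ := Issue(priv, "did:example:turbine-vendor",
		map[string]string{"name": "A. Technician", "employer": "SubcontractorCo", "cert": "model-X-service"})
	fmt.Println(Verify(pub, cred, Present(wallet, "cert"))) // name and employer stay hidden
	forged, _ := disclosure("cert", "model-Y-service")       // a claim the issuer never signed
	fmt.Println(Verify(pub, cred, []string{forged}))         // rejected
}
```

The verifier never sees the undisclosed claims, only their salted digests, and a disclosure the issuer did not sign fails the digest check even though it is well formed; the same check catches a holder editing a value inside a disclosure, because the edit changes the digest.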
According to PingIdentity, PingOne Neo is a component of an open and interoperable platform that supports popular decentralized and other identity standards from the World Wide Web Consortium, the OpenID Foundation, and the International Organization for Standardization (ISO). PingIdentity is a key contributor to the Open Wallet Foundation Initiative, which promotes interoperability between digital wallets through open source software.
“Everything is based on standards, so we have complete interoperability,” Geusz said. “Once you have the credentials in your wallet, any interaction is possible depending on the standard: for W3C standards, it’s all QR code-based. Or you can use OpenID Connect certificate-based authentication. In accordance with the ISO standards on which mobile licenses are based, it is possible to conduct face-to-face transactions using Bluetooth or near-field communication technologies to share your data in person.”
Geusz said PingOne Neo follows the trend toward passwordless authentication. “Most of our customers are going passwordless,” he said. “There are mechanisms that don’t even need your username anymore. Neo enables this too, so when you log in, everything happens without a password.”
A decentralized identity key that fits many locks
PingIdentity holds one share of the crowded identity management, or identity-as-a-service, market, which includes a very long list of providers such as Microsoft, Okta and ForgeRock, alongside standards bodies such as the OpenID Foundation.
“One of our biggest sectors is global banks, which are either looking for labor or consumers or both,” Geusz said. “We’re present in retail, healthcare, manufacturing and delivery—3.5 billion identities are managed on Ping software platforms around the world.”
Gartner reported last year that organizations under pressure to move interactions online face a paradox: they have to deal with user trust issues without creating user friction. “Organizations are challenged to differentiate among the many identity verification vendors on the market today amid indistinguishable marketing claims about accuracy and machine learning,” the market consulting firm wrote in a March 2022 study.
Gartner predicts that by 2025 a global standard for portable decentralized identities will emerge “to address business, personal, social and identity-invisible use cases.”
“There are emerging standards now that need to be implemented by the end of the year that will allow us to issue credentials to third-party wallets,” Geusz said. He said when a user is issued an ID credential, they can use a mobile app, such as the workforce app, to match their wallet to the credential issuer.
Geusz said PingOne Neo also supports device-side biometrics, such as Touch ID and Face ID, which can interact with the wallet’s authentication software. “However, we also support server-side biometrics: in our Ping back end and software service, we provide selfie matching and voice verification to support the call center and customer service.” He said a photo can be embedded in a credential, making it work similarly to a mobile driver’s license at a TSA checkpoint.
“When you present your digital credentials, you can include your photo, which allows for a live biometric match either online, using web-based technology, or in person,” he said. “And that means you don’t have to store the photo on the back end. It just needs to be inserted into the digital credential and into the user’s mobile digital wallet, allowing them to present it like a digital driver’s license.”
PingIdentity is all about speed of trust
How does all this look in practice, at least potentially? Geusz suggests the following scenario: you are a service provider to a large wind turbine manufacturer’s customers, the electrical utilities. One of the turbines goes down. Time is of the essence.
“Right now, when one of your technicians shows up at a wind farm, it can take hours for them to figure out who the guy is before he can get both physical and digital access for the repair: Is he certified? Is he allowed to work on that particular wind turbine model? Does he really work for the vendor? It could be a subcontractor or even a third party,” Geusz said.
What if they could instantly present verified credentials from the manufacturer with a tap on their phone? “And what is the downtime now? Zero. This is the speed of trust. If you can accelerate the process of achieving trust, it will be of great benefit to your business.”
How decision makers should choose IAM solutions in a crowded market
The identity verification market is large and includes dozens of vendors. In its report, Gartner said security and risk management leaders should:
- Balance user experience and trust requirements by considering whether “ID plus selfie” proof of identity is really necessary, or whether a combination of identity verifiers is sufficient.
- Be careful about relying solely on data-centric confirmation because of how easily bad actors can obtain a user’s personally identifiable information.
- Use an orchestration layer that combines identity verification, fraud detection, and user authentication capabilities to manage risk.
- Accept that comparing the accuracy of different vendors is challenging and may not be practical; focus instead on ease of implementation, user experience, connections to data sources, and references from customers with a similar profile.
- Look to the future by exploring how to leverage existing nascent portable digital identity schemes where they are sufficiently widespread within the user base.
- Assess whether the level of identity assurance provided is sufficient for your needs.
- Take advantage of the UX improvements available through a portable digital identity.