Four Pillars of Inclusive Identity

A while ago I wrote about the Digitally Vulnerable Person (DVP), where I only really scratched the surface of the problem of people being excluded from digital journeys. Since then I went on a quest to spread the word and seek a universal solution, a cookie-cutter identity product, and… I failed. Believe it or not, I focused too much on minority groups, and after a while I came to the conclusion that…

Digital Vulnerability Doesn’t Discriminate…

As ridiculous as it sounds, we can all become vulnerable at some point in our lives. We can become DVPs regardless of our physical or mental ability or our economic status. Imagine coming to work and forgetting your phone, which is the only way for you to complete MFA (Multi-Factor Authentication). You work in sales and are just about to join a call to finalise a $1M deal. But you cannot. Your job is on the line. That makes you pretty vulnerable in my book, as you have a large family and are the only breadwinner. Let’s look at another example. You need to request a document from a government service in order to take up a new job you’ve applied for. The service requires a passport, and if you don’t have one, it falls back to a series of questions… about yourself. A classic use of Know Your Customer verification. The only problem is that the questions are ambiguous and, despite several attempts, you actually fail to authenticate yourself (that’s a real-life example, by the way). So you can clearly see that it’s not just about disabilities!

And let me make it perfectly clear. Inclusion isn’t defined by how many methods of authentication we offer or how easy they are; that is just technological diversity.

Inclusion is how people feel!

The Focus

In my desperate attempts to make the digital world a better place, I figured that the more I focused on the root causes of the problem rather than its consequences, the more problems I started to solve. Let’s look at the following example. A deaf person needs to rebook a flight. She cannot do it online, so she messages the airline’s customer services, and they tell her that they cannot solve this problem via social media and that she should… call them. They missed the point completely! I could fix this easily by building an app where the user is authenticated and can use chat to communicate. But I would only be solving one use case, while the problem is of another nature: we are simply using inappropriate channels. Laser-focused on this newly discovered phenomenon, I created the four pillars of inclusive identity.

1. Inclusive By Design

My dear identity aficionados, it’s not just about technical controls! Some things are best solved by design. Common sense needs to prevail, and we need to bring a bit of empathy to our drawing boards. Let’s go back to our example of impossible authentication based on security questions. If you live in the UK, the fact that you haven’t changed your mobile phone in years doesn’t mean that your contract has remained the same. I have seen questions on our government websites asking when we last took out a mobile phone contract. Jokes aside, this question is ambiguous, and there’s a fair chance you will fail to answer it correctly because of the problem with the definition of the contract itself. Does porting your number into an existing contract count? I haven’t physically changed my number (and, in my view, the contract) for years, yet my mobile app says it was 3 years ago, and I took a new handset and signed new T&Cs a year ago…

We need to be proactive rather than reactive, and perhaps expand the QA process by making the test audience fairly diverse. And we always need to take redundancy into consideration: what if the user cannot complete a specific step in the journey? Is there an alternative we can think of?

2. ‘Everything, Everywhere, All At Once’

And the Oscar goes to: ‘Adaptive, Omni-channeled And Context Aware’

‘Everything, Everywhere, All At Once’ won 7 Academy Awards, and I think it’s the perfect analogy for this pillar. ‘Everything’ means that we’re not only looking at credentials and/or prescribed authentication methods. We should also be looking at other attributes, especially if they carry the notion of digital vulnerability. For example, if an elderly person doesn’t have a smartphone, we need to adapt the digital journey from app authentication to perhaps SMS (more on the security in the last pillar). We can also look at other contextual attributes, like geographical location, the device accessing the system, day of week or time of day. ‘Everywhere’ implies omni-channel journeys. It means that we can start a journey on a desktop computer, use a mobile to authenticate, and then finish on the desktop. If I call customer services, they can authenticate me via a push notification to my mobile instead of asking too many questions I may not know the answer to. And last but not least, ‘All At Once’ implies the adaptive character of digital journeys. Instead of being prescriptive and deciding on one or two authentication methods/factors, we can offer a multitude of them in an easily digestible form, based on the preference, necessity or requirement of the user. I call this approach ‘Everyone can drive a Ferrari’. Let’s identify the methods within the risk appetite of the organisation and let users choose which they want to use. It doesn’t matter if it’s 5 or 10. Use them all if you can. That way the journey naturally settles on what works best for each user. And the various permutations of the journey are available just in time (JIT), out of the box and without the need to go through different entry points. One journey that fits all is the dream, but it can only be achieved if it’s adaptive.

3. Connected

No one goes through their lives on their own. Or at the very least you need to be unlucky to do so. At some point in our lives we all needed some form of help. Don’t look far – COVID-19 global outbreak put a lot of people in a vulnerable position. They couldn’t leave their homes. They relied on medications and groceries being delivered to them and we didn’t really have a great system to delegate authorisation to distribute controlled substances – at least at scale.

So, when the chips are down and you have lost access to a system, let’s say an online retailer, what do you do? You call customer services to reset the password, and they ask you questions. But hold on, the advisor who is authenticating you is probably… the worst person in the whole wide world to do so! They have never seen you, talked to you or worked with you, and everyone knows my dog’s name is Tilda! I wrote about the concept of ‘Trust vs Authority’ previously, but long story short, who is the best person to confirm your identity? Those closest to you. If they have a trust relationship in good standing with the organisation you are trying to establish (or re-establish) trust with, then… a friend of my friend is my friend!

What does this mean in the context of identity? Well, if you have lost your phone and cannot authenticate, we can switch context within the authentication journey: ask for your username and password, and confirm via push/app on your peer’s device. Those flows have to be designed on the ‘it takes two to tango’ principle, making sure no single party can complete the flow end to end on their own, in order to maintain security and non-repudiation.
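The ‘it takes two to tango’ recovery flow above, as an added example that is not part of the original post: the user’s own step (password) and a peer’s approval are both required, the peer must be distinct from the user and in good standing with the organisation, and the approval must be bound to this specific request. The per-device HMAC keys and the TRUSTED_PEERS table are constructed stand-ins for the peer’s enrolled push/app authenticator and the organisation’s relationship records.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed data: peers each user has nominated, and whether the peer's own
# account with the organisation is in good standing (the trust relationship).
TRUSTED_PEERS = {"alice": {"bob": True, "carol": False}}

@dataclass
class RecoveryRequest:
    request_id: str
    user_id: str
    password_ok: bool = False
    approved_by: Optional[str] = None

class PeerAssistedRecovery:
    def __init__(self, device_keys: Dict[str, bytes]):
        # Stand-in for the peer's push/app channel: a secret only that device holds.
        self.device_keys = device_keys

    def start(self, user_id: str) -> RecoveryRequest:
        # Fresh random id so an approval cannot be replayed against another request.
        return RecoveryRequest(secrets.token_hex(8), user_id)

    def user_step(self, req: RecoveryRequest, password_ok: bool) -> None:
        req.password_ok = password_ok  # the party being recovered proves something they know

    def approval_tag(self, peer_id: str, request_id: str) -> str:
        """What the peer's device returns for this specific request."""
        return hmac.new(self.device_keys[peer_id], request_id.encode(), hashlib.sha256).hexdigest()

    def peer_step(self, req: RecoveryRequest, peer_id: str, tag: str) -> bool:
        if peer_id == req.user_id:
            return False  # the user may not vouch for themselves
        if not TRUSTED_PEERS.get(req.user_id, {}).get(peer_id, False):
            return False  # not nominated, or the peer's own account is not in good standing
        if peer_id not in self.device_keys:
            return False  # no enrolled device to approve from
        if not hmac.compare_digest(tag, self.approval_tag(peer_id, req.request_id)):
            return False  # approval is not bound to this request
        req.approved_by = peer_id
        return True

    def complete(self, req: RecoveryRequest) -> bool:
        # Neither step alone is sufficient; both parties must have acted.
        return req.password_ok and req.approved_by is not None
```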

4. Balanced

Security is important, but I always say ‘secure enough’ is much better than just secure. If we apply more security controls than the asset is worth, we’re losing money. If we don’t apply enough controls, we are likely to lose money. So, let’s look at an example of what we observe quite often in identity; it’s just one of many, and I hope it visualises the root problem. Take SMS as an MFA method. Security professionals don’t like it because, although MFA is stronger than just username and password (by an order of magnitude), text messaging is still the weakest technology on the spectrum of second factors. One can intercept the messages using SDR (Software Defined Radio) or SIM swapping, or simply phish and then replay the one-time passcodes (OTP). So we naturally move to the more secure methods and, quite frankly, we like apps. Apps are good, apps are secure, apps are bound to our iPhones/Android phones. But… not everyone has apps, can use apps or is able to use them. The common good of the community excluded whole groups of individuals, creating digital vulnerabilities for… the greater good. We focused so much on strength that we forgot the other parameters of a potential threat, for example the attack surface. Why can’t we allow DVPs to use SMS? They are the minority after all. That’s not a reason to exclude them! That way we can balance the attack surface against the overall security of the solution. And what happened to the ‘defence in depth’ principle? It’s not a perimeter security concept, not at all! If we can monitor the behaviour of an individual (UEBA – User and Entity Behaviour Analytics), why can’t we allow weaker methods while the overall risk of the context is low? There are ways to breathe life into weaker methods for the benefit of the ‘new greater good’.
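Pillars 2 and 4 together, as an added example that is not part of the original post: a context-aware policy that offers every enrolled method the user can actually use (no app methods for someone without a smartphone) and that clears a strength bar which rises with asset value and contextual risk, so SMS stays available when the context is low-risk and disappears when UEBA or other signals raise the risk. The strength scale, the risk weights and the asset-value tiers are constructed for illustration, not a standard; an empty offer is the signal to route the user to assisted (pillar 3) recovery rather than a dead end.

```python
from dataclasses import dataclass
from typing import List, Set

# Coarse ordinal strength of each method; constructed for this example, higher is stronger.
METHOD_STRENGTH = {"security_questions": 1, "sms_otp": 1, "email_otp": 2,
                   "push_app": 3, "fido2": 4}
NEEDS_SMARTPHONE = {"push_app"}

@dataclass
class Context:
    new_device: bool = False
    unusual_location: bool = False
    unusual_time: bool = False
    ueba_anomaly: bool = False  # behaviour-analytics verdict, assumed supplied upstream

@dataclass
class User:
    enrolled: Set[str]
    has_smartphone: bool = True

def context_risk(ctx: Context) -> int:
    """Additive 0..4 score over the contextual signals named in pillar 2."""
    return sum((ctx.new_device, ctx.unusual_location, ctx.unusual_time, ctx.ueba_anomaly))

def required_strength(asset_value: str, risk: int) -> int:
    """Pillar 4: the bar depends on what is protected and on the context's risk,
    not on the strongest method we happen to have. Weights are illustrative."""
    base = {"low": 1, "medium": 2, "high": 3}[asset_value]
    return min(4, base + int(risk >= 2) + int(risk >= 3))

def offer_methods(user: User, ctx: Context, asset_value: str) -> List[str]:
    """Pillar 2: all enrolled methods this user can use that clear the bar,
    strongest first. An empty list means hand over to assisted recovery."""
    need = required_strength(asset_value, context_risk(ctx))
    usable = [m for m in user.enrolled
              if user.has_smartphone or m not in NEEDS_SMARTPHONE]
    return sorted((m for m in usable if METHOD_STRENGTH[m] >= need),
                  key=lambda m: (-METHOD_STRENGTH[m], m))
```

A low-value asset in a quiet context still offers SMS to a user without a smartphone; the same user on a new device from an unusual location with a UEBA anomaly gets no self-service method and is routed onwards instead of being silently locked out.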

The ‘New Greater Good’

Armed forces around the world have various principles, but the one I have seen pretty much everywhere I went during my career was ‘Never leave a fallen comrade on the battlefield’. And it is our duty to:

Never Leave a DVP Behind In The Digital Journeys.