Identity is core to digital experience

Being able to identify employees and customers is not only necessary for security reasons, it is central to providing good digital experiences.

"The right to be anonymous is definitely important," said Ping Identity CTO Patrick Harding, but it can be overwhelmed by the efforts of marketing departments. Without government regulation, organisations have no incentive to preserve privacy.

One example of government intervention is the EU's General Data Protection Regulation (GDPR), which Harding noted mandates user consent and includes the 'right to be forgotten' even when the relevant data must be retained for compliance with other laws or regulations.

Ping's technology can help organisations comply with such rules by governing access to user profile data in a policy-based way.

"User consent is becoming a more and more important paradigm that organisations are going to have to adhere to," Harding said.

While many people are concerned about privacy, identity is central to providing a good user experience, he suggested. It also allows an organisation to gain a single view of its customers.

Customer identity and access management (IAM) is a relatively new part of Ping's business, which has traditionally focussed on enterprise IAM.

The growing use of SaaS and mobile apps has made IAM more complex, said Harding, but the widespread adoption of smartphones in recent years has made multi-factor authentication more acceptable. People didn't like using security tokens, but "employees love it" if you implement authentication via push notifications to their phones. So he suggests that it's time to reconsider multi-factor authentication if you're not currently using it.

However, there are many edge cases where smartphones aren't the (whole) answer. Some people choose not to use smartphones, others do not want to use their personal phone for any work purpose, and some workplaces have banned the use of mobile phones.

Workarounds include delivering one-time passwords via applications running on computers rather than phones, or via emails to corporate addresses. This is "not as good a user experience" but shows that the issues can be worked around.

Harding said there is a need to integrate physical and logical security credentials, for example by using a building access badge as part of the log-in process. Proximity-aware devices such as badges would be convenient, he said, especially in situations such as a kiosk shared by hospital staff because they would not need to keep logging in and out. "That's the vision of where we need to get to," he said.

It is also possible to combine information from different sources to help confirm a person's identity. For example, there's reason to be suspicious if the access control system puts them in one place but their smartphone is somewhere else, so further authentication would be appropriate. And the more sensitive the systems being accessed, the more rigorous the authentication needs to be.

Yet there is a particular problem with making the smartphone too central to the authentication process: "if you lose your smartphone, you're kinda hosed," Harding said.

