Is “Bring Your Own Identity” a security risk or advantage?
By Ellen Messmer, Network World | July 28th, 2014
Questions abound over sites authenticating users via identities established through social networks, Yahoo Ponemon Institute survey shows.
The “Bring Your Own Identity” (BYOID) trend in which websites let users authenticate using identities established through Facebook, LinkedIn, Google, Amazon, Microsoft Live, Yahoo or other means raises some questions in the minds of IT and business managers. And a survey conducted by Ponemon Institute shows a vast difference in how the IT and business sides think about this so-called BYOID method of authentication.
Ponemon asked 1,589 IT and security practitioners and 1,526 business staff personnel, many of them in managerial roles, about what they thought about BYOID and whether it could be used to simplify online authentication for everyone from employees to contractors to retirees to website customers or mobile customers. Both the IT and business sides said they considered BYOID as a way to simplify interactions with customers on the web and mobile devices. Both sides saw it as a way to make registration of new customers easier for them and the organization, plus possible cost reduction related to forgotten passwords and other sign-in problems. But beyond that, the IT and business personnel had differing perspectives about BYOID.
Three-quarters of the business staff answering the survey saw BYOID mainly as a way to either “reduce friction in the user experience” or “simply engagement for users” as a form of “identity validation.” Over half of the business managers thought BYOID would increase revenues for the organization, with many envisioning “targeted marketing.” Less than 15% on the IT side shared this view.
According to the Ponemon survey, 67% of the IT and security respondents saw BYOID as a way to strengthen the authentication process and 55% said it could be a way to improve risk evaluation and decrease fraud. Only about 15% of business people felt that way. IT and security personnel thought more important that the “identity provider” in any BYOID arrangement have some sort of “formal accreditation.”
Respondents on the IT side ranked PayPal, Google and Amazon as the top three preferred identity providers to their organization. Yahoo was ranked of least interest. The business staff ranked Amazon, Microsoft Live and PayPal as the top three identity providers for their employers, with Facebook ranked the least.
When it comes to perceived barriers to BYOID deployment, IT and security personnel were far more concerned about risk and liability concerns and “loss of control” than the business staff. Business staff worried more about “cost.”
“Organizations that accept third-party identities also worry about instances where an identity is compromised and non-legitimate access is granted to applications or customer data,” the Ponemon survey points out.
Not surprisingly, IT and security personnel regard BYOID in a far more technical light, with 57% saying they would feel more favorably about BYOID adoption if the identity provider would implement “fraud risk engines” while 66% said they wanted “multi-factor authentication.” These were of interest to only about a third of the business staff. For mobile devices, four-digit PINs and one-time tokens were more important to IT personnel, while “geo-location” tracking was important to more than half of the business staff.
Both the IT and business sides, though, did want identity providers to give them information related to security issues such as “history of password re-sets,” if the account had been abused, the history of identity takeovers, how long the user account had been established and whether it had ever been suspended. IT personnel also want to have a phone number tied to the account.
The Ponemon survey concluded with the recommendation that the IT and business sides should have a “collaborative discussion” around BYOID in terms of how it might fit into any planned projects.
“This exercise could include basic simulation/modeling of a new online initiative with BYOID and without BYOID,” the Ponemon report said. “This will help address key questions: Will supporting BYOID increase new customer acquisition? Are the costs of continuing to require users to create and maintain their own accounts more than the incremental value that is generated by BYOID?” But before any use of BYOID, a thorough risk analysis should be done by a corporate team that includes legal and business expertise to understand any liability issues.