Going Social for Secure Digital Identities

August 25, 2015

Contributor: Susan Moore

Digital business is driving the need for reusable, easily accessible identities.

With the rise of digital business comes a great increase in the number of systems that each of us has to log into as part of our business and personal lives. Yes, that’s right – even more passwords and user names to remember.

Although employer-provided single sign-on can reduce the number of employer systems requiring a separate login, it still leaves users with many other systems requiring a login. Many cases have emerged where allowing a consumer or other user to “bring your own identity” (BYOI), particularly their social media identity (such as Facebook, LinkedIn or Twitter), provides benefits to both the user and the organisation.

In her presentation at the Gartner Security & Risk Management Summit in Sydney this week, Anne Robins, research director at Gartner, explains that while reusing social identities is still relatively new, and many organisations still aren't sold on it due to risk concerns, a significant number are, especially for identifying existing and potential customers.

“Social identities enable digital business by reducing friction, risk and overhead, while increasing conversion rates,” says Robins. “This is particularly attractive for organisations conducting low risk transactions, where dealing with identity and authentication isn’t their core business. They don’t have to bear the cost of collecting, storing and protecting user information. It also makes it much easier for users to return and transact again because the process is seamless.”

Using social identities can significantly improve the customer’s experience by reducing login and account creation friction, as well as providing attributes that enable a website to provide a richer, more personalised experience.

But before you race in, there are a few important factors to consider:

  • It’s all about the user experience. Don't ask the user to perform a lengthy registration or identity-proofing process before they are interested in a website. Instead, allow them to get started with minimal friction, by consuming social identities.
  • Respect the user's sense of privacy. Information sharing should be transparent. Support opt-in for attribute sharing, and only ask for attributes that are needed.
  • Offer an option to log in directly. Even though social login is convenient, some users are concerned about identity sprawl and don't want their social identities associated with every website they visit.
  • Enable social identities for low-risk use cases. Social identities are a proven approach for low-assurance cases, especially for new users and transient relationships.
  • Choose an appropriate social identity based on multiple elements. Consider constituency coverage, brand and privacy compatibility, attributes, identity proofing, identity protocol support, and ability to perform strong authentication.

The use of reusable social identities will continue to grow. Ten years ago, some thought a wider array of higher-assurance, enterprise-strength identities would soon become available. Instead, there is growing adoption of lower-assurance, social identities, because of cost and ease-of-use considerations. The acceptance of social identities is slowly moving toward the mainstream.
