Guide to building a secure and trusted BYOID environment

Bring-Your-Own-Identity is not new. People have been using their social
media login credentials for other applications for some time now. But how do
you ensure these users are who they claim to be? How can you establish a
Trusted Bring-Your-Own-Identity environment?
SUMMARY
1 Identity, past & present (page 3)
2 Trends that impact digital identity (page 4)
3 Business challenges around Bring-Your-Own-Identity (BYOID) (page 8)
4 Solution: establishing a secure & trusted Bring-Your-Own-Identity environment (page 10)
5 Business benefits of a trusted Bring-Your-Own-Identity framework (page 13)
6 Trusted BYOID use cases (page 16)
7 How can I establish a trusted BYOID framework for my business? (page 18)
8 About VASCO (page 19)
9 Glossary (page 20)
10 Sources (page 21)
1 Identity, past & present
In the past, an identity was given to you, often in the form of an ID card, driver’s license or social
security number issued by a government authority. The benefit of this approach is that
the identity has been verified and validated. Unfortunately, this approach does not hold
up in today’s interconnected world, where more and more transactions take place online.
In today’s digital world, identity is something you create yourself. It is often a combination of
attributes and characteristics. These attributes can be split into 4 main categories:
• Legal attributes: social security number, ID number, date of birth
• Social attributes: attributes related to your preferences and relations with family,
friends & colleagues
• Physical attributes: age, gender, DNA, picture, avatar
• Behavioral attributes: websites you visit, online purchases you make, news
feeds you subscribe to, social shares
Any or all of these attributes can be combined to form a digital identity. From there, a digital
identity can be used to create an online account (for a certain service or application).
Example:
User: John Smith
Digital ID: Professional1
Attributes linked to “Professional1” include: male, DOB, lives in Brussels, Belgium…
John uses his “Professional1” digital ID to create an account on LinkedIn.
2 Trends that impact digital identity
2.1 The mobile revolution
We live in an increasingly inter-connected world.
The explosive growth in smartphones and tablets has triggered an always-on economy, where
users expect to access online applications 24/7 and conduct transactions from any device.
Figure: Global mobile devices and connections
Global smartphone penetration (mobile phones capable of running apps) is expected to cross
the 50% mark in 2017 and reach 59% by 2019, up from 28% in 2013 (source 4).
On average, a European smartphone owner has 26 apps installed on his smartphone and
almost 50% use a social media network on their smartphone on a daily basis. Users expect to
be able to access all their applications from any device.
Most of these apps, if not all of them, require a user to be logged in, thus adding to the
complexity of password management and attribute control.
Figure: Global mobile devices and connections; top 10 countries with the highest average number of installed apps per smartphone user.
Source data: http://mashable.com/2013/09/05/most-apps-download-countries/ and http://www.thinkwithgoogle.com/
2.2 Social media
Social media is here to stay. There are 2.08 billion active social media accounts. 29% of the
entire world population actively uses an account, for an average of 2 hours and 25 minutes a
day.
Facebook has 1.366 billion monthly users, almost 20% of the current global population.
There are 17 different social platforms that claim more than 100 million monthly users.
This increased competition has triggered social media providers to come up with new business
models to help them retain and increase their community footprint.
A key element in achieving this has been the “social login”, where users are able to use their
social media credentials to subscribe and login to other applications.
Figure: Social login usage
2.3 The Internet of Things
The Internet of Things (IoT) is growing, and as wearables become an increasingly hot trend,
it’s growing even faster.
According to Cisco Systems (Source 2), we will reach 50 billion connected devices in 2020,
with an estimated 99% of devices connected to the Internet (currently around 1%).
Figure: Global internet device installed base forecast
2.4 Bring Your Own Device (BYOD)
The Bring Your Own Device (BYOD) concept is common in technology-related companies
where employees use their personal laptop, smartphone or tablet to log on to the corporate
network & applications.
According to a global survey among CIOs conducted by Gartner (Source 1), 38% of companies
expect to stop providing devices to workers by 2016 and switch entirely to BYOD.
3 Business challenges around Bring-Your-Own-Identity (BYOID)
The aforementioned trends provide a clear insight into the possible impact on and risk for
our (online) privacy. In addition to the impact on our privacy, there are also other business
challenges that need to be addressed.
3.1 What is Bring-Your-Own-Identity?
BYOID is an emerging approach to identity validation in which organizations allow users to
authenticate to a website and consume web services using a digital identity that has already
been established with a third party.
Instead of requiring visitors to create a new identity during the registration process, using an
existing digital identity enables the user to leverage a “valid” identity from a current service
provider.
Example: User John uses his Twitter account to subscribe and log in to his favorite online
newspaper.
3.2 Legally binding transactions
Actions or transactions made by a user through a social login are, at least for now, not legally
binding. Social logins therefore lack the non-repudiation that is required to tie actions
or changes to a unique individual in a legally binding way.
3.3 Attribute control and transparency
Who owns the user attributes and data and how will the attributes and data be accessed?
As an application owner, it is necessary to be transparent with your users about which data will
be accessed and how it will be used.
3.4 Security
Getting rid of multiple passwords for multiple accounts is one of the greatest advantages of
BYOID. At the same time it creates a single point of failure: if a user relies on a social login and that
social media account is compromised, every other web account linked to it is also at risk.
Some social media platforms are trying to address this password security issue by implementing
two-factor authentication. Unfortunately these solutions don’t always offer the best mix of user
convenience, security and total cost of ownership, and can even create additional friction for the
user.
3.5 Trust – Lack of validation
Anyone can create a social media account. There is no validation of the identity or attributes
provided by the user.
4 Solution: establishing a secure & trusted Bring-Your-Own-Identity environment
4.1 The digital identity playing field
Application owners:
• Deliver online applications & services to the market (= value)
• Are looking to recruit new users
Identity providers:
• Have large user communities
• Are looking to offer new services to their user-base in order to increase brand loyalty
Users:
• Are looking for more personalized, user friendly and secure online services
• Want to be in control of their personal data (attributes)
4.2 Defining the framework
Establishing a Trusted BYOID framework implies that users, application providers and ID
providers are able to interact with each other online, in a secure and transparent way.
Until recently, the only way to accomplish this was for application providers
to integrate the different login solutions offered by the different ID-providers on a one-to-one
basis. The sheer time and resources required to establish and maintain this setup immediately
eliminate it as a viable solution. In addition, this type of approach does not consider the users’
need for attribute control, convenience and security.
What is needed is a secure platform that connects all parties involved. Access to this platform
should be secured with easy-to-use two-factor authentication, such as a mobile
app that generates unique one-time passwords.
This secure platform also needs to be easily, yet securely, accessible by all parties
involved:
• Application providers will benefit since they only need to integrate one platform API,
similar to Facebook or Google Connect, resulting in faster time to market and lower
development/maintenance costs. Additionally, it enables them to add easy-to-use two-factor
authentication security to their applications.
Perhaps the biggest benefit for application providers is that they are able to collect
validated user attributes, which are delivered by the ID-provider and authorized by the user,
to offer their users a more personal and secure online service.
• ID-providers that link to the platform are able to offer their user community secure access
to a whole new range of online applications, resulting in a competitive differentiator that will
increase their customer loyalty.
• Users will benefit from such a platform as well. They will be able to access all online
applications on the platform with a single and secure login, eliminating the need for insecure
static passwords. However, the biggest benefit for the user will undoubtedly be that he
or she will be able to decide which of his/her (validated) attributes are shared with which
application. Offering the user this type of control over his attributes will increase trust.
It is clear that by enabling the use of validated attributes online, such a platform can pave the
way for entirely new online business models and use cases that were previously impossible to
accomplish due to legal constraints, especially on mobile platforms. A few examples:
• Legally signing a contract from your tablet
• Submitting an insurance claim from your mobile phone
• Verifying a user’s legal age in order to allow access to certain online services and content
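The interaction described above, as an added illustration and not VASCO or MYDIGIPASS code: the ID-provider releases only the validated attributes the user has authorized for one application, the application provider verifies the assertion through one platform-side check before trusting any attribute, and the legal-age example is carried out on the released data. The user “john”, the attribute store, and a shared HMAC key per application are constructed assumptions (a real platform would use public-key signatures).

```python
import hashlib, hmac, json, secrets, time

# Constructed sample data (assumption, not a real deployment): attributes the
# ID-provider has validated for one user, and one shared HMAC key per
# application provider. A production platform would use public-key signatures.
IDP_VALIDATED_ATTRIBUTES = {
    "john": {"given_name": "John", "family_name": "Smith",
             "date_of_birth": "1980-05-12", "city": "Brussels", "country": "BE"},
}
APP_KEYS = {
    "insurance-portal": b"constructed-demo-key-insurance",
    "news-site": b"constructed-demo-key-news",
}
ASSERTION_LIFETIME_S = 300  # a released assertion is only valid for 5 minutes

def _sign(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_assertion(user, app_id, requested, consented, now=None):
    """ID-provider side: release only attributes the application requested AND
    the user authorized; attributes the provider never validated are not released."""
    now = time.time() if now is None else now
    validated = IDP_VALIDATED_ATTRIBUTES[user]
    released = {a: validated[a] for a in requested
                if a in consented and a in validated}
    payload = {
        "sub": user, "aud": app_id, "iat": int(now),   # bound to one application
        "exp": int(now) + ASSERTION_LIFETIME_S,
        "nonce": secrets.token_hex(8),       # makes each assertion unique
        "validation": "idp-verified",        # attributes were validated by the ID-provider
        "attributes": released,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": body.decode(), "sig": _sign(body, APP_KEYS[app_id])}

def verify_assertion(assertion, app_id, now=None):
    """Application side: trust attributes only after signature, audience and
    validity window check out. Returns the attributes, or None on any failure."""
    now = time.time() if now is None else now
    key = APP_KEYS.get(app_id)
    if key is None:
        return None
    body = assertion["payload"].encode()
    if not hmac.compare_digest(_sign(body, key), assertion["sig"]):
        return None
    payload = json.loads(body)
    if payload["aud"] != app_id or not payload["iat"] <= now < payload["exp"]:
        return None
    return payload["attributes"]

def is_of_legal_age(attributes, min_age, today):
    """Age check on a released date_of_birth (YYYY-MM-DD). A user who did not
    consent to sharing date_of_birth cannot be verified and is refused."""
    dob = attributes.get("date_of_birth")
    if dob is None:
        return False
    y, m, d = (int(x) for x in dob.split("-"))
    ty, tm, td = (int(x) for x in today.split("-"))
    age = ty - y - ((tm, td) < (m, d))   # one less if this year's birthday is still ahead
    return age >= min_age
```

An assertion that is expired, presented to a different application, or altered in transit yields no attributes at all, so the application never acts on unverified data.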
The biggest challenges in establishing such a secure & trusted BYOID framework will
lie in:
1. The technical availability of a secure platform that can support this framework
2. The willingness of all three parties involved to adopt such a platform
Without a trusted BYOID platform:
• Complex integration
• No or low security
• Not convenient
With a trusted BYOID platform:
• Easy integration
• High security with two-factor authentication
• More user friendly (secure single sign-on)
5 Business benefits of a trusted BYOID framework
The implementation of a trusted BYOID platform has several important business benefits for all
parties involved.
5.1 Cost-efficient & scalable
Application owners and identity providers don’t need to integrate or maintain different online
identity standards (that might conflict), but have one standard implementation. This means they
can focus more on their core business, cut back expenses and improve financial efficiency.
5.2 Economic benefits
Aside from the fact that a trusted Bring-Your-Own-ID platform ensures a secure way of logging
in, it also offers economic benefits. The various application providers no longer need to integrate
and maintain different APIs. Using a single trusted BYOID platform does the trick and can
save significant cost.
5.3 UX: user is in control of his attributes
It is important for a user to know and authorize which of his digital identity attributes are being
shared with the web application or service he is signing up to. Using a trusted BYOID platform,
the user is in control of his own attributes and will know what kind of information is shared with
application owners. Additionally, a recent international study has shown that users who are able
to manage their online privacy are up to 52% more willing to share information than those who
aren’t. By giving users more control over their personal data, they will reward you by sharing
more information with you.
5.4 Trust as a competitive differentiator
Using a secure and trusted digital identity platform will render your online services more
trustworthy. This in turn will reflect positively on your brand reputation, giving you a competitive
edge.
5.5 Know Your Customer - KYC
New Know-Your-Customer (KYC) regulations require businesses to verify the identity of their
customers in order to prevent ID theft and fraud.
Using a trusted BYOID platform will help online service providers to comply with these new KYC
regulations. At the same time they are able to offer their users a more personalized service by
leveraging their user (attribute) knowledge.
5.6 Enhanced conversion rates & faster onboarding
Using long signup forms and asking users to provide additional personal data makes user
onboarding a challenging process. Enabling users to re-use their existing validated digital
attribute data when signing up for new online services will greatly facilitate the onboarding
process. Especially in regulated environments such as banking, insurance, e-commerce and
gambling, the ability to share validated attributes in a secure way will help increase online
user conversions. Additionally, this type of approach reduces user mistakes during the sign-up
process.
5.7 Increase operational efficiency
Using a trusted digital ID-platform will enable businesses to move some of their processes
and services online. Especially businesses offering labour-intensive services or services that
previously required physical ID validation (for example insurance, finance, government, etc.) can
expect to gain operational efficiency, reduce costs and develop new online business streams.
6 Trusted BYOID use cases
6.1 Insurance industry
Although virtually all insurance companies offer some level of online services these days, most
(if not all) of them still require you to send some physical proof of your identity when taking out
an insurance policy. Today this is done by printing, signing and faxing/emailing back the
signed contract and including a copy of your ID card or similar. This means that a lot of time,
resources and cost go into handling the resulting paper flows.
By integrating their online services with a trusted ID-platform, insurance companies and agents
can offer their customers the ability to legally sign insurance policies & claims online. Imagine the
time gains and cost reductions that could be achieved by adopting such a model.
6.2 iGaming industry
The boom of the online gaming & gambling industry over recent years has triggered a whole
set of new legislation & regulation to come into effect. Although the exact legislation might differ
per country or state, in most cases online gaming/gambling providers are required by law to
“Know-Your-Customer” (KYC). This means they will need to perform some sort of age, or even
location, verification.
Integrating these verification steps into the user registration process will often hinder the
onboarding efforts and reduce conversion rates. By linking their online gaming/gambling service
to the trusted ID-platform, providers of these services could re-use already validated user
attributes. This would enable them to greatly facilitate the onboarding process while at the same
time complying with legal requirements.
6.3 Government/public sector
Similar to the private sector, government agencies are increasingly under pressure from their
citizens to offer secure and convenient public services 24/7.
Although some governments have already made great strides in digitalizing their public services
offering, requesting official documents today will still require users to drive down to a local
administration center and provide some form of physical identification in order to obtain required
documents.
Though different public services are already offered online today in some countries (library,
police, tourist information, tax declaration, pension fund, etc.), most often they are not
interconnected and require users to use different login and authentication credentials in order to
gain access. The result is a poor user adoption rate, which results in a less than optimal
return on investment (something which is increasingly important for governments too in these dire
economic times).
At the same time, government agencies hold a vast number of validated user (citizen) attributes
(age, address, sex, D.O.B., etc.), and this is an asset that is not maximized today. By enabling
their citizens to use government-validated credentials for other “commercial” online services,
governments (both local and federal) can help increase user adoption for their own services. At
the same time, the ability to use government-validated attributes will enable service providers
to comply with new online transaction security and KYC regulations. A prerequisite for such a
framework to succeed is the availability of a secure and trustworthy digital ID-platform.
7 How can I establish a trusted BYOID framework for my business?
VASCO’s trusted BYOID platform MYDIGIPASS®
MYDIGIPASS is the secure and trusted BYOID platform of VASCO Data Security, a world leader
in strong user authentication, electronic signature and ID-management solutions.
Application providers can easily integrate the MYDIGIPASS “secure connect” API into both
their online and mobile applications in order to increase security, comply with legal requirements,
facilitate user onboarding and gain customer knowledge.
Identity providers are able to join the MYDIGIPASS platform and offer their user community
access to a full range of new and secure online services under their own brand.
Users can download the MYDIGIPASS mobile app from the app store, create a free account
and gain secure access to all supported applications (that have integrated the API).
Additionally, users are able to stay in control of their digital identity attributes. The user decides
which of his/her attributes are shared with which application.
Key features:
• Banking level security
• Easy deployment
• Cost-efficient
• 2-factor authentication
• 1 implementation
• Flexible pricing
• Supports mobile, eID, Intel IPT & hardware tokens
• Pay as you grow
• Proven DIGIPASS® technology
• Free for your users
8 About VASCO
VASCO is the world leader in providing Two-factor authentication and Electronic
Signature solutions to financial institutions. More than half of the Top 100 global banks rely
on VASCO solutions to enhance security, protect mobile applications, and meet regulatory
requirements. VASCO also secures access to data and applications in the cloud, and provides
tools for application developers to easily integrate security functions into their web-based and
mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure
access, manage identities, verify transactions, and protect assets across financial, enterprise,
E-commerce, government and healthcare markets.
Learn more about VASCO at vasco.com and on Twitter, LinkedIn and Facebook.
9 Glossary
Term: Explication
2-Factor authentication: Security logon process with 2 different stages in order to log on. An example of the 2nd step is an SMS passcode or a code generated on your smartphone.
ASP: Application Service Provider
Attribute: Parts of your (online) identity, which contain specific characteristics that form your identity.
BYOD: Bring-Your-Own-Device; employees use their own private laptop/smartphone/tablet in their daily job instead of company-provided equipment.
BYOID / BYOI: Bring-Your-Own-Identity is an emerging approach to identity validation in which organizations allow users to authenticate to a website and consume web services using a digital identity that has already been established with a third party. Instead of requiring visitors to create a new identity during the registration process, using an existing digital identity enables the user to leverage a “valid” identity from a current service provider.
eID: Governmental trusted and validated online identity service using an electronic ID. There are already 150 million verified e-IDs in Europe.
ID-provider: Government was the only ID-provider for ages, but with the rise of social media, players like Facebook and Google are now also acting as online ID-providers.
IoT: The Internet of Things; all connected devices on the internet, such as wearables, internet-connected fridges and smart cars.
KYC: Know Your Customer
MYDIGIPASS: Trusted Identity Platform from VASCO
Onboarding: The process of converting a visitor of your application into a user/customer with a profile.
10 Sources
1. http://www.gartner.com/newsroom/id/2466615
2. http://share.cisco.com/IoE/index.html
3. http://www.thinkwithgoogle.com
4. https://www.forrester.com/
5. http://www.prweb.com/releases/2012/1/prweb9086226.htm
6. https://datafloq.com/read/login-data-gold-social-login-data-platinum/92
7. https://mydigipass.vasco.com
8. http://wearesocial.sg/blog/2015/01/digital-social-mobile-2015