4. Identity Performance: 2-party
So how good are the Identity processes that society uses? Do we have a problem?
I present my answer to the “how good is the performance of Identity” question in the next two newsletters. Each newsletter corresponds to a separate row in the 2x3 matrix below:
The above matrix is based on the two fundamental dimensions, parties and place, introduced in the previous newsletter. This newsletter considers the first row, 2-party performance, and the next newsletter will consider the second row, 3-party performance.
Remember two points from the previous newsletter
2-party transactions are 99% of all Identity processes performed
3-party transactions are only 1% and they are the hard bit we are yet to solve
So this newsletter is about the performance of every-day 2-party Identity processes within the three environments.
I’m giving you a large amount of information, but as Identity has so many levels of complexity this is unavoidable. Please stick with it - the conclusions are worth noting.
Examples and Observations
You will all know lots of examples of 2-party transactions. These transactions are between you (the first party) and an organization that knows you (the second party). I go to the library to borrow a book and I identify myself with a library card, I ring an energy retailer to check how much power I am using and first identify myself by answering a series of credential and account questions, and lastly I use on-line banking to transfer funds once I have signed in using a username and password.
These are absolutely straightforward and you will know many different varieties of using a plastic card in-person, answering questions on-telephone, and signing in on-line. Some observations:
In-Person transactions often utilise plastic cards and have been around a long time. Do you remember the times when you signed up for some service, and almost immediately a card arrived in the mail? I’m not sure if they were anything more than a marketing device, and we see less of them now as on-line becomes the communication channel of choice. But they still have utility (I use my golf club card at both my club and other clubs), to show identity but often they lack authentication capabilities.
For On-telephone I dread the 20 questions I get asked when talking to a person. I think the person dreads it too. Frustration leads to fear and then to anger: “how do you expect me to remember my last transaction?” While the fraud levels for on-telephone are hard to gauge, it cannot be cheap to continually train staff to execute such a process. No wonder so many corporates want to hide their contact details!
On-line, on-line, on-line. Oh dear, oh dear, oh dear. Please, please, please somebody invent something that works better than this. I assume I am not the only one regularly told by Google that all my passwords need to be changed. I assume I am not the only one who is forced to become an expert in the different ways that programmers code identity interfaces. Please, please, please make it better.
I want to make two observations that reveal a lot about 2-party identity:
Each environment - in-person, on-telephone, on-line - has its own method. This is important for multiple reasons. Maintainability and cost are obvious issues - having to support 3 methods is not fun! But it is not fun for the customer either, having to remember three methods!
Within each environment, there are many varying implementations of each method. Poor us! Compared to payments, which is relatively simple, Identity is a minefield. And I have been around for a while – I have grey hair, really, truthfully. And it drives me crazy, so what is it like for the technologically-challenged person? Can we just agree a password standard, please?
Think about it - compare Identity to payments.
2-Party Performance
I am going to give you my unashamedly opinionated view of 2-party Identity performance. I have not done, nor is it possible or practical to do, a survey of all 2-party Identity processes! Appalling, I know, in a world that lives off statistics (however dubious and concocted). I’ll stick to my personal judgment and I ask you to make your own judgements too.
I split performance into four questions:
Availability - is there an identity process?
Ease of Use - can we use it?
Security - is it secure?
Cost - how much does it cost to run?
The diagram above summarises my opinion. Specifically:
We have a lot of available solutions - a tick there!
In-person works ok and we know maintaining card bases is expensive
On-telephone works in a fashion but is unlikely to be full secure or cheap
Online is a dogs breakfast, a cot case…
Ease of use is highly variable. Cards work ok, 20 questions is painful, and on-line can be agonizing.
Security is not great. It is hard to defend the record of current 2-party Identity with all the reports of Identity fraud.
Costs are high. No rocket science required here - multiple methods and continual enhancements to keep up with the arms race cannot be cheap.
2-party Performance Summary
There is little good 2-party identity news - just questions of quality, security, and cost!
2-party Identity looks a bit like the Neanderthals – evolution has not been kind to it!
What do you think?
In the next newsletter, I’ll consider the much rarer 3-party Identity processes, before then moving on to some interesting futures.
Regards
Alan