Last week, our contributors discussed the new reforms in data protection regulation. We continue that thread this week by discussing digital identity, its implications for data protection, and the regulations governing it.
By Dr. Carlo Duprel, Director of Strategy Regulatory & Corporate Finance at Deloitte Luxembourg.
Today’s world is digital. The average internet user spends 16 hours per month online, and in 2016 the number of emails sent each day will surpass the 200 billion mark. The online retail sector is the main driver of growth in European retailing, achieving growth rates of above 15 percent on average. In comparison, the annual growth rates for all types of retailing range between 1.5 percent and 3.5 percent. Thus, it is evident that the stakes around digital identity are high. Unfortunately, we are still far away from a secure situation.
The password problem
When service providers began to switch to online platforms, identity became entirely information-based, relying on things that, presumably, only the real user knew (username and password). However, if you consider that the average user has 90 online accounts, it is not surprising that people select usernames and passwords that are easy to remember, and therefore easy to crack. On top of that, passwords are often reused across many accounts, creating a domino effect if one account becomes compromised.
In order to avoid this, users should choose unique passwords with a certain level of complexity. They should be changed frequently and never be written down. On top of that, password management software is a prime hacking target. With no convenient and safe place to store them, it is natural that users forget their passwords, which then need to be reset. This comes not only with irritation and time lost on the part of the user, but with financial costs as well. In online banking, 30 percent of support calls to banks relate to password reset requests, with an associated average cost of US$25 per call.
Whether it is access to personal details, bank accounts, credit card numbers, or online shopping accounts, online identities are vulnerable and breed cybercrime. According to the Breach Level Index Annual Report, in 2014, 190 major data breaches were registered involving about 79 million records, with identity theft being the most common type of attack.
We can see that there is a real need to reconsider password-based authentication, and there already are promising developments by many market players. The FIDO Alliance develops specifications for mechanisms that replace passwords to securely authenticate users of online services. One commonly used mechanism is multi-factor authentication, which relies on a combination of several factors (biometrics, passwords, devices, etc.) so that no single factor on its own is enough to authenticate as the user. Biometric-based solutions are rapidly gaining ground, with a multitude of physical features being used as unique identifiers: fingerprints, the face, the iris of the eye, the veins in the fingertips, the heartbeat, etc.
A step forward
Because of increasing global transactions, financial institutions, governments, and service providers across the world must collaborate to allow users to protect their digital lives. The eIDAS regulation, effective 1 July 2016, is the European Union’s answer to some of the problems faced by cross-border recognition of digital identity. Currently, there is no common legal basis for mutual recognition of eIDs between countries. An electronic signature made in one country, for instance, may not be upheld in the legal proceedings of another, should a dispute arise in a cross-border transaction.
The new regulation creates a European internal market for electronic signatures, electronic seals, time stamps, electronic delivery services, and website authentication through standardized exchange protocols and security levels. Part of the 2020 digital agenda for Europe, it will ensure that people and businesses can use their own national electronic identification schemes to access public services in other EU countries.
While there is still a long way to go, the state of play in digital identity is improving. Good authentication is both strong and easy to use, enabling users to manage and protect their personal information in a simple way.
Stay tuned next week for more Deloitte Weekly Tech Thoughts!
Source: Deloitte Luxembourg
Published on 13 April 2016