The State of Digital Identity
At Spark The Change, a conference in Paris, focused on innovation and changing the world, I shared my view on the State of Digital Identity. Being the CTO of a company like Dashlane gives me a special insight and view on the topic, which I'm excited to share.
But first, let me tell you a story.
A friend of mine was shopping at the Galeries Lafayette, one of the largest department stores in Paris. After a while, she realized she could not find her bag. She thought she had forgotten it in one of the corner shops but soon realized that it had been stolen. She went to the police to declare the theft before going home. An hour later, she got a phone call at home from the Galeries Lafayette. Her bag had been found, dumped in a corner. She could retrieve it from lost & found the next morning between 10 and 12. What a relief!
When she arrived the next day at the Galeries, the agent at the lost & found was very surprised, since the bag was not there and they had never called her. In the meantime, someone had broken into her home and totally emptied it.
Now let me tell you another story.
In 2016, Dropbox discovered that they had been hacked in 2012. Sixty-eight million accounts were stolen. The investigation showed that the hacker had used an employee login and password that were themselves stolen in a previous breach. The employee had reused the same password for work and personal websites. More likely than not, many of those 68 million stolen passwords were also reused on other sites, creating a cascade of consequences for all involved.
These two examples tell similar stories, one physical and the other digital. A small and painful incident snowballing into an experience that is costly, time-consuming, and emotionally jarring.
The story of my friend feels visceral, but for many the prospect of problems online is much less ominous or consequential. But the events of the past 18 months, such as Cambridge Analytica, the Equifax breach, the EU taking on Silicon Valley, and the continued privacy misgivings of Big Tech, have brought these issues to the surface like never before.
Digital Identity is Broken!
There are billions of users and millions of businesses that rely on the internet today to access, transact, and engage with millions of digital service providers.
Digital identity today is structured such that in order to access the websites, apps, and other digital services you love and need, you need to give each of those digital service providers the equivalent of a copy of your house key. And for the most part, you have no idea what they're doing with that house key, how they're securing it, or if they're making copies of your key and trading or selling those to someone else.
This is one of the fundamental flaws with today's internet. And it doesn't need to be this way.
The way we authenticate and grant access online today is bad for users: you get constant friction each time you need to register, login, or check out. Think about every time you've had to type in your first name, last name, mailing address, and credit card. There must be a better way! To top it all off, you have no idea what data is actually captured, because on top of the personal data you willingly provide, service providers grab many more details about you such as geographical location, device type, browsing history. Many businesses rely on monetizing that data, either directly for advertisement, profiling, etc. or indirectly. So that one key copy you gave has become hundreds that are impossible to keep track of.
This structure is bad for digital service providers as well. The friction of the sign-up funnels is a key business issue—after all, who likes creating an account before being able to explore the product? Additionally, new regulations such as GDPR and CCPA are creating increasing risks and liabilities on those providers. People's trust in digital service providers is continuing to erode. The internet feels dangerous, and nobody seems to know who they can trust.
Unfortunately, the problem is getting worse for everybody. Not better.
People are using more devices than ever, on average 3 or more. We have more digital accounts every year. The number of massive breaches is not slowing down: every day the news is filled with more providers being hacked and user data having leaked.
Despite these realities, fear and awareness haven't changed our online behavior. If you look at what most people do, we still resort to crude methods to handle our digital identity. Only 12% of people use tools such as password management, and 86% just memorize simple passwords and reuse them everywhere. 49% write them down on paper.
The risks of life online have emerged so quickly that most people have chosen to ignore it, and accept that giving up privacy and ownership are built-in costs, risks, and burdens of using the Internet.
Why is Digital Identity so broken?
Digital Identity was never part of the foundations of the internet. For the Army with Arpanet, and for the academics who came after, this was a trusted network. The technical building blocks (HTML, CSS, JavaScript) did not include a standardized solution to authenticate users and handle identity online. If you look at the evolution of web technology, identity is not part of it.
The internet boomed and it was then too late. Now, experts estimate about 50 billion connected devices in 2020, all of which will have to handle some form of identity or authentication.
A hard problem to solve
The truth is that it is a hard problem to solve. Digital identity should be universal, agnostic of any provider, and work cross-platform. The same way you can use your passport to travel to any country in the world, you should have a digital equivalent. But the internet is completely fragmented. Big Tech, the Apples and Googles of the world, cannot solve it on their own. They are focused on building and reinforcing their own walled gardens, their profit-squeezing ecosystems, not fixing the broader issue.
Biometry was considered as a potential savior, but:
- Biometric systems can be faked, as we've seen with Samsung phones.
- Once your biometric data is compromised, there is no way to change your eyes or fingerprints.
- Biometry is a device-specific solution. No standard or shared protocol has emerged.
- Also, it only covers a small portion of authentication use cases, as it will take many years before everyone has a biometry-compatible device.
Another hope was that mechanisms such as Facebook Connect or Login with Google would solve the problem. They are definitely a step forward on the convenience and user experience front. But using those solutions requires that you trust Big Tech enough to put all your eggs in the same basket. Additionally, recent breaches around Facebook Connect have shown the limits of any centralized identity model, even one with the resources to invest in security like Facebook. Centralizing the digital identity of millions and millions of users creates a target so large that it is only a question of time before they get massively breached again.
Credential Hygiene
A few of my own passwords were leaked in the past, in the 2012 Dropbox breach and in the LinkedIn breach. Fortunately for me, at the time I had started paying attention to my credential hygiene. I had begun using Dashlane as a password manager. With a password manager, I was able to easily generate unique passwords for all my online services.
Today I have more than 1000 unique passwords. I don’t know any of them. I just remember my Master Password for Dashlane. That limits the potential impact of those breaches for me. I just need to update the single breached password. I still get email scams threatening me because they know one of my old passwords, but I can ignore them and be stress-free.
The Mission of Password Managers
I see the mission of password managers very much like that of a dentist. Nobody likes going to the dentist or brushing their teeth every day, yet this is the best way to avoid cavities. Dentists show you how to use a toothbrush; then it is up to you to have the discipline. In the long run, preventative care is easier and cheaper than major treatments when something goes wrong.
Another metaphor I like to use is the car seat belt. Nobody today would think of not putting on a seat belt when driving on the highway. Why shouldn’t we do the same on the digital highway of the internet? It is better to be safe than sorry, even if it costs us a little.
The problem is that users do not care. They hear about breaches constantly and have become desensitized to them. Similar to climate change coverage, most of them have stopped paying attention, are not concerned, and don't think their actions make any difference.
Behavioral change is hard. Only 2% of vehicles today are electric, despite our awareness of the climate crisis.
There is also skepticism about password managers being just another cloud solution that could be hacked like any other. In reality, we have built Dashlane such that you remain in total control of your data. Everything happens locally, on your device, where your data is encrypted before it goes anywhere. The key, what we call the Master Password, is known only to you and is never sent to us. This zero-knowledge architecture ensures that you are safe as a user, and that Dashlane as a company is never at risk of exposing your data. Our solution is decentralized by design and is not dependent on any ecosystem. We work on all platforms in a universal way. It is important to be independent from Big Tech. We want to be the Switzerland of digital identity.
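As an added illustration of the zero-knowledge pattern described above (example code written for this page, not Dashlane's implementation; the choice of PBKDF2-HMAC-SHA-256 with a 100,000-iteration work factor, AES-256-GCM, the function names and the sample vault content are all assumptions), the following Go program derives the vault key from the Master Password on the client, encrypts the vault before it would be uploaded, and shows what a sync server actually ends up holding:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed parameters for this example; the real product's KDF settings are not on the page.
const (
	keyLen     = 32      // AES-256 key
	saltLen    = 16      // per-vault random salt
	iterations = 100_000 // PBKDF2 work factor (a production KDF is tuned higher or is memory-hard)
)

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA-256 using only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// EncryptedVault is all a sync server ever receives: a salt, a nonce and authenticated
// ciphertext. Neither the derived key nor the Master Password leaves the device.
type EncryptedVault struct {
	Salt, Nonce, Ciphertext []byte // Ciphertext includes the 16-byte GCM tag
}

func vaultCipher(masterPassword string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(masterPassword), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVault runs on the client: derive the key locally, then encrypt before any upload.
func sealVault(masterPassword string, plaintext []byte) (*EncryptedVault, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := vaultCipher(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is bound as associated data, so a swapped salt is rejected as tampering.
	return &EncryptedVault{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, salt)}, nil
}

// openVault runs on the client: a wrong Master Password or a modified blob fails the tag check.
func openVault(masterPassword string, v *EncryptedVault) ([]byte, error) {
	aead, err := vaultCipher(masterPassword, v.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, errors.New("wrong Master Password or tampered vault")
	}
	return pt, nil
}

// serverSeesSecret is the skeptic's check: does the stored blob contain a vault entry verbatim?
func serverSeesSecret(v *EncryptedVault, secret []byte) bool {
	return bytes.Contains(v.Ciphertext, secret)
}

func main() {
	vault := []byte(`{"example.com":"constructed-secret-1"}`) // constructed sample, not real credentials
	sealed, err := sealVault("correct horse battery staple", vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server holds %d opaque bytes; secret visible: %v\n", len(sealed.Ciphertext), serverSeesSecret(sealed, []byte("constructed-secret-1")))
	pt, _ := openVault("correct horse battery staple", sealed)
	fmt.Println("client recovers:", string(pt))
}
```

The point of the split is where the work happens: the server stores `EncryptedVault` and can do nothing with it, and even checking a guessed Master Password costs the full KDF work per guess. The flip side, which the zero-knowledge label does not remove, is that the security of the whole vault now rests on the strength of the Master Password and on the client device that derives the key.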
You may have heard of the recent Siri revelations, where Apple confessed to spying on Siri conversations for years. Microsoft did the same on Xbox audio chats. Zero knowledge means Dashlane is built so "accidents" like this can't happen.
What does the future look like?
There are 3 main trends in the market today.
- The emergence of standardized identity protocols. Apple and Google have created their own proprietary solutions in their ecosystem, which already covers most of the mobile world. The W3C is promoting standards like WebAuthn for the web. But we are a long way away from universal solutions.
- Companies are prototyping decentralized identity systems. There are concepts like self-sovereign identity, the idea that an individual should own and control their identity without intervening administrative authorities. Developers are also experimenting with blockchain technology around digital identity.
- Finally, some third-party solutions like password managers and enterprise SSO solutions try to become “digital identity providers” but this is as of today still a niche market.
None of them are perfect. None are universal.
Technical solutions won’t be enough to repair a broken digital identity. We need simpler, easy-to-use solutions that can be adopted by all. In today’s optimized life, security and tech cannot be the only trigger. As Ev Williams, founder of Twitter and Medium, says: “Convenience decides everything”.
Our individual efforts can make a collective impact.
You can all start by taking baby steps and start using existing tools.
I am regaining control of my digital identity.
Take a step yourself, to improve the management and control of your digital identity, and help us fix and make the Internet a safer place.
If I may use a provocative parallel, it is by running massive vaccination campaigns that mankind was able to get rid of diseases such as smallpox.
It is time to start brushing your teeth by trying Dashlane.