
Is "Bring Your Own Identity" a security risk or advantage?

Ellen Messmer | July 29, 2014
Questions abound over websites authenticating users via identities established through Facebook, LinkedIn, Google, Amazon, Microsoft Live, Yahoo, Ponemon Institute survey shows.

The "Bring Your Own Identity" (BYOID) trend, in which websites let users authenticate using identities established through Facebook, LinkedIn, Google, Amazon, Microsoft Live, Yahoo or other means, raises some questions in the minds of IT and business managers. And a survey conducted by Ponemon Institute shows a vast difference in how the IT and business sides think about this so-called BYOID method of authentication.

Ponemon asked 1,589 IT and security practitioners and 1,526 business staff personnel, many of them in managerial roles, about what they thought about BYOID and whether it could be used to simplify online authentication for everyone from employees to contractors to retirees to website customers or mobile customers. Both the IT and business sides said they considered BYOID as a way to simplify interactions with customers on the web and mobile devices. Both sides saw it as a way to make registration of new customers easier for them and the organization, plus possible cost reduction related to forgotten passwords and other sign-in problems. But beyond that, the IT and business personnel had differing perspectives about BYOID.

Three-quarters of the business staff answering the survey saw BYOID mainly as a way to either "reduce friction in the user experience" or "simplify engagement for users" as a form of "identity validation." Over half of the business managers thought BYOID would increase revenues for the organization, with many envisioning "targeted marketing." Less than 15% on the IT side shared this view.

According to the Ponemon survey, 67% of the IT and security respondents saw BYOID as a way to strengthen the authentication process and 55% said it could be a way to improve risk evaluation and decrease fraud. Only about 15% of business people felt that way. IT and security personnel thought it more important that the "identity provider" in any BYOID arrangement have some sort of "formal accreditation."

Respondents on the IT side ranked PayPal, Google and Amazon as the top three preferred identity providers for their organization. Yahoo was ranked of least interest. The business staff ranked Amazon, Microsoft Live and PayPal as the top three identity providers for their employers, with Facebook ranked the least.

When it comes to perceived barriers to BYOID deployment, IT and security personnel were far more concerned about risk, liability and "loss of control" than the business staff. Business staff worried more about "cost."

"Organizations that accept third-party identities also worry about instances where an identity is compromised and non-legitimate access is granted to applications or customer data," the Ponemon survey points out.

Not surprisingly, IT and security personnel regard BYOID in a far more technical light, with 57% saying they would feel more favorably about BYOID adoption if the identity provider would implement "fraud risk engines" while 66% said they wanted "multi-factor authentication." These were of interest to only about a third of the business staff. For mobile devices, four-digit PINs and one-time tokens were more important to IT personnel, while "geo-location" tracking was important to more than half of the business staff.

 
