Digital Identity Is Not Just About Security Anymore

by guest on December 3, 2002

in Carol Coye Benson, Writings

By Carol Coye Benson

There’s a sea change happening in the world of digital identity. Suddenly,
crypto-geeks and impassioned aficionados of biometrics, software tokens,
and smart cards are being pushed to the side. The suits have arrived!
Digital identity is no longer about security; it’s now a marketing conversation.

What’s happened? A convergence of standards, products, and capabilities
for what we at Glenbrook call shared authentication is opening
up new relationships between partners on the Internet. Shared authentication,
quite simply, allows one enterprise, which has an online relationship
with a customer, and a means (never mind what) of authenticating that
customer, to pass that customer over to another enterprise. The "receiving"
enterprise does not have to authenticate the customer, but can rely on
the work done by the "sending" enterprise. To forward-thinking
marketers, it’s really a very high-level dating serviceÖ introductions
for sale!

Of course, players in the security industry don’t call it a dating service—they
call it identity assertion—and everyone from OASIS (SAML)
to the Liberty Alliance (Federated Identity) to Microsoft (Passport) is
working on the underlying standards and technologies to make it happen.

What is interesting about the whole phenomena is that developers have
missed the real payoff in the use of the technology. As you might expect,
they have focused on how the "it" will work. For developers,
the payoff is in traditional IT benefits:

  • Improved security
  • Streamlined session management
  • Single sign on/ convenience
  • Cost reduction

Don’t misunderstand me; these are important benefits. On a good day,
we’ll join in with anyone in debating the merits of Passport versus Liberty
or in the enlivening debate about whether single sign-on actually improves
security (fewer written-down passwords) or hurts security (lose your single
password and lose the kingdom).

But with the arrival of the suits, it’s no longer about the technology—it’s
about the use of the technology for business purposes.

It’s Eyeballs All The Way Down

Think of the value that shared authentication brings to the party. Eyeballs
were originally just people who looked at your Web site. Then people who
looked at a selection of your Web site, from which you could inferÖ something.
Then people who looked at your Web site, cross-indexed with information
from marketing databases. Then it all got too complicated, too costly,
and too problematic as constraining privacy regulations came into play.

Today’s Digital ID eyeballs (what a phrase!) are simpler, more direct,
and much more valuable. Imagine you’re a real estate broker. You receive
a digital introduction from a mortgage banker. "I want to introduce
Alice. She’s looking for a new house on the east side of town and just
qualified for a $500,000 mortgage from our bank. Would you like to offer
her some special deals from your portfolio of homes?" With this sort
of qualified lead, you can send Alice an offer knowing that she is in
the market for a new home, pre-approved for home financing, in which geographic
area, and in what price range. Your success rate with this channel is
suddenly greater—by orders of magnitude—than with any other
channel. You happily cut the bank in with a share of your fee.

The bank just made an extra $2,100 (a 5% cut of a 6% commission on the
$700,000 house.) What’s amusing about this is that banks—and others—are
still looking at digital identity as a business with a transaction model.
Let’s see: 1,000 identity assertions a month at a value of, let’s say,
25 cents per assertion equalsÖ $250. Not too attractive a business! So
you up the transaction volume—let’s do 50,000 identity assertions
a month! But of course with lots of competition and little differentiation,
the transaction fees start dropping, and suddenly you have 5-cent transactions
and $2,500 in monthly revenueÖ hmmmm. Of course, there will be transaction
revenue businesses built in digital identity—and winners, as always,
will be those who can manage scale. But the larger—and shorter term—opportunities
will be from shared revenue on new services enabled by identity.

When we say it is amusing, it’s because these authentication security
guys aren’t going to know what hit them as the marketers realize their
authenticated customers have a tradable value in the marketplace. Digital
identities are corporate assets—tangible, exportable, and monetizable
expressions of a customer relationship! Think of it as CRM "to go".

A Wide, Wide World Of Possibilities To Exploit

Financial service professionals seem to be quick to grasp the shared
authentication concept and understand its implications:

  • I had one conversation with a consumer bank strategist who is always
    looking for ways to increase the"stickiness" of consumer relationships.
    He liked the idea of using this as an alternative to complicated and
    expensive loyalty programs. He imagined offering consumers click-through
    deals at affiliate sites-he said it was easy to imagine revenue sharing
    with the affiliate site.
  • Another conversation was with a senior manger at a major bank, responsible
    for running the web portal for the bank’s business equipment leasing
    customers. These customers are coming into the portal, being authenticated
    by the bank, and looking at reports on their leasing portfolios. When
    I explained the shared authentication concept, her eyes lit up. She
    thought she would want to make marketing deals with, for example, equipment
    repair services that her leasing customers could "click through
    to." The receiving site would have a highly qualified customer
    and the bank and the repair service could share in the incremental revenue.

Although these two conversations were specific to financial services,
you can imagine the same model being used in other industries. For example,
in healthcare shared authentication might be used to refer a patient from
one doctor to another, with their medical records and consent "bundled

So What’s New Here?

Skeptics will, we’re sure, be quick to point out that shared authentication
is nothing more than affiliate marketing; its been around for a long time
and is already quite effective. What can shared authentication possibly
add to affiliate marketing? In my mind, it’s really a granularity opportunity.
When presented with user-specific assertions from the sending enterprise,
it is possible for the receiving enterprise to tailor special offers that
directly meet the needs of the consumer. Instead of the generic offer,
the consumer benefits from a customized offer.

In the online world, affiliate marketing programs are heavily used to
reward Web sites that direct online consumers from one site to another.
But what does an inbound referral from a sending Web site really say?
Only that this consumer was visiting the sending Web site and clicked
on a link. The referral says nothing of the consumer’s interests, circumstances,
or qualifications as a customer. It certainly doesn’t say the consumer
is prequalified for a $700,000 home loan!

Privacy – It’s Not So Hard

Let’s gore one more ox regarding shared authentication. We’re continually
amazed over the fuss (within the product development community anyway)
about privacy. While we do have some sympathy for product managers in
banks and other companies who have to retool existing products and marketing
practices to account for new privacy requirements, we have no patience
when it comes to new online services and marketing programs. Just design
in privacy from the very start.

Consumer privacy is really painfully simple. You can’t do stuff to consumers
without their consent; you can’t use consumers’ stuff without their consent;
and you have to take really, really, good care of consumers’ stuff once
they give it to you. This isn’t going to go away or change materially.
Financial service providers who walk the fine line and quibble about what
"consent" means or what "stuff" is will be the on
the receiving end of regulator and consumer outrage.

Luckily, digital identities—and identity-enabled products and services—work
well within this new, privacy-aware environment. The extensions of digital
identities are digital profiles—information about a consumer, their
preferences, choices, and attributes. Use-of-data and use-of-identity
permissions and preferences become simply a "first order" profile
attribute, one that governs all else. A good example of this is in the
Liberty specifications, which go into painful detail to show how a consumer
first has to consent to being introduced to a potential "federation"
site, and then consent to be linked, or "federated" (I still
hate that word, but, sadly, it is gaining currency.) Clearly, the Liberty
specification is privacy aware. You should be as well.

So What’s a Girl to Do?

So you’re the "authentication czar" of your financial institution.
Maybe you are tucked away in Information Security; maybe you are in Technology
Strategy. No one has been listening—much—to your presentations
and explanations about Public Key Infrastructure (PKI). No one cares about
biometrics. They’re not even afraid of what Microsoft might do to their
business with Passport. How do you get your company ready for this new
world of shared authentication and Digital Identity? We have a couple
quick recommendations:

  • Find someone in information security that "gets" the marketing
    piece of this puzzle. Make sure that person is up to speed on SAML and
    the activities of the Liberty Alliance. If your institution isn’t already
    a member, consider joining the Alliance.
  • Find the business managers in the company who are responsible for
    making marketing alliances with partners. With your information security
    colleagues, educate them on what is possible. Try to find one or two
    simple, early applications for proof-of-concept testing. Don’t let the
    people in charge of the consumer portal or client online service become
    a roadblock here.
  • Find and educate your privacy officers on the benefits of shared authentication.
    Make sure your institution has data privacy policies that are forward
    looking towards these new potential applications. Once marketing professionals
    start to use shared authentication, they will be cooking up all sorts
    of unique programs to leverage consumer identity.

There will be value in shared authentication, but when attempting to
leverage something as important as your customer’s digital identity, it
will be critical to have cross-functional buy-in and a well thought out

Grab onto Your Hats

The next few years are going to be fun. There will be a number of these
experiments and tests, and, we think, a rapid learning curve for financial
service providers and their partners. Needless to say, there will be failures
and disappointments. But we think that the bottom line—the marriage
of customer convenience and highly targeted marketing connections—will
pay off for many firms. Now is the time to start learning about this!

Publication History

Initial Publication Date: December 3, 2002

Comments are closed.

Previous post:

Next post:

Clicky Web Analytics