At Spark The Change, a conference in Paris, focused on innovation and changing the world, I shared my view on the State of Digital Identity. Being the CTO of a company like Dashlane gives me a special insight and view on the topic, which I'm excited to share.
8. The Problem is Getting Worse, Not Better
[Chart: digital accounts doubling every 5 years, 2005 to 2025]
[Chart: people are using more devices than ever, 3+ on average]
Personal credentials as the main attack vector to penetrate an organization
12. A Hard Problem to Solve
• Users are platform agnostic
• Identity is a cross-platform problem
• Most tech giants are structurally challenged
• Being cross-platform is critical
Platform of interaction of Dashlane users:
Apple: 25%
Google/Microsoft: 23%
Apple, Google, Microsoft: 15%
Apple, Google: 13%
Google: 10%
Microsoft: 8%
Apple, Microsoft: 6%
13. Biometry is not a solution
Biometry as the future of digital identity?
16. The Toothbrush…
• We give you the tool and tell you how to use it.
• This is on you, to make the effort to brush your teeth.
• Manage your « credential hygiene ».
17. …and the Seatbelt.
• Even if it is a constraint, you are better off putting your seatbelt on in case something happens.
• Password Managers are not perfect, but like a seatbelt, using one is better than doing nothing.
19. Giving control to users
• Dashlane secures your data locally on your device using advanced encryption. Dashlane never sees your data.
• Users maintain ownership and local control of their data.
• Decentralized by design.
• Independent from Big Tech.
Universality, Privacy, Simplicity
20. Looking at the future
• Emergence of Standardized Identity Protocols
• Apple and Google providing proprietary solutions
• WebAuthn promoted by W3C for the web
• Decentralized identity systems
• Self-sovereign identity,
• Blockchain decentralized user-controlled identity, unproven yet
• Digital Identity Providers: third-party solutions that help users manage digital identity.
A friend of mine was shopping at the Galeries Lafayette, one of the biggest department stores in Paris. After a while, she realized she could not find her bag anymore. She thought she had forgotten it in one of the corner shops but soon realized that it had been stolen. She was very upset. She went to the police to declare the theft before going home. 1 hour later, she got a phone call at home from the Galeries Lafayette. Her bag had been found, dumped in a corner. She could retrieve it from Lost and Founds the next morning between 10 and 12. What a relief!
When she arrived the next day at the Galeries, the agent at the Lost & Found was very surprised, since the bag was not there and they had never called her. In the meantime, someone had broken into her home and totally emptied it.
Now let me tell you another story.
In 2016, Dropbox discovered a hack that took place in 2012. 68 million accounts were stolen. The investigation showed that the hacker had used an employee login and password that were themselves stolen in a previous breach. The employee had used the same password between work and personal websites.
These two examples are parallels in the physical and digital worlds. A small and painful incident can become an even bigger nightmare if you are not careful.
And on the Internet it only gets worse. Just in the past 18 months: Cambridge Analytica, the Equifax breach, Facebook being fined, and many more.
Digital Identity is basically Broken!
There are billions of users and millions of businesses that rely on the Internet today to access and transact with millions of digital service providers.
More and more users move their data to the Cloud, and each time they do so, they hand over a small subset of their digital identity. It is as if you had spread around hundreds of copies of your ID card, your credit card, or even your social security card. Your digital footprint is all over the place.
The way Identity is built on the Internet is just plain wrong.
In its current state, it is bad for users: you get constant friction each time you need to register, log in, or check out. As a user, you have no idea what data is actually being captured, because on top of the personal data you willingly provide, service providers grab many more details about you: your geographical location, your device type, your browsing history, and so on. Obviously many businesses rely on monetizing that data, either directly (advertising, profiling, etc.) or indirectly. And this becomes uncontrollable, since hundreds of copies of your digital identity are scattered across the cloud.
But it is actually bad for digital service providers as well. The friction of the sign-up funnel is a key business issue. Regulation is creating increasing risks and liabilities for those providers; think GDPR. Consumers are becoming more and more wary of providers. They feel the Internet has become a dangerous place.
Unfortunately, the problem is getting worse for everybody. Not better.
People are using more devices than ever, on average 3 or more. We have more digital accounts every year. The number of massive breaches is not stopping: every day the news is filled with more providers being hacked and more user data having leaked.
Despite that situation, if you look at what users do, most of them resort to crude methods to handle their digital identity.
Only 12% use tools such as password management.
86% just memorize simple passwords and reuse them everywhere. 49% write them down on paper.
Very few of them really take action. We have kind of given up and accepted that this is the way things are, and we bear the risk and the burden.
Digital Identity was never part of the foundations of the Internet. For the Army with ARPANET, or for the academics, this was a trusted network. The technical building blocks (HTML, CSS, JavaScript) did not include a standardized solution to authenticate and handle identity components online. If you look at the evolution of web technology, identity is not part of it.
The Internet boomed and it was then too late.
Estimates talk about 50 billion connected devices in 2020, all of which will have to handle some form of identity or authentication.
The truth is that it is a hard problem to solve. Digital Identity should be universal. It should be agnostic of any provider and work cross-platform. Just as you can use your passport to travel to any country in the world, you should have a digital equivalent. But the Internet is completely fragmented. The Big Tech giants, the Apples and Googles of the world, cannot solve it on their own. They are focused on protecting their own walled garden, their little territory, not on fixing the broader issue.
Biometry was considered a potential savior, but:
1. Biometric systems can be faked.
2. Once your biometric data is compromised, what do you do?
3. Biometry is a device-specific solution. No standard or shared protocol has emerged.
4. It only solves a small portion of the use cases around authentication.
Another hope was that mechanisms such as Facebook Connect or Login with Google would solve the problem. It is definitely progress for user convenience. But using those solutions implies that you trust Big Tech, putting all your eggs in the same basket. Recent breaches around Facebook Connect have shown the limits of a centralized identity model. The size of the target created by centralizing the digital identity of millions and millions of users makes it only a question of time before they get massively breached.
A few of my own passwords were leaked in the past, in the 2012 Dropbox breach or in the LinkedIn breach. Fortunately for me, at the time I had started paying attention to my credential hygiene. I had begun using Dashlane as a password manager. With a Password Manager, I was able to easily generate unique passwords for all my online services.
Today I have more than 1000 unique passwords. I don’t know any of them. I just remember my Master Password for Dashlane.
That limits the potential impact of those breaches for me. I just need to update the breached password. I still get email scams threatening me because they know one of my old passwords, but I just ignore them.
I see the mission of Password Managers very much like that of a dentist. Nobody likes to go to the dentist or to brush their teeth every day. Yet this is the best solution to avoid cavities. Dentists show you how to use a toothbrush; then it is up to you to have the discipline.
Another metaphor I like to use is the car seat belt. Nobody today would think of not putting on a seat belt when driving on the highway. Why shouldn’t we do the same on the digital highway of the Internet? It is better to be safe than sorry, even if it costs us a little.
The problem is that users do not care. They hear of so many breaches all the time that, as with climate change news, most of them have stopped paying attention and feel they are not concerned.
Behavioural change is hard. Fewer than 2% of vehicles are electric, despite awareness of how critical the climate situation is.
There is also skepticism: password managers are just another cloud solution that could be hacked like any other. In reality, we have built Dashlane such that you remain in total control of your data. Everything happens on your device: your data is encrypted there, and the key, what we call the Master Password, is known only to you. This zero-knowledge architecture ensures that you are safe as a user, and that Dashlane as a company is never at risk. Our solution is decentralized by design and is not dependent on any ecosystem. We work on all platforms in a universal way. It is important to be independent from Big Tech. We want to be the Switzerland of Digital Identity.
You may have heard of the recent Siri revelations, where Apple admitted to having listened in on Siri conversations for years. Microsoft did the same on Xbox audio chats.
What does the future look like?
There are 3 main trends in the market today.
The emergence of standardized identity protocols. Apple and Google have created their own proprietary solutions in their ecosystems, which already cover most of the mobile world. The W3C is promoting standards like WebAuthn for the web. But we are a long way from universal solutions.
Companies are prototyping decentralized identity systems. There are concepts like self-sovereign identity, the idea that an individual should own and control their identity without intervening administrative authorities. Developers are also experimenting with blockchain technology for digital identity.
Finally, some third-party solutions like password managers and enterprise SSO solutions are trying to become "digital identity providers", but as of today this is still a niche market.
None of them are perfect. None are universal.
https://techcrunch.com/2019/08/22/who-gets-to-own-your-digital-identity/
Appearance of decentralized identity systems:
Decentralized Identity Foundation based on Decentralized Identities (DIDs)
Concept of Self-Sovereign Identity
Blockchain-based identity mechanisms, such as https://www.uport.me/ or https://selfkey.org/
Technical solutions won't be enough to repair a broken Digital Identity. We need simpler, easy-to-use solutions that can be adopted by all. In today's optimized life, security and tech cannot be the only trigger. As Ev Williams, founder of Twitter and Medium, says: "Convenience decides everything".
Our individual efforts can make a collective impact.
You can all start by taking baby steps and using existing tools.
I obviously use Dashlane, as a Password Manager.
I started using a safer browser like Brave, which is better for privacy.
I decided to delete my Facebook account.
I am even currently moving away from Gmail, and using Fastmail, an independent email provider.
I am regaining control of my digital identity.
Take a step yourself, to improve the management and control of your digital identity, and help us fix and make the Internet a safer place.
If I may use a provocative parallel, it is by running massive vaccination campaigns that mankind was able to get rid of diseases such as smallpox.
It is time to start brushing your teeth by trying Dashlane.
Thank you.