During the past two years, the international online trade in identity details has increased at a staggering rate. Information as seemingly banal as an individual’s date of birth, pet’s name or mother’s maiden name can now be openly traded on public websites and in private forums operated by criminals with IT expertise. As such, identity details have become the chief currency of a highly sophisticated black market, supporting large-scale financial fraud as well as major theft against the individual.

The startling ambition and ingenuity of those operating such ID data-exchanges represent a major threat to the immediate sustainability of the UK’s e-economy. But as the discussions at Information Age’s November lunch debate on protecting online identities suggest, the cure for consumer distrust can often be worse than the disease.

For while passwords, as all participants agreed, are now more or less redundant as a means of authentication, the inconvenience that often characterises traditional two-factor authentication models could trigger mass customer defection at many businesses. This issue was aptly underlined by the IT director at a major supermarket chain, whose large, demographically diverse online customer base, he argued, could never be expected to operate an extra piece of hardware – such as a token – when shopping online. His views were echoed by the security officer for a global broadcasting organisation, whose customer base is far younger and more tech-savvy than the average end-user. Even his customers, he said, “would never use hardware. They will just go to my competitor.”

When convenience and choice are both compelling reasons for transacting online, additional authentication serves only to undermine the ‘frictionless’ nature of e-commerce. In such a situation, says the head of identity management for a major investment bank, it is almost impossible to sell strong or two-factor authentication as a commercial differentiator. “Absolutely no industry in the world – with perhaps the exception of the airlines – has been able to sell security as a competitive advantage,” he argued. Consumers implicitly assume security should be an in-built part of the online service, he suggested, meaning that, at present, security continues to represent nothing but a cost-centre for online businesses.

For this crucial reason, two-factor authentication schemes in the future should operate across different industries so that they actually ease the consumer experience rather than impair it. This would require both security companies and the stewards of commerce to collaborate more effectively than they have in the past – in order to achieve a level of standardisation that would allow these schemes to provide a host of additional services, as well as multiple points of access from one device, the IT manager for a major news agency added.

But such schemes would also have to accommodate the growing complexity of online identities themselves. Companies increasingly need to authenticate not just who the user is, but how old they are. This issue is assuming a new urgency as many media organisations move to diversify their online offerings by targeting teenage audiences through social networking features; and as virtual worlds afford online users a host of identities in which to transact.

Ensuring organisations are able to cater to this growing diversification of online identity, while simultaneously ensuring its legitimacy in a specific context, will arguably present the next great challenge in the ID dilemma.

Further reading

The return of the ID card debate The UK Government’s embarrassing loss of 25 million citizens’ personal details has reignited the ID card debate