
Okta: Reclaiming control over digital identity

20 Feb 2019

Article by Okta APAC vice president Graham Sowden

The data reckoning arrived last year when news of Facebook’s major breach hit the headlines.

The repercussions went far beyond the social media giant, because social authentication is used with thousands of connected apps.

Diligent consumers rushed to reset their passwords, unlink services from Facebook, and even close their accounts.

But from the chaos, bigger questions emerge: What is a digital identity? Who is responsible for that information? And what rights do digital citizens have?  

While they didn’t necessarily set out to be the custodian of millions of individuals’ personal data, it’s become clear that social media companies, including Facebook, Google and LinkedIn, are in that position today.

When news of the Cambridge Analytica scandal broke, Facebook users the world over felt betrayed. Most people didn’t know their personal data - information they thought was shared privately with friends and loved ones - was being given to third-party companies.

Through social authentication, Facebook’s data breach could have far-reaching ramifications, as users’ digital identities have potentially been compromised in the plethora of apps they permit Facebook to access.

This issue is not unique to Facebook: similar concerns were raised by a bug in the Google+ network, though it’s not confirmed that any personal information was actually exposed or used by attackers.

A continuous stream of headlines questioned what exactly had happened to Facebook’s shared user data, yet there hasn’t been a wider push to fully understand how much personal information is out there in the ether, and how it’s all interconnected.

Users urgently need a better understanding of their digital identity, and greater control.

First, it’s important to consider what defines personal information.

Most people fear exposing credit card numbers the most.

And while that’s valuable, it’s not personal.

A credit card number is an identifier that matches a consumer to their banking information.

Think of a postage tracking number: it’s better to have control of it, but it's not that concerning if someone else has access to it.

Other identifying numbers, including credit card numbers, driver’s licenses and tax file numbers, should be thought of in the same way.

As people have increasingly complex interactions online, sharing how they think and what they do on the internet, the world has entered a different era than the one in which passwords or PINs were the only keys needed to protect our information.

Software companies now gather information to understand what users like; they record biometric information like fingerprints or heart rates; they listen to voice commands and track typing patterns.

The wealth of information they hold goes far beyond credit card numbers and encompasses who users are as individuals.

In many cases, social media profiles – used to authenticate applications and services across personal and professional environments – now represent much of a person’s digital identity.

It should be a priority to protect this information.

Next, it’s important to understand what companies are allowed to do with user information, and why caution and consent are important.

With new data regulation laws in place, companies now need to know what data they are collecting (especially when third parties are collecting it for them) and are required to be clear about what personal information they will share as a part of the consent process.

Setting and publishing a robust data privacy policy, including consent and strict scopes for what personal information can be collected, what it can be used for, and how long it can be kept for, is essential to being a responsible company in the digital age.

The consent process recognises and gives equal value to the two parties in this social contract: the individual deciding who can access their information, and the company using that information for commercial ends.

It’s worth noting that a business isn’t allowed to exclude users from their services if they don’t say yes to their terms; closing this ‘bully loophole’ is another safeguard needed to ensure consumer protections are upheld.

Last, it’s important to weigh up the benefits of using Facebook to access other services against the risks. The benefits of social authentication are clear: simple, secure verification for both the user and the app developer.

But social media companies have no commercial interest in protecting their consumers’ identity. Whether personal data is being given away or stolen, neither is acceptable.

Businesses and individuals alike should consider the vast amount of personal information that is held by different services and be mindful of what organisations are given access to.

Use consent with caution and consider alternate identity authentication methods for the foundation of your connected digital ecosystem (full transparency: Okta’s in the business of enterprise identity management).

There’s too much at stake when it comes to digital identity: it has become a commercial currency. Rather than letting Facebook and others be the custodians of personal data, users need to take back control.

With the dangers of not protecting information continuing to grow exponentially, it’s time to be serious about digital identity.
