“CIO Perspectives” is a white paper series by Mark Settle that explores top-of-mind technical issues confronting today’s CIOs and IT leaders. Mark is a seven-time CIO, a three-time CIO 100 award winner, and a two-time book author. His most recent book is Truth from the Valley, A Practical Primer on IT Management for the Next Decade.
This paper is co-authored with Jelena Hoffart, an investor at the global private investment firm 9Yards Capital, which promotes innovation in foundational industries.
History teaches us that innovations in employee identity management are preceded and shaped by advances in the effectiveness and convenience of consumer identity practices. Mobile phones and biometric signatures were integrated into consumer practices long before they were incorporated into everyday employee identification procedures. This phenomenon continues today because of fundamental differences between the objectives and priorities of consumer and employee identity management.
Employee practices are designed to avoid all forms of unauthorized access that could potentially result in a data breach or malware infection. They are based upon zero trust access, least privilege authorization and zero standing privilege principles. In contrast, B2C businesses would rather err on the side of accepting questionable identity claims under certain circumstances than lose customers or financial transactions to a competitor. This has left the door open for innovation on the consumer side, while employee practices have been locked into a stringent zero trust/least privilege architecture.
While employee practices are designed to minimize or eliminate business risk, consumer practices are designed to minimize or eliminate end user friction. B2C companies are constantly exploring ways in which new technology can be used to improve customer experience, which is a corporate euphemism for getting to a ‘buy decision’ as quickly as possible. In contrast, enterprises are prepared to accept certain levels of employee friction within their business operations in exchange for higher levels of security.
Historical practices generally assume that the validity of an identity claim increases in direct proportion to the number of actions a user is required to perform or the amount of information a user is required to submit. However, emerging technologies such as passive biometric signatures, TPM cryptokeys, FIDO2 passkeys and mobile wallet credentials are undermining this conventional wisdom by demonstrating that higher levels of identity assurance can actually be achieved by minimizing end user involvement. These technologies enable authentication on demand with little or no end user intervention, in many cases semi-continuously during a website visit or work session.
Our understanding of consumer identity practices (and a healthy dose of personal intuition) leads us to conclude that:
- Historical authentication techniques have become commoditized and can be mixed and matched to support any type of consumer or employee login scenario during the next 3-5 years.
- The quest for passwordless employee authentication is over and passkeys are the solution.
- Identity wallets holding verifiable credentials are the ultimate solution for both consumer and employee authentication, but widespread adoption in the short term is unlikely.
- Apple's and Google's foray into the use of mobile wallets to store and maintain mobile driver's licenses will ultimately lead one or both of these vendors to offer wallet-based employee identity solutions in the future and potentially to assume a leading role in employee identity management.