What Does 2022 Have In Store For Identity?
22 February, 2022, by Stephen Swann
Experts in the industry have been predicting the death of passwords for many years and those predictions haven't yet come true. There has been progress and some application service providers have appeared recently with a distinct lack of passwords anywhere to be seen - which should be welcomed.
But, would I be so bold as to say that this year will be the year that we see an acceleration in the move to a password-less online experience?
Passwords - R.I.P.
Google, in conjunction with The Harris Poll, commissioned a survey in 2019 to try to understand the state of passwords. Although those polled were exclusively from the United States of America, the results could possibly be recreated elsewhere, and they are quite horrifying:
- 59% of adults have their name or birthday incorporated into their passwords
- 33% use a pet's name
- 27% of people have attempted to guess someone else's password (and 17% of those were correct!)
- 1 in 10 Californians still have access to a password belonging to an ex-partner
- 43% of people have shared their password with someone else
- 15% of people use a password manager or password vault
Writing passwords on a post-it note is still popular, but not quite as popular as relying on memory. However, does the following sound familiar:
"Dad, the television is asking me for the Netflix password again!"
It's only natural that some passwords, by the nature of the service, end up being shared amongst a family. And it is only natural that some of those passwords are not as complex as they ought to be. Try inputting a 12-character complex password into a television with a simple remote control - it's a painful process! According to Scientific American, cracking a 12-character password takes 62 trillion times longer than cracking a 6-character password - they failed to also say it takes 62 trillion times longer to input such a password into a television set!
The good news, however, is that over a third of people polled say they now use Two-Factor Authentication for some services. Good news? Let's rephrase that. How are two-thirds of people undertaking banking activities without having some form of Two-Factor Authentication in place? That can only mean that people do not understand what 2FA actually is!
Passwords have to die. But this won't be the year for them to do so. Instead, we shall see another year during which end users become more comfortable with other authentication mechanisms and service providers improve the user experience to make it as frictionless as possible.
Take Back Control with SSI
We have previously spoken about Self-Sovereign Identity on our blog. It has often felt like one of those topics that falls into the "that's a cool idea - we should be doing that" bucket.
But we already are - to a certain extent. And the Covid-19 pandemic has only accelerated the growth in this space. (Think about Covid-19 passports and certificates that you carry about with you on your phone, for example.)
Taking control of our digital identity rather than abdicating responsibility to a supposedly benign internet giant might be a cultural shift for many. But ensuring that only those people have access to those parts of your digital identity that they need access to in order to provide you with a service is just plain common sense. More crucially, the ability to revoke that access because you have control of the asset can only ensure consistent, relevant, and contemporary information is available to those who need it.
Of course, what we really need as an end user is a simple digital wallet to hold this information, rather than a proliferation of wallets and apps.
Finally, some good news. Identity-As-A-Service has been around for quite some time now, but this year will be a breakthrough year. Most organisations invest in their IAM software for a minimum of 5 years, which means that a lot of organisations are re-evaluating their current on-premises IAM solutions, and most of them are seriously considering IDaaS.
And why wouldn't they? On-premises deployments have traditionally been painful to implement and have a server footprint that seems disproportionate to the value they bring. The move to the cloud has been on their minds for a while, but fear of the unknown, and handing over the keys to the kingdom to a third party, only leads to auditors having sleepless nights. Until now.
IDaaS has grown up. And this year will see not just newbies to the identity game purchase Cloud Identity services, but the early adopters of identity services will be clamouring to shift their behemothic deployments out of their data centres too.
The major problem early adopters will have, however, is that they (in their infinite wisdom) bent their identity services to meet their crazy business processes. That was possible when you had, in effect, purchased a framework that allowed you to do precisely that. In an IDaaS world, however, that flexibility doesn't necessarily exist.
I say it is a major problem. It really isn't. Adopting a solution that is more rigid in its approach to delivering a service will likely provide a much more consistent experience for end users and administrators alike. Auditors love rigidity too! It might be painful at first, but the idea that the platform no longer supports weirdo edge cases "just because Dave in Accounts, who has been there for 30 years, needs some special combination of entitlements because, you know... he's Dave in Accounts" can only be a good thing.
Madigan in 2022
As an aside, 2022 looks like it will be an exciting year for us at Madigan Solutions. New hires, new offices and a new product are on the roadmap. You can be a part of it too. Check out our current vacancies.