A user going through identity access management.
Image: adam121/Adobe Stock
Image: PingIdentity. PingOne Neo logo.
Image: Ping Identity. PingOne Neo logo.

With the world moving toward password-free and low-friction user verification systems, identity access management provider Ping Identity has joined the raft of cybersecurity vendors embracing decentralized identity management. It is offering an early version of a multi-standard solution called PingOne Neo.

What is decentralized identity?

Identity access management, or IAM, often involves a complex handshake using personal verification data stored by one enterprise. Besides involving a lot of manual activity by the user, it increases risks to the user and the company because of massive amounts of personal data held by enterprises, constituting a vast threat surface for potential data breaches.

Enter decentralized identity solutions: instead of identity verification being handled by each enterprise issuing a credential, identity is distributed across a network. Because it uses blockchain technology, it is highly secure and hard to hack. Each user has control over a decentralized identifier, or DID, dispensing with the need for a central identity-controlling authority.

A portable, scalable solution

In a 2022 report, Gartner noted that the common IAM paradigm in which a user has to assert their real-world identity with every new service provider “is not scalable given the pace of digitization. Portable digital identity solutions will be required to support both current and evolving use cases in the long term.”

The decentralized identity solution is a portable, or “BYOI” model, where “a user’s identity data is not typically held by a centralized third party, but instead stored locally in a user’s digital identity wallet and managed using underlying ledger [blockchain] infrastructure,” Gartner says.

It is also more secure because it involves less exposure of user data because it does not require the dissemination of data to each certificate issuer (such as banks, retailers and health insurers). A form of self-sovereign identity — or SSI — decentralized identity lets the user manage their own identity by letting them store credentials from multiple sources in a digital wallet. Because it doesn’t require the user to share the verification data stores in their wallet, decentralized identity also reduces transaction fraud.

Multi-standard operability will be important for digital IAM

PingOne Neo simplifies verification whether the user is inside or outside of the organization. This is because the process doesn’t require complex back-end integrations, according to Darrell Geusz, PingOne Neo product lead. He said the technology allows a user to request a verifiable, cryptographically-signed credential from an organization, which is added to the user’s digital wallet and can therefore be shared with a business that requires it, so that the individual is in complete control of what gets shared.

According to Ping Identity, PingOne Neo is a component of an open and interoperable platform that supports popular decentralized and other identity standards from the World Wide Web Consortium, the OpenID Foundation and the International Organization for Standardization. Ping Identity is also a key contributor to the Open Wallet Foundation Initiative, which supports interoperability between digital wallets through open-source software.

“It’s all standards-based, so we have full interoperability,” said Geusz. “Once you have the credential in your wallet, any interactions are possible, depending on the standard: with W3C standards, it’s all QR code-based. Or you can use OpenID Connect certificate-based authentication. For ISO standards, which is what mobile driver’s licenses are built on, you also have the ability to do in-person transactions using Bluetooth or near-field communications technologies to share your information in person.”

Geusz said PingOne Neo is following a trend toward passwordless credentialing. “Most of our customers are going passwordless,” he said. “There are mechanisms now where you don’t even need your username anymore. Neo enables that as well, so that when you log in, it’s all passwordless.”

SEE: Thinking of using these passwords! Don’t. (TechRepublic) 

Decentralized ID as a key that fits many locks

Ping Identity is one of the market-share leaders in the crowded identity management marketplace, or identity as a service ecosystem, comprising a very long tail of providers that include Microsoft, Okta, ForgeRock, OpenID and many more.

“One of our largest sectors is global banks that run on Ping either for workforce, or they’re consumer-facing, or both,” said Geusz. “We also have a lot of presence in retail, healthcare, manufacturing and transportation — 3.5 billion identities are managed on Ping software platforms around the world.”

Gartner reported last year that organizations under pressure to move interactions online face a paradox: confronting issues around user trust without creating user friction. “Organizations find it challenging to differentiate between the many identity proofing vendors on the market today amid indistinguishable marketing claims about accuracy and machine learning prowess,” the market consultancy wrote in a March, 2022 study.

By 2025, the firm predicts the emergence of a global standard for portable decentralized identities “to address business, personal, social, societal and identity-invisible use cases.”

“There are standards now that are emerging that should be done by the end of the year where we’ll be able to issue credentials into third party wallets,” said Geusz. He said that when a user is issued an identification credential, they will be able to use a mobile app, such as their workforce app, to pair their wallet with the credential issuer.

Geusz said PingOne Neo also supports device-side biometrics like touch and face ID that can interact with the wallet’s credentialing software. “But we also support server-side biometrics: In our Ping backend stack and our Software-as-a-service, we have selfie matching, as well as voice verification for call center and help desk support.” He said a photo can be embedded in a credential so that it functions similarly to a mobile drivers license at a TSA checkpoint.

“When you present your digital credential, your photo can come with it allowing for a live biometric match either online using web-based technology or in person,” he said. “And that means you don’t have to store the photo on the back end. You just put it in the digital credential and on the user’s mobile digital wallet allowing them to present it as they would a digital driver’s license.”

Ping Identity’s goal: speed to trust

How does all of this look in (potential) practice? Geusz suggests this scenario: You are a servicer for the customers — electric companies — of a large wind turbine manufacturer. One of the turbines goes down. Time is of the essence.

“Right now, whenever one of your technicians shows up to a wind farm, it can take hours for them to figure out who the guy is, before he can have both physical and digital access to repair it: Is he certified? Is he allowed to work on that particular model of wind turbine? Does he really work for the vendor? Maybe he’s a subcontractor, even a third party,” Geusz said.

What if they could instantly provide verified credentials from the manufacturer by tapping their phone. “And now how much downtime is there? Zero. This is speed to trust. If you can increase your speed to trust, that greatly benefits your business.”

How decision makers should choose IAM solutions in a crowded marketplace

The identity proofing and verification market is large, comprising several dozen vendors. Gartner, in its report, said Security and risk management leaders should:

  • Balance user experience and trust requirements by considering whether identity proofing in the form of “ID plus selfie” is really required, or whether a combination of identity verifiers are sufficient.
  • Exercise caution in relying on data-centric affirmation alone, given the ease with which bad actors can acquire a user’s personally identifiable information.
  • Use an orchestration layer that links identity proofing, fraud detection and user authentication capabilities to manage risk.
  • Comparing the accuracy of different vendors is challenging. Accept that this may not be practical, and instead focus on aspects such as ease of implementation, UX optimization, connectivity to data sources and references from clients with similar profiles.
  • Look to the future by exploring how to leverage existing nascent portable digital identity schemes where they have sufficient penetration within your user base.
  • Assess whether the level of identity assurance provided is sufficient for your needs.
  • Take advantage of the improvements in UX that can be obtained through portable digital identity.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday