28 Mar 2014
With a little work, social networks have the potential to be as valuable in confirming an identity as a passport. It is the power of the crowd that can prove the integrity of the account holder, perhaps best described as crowdsourcing identity.
There are usually two goals of identity. The first is to confirm you are you who you say you are and the second is to work out your relationship to other people.
Social networks can solve both. We’re all familiar with the burgeoning number of websites that allow you to “login” with Facebook, LinkedIn or Twitter. The vast majority, though, are simply using a convenient approach to challenge and permit access. Rather than maintaining a new set of credentials, they are using a mechanism that maintains those sensitive details externally.
This is to be applauded and is entirely consistent with the objectives of cloud to share services rather than build complete vertical solutions from the ground up. However, just accepting a social network’s credentials only uses a fraction of the capability that aligning with these services offers.
In past decades, our grandparents carefully checked the telephone directory when it came out to make sure all their family and friends were listed correctly. With the whole city doing the same thing, any mistakes (or even deliberate fraudsters) were pretty quickly uncovered.
Today, phone directories are barely looked at and are, at best, incomplete. Once you get through an ID check, your details are entirely within your control and very likely to go unchallenged.
Social networks are different. While the profile that is created is self-regulated, its exposure to the friends forces a level of honesty. It may be easy to create a false identity, but a profile that is fully connected with the network and is actively maintained is much harder to fake for an extended period. Some of the things to look for include: levels of activity, numbers of “friends” or connections who are themselves active and connected, cross-posting and the amount of detail on the profile.
A CV to be trusted
Many employers now prefer LinkedIn to a CV for the simple reason that it is harder to fake qualifications and experience. A CV prepared for an employer requires reference checking and verification that often doesn’t happen.
The media is full of stories of senior people who have been caught claiming qualifications that they never completed. Compare that to the profile on LinkedIn where there are usually hundreds of connections, any one of which will call out if a false qualification is claimed or the description of employment is exaggerated.
Moreover, for most employers the network of connections in common is extensive and a whole range of potential points of verification are added, even if confidentiality requires waiting until after employment has commenced. Just the knowledge that this is likely to happen discourages would-be fakes.
Credentials that aren’t shared
Just as people will grab their smartphone before almost any other possession in an emergency, it seems that they value their social media login credentials above almost any other password.
People will often happily give out their credentials for video streaming services (such as Netflix). They allow their trusted family members to use their banking user details. They will even allow support staff at work to have their network password. But ask for access to their Facebook or LinkedIn account and they will refuse as it sits at the centre of their trusted friend network. Access to this core is just too sensitive to share.
In the future we could see building security where you “login with Facebook” and banks using social media credentials as part of identifying a customer when creating a new account.
A fair exchange of value
Whether a business or government service, it is important that the consumer or citizen receives fair value for using social media to identify themselves. The key is full disclosure.
If all that the Google, Facebook, Twitter or LinkedIn account is doing is providing access then the exchange is one of convenience. For the user, there is one less password to maintain and the site owner there is one less point of exposure.
However, it may be that the site or service needs to know about relationships, locations or other details which are maintained in the service. Full disclosure allows the user to feel confident on what is being used and why. If the use is appropriate to the user’s needs then this approach provides a way of updating their personal details without their filling out as many forms.
Many online services need not have any username or password data at all and those that do may only need it for those customers or citizens who want to opt-out of the social media revolution. Arguably, this last group maintain less of their details online and are usually less exposed in the event of security breach.
Good practice suggests using social media as part of an identity service rather than government or business trying to create yet another master, standalone, identity solution of their own.