The seven deadly sins of identity management

Last week, I gave a keynote speech at the Digital ID World conference in San Francisco, a gathering of technologists working in identity verification, authentication and biometrics. As an information ethicist, I was asked to share some thoughts about how the human component affects complex systems used in identity management (IDM).

Based on more than three decades of observation, I have concluded that most IDM failures aren't due to technology glitches. In fact, most of the leading IDM technologies serve their purpose well.

Instead, the most common problems seem to result from how people interface with these systems. I call the causes of these fiascos the "seven deadly sins of identity management."

  1. Too much rigor reduces employee productivity. More than 10 years ago, a large financial services company changed its password policy from four digits to 10 alphanumeric characters. It also introduced a mandatory password change every 60 days for all employees and contractors and a lock-out provision after three failed attempts.

    While the above password changes required a small tweak to the company's IDM system, the need to remember complex passwords caused hundreds of people each week to require resets. As a consequence, the company dealt with a record number of system delays and numerous complaints from customers. Productivity plummeted until employees were able to cope with the new password requirements.
  2. Tighter security measures can lead to back-end shortcuts. In order to remember a new 10-digit alphanumeric password every 60 days, some employees started to share their unique codes with co-workers or just put their numbers on a note directly on their terminals or keypads. Some employees used a simple heuristic such as their Social Security number and initials to help them remember. Obviously, this all reduced the integrity of the company's system. The main lesson learned: Don't overengineer an IDM system, and don't overestimate the ability of people to remember complex passwords and personal identification numbers.
  3. Too much convenience decreases end-user confidence. How does convenience reduce confidence? Our recent study on online banking (see column) showed that customers have more trust when they believe that a bank's IDM and authentication process is rigorous. On the other hand, when customers view IDM as overly simplistic, they start suspecting privacy and security risks. This study suggests that the balance between convenience and trust depends on various factors, including industry requirements, the sensitivity of information shared to fulfill a customer transaction and access needs.
  4. Too much collection of personal information creates privacy risks. In another study conducted by our institute, we found that people are willing to share personal facts about themselves and their families for purposes of authentication. But they don't expect their personal information to be used for secondary purposes, such as for marketing. Also, when collecting an individual's personal data, more may not be better than less. Collecting too much personal data may tempt others within the organization to reuse sensitive information.
  5. Poor manual controls open the door to social-engineering risks. Consider recent federal proposals to use drivers' licenses for a unified national identity program. While this may sound like a convenient security solution, think of the potential risks that can occur without good manual controls and procedures governing enrollment.

    Unless staffers at licensing offices across the U.S. are trained in inspecting source documents, this plan could still allow criminals and terrorists to acquire drivers' licenses by using counterfeit birth certificates and passports.
  6. Too much autonomy creates opportunity for malicious insiders. Insiders are a major source of data security problems and breaches, whether through employee negligence and incompetence or through a malicious person who is deliberately trying to harm the company out of personal retaliation.

    In my experience, those who operate IDM typically have significant responsibility and autonomy in their company's data center. They may have enormous access privileges, such as root passwords to key systems. Just imagine what might happen if such a person became disgruntled. The lesson here is to know the people who control IDM and watch them closely. Monitoring is even more important when the IDM function is outsourced.
  7. Ignorance causes low-tech risks. Many companies have focused their IT security efforts on creating a nearly perfect perimeter. In other words, keep the bad guys out at all costs. They forget that bad guys can enter a company's systems without having to hack through firewalls or other perimeter controls.

    Take, for example, the recent stories about ChoicePoint, where identity thieves were able to create a fake identity as a business customer, thus obtaining legitimate access to thousands of sensitive individual records (see story). Companies need to pay closer attention to low-tech security risks that can affect IDM, especially if access can occur through remote, offshore locations.

What we've learned

Here are some key findings on IDM systems from Ponemon Institute studies:

  • Identity management should be easy and efficient. Employees and customers don't want to face overly complex passwords or multiple tiers of access controls.
  • Despite identity theft fears, consumers continue to share private information with unknown entities, even during unsolicited communications by phone or e-mail. The public's willingness to share private data makes companies vulnerable to continued criminal attacks, especially on the low-tech front.
  • People will share more and better information about themselves with companies that they know and trust. Hence, organizations that collect this sensitive information for IDM purposes should limit secondary uses and provide notice about possible data sharing with third parties to keep that trust.
  • Certain organizations, such as airlines, credit card companies, banks and health care providers, should have stronger IDM and verification methods than other types of companies such as retailers.
  • Many large companies underperform on the IDM front despite the availability of excellent, low-cost technology solutions.
  • Consumers appear to prefer Web channels rather than telephone or in-person meetings for identity registration.
  • The public's impression of biometrics is improving. Many people are willing to accept some form of biometric technology, such as voice recognition, if it makes it easier to have safe access to information.
  • It appears that the public is warming up to the idea of a national identity management program. But this would need to be managed by a trusted entity. The public favors the U.S. Postal Service or retail banks as a potential program manager.

If done right, good identity management is an opportunity to create end-user trust and confidence. Trust requires organizations to strictly limit secondary uses of customer data. And, companies have to be careful not to overengineer the IDM solution.

Biometrics and other forms of authentication may become increasingly helpful in creating an easy and safe IDM program. Finally, and most important, organizations need to have responsible information management practices that support IDM implementations.

Larry Ponemon is chairman of Ponemon Institute, a think tank dedicated to ethical information management practices and research. He is an adjunct professor of ethics and privacy at Carnegie Mellon University's CIO Institute and is a CyLab faculty member. Ponemon can be reached at


Copyright © 2005 IDG Communications, Inc.
