An enormous challenge for organizations is striking an appropriate balance between a need to verify identity and the ability to provide quick and easy access to systems and confidential information. A lack of balance can have serious consequences. A leading Web merchant may lose business because the identity management procedures fail to authenticate a legitimate customer. Or even worse, individuals may become victims of identity theft because an online business fails to use proper identity management safeguards.
To address the convenience and safety conundrum, technology companies are developing biometrics and universal identification systems for purposes such as access to bank accounts, entry into public buildings and security screening at airports.
To find out the types of identity management technology consumers prefer and the expectations they have about how organizations use it, the International Association of Privacy Professionals, Electronic Data Systems Corp. and Ponemon Institute recently conducted a Web-based survey of almost 1,200 adults throughout the U.S.
The survey asked respondents about personal information they are willing to share over the telephone or Internet, both to establish a new business relationship and to validate their identity when making contact with a company they already do business with. People said they are more willing to share personal information with a customer service representative over the telephone than during an online session. The pieces of personal information individuals are most willing to share with organizations to establish their identities are: name (88%), home telephone (88%), address (84%) and customer account numbers (82%).
The pieces of information individuals are least willing to share are: racial or ethnic origin (8%), Social Security numbers (12%), debit card numbers (16%), nationality (18%) and driver's license numbers (18%). How much is too much? According to 65% of the respondents, being asked for three or more separate pieces of personal data to identify them is too much.
Consumers want convenience
It is interesting to note that despite the rise in incidents of identity theft, the study suggests consumers want identity management to be a relatively easy and efficient process. The most salient findings are shown in Figure 1 below. In short, respondents don't want organizations to require them to deal with complex passwords or access procedures. For example, if they forget their online password, 44% of respondents said it should be e-mailed to them immediately so that they can access the system with minimal delay, and 44% said that customer service representatives should provide helpful hints or prompts if they forget their password.
As shown in Figure 1, only 26% of respondents believe that they should be locked out of an online transaction for repeatedly failing to enter their password or special access code. And just 13% of subjects are willing to provide three or more pieces of personal data before being granted access permission.
What actions should an organization take if a customer repeatedly fails verification checks? Most people want more chances to prove their identity before the company reaches a final verdict. Figure 2 shows that 74% of respondents would like to have a live chat with a supervisor for assistance. Fifty-nine percent believe that the live operator or online system should encourage them to call back or retry with correct credentials.
If a person fails verification checks, 43% believe that the company should immediately contact the individual by phone, and 40% believe that the company should contact law enforcement if verification attempts are repeated. Only 24% of the subjects believe that they should be denied access after three failed attempts.
Which is worse for consumers: to be denied access to an account because of a system's glitch or to be given access even after failing the identity verification test? Sixty-six percent of respondents viewed being denied access as a greater harm to them than being denied access for their protection.
While consumers want convenience, they also expect security. Seventy-seven percent of respondents expect organizations to have strong identity verification safeguards in place to protect their personal information.
Figure 3 shows the top four organizations that are expected to have the strongest identity verification and authentication safeguards: credit card companies (94%), hospitals and clinics (91%), banks (89%) and airlines (84%). While not shown above, hotels, grocery stores, mail and postage services, and retail stores are expected to have less stringent identity management procedures.
Despite indicators that consumers crave convenience, they also see the need for good security. They just don't see the need to sacrifice a lot of effort or time to achieve reasonable safety levels. Most people expect organizations to provide identity management procedures that won't create an undue burden on the public.
Study supports biometrics and universal ID
Survey results indicate strong support for the use of biometrics. More than 70% of respondents believe that technologies such as voice recognition or fingerprinting systems would be acceptable. The top reason is convenience. More than 88% of respondents believe biometrics will make identification more convenient and accurate. Among those opposed to biometrics (11%), most appear to be concerned about secondary or alternative uses of this data.
The study also supports the creation of a universal verification credential, but only if managed by a trusted organization. More than 74% of respondents believe that one universal ID would make it more convenient to establish their identity with different organizations without having to remember different passwords, PINs or access procedures. The study shows that the U.S. Postal Service and retail banking institutions are the two types of organizations that consumers believe are most trusted to issue and manage a universal ID.
Beth Givens, director of Privacy Rights Clearinghouse (a privacy advocacy nonprofit organization), says she believes that the vast majority of identity theft occurs not because of consumer carelessness, but because of industry and workplace negligence. "In fact, I would wager that a minuscule amount of identity theft incidents can be traced back to consumer carelessness," Givens said.
We need to be careful in interpreting the survey findings. The fact that people want convenience doesn't mean that organizations shouldn't be responsive to the need for identity management. This is especially important for organizations that collect and use sensitive personal information, such as Social Security numbers and credit reports, that could lead to identity theft or other serious crimes affecting individuals if leaked to unauthorized parties.
While consumers may be willing to divulge sensitive personal information to establish and maintain business relationships, they clearly value the protection of their personal information. Survey findings indicate that 84% want to be notified when an organization determines that an unauthorized person has been given access to their information. The challenge is for organizations to strike a balance between respecting customers' rights to access their records and protecting them from unwelcome trespasses.
Dr. Larry Ponemon is chairman of Ponemon Institute, a think tank dedicated to ethical information management practices and research. Ponemon is an adjunct professor of ethics and privacy at Carnegie Mellon University's CIO Institute and is a CyLab faculty member. He can be reached at larry@ponemon.org.