How passwords can jeopardize revenue and security for businesses
What do “123456”, “password” and “iloveyou” have in common? They are among the most used, most predictable, and ultimately most hacked passwords worldwide – and a real threat for users and businesses alike. Weak, stolen or reused passwords cause 81 percent of data breaches. Those leaks are not just a vulnerability for businesses but also threaten security and revenues. And still, to access the full online experience on the vast majority of websites and online services, users are required to create an account – which is cumbersome and means yet another password to manage. Many users already drop off at this point.
SAP Customer Data Cloud data shows that only a fraction of site visitors end up registering online, and on average 17 percent of users need to reset their password on almost every subsequent visit. This not only has a negative impact on the customer relationship but also puts pressure on customer service: According to a Forrester report, 25 to 40 percent of all help desk calls are due to password problems or resets. Contacting customer service means additional effort for the customer – an extra mile not everyone is willing to go. In fact, 28 percent of US users responded in a recent study that they abandoned their online shopping cart during checkout because they had to create an account to complete their purchase.
Transforming identity management
How can businesses provide a frictionless user experience on their websites, online shops and apps, whilst saving costs and improving security? SAP’s employee-led venture OwnID by SAP aims to transform identity management with decentralized, portable identities. Just like a key unlocks our home, a user’s phone becomes a digital key to unlock the websites and apps they visit every day. OwnID was founded in 2019 by Rooly Eliezerov and myself and selected to receive funding in the SAP.iO Venture Studio. Its vision is to change the mechanism of online logins and lead the next step of digital identity ownership.
How OwnID works
Websites and apps can add OwnID’s “Skip the Password” capabilities to offer users a multi-factor authentication login option with their phones instead of choosing another password. “People forget passwords, but rarely forget their phones,” explains Rooly Eliezerov, President of OwnID. “When users log in to a website with OwnID, passwords are no longer necessary.”
Instead, identities are encrypted on the user’s phone. The phone’s biometric lock mechanism, such as Face ID, Touch ID or fingerprint, coupled with FIDO2/WebAuthn, is used as a second authentication factor to validate the user and protect their identity right at login. FIDO stands for “Fast IDentity Online” and is an authentication standard that enables simplified login to devices and web services – without having to sacrifice a high level of security. OwnID and third parties do not have access to any data. Websites that already use SAP Customer Data Cloud (formerly Gigya) can enable OwnID with one click. Others can implement OwnID using a step-by-step guide without writing a single line of code.
Putting users in control of their data
While one single entry into the digital world is convenient, security and privacy concerns slow down widespread adoption. With the rise of the digital economy, retailers, authorities, and banks have turned into identity management organizations, responsible for storing and protecting large amounts of sensitive personal data like social security numbers. Unfortunately, as massive data breaches like the one at Equifax in 2017, which exposed the personal information of 147 million people, have shown, not all of them were equipped for this new role.
Decentralized identity puts the power and responsibility back in the hands of the individual, enabling them to control and protect their own personal data. With solutions such as OwnID, lock up takes place in decentralized ledgers which are not controlled by any organization or central institution, and cannot be tampered with. Remote hackers might gain access to pieces of personal information, but proving an actual identity and logging in to a website would require the physical device of that person.
But when a user’s identity is encrypted and stored on their phone, what happens when the phone is lost or stolen? With OwnID, users provide their email address once they have a new phone and receive a “magic link” via email. This link allows them to log in directly when clicking on it – similar to a one-time-use code. The thief won’t be able to use the phone to log in to a website since a user’s identity is protected by the phone’s unique lock mechanism.
First step towards self-sovereign identity
Decentralized solutions like OwnID pave the way towards a self-sovereign identity (SSI). Based on blockchain technology, SSI provides clear transaction documentation and allows the validity of credentials to be checked at any time. The decentralized structure of blockchain and the open-source design of all software components underline availability and independence. The user gets a seamless, password-less user experience and has full power and authority over their digital identity, personal credentials, and data without any centralized components.
For enterprises, there is an equally heavyweight opportunity to take identity management to the next, future-proofed level. SSI offers significant advantages over traditional identity management. These include immediate access to SSI-enabled applications; unprecedented flexibility, since credentials can be created, assigned, and revoked as needed for anyone regardless of organizational affiliation; security; and true privacy by design.
While it will take a couple of years for SSI to mature and gain wider adoption, we believe now is the time to get involved and contribute to shaping the technology. The future of hyper-personalized user experiences with minimal disclosure of personal data and a fully owned digital identity starts with solutions like OwnID.
To learn more about OwnID, visit the new developer’s guide and documentation portal at https://www.ownid.com