"The right to be anonymous is definitely important," said Ping Identity chief technology officer Patrick Harding, but it can be overwhelmed by the efforts of marketing departments. Without government regulation, organisations have no incentive to preserve privacy.
One example of government intervention is the EU's General Data Protection Regulation (GDPR) which, Harding noted, mandates user consent and includes the "right to be forgotten" even when the relevant data must be retained for compliance with other laws or regulations.
Ping's technology can help organisations comply with such rules by governing access to user profile data in a policy-based way.
While many people are concerned about privacy, identity is central to providing a good user experience, he suggested. It also allows an organisation to gain a single view of its customers.
Customer identity and access management (IAM) is a relatively new part of Ping's business, which has traditionally focused on enterprise IAM.
The growing use of SaaS and mobile apps has made IAM more complex, said Harding, but the widespread adoption of smartphones in recent years has made multi-factor authentication more acceptable. People didn't like using security tokens, but "employees love it" if you implement authentication via push notifications to their phones. So, he suggests that it's time to reconsider multi-factor authentication if you're not currently using it.
However, there are many edge cases where smartphones aren't the (whole) answer. Some people choose not to use smartphones, others do not want to use their personal phone for any work purpose, and some workplaces have banned the use of mobile phones.
Workarounds include delivering one-time passwords via applications running on computers rather than phones, or via emails to corporate addresses. This is "not as good a user experience" but shows that the issues can be worked around.
Harding said there was a need to integrate physical and logical security credentials, for example, by using a building access badge as part of the log-in process. Proximity-aware devices such as badges would be convenient, he said, especially in situations such as a kiosk shared by hospital staff because they would not need to keep logging in and out. "That's the vision of where we need to get to," he said.
It is also possible to combine information from different sources to help confirm a person's identity. For example, there is reason to be suspicious if the access control system puts them in one place but their smartphone is somewhere else, so further authentication would be appropriate. And the more sensitive the systems being accessed, the more rigorous authentication is needed.
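One way to express the cross-check Harding describes, as an added example for this page rather than Ping's own code: physical (badge) and logical (phone) location signals are compared, agreement lets badge presence count toward the baseline, disagreement flags the session for step-up, and the baseline rises with resource sensitivity. The signal fields, sensitivity tiers and 15-minute freshness window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# All names and sample values below are constructed for this example; they
# are not Ping Identity's product API.

@dataclass
class Signal:
    site: str            # site the signal resolves to, e.g. "hq-floor3"
    seen_at: datetime    # when the badge reader or the phone reported it

@dataclass
class Decision:
    factors: int         # interactive factors the user must still present
    step_up: bool        # True when the signals conflict and need extra scrutiny
    reason: str

# Baseline factors per resource sensitivity: the more sensitive, the more rigorous.
BASELINE = {"low": 1, "medium": 2, "high": 3}
MAX_AGE = timedelta(minutes=15)   # older signals are not used for cross-checks

def is_fresh(sig: Optional[Signal], now: datetime) -> bool:
    return sig is not None and timedelta(0) <= now - sig.seen_at <= MAX_AGE

def decide(badge: Optional[Signal], phone: Optional[Signal],
           sensitivity: str, now: datetime) -> Decision:
    needed = BASELINE[sensitivity]
    badge_ok, phone_ok = is_fresh(badge, now), is_fresh(phone, now)
    if badge_ok and phone_ok and badge.site != phone.site:
        # Access control puts the person in one place, the phone elsewhere:
        # keep the full baseline and flag the session for step-up.
        return Decision(needed, True,
                        f"mismatch: badge at {badge.site}, phone at {phone.site}")
    if badge_ok and phone_ok:
        # Two independent sources agree, so badge presence satisfies one factor
        # (the shared-kiosk case: a low-sensitivity app needs no interactive login).
        return Decision(max(needed - 1, 0), False, f"corroborated at {badge.site}")
    # One or no fresh signal: nothing to cross-check, so enforce the baseline.
    return Decision(needed, False, f"baseline for {sensitivity} sensitivity")

# Constructed sample signals at a fixed reference time.
NOW = datetime(2024, 1, 1, 9, 0)
BADGE_HQ = Signal("hq-floor3", NOW - timedelta(minutes=2))
PHONE_HQ = Signal("hq-floor3", NOW - timedelta(minutes=1))
PHONE_REMOTE = Signal("other-city", NOW - timedelta(minutes=1))
PHONE_STALE = Signal("other-city", NOW - timedelta(hours=2))
```

A stale phone fix is deliberately ignored rather than treated as a mismatch, so an old reading cannot trigger step-up on its own.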
Yet there is a particular problem with making the smartphone too central to the authentication process: "if you lose your smartphone, you're kinda hosed," Harding said.