Global Trends in Bring Your Own Identity (BYOID)

Global Trends in Bring Your Own Identity (BYOID)

CA Technologies & Ponemon Institute

July 2014

2 © 2014 CA. ALL RIGHTS RESERVED.

Are your users suffering “registration fatigue”?

A growing number of sites areallowing visitors to login using asocial or digital identity from atrusted third party – like PayPal,Facebook, Microsoft or Google.

The technical term is “federated identity,” but most people call it Bring Your Own Identity or BYOID.

The Ponemon Institute and CA Technologies recently surveyed 1,589 IT security practitioners and 1,526 business users worldwide to understand how companies view BYOID.


The Promise of BYOID

Reduce complexity, improveuser experience


The Challenge of BYOID

I am Losing Control!


High interest in BYOID for online & mobile users

82% of business users responded High or Very High on

using BYOID for mobile users

79% of business users responded High or Very High on using BYOID for website visitors

Customers want and expect a simple user experience …BYOID can help


IT and Business look at BYOID for different reasons

Outsource password reset activities

48% 9%

Capture user attributes from external sources?

26% 95%

IT

Business

Business sees value in BYOID for gathering customer data whereas IT sees BYOID as more of a cost savings initiative


Different personas explored in this survey

IT User• I need to manage

customer data• I need to keep

sensitive data secure• I need to meet

compliance and policy mandates

Business User• I want to simplify

the customer experience

• I want to know more about my customers to help improve retention and drive incremental revenue


Are you familiar with BYOID?

Q1. What best describes your level of familiarity with the emerging trend in identity management termed “Bring Your Own Identity” or BYOID?

27 27

3428

3945

0 0

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

IT User Business User

Very Familiar Familiar Somewhat Familiar Not Familiar


Level of interest in BYOID?

Q2. What best describes your organization’s level of interest in BYOID?

20%

30%34%

16%

IT USER

23%

40%

23%

14%

BUSINESS USER


Main reasons for BYOID adoption

Q3. What are the main reasons for BYOID adoption in your organization today? (Multiple selections)

1

36

26

48

13

69

0

10

95

9

11

65

Other

To get multi-factor authentication at a low cost

To capture attributes about users from external sources

To outsource password reset activities to identityproviders

To create an identity credential that lasts beyond the user’s employment or temporary employment

To combine digital identifiers owned by each user withcorporate factors to create a stronger identity credential


1


Control of BYOID

Q4. Who controls or “owns” digital identities in your organization?

20 16

2 5

27 28

1018

13

24

28

9

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%


IT IT Security Lines of Business

Marketing & Sales Data Analytics Shared Responsibility

Note: Two choices, “Research & Development” and “Other”, did not generate any response


Accepting digital IDs by user population

Q5. How would you rate your organization’s level of interest in accepting digital identities for any of the following user populations?

IT

Business

WebsiteCustomers

MobileCustomers

EmployeesRecruiting

Job Prospects

Contractors Retirees

2228

28148

36

439

93

2226

2814

10

41

417

84

2125

3012

12

14

22

38

15

11

12

20

34

24

10

12

25

44126

2023

3513

9

10

18

49

11

11

14

22

31

18

15

19

22

30

16

13


Importance of third-party validation

Q6. Please rate the following statement using the scale: “My organization would be able to offer more online services and programs if those digital identities were validated and trusted by a third party such as Google, Facebook, Yahoo Microsoft or LinkedIn.”

38

15

26

22

3330

19

29

15

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%


Strongly Disagree Disagree Unsure Agree Strongly Agree


Are you considering a trusted identity partner?

Q7a. Is your organization using or considering the use of digital identities produced by trusted identity providers such as Google, Facebook, Yahoo, Microsoft or LinkedIn?

44

40

16

IT User

30

45

25

Business User


Deployment timeframe

Q7b. If yes, what best describes your organization’s timeframe for deployment?

23 21

75

19 22

17 18

18 21

16 12

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%


Never > 24 mos 12 - 24 mos 6 - 12 mos < 6 mos Already Deployed


Ranking providers by organization’s interest

Q8. Please rank the following identity providers in order of interest to your organization. 1 = of most interested and 7 = of least interest. Avoid ties.


PayPal – 1.87 Amazon – 1.91

Google – 2.42 Microsoft Live – 2.57

Amazon – 2.60 PayPal – 2.63

LinkedIn – 3.36 Yahoo – 3.05

Microsoft Live – 3.91 LinkedIn – 4.55

Facebook – 5.76 Google – 5.54

Yahoo – 5.79 Facebook – 6.30


Ranking providers by individual’s interest

Q8. Please rank the following identity providers in order of interest to you as an individual accessing other organizations or service providers. 1 = of most interested and 7 = of least interest. Avoid ties.


Google – 1.82 Facebook 2.04

PayPal – 2.59 Google – 2.22

LinkedIn – 2.73 Amazon – 2.42

Facebook – 3.50 PayPal – 2.97

Amazon – 4.07 Microsoft Live – 3.13

Microsoft Live – 5.64 Yahoo – 3.44

Yahoo – 5.84 LinkedIn – 4.09


How does BYOID add value?

Q10. How do the creation and/or use of digital identities add value to your organization? Please select all that apply.

1

13

29

21

25

49

21

37

23

53

54

67

2

21

18

32

36

55

43

40

76

79

55

38

Other

Generates new revenues

Enables self-service processes

Enhances innovations in products & services

Decreases customer turnover (churn)

Streamlines operations & logistics

Increases customer acquisition

Increases employee/customer productivity

Increases the effectiveness of marketing activities

Delivers a better customer experience

Reduces the cost of insecurity (impersonation risk)

Strengthens the authentication process



Measuring BYOID value

Q11a. Does your organization attempt to measure the added value resulting from the creation and/or use of digital identities?

27

62

11

IT User

59

38

3

Business User


How do you measure BYOID value?

Q11b. If yes, how do you measure this added value? Select all that apply.

0

14

0

56

72

8

63

1

12

78

Other

Cross-selling/incremental revenue

Brand loyalty

Risk & fraud reduction

Cost reduction


8

1


Future value of BYOID

Q12. In your opinion, how will the added value resulting from the creation and/or use of digital identities change over the next 24 months?

47

34

416

IT User

59

26

114

Business User


Future cost of digital identities

Q13. In your opinion, how will the total cost incurred by your organization to create, use and maintain digital identities change over the next 24 months?

33 48

316

IT User

49

28

221

Business User


Features likely to increase BYOID adoption

Q14. Which of the following features would most likely increase BYOID adoption within your organization? Select all that apply.

20

30

37

56

57

73

66

11

30

27

71

37

71

33

Risk-based evaluation of account recovery processes anduser identity

Simplified password or account recovery

SMS mechanisms for user validation

Simplified user registration

Identity provider implementing fraud risk engines

Identity validation processes

Multi-factor authentication



Added factors for added control

Q15. What factors would you add to a digital identity to increase control or scrutiny by your organization? Select all that apply.

39

52

32

24

22

44

18

66

7

2

59

25

Risk-based evaluation

Mobile device factors

Smart cards

One-time tokens

Passive factos such as geo-location

4-digit PIN



Useful BYOID characteristics

Q16. As a BYOID relying party, what characteristics about digital identity known to the identity provider would be useful? Select all that apply.

55

31

23

45

60

56

69

49

15

15

35

55

29

62

Length of user account lifetime

Token expiration

Account recycle notification

Account suspension notification

Abuse account use

History of identity takeovers

History of password resets



Increasing the value of a BYOID provider

Q17. What additional information or services would increase the value of the BYOID identity provider? Select all that apply.

32

16

29

46

24

13

60

73

86

86

None of the above

Access to payment systems

Payment information

Validated phone number

Current shipping address



BYOID benefits of interest

Q18. Which BYOID benefits are of most interest to your organization? Select all that apply.

1

46

45

14

48

49

57

58

74

55

11

1

62

5

56

75

78

25

25

63

21

43

Other

Access to fresh identity information

Security enhancements

Increased revenue

Simplified engagement for users

Reduced friction in user experience

Contractor on-boarding

Employee on-boarding

Indentity validation

Fraud/risk evaluation & reduction

Targeted marketing



Importance of accreditation

Q19. How important is formal accreditation of the BYOID identity provider?

2930

2115

5

IT User

12

15

48

22

3

Business User


Minimum BYOID provider assurance level

Q20. What is the minimum level of assurance you would be willing to accept from a BYOID identity provider?

22

26

30

21

8

13

38

41

Provides multi-factor remote authentication only usinghard cryptographic tokens

Provides multi-factor remote authentication using sofycryptographic tokens, hard cryptographic tokens, and/or

one-time password tokens

Single factor authentication using a wide range ofavailable authentication technologies

None (no assurance necessary)



Best use case to show BYOID benefit

Q21. What use case would you choose to demonstrate the benefits of BYOID within your organization?

21

20

17

12

30

8

11

4

29

49

Support for specific mobile initiatives

On-boarding employees

On-boarding contractors

Accepting social identities to access additional attributesthat drive targeted marketing promotions

Streamline online user registration process for newcustomer acquisition



BYOID inhibitors

Q22. In your opinion, what is the most significant inhibitor to BYOID deployment?

0

19

34

12

21

14

1

8

19

18

23

31

Other

Loss of control

Risk & liability concerns

Lack of a compelling business case

Complexity

Cost


1


Preferred payment for BYOID services

Q23. What is your preferred payment method for BYOID services?

0

53

26

21

2

37

17

44

Other

Single annual fee regardless of user size

Fee per transaction

Flat fee per user


2


Conclusion:A New Value-Based View of Identity is Emerging:

Risk-based has dominated for the last decade but that is changingEvolving towards a more value/customer-centric view of identityKey is finding appropriate balance between both

Value-basedRisk-based

IT/IT Security Line of Business


Sample Sizes

IT User Business User Total % of totalsample

USA/Canada 570 428 998 32%

Australia 99 110 209 7%

Brazil 158 185 343 11%

France 127 148 275 9%

Germany 182 180 362 13%

India 141 152 293 8%

Italy 143 131 274 8%

UK 169 192 361 12%

TOTAL 1,589 1,526 3,115

Other demographic Info• 100% of respondents were from companies with >1,000 employees• 75% of respondents were from companies with $500M+ in annual revenue• Target titles for IT users were CIO/CISO; target titles for business users were VP/line of

business manager• Even distribution across all common vertical markets


For more information ….

… visit our Website to see more analysis and opinion on the

survey data.

http://www.ca.com/lpg/ponemon-study.aspx

Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT

LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be

liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business

interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

http://www.ca.com/lpg/ponemon-study.aspx?cid=GLOB-SMM-SEC-AGH-000072-00000016&social=425887

Global Trends in Bring Your Own Identity (BYOID)

Technology

business business

user business user paypal

business users

simple user experience

policy mandates business

promise of byoid

challenge of byoid

digital identity