At the start of the COVID-19 pandemic in 2020, several of our friends and family members had their identities stolen. When we asked how they went about recovering their accounts, we found most companies did not have a safe or easy way to verify their identity and keep accounts protected. Customer service reps with good intentions would ask frustrating questions about our account or credit history, but they would be asking personal questions about information that was likely already made public by data leaks from other companies. Most often, our friends had to go in-person (wearing a mask) and show their driver's license to verify themselves. It was at this moment we realized that while our physical and digital lives have merged, our identities have not.
Social Security Numbers, phone numbers, passports, and physical IDs – none of these alone can confirm our identities on the modern web. They leave us susceptible to phishing, allow unwanted contact from strangers, and cannot be protected or updated in real time if our identities have been compromised. Beyond identity, fundamental account security is also under attack. Our accounts are secured, in the best case, with Multi-Factor Authentication (MFA), but trusting a device with MFA is not the same as knowing its owner.
Authenticator apps are difficult to set up, and even more difficult to recover if a phone is replaced or a hardware token is lost. In the worst case, accounts are protected with only a password which might be known due to a data leak from someone else, or using SMS - which unfortunately puts the burden on phone companies to be unusually excellent at verifying our identities so that a bad actor can’t take control of a phone number.
If our identities can’t be verified online - and our accounts are using weak security that’s tied to passwords instead of real people - then our accounts can’t be protected.
Despite many parts of our lives (including very important transactions) existing only or primarily online, digital security hasn’t advanced enough to protect us. Fraud and identity theft has serious costs for both consumers and the companies they use, making it hard to build trust in a digital world.