Meta made the controversial decision to charge its users for account verification. Twitter made 2FA available only to paid subscribers. Now, we are looking at a heated debate: What are the implications of productizing identity services and turning them into premium offerings, available only to some?
Identiverse 2023 is happening the week of May 30, in Las Vegas – and the impact of paid identity verification and authentication is one subject that will be on everyone’s minds. Attendees and vendors will be exploring “Identity Everywhere,” a theme outlined in the 2023 Identiverse Trends Report.
Access and at-risk identity
Paying for a product or service that verifies and authenticates users is a long-held practice for some organizations. For others, this concept is new. B2C and B2B online services may pursue a similar revenue stream, potentially without considering the risks to their users (e.g. having their identities impersonated and their accounts taken over) or themselves (e.g. suffering reputation harm or legal repercussions over security or privacy violations).
Should this become a commonplace practice, it could diminish the infosec community’s efforts to make cybersecurity protections accessible to everyone.
“Are we creating a bifurcation of people – those who can afford to have a secure identity and those who can’t?” asked Jeff Reich, executive director of the Identity Defined Security Alliance – one of three panelists who touched on this provocative topic at SC Media’s April 2023 Identity & Access Management eSummit virtual conference. “Is your identity now at risk simply because you can’t pay?”
“I’m concerned about the creation of the haves and have-nots,” added fellow panelist John Sapp, VP, information security and CISO at Texas Mutual Insurance Company.
Cost of cybersecurity to end-users
Some subscription-based online services already effectively charge their users for authentication/verification services by factoring the cost of security into their monthly price plans. For a service that is already going to have a price – factoring in the cost of maintaining the necessary security is a no-brainer.
However, Twitter and Meta’s Facebook and Instagram sites have always been free to use. This makes their decisions to charge for online identity protections a bit more complicated. Some of the panelists wondered if a better revenue model for web-based content platforms would be to pass security costs on to the marketing companies that buy ads on their sites, rather than ask consumers to foot the bill.
Many consumers are not well-informed enough to understand what’s at risk if they elect not to pay. “They’ll tend to choose the free or the cheaper option,” warned Sapp.
Ed Harris, global director of information security at Mauser Packaging, said that it’s already a challenge getting customers to buy into the extra effort that’s required to conduct 2FA in the first place. So adding a fee to that inconvenience may be the final straw. “I’m a little curious whether or not they begin to see drops in numbers for people who just don’t want to have to deal with it,” said Harris.
Sapp agreed: “As security practitioners, we know that there’s value [in] understanding the identity of the person who’s accessing the services. We want to be sure that that’s not being impersonated. But does the end user care about that? They’re not security practitioners. They just want to get in and use the service.”
According to the SC Media virtual conference panelists, many users have also adopted the stance that their data is already out there on the internet, and probably compromised – so why worry? Indeed, when an online service is breached, “what percentage of consumers stop using that service? [It’s] a very low number. And it could be that… organizations are banking on that history,” said Reich.
Frictionless identity management
Therefore, it’s up to the security community to better educate the public and also make identity management more palatable.
“We haven’t done a good enough job of providing all the tools to make this frictionless,” said Reich. “It’s a pain to have to do MFA – and now it’s a pay-and-a-pain, and no one wants that.”
For infosec and identity professionals who are opposed to charging for MFA and similar services, the onus may also be on them to demonstrate to their companies’ business executives why IAM is a must-have for all users.
According to Reich, the first key step in this conversation is pinpointing your company’s risk appetite. Once that’s established, then you can individually examine the various factors that fit into the overall risk equation, including: “We are custodians of the identities for every one of our consumers – what value do we place on that? What’s the downside of compromise? And what’s the upside of demonstrating that we’re doing the right thing?”
Sapp said it comes down to the business outcome that your organization wants to achieve – “and what value can I bring from a security standpoint to help them achieve that, in a way that protects the organization?”
The objective is to couch the MFA discussion in a “business risk context” and “quantify it in… financial terms” that resonate with your business decision-makers, Sapp continued. Talking points might include how the risk of a major cyberattack will increase due to adversaries targeting unprotected users; whether an identity-based attack could take your platform offline or disrupt its operations; whether advertisers are likely to flee if such an attack occurs; and whether there are legal or liability risks associated with an identity-based attack.
These are all important points to address before making consumers pay for their own digital identity protections. After all, noted Harris, “there are ramifications [for] not taking the opportunity to ask the question, ‘How does this affect the type of users that we have signed on for our services today?’”