For several years now IBM has been trying to convince organizations to give up collecting personally identifiable data in favor of authentication software known as Identity Mixer that can be used to verify whether, for example, a particular end user is over 18 or not. Now IBM is taking that case to the cloud in the form of an Identity Mixer service running on the IBM Bluemix cloud service.
Dr. Jan Camenisch, a scientist at IBM Research, says that making Identity Mixer available as a service that developers can invoke via an application programming interface (API) should considerably reduce the amount of inherent risk that organizations face when conducting transactions on the Web. Because they never collected personally identifiable data in the first place, they don’t have the type of data that hackers are routinely trying to discover and collect. As such, the attack surface of the Web site is considerably reduced, says Camenisch.
Identity Mixer makes use of cryptographic algorithms that IBM has been developing for a decade or more to create a service that connects to third-party sources to verify identities without requiring an organization to collect that data itself. The goal, says Camenisch, is to eliminate the need to collect data such as age, nationality, address and, most importantly, credit card numbers. That approach not only makes a Web site a less tempting target for hackers; Camenisch says it also provides a method of authentication that inherently protects the privacy of the end user.
IBM, says Camenisch, is betting that over time more end users will prefer to do business with organizations that don’t collect all their personal data just so they can buy something once. IBM is also betting that given all the compliance requirements associated with collecting that data, many organizations would simply rather rely on a service to authenticate users in a way that dramatically reduces the potential for fraudulent transactions.
IBM has been beta testing Identity Mixer as a cloud service since earlier this year. Camenisch says the biggest challenge at this point isn’t so much the authentication service as it is the inertia associated with the way organizations have been conditioned to collect data.
Naturally, some organizations may still want to collect data to get to know as much about their customers as possible. But Camenisch notes that there are probably more organizations that just want to conduct a simple transaction without necessarily needing to know everything there is to know about every customer.