Not so fast: how wrong race results point to digital identity issues

A few weeks ago, I was checking on my profile on a popular social networking site for endurance athletes. The site has a comprehensive database of endurance events’ results and allows me to keep track of my results by ‘claiming’ unmarked results.  After logging in, I received a notification that the site might have found some of my results. When I checked them, they were for another Vanessa Vazquez, a forty-three-year-old woman racing in New York. This was not new; the site regularly suggests results based solely on my name, ignoring the fact that based on my profile and history I’m a thirty-five-year-old half-marathoner and marathoner. 

When I look at these results for other Vanessas, I always think that the algorithm should be better. It takes simple math to figure out that, if I was born in the eighties, I couldn’t be sixteen or forty years old. It is also obvious to me that since my best time for a half-marathon is 2:01:40, it is unlikely I’m the athlete clocking in at 1:45:37. And although I have done a few international races most my results are from the United States, so chances are not great that I'm cycling in Australia. If it is so easy for me to conclude these, why is it so hard for this site to suggest results with a high probability of being legitimately mine?

When it comes to ‘digital’ life and identity, most people have had experiences of mistaken identities. Some might be inconsequential –and almost comical– like a website suggesting that I could be that twenty-five-year-old finishing first on a local marathon. Others are more serious or embarrassing, like disclosing private information because someone mistyped an email or like the European Tour sending £120,000 for the Open Championship winnings to the wrong Tommy Fleetwood. Then there are those that could be life changing and potentially threatening to individuals and corporations, including the 16.7 million cases of identity theft in the US in 2017, or the over 80% of hacking data breaches that are attributed to stolen, default, or weak credentials. 

More and more often the line between our ‘real’ and 'digital’ lives gets blurred and shifted; being able to identify individuals has become an integral part of human-technology interaction. Bank accounts, medical records, purchase orders and history, and intellectual property are just a click away, as soon an individual can be identified. As a result, it is imperative that the mechanisms by which people are being identified are as accurate as possible. How organizations determine and validate digital identity, as well as how they secure the personal information that makes up those identities must become a priority because it affects both the public's perception of corporate trustworthiness and, ultimately, a corporation's bottom line. Still, the number of data breaches reported on a yearly basis is on the rise.

There are multiple ways for organizations to improve the accuracy and security of digital identities. Defining and enforcing a strong password policy is vital for the many applications that use basic authentication in the form of username and password combination; adding multiple factors of identification including FIDO(2) tokens or biometric data provides extra layer of security to help prevent data breaches. Having a process to verify emails can help reduce spam complaints and ensure mailing distributions aren't being filtered before they even get to the inbox, not to mention, it protects against disclosing private or confidential information due to address typos. In addition, the adoption of solutions like Forcepoint's Human Point System that understand patterns in human behavior and data flow allow organizations to determine if digital identity has been compromised and data is at risk, and to make threat remediation decisions.

From getting the right race results or medical results, to accessing personal records or intellectual property, digital identity affects every individual and corporation with an online presence. In the upcoming months I will be writing a series of posts to explore the main ideas, issues, and technology behind digital identity and identity management. I will also discuss how understanding digital identity management can increase business opportunity as well as mechanisms and frameworks available to manage digital identity effectively. There is much to be gained for individuals and organizations that become familiar with these topics and how they affect the ability for people to effectively and securely navigate through their online lives, both privately and as part of corporate environments.