The number of high-profile data breaches in recent months makes a strong argument for changing how online services handle authentication. In offering its Identity Mixer tool on Bluemix, IBM is taking care of authentication so that developers can focus on the rest of the app.
Several facets of Identity Mixer are related to authentication. It maintains user privacy because it handles authentication on the application’s behalf; applications only need to know the user is authorized. Identity Mixer takes care of encrypting and storing user data on its systems so that individual applications don't have to. Finally, it centralizes information storage, so users don't have to fret about their personal details being held across multiple applications and services. Individuals now have control over where their details are retained.
Based on 10 years of research by the team at IBM Research Zurich, Identity Mixer lets developers authenticate users' identities without collecting personal data. The technology has an anonymous credentials system at its core and serves as a security interface between the user and application.
Though Identity Mixer was unveiled back in January, up until now, access has been limited. With the technology generally available on Bluemix, developers can easily incorporate it into their applications.
While the typical data security approach is to add multiple layers of protection on personal data, Identity Mixer restricts who has access to the data. For example, an online service like Netflix needs to verify that users have a paid subscription and are over 18 years of age before granting access to the application. Instead of Netflix collecting the full date of birth and personal details like name and address to validate subscription details, it can let Identity Mixer handle the process instead. Identity Mixer has the user's full date of birth and can tell Netflix the user is over 18.
Best of all, Identity Mixer can use the information to authenticate the user to multiple Web services and mobile apps. In a typical scenario, the user would have to give each service and application his or her personal information. With Identity Mixer, the user is providing the data to only one place.
Identity Mixer on Bluemix is based on a cryptographic algorithm that encrypts personal data and shares only specific and relevant details via the user's public key. Users have a single secret key that corresponds with multiple public keys. Each user transaction has a different public key, so the same key is not used across multiple services. This way, Identity Mixer leaves no privacy breadcrumbs, IBM said. Keeping the transactions separate is useful for online payments, as Identity Mixer can protect the personal details used to process payment card data.
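The "one secret key, many public keys" idea can be illustrated with a simplified Schnorr-style pseudonym scheme. This is an added example, not IBM's code or Identity Mixer's actual algorithm; the function names, the service names and the choice of group are assumptions made for the illustration.

```python
import hashlib
import secrets

# 768-bit safe prime (RFC 2409, Oakley Group 1). Demo-sized: too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares mod P

def challenge(*parts):
    """Fiat-Shamir challenge: hash the public values and the service context."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """The user's single long-term secret key."""
    return secrets.randbelow(Q - 1) + 1

def new_public_key(sk):
    """Fresh per-transaction public key (base, base^sk) for the same secret."""
    base = pow(secrets.randbelow(P - 3) + 2, 2, P)  # random square, order Q
    return base, pow(base, sk, P)

def prove(sk, pub, context):
    """Prove knowledge of sk behind pub, bound to one service (context)."""
    base, y = pub
    k = secrets.randbelow(Q)
    commit = pow(base, k, P)
    c = challenge(base, y, commit, context)
    return commit, (k + c * sk) % Q

def verify(pub, context, proof):
    """Check base^s == commit * y^c (mod P) without learning sk."""
    base, y = pub
    commit, s = proof
    if not (1 < base < P and 1 < y < P and 0 < commit < P):
        return False
    c = challenge(base, y, commit, context)
    return pow(base, s, P) == commit * pow(y, c, P) % P

if __name__ == "__main__":
    sk = keygen()
    for service in ("service-a.example", "service-b.example"):  # constructed names
        pub = new_public_key(sk)
        print(service, verify(pub, service, prove(sk, pub, service)))
```

Each service sees a different public key and a proof that only verifies for that key and that service, so the two transactions share no common identifier.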
Identity Mixer won't help if the service needs to collect personal data for marketing purposes, as the tool is designed specifically to handle authentication. The difference is that users have control over what information to provide for marketing purposes, as opposed to being forced to hand over all the data simply to sign up for the service.
Estimates peg the amount stolen from U.S. consumers through identity fraud in 2014 at approximately $16 billion. Authentication has never been an easy task, and online services have struggled with the challenge of protecting user data. With Identity Mixer, developers shift the burden of securing personal data to IBM while they focus on features and user experience.