Have you ever wondered how many versions of yourself currently exist online? Chances are, there are quite a few. BYOI could help with that.
By Megan Rees. Updated Mar 28, 2023
Bring Your Own Identity (BYOI) is a term that’s quickly becoming more commonplace in today’s digital-first world. Let’s explore why.
It’s often surprising how much the internet knows about our identities. “Man know thyself,” Socrates said over two thousand years ago—but maybe technology knows us even better. A quick Google search can bring up years-old accounts for websites we might not remember registering on, and fragments of different versions of our identities can exist across hundreds of platforms simultaneously.
And the concept of digital identity is only increasing in popularity and relevance today. As users, we find ourselves creating accounts for most online services we want to use—whether shopping, ordering takeaways, using online banking, or accessing public services. And with each new account comes another password to remember—as well as another identity to add to the pile.
And for organizations, identity and access management is becoming increasingly complex. Managing users’ identities is not only an ongoing and lengthy activity, but is also fraught with compliance regulations, as well as data and privacy laws. An identity-related data breach could mean not only a loss of reputation and custom, but also a huge fine.
But is registering separate identities for each service provider soon to be a thing of the past? Instead, could we implement single, portable, and overarching identities for users, that stretch across all platforms, meaning they can log into various accounts using the same identity? With Bring Your Own Identity (BYOI), this could become less of a utopian fantasy, and more of a reality.
But what is BYOI, and should we be leaning into this as a solution?
What Is Bring Your Own Identity?
Philosophers have been debating what “identity” means for thousands of years—and we’re not about to add to that debate. But what does it mean to “bring your own” identity when it comes to digital ID?
BYOI—sometimes referred to as BYOID—is a concept that enables users to register with and log into services using independent, pre-existing, portable credentials that are self-managed or verified and issued by a third-party identity provider. This eliminates the need to register from scratch for a new account with each new service provider, meaning each user only has one set of credentials to remember and can log in to a range of services using them.
BYOI not only creates a smoother and more efficient journey for users but, depending on the type of account they’re logging in with, can provide higher assurance to organizations that users are who they say they are.
As an example, a popular method of BYOI is via social login, with many websites providing the option to “Continue with Facebook” when registering for a service—as shown in the image below. Opting to do this can automatically provide the service a user is registering on with personal details stored by Facebook—such as name, profile picture, email address, and more—while enabling them to log in using their Facebook password. From then on, they can continue logging in via their Facebook account, which means one less identity and set of credentials to manage.
But, while logging in via social media accounts is by far the most widely used implementation of BYOI today, it’s not exactly the most trustworthy for high-security organizations that might require further verification. When it comes to access, the question is not only: “Who is this person?”, but also: “How can we know this person is who they say they are?” Access is based on trust. And trust comes from verification.
More secure methods of BYOI can include bank IDs, government-issued IDs, credentials provided by digital identity companies, and more. These require more rigorous identity checks, and often, the physical presence of the user, to verify both that they are who they say they are and possess the appropriate documentation to support that.
Let’s explore each of these methods in a little more detail.
Each type of provider brings an array of benefits and drawbacks when it comes to user experience and security. Where there’s a greater focus on customer experience, security suffers as a consequence. And vice versa—where BYOI solutions are too secure, they require more complex and time-consuming set-up processes, which takes away from the user experience. Is there a way to strike the balance between these two aspects? Can enterprise-grade security go hand in hand with user convenience?
Another thing to consider is the notion of bi-directional trust. Sure, service providers need to establish trust in the user, and that they are who they say they are—that’s a given. But the user also needs to establish trust with the service provider, with regards to whether they’ll keep their personal data safe from breaches and theft, and can be trusted to manage their identities.
Let’s take a look at the BYOI methods offered by each of these providers in more detail, starting with the most common and widely used form of BYOI today.
1. Social Network ID
Did you know, roughly 36% of the world’s population is currently on Facebook? That’s almost three billion users. So, it’s easy to see why login via social media is the most popular form of BYOI today—it’s by far the most accessible. Not only do the majority of users already have pre-existing social networking accounts, but social login is portable across a range of platforms and is self-asserted, meaning it doesn’t involve the hassle of rigorous identity verification.
And Facebook isn’t the only social network currently offering BYOI as a solution. A report commissioned by The European Commission suggests that login via Facebook, Google, Twitter, Instagram, and LinkedIn is leveraged by 50 thousand companies globally, enabling users to sign into their websites hassle-free.
But with such a high focus on customer experience, should users and service providers rely on these providers to manage account login? Well, there are various reasons why social login should be used with caution.
From a user’s perspective, privacy is a major concern, as well as how secure their personal information really is when using social media sites. In 2019, it came to light that both Facebook and Google had been failing to encrypt groups of users’ passwords, instead storing them in plaintext, meaning a breach could have easily exposed every single one of these to cybercriminals. And for users using Facebook or Google login to access accounts with external service providers, this could have provided hackers with access to all associated accounts.
From a service provider’s perspective, social media sites are breeding grounds for fake accounts—in fact, it’s estimated that more than 90 million Facebook profiles aren’t legitimate. And since accounts are self-asserted, users can easily enter inaccurate information about themselves, which then goes unchecked. So, when the question, “How can we know this person is who they say they are?” arises, there’s only one answer: we can’t.
2. Bank-Issued Digital ID
Bank-issued digital IDs can provide access to public services and accounts that require higher levels of authentication. And in Nordic countries, for example, BankID—a popular form of BYOI that enables access to high-security accounts—was used five billion times in 2020, or 162 times per second, making it a popular and widely used choice for users. In fact, roughly 80% of Swedes currently use BankID, meaning that user trust is particularly high for this form of digital identity. But what are the benefits and drawbacks of using bank-issued IDs such as BankID?
Well, BankID, as an example, is as trusted as official documents like passports when it comes to identity verification, and not only enables users to safely sign in to internet banking, public sector, and high-security accounts, but also can act as a personal electronic signature when signing agreements.
Setting up a high-security digital ID is a far lengthier process than, say, signing up for a social media account. But what’s sacrificed in convenience is gained in higher levels of security. In fact, BankID provides access to public services at the highest level of security—level 4, and to set up a digital ID, most providers require users’ physical presence at one of their branches, alongside a passport as proof of identity. But because of this, login via bank-issued digital ID is only available for use in higher-security scenarios. Users wouldn’t use this method of BYOI when logging into minimal-security services—for example, to order a takeaway—so use cases remain limited to high-security accounts.
Banks can also ensure an easier onboarding process for users looking to acquire a digital ID, as they already have existing records of their customers on their databases. But a drawback of this is that only users that possess existing accounts with participating banks are eligible to use BankID.
3. Government-Issued Digital ID
In recent times, government-issued digital IDs have been implemented in various countries around the globe—some met with success; others, not so much. These types of ID, depending on the country, can often be leveraged to access public services as well as private services, and can also be used as proof of identity during scenarios where a high level of trust is needed—such as applying for a mortgage or during employee enrollment, according to Gartner.
The key advantage of using government-issued digital IDs as a form of BYOI is that they often require users to prove their identity using multiple trusted sources and satisfy strict requirements before the digital ID is issued. This makes government-issued digital ID one of the most trusted forms of digital identification that users can leverage—but it does have its drawbacks.
Concerns about user privacy are likely to be an issue for some groups and in certain contexts. As well as this, registering for and setting up the digital ID can be a lengthy process for users, with rigorous checks and strict requirements that need to be met. In this case, the high level of security comes at the expense of customer experience. Not only can this discourage users from applying in the first place, but the use cases and demand for government digital ID remain relatively low—it’s estimated that use rates are as low as only once or twice a year per person in some countries. So, is the lengthy authentication process worth the output for users?
4. Mobile Network Operator ID
Mobile network operators (MNOs)—also known as carrier service providers, mobile phone operators, or mobile network carriers—are telecommunication service providers that supply wireless voice and data services for their users. As examples, you might’ve heard of AT&T, T-Mobile, and Verizon—all popular MNOs in the US. Many MNOs offer a unique kind of digital authentication in comparison to others discussed within this article; they’re essentially passwordless.
GSMA Mobile Connect is a universal, standardized approach that MNOs can take to support BYOI implementation. Mobile Connect is used by more than 70 operators globally and enables users to not only authenticate their identities when logging into banking accounts, e-commerce sites, public services, and more, but share sensitive information and complete transactions using their connected devices.
To use Mobile Connect when logging into a service, a user selects the option to log in via Mobile Connect, and is prompted to enter their mobile number. They then receive a prompt on their mobile device to enter their PIN to authenticate their identity. But what are the benefits of using MNO-issued digital IDs?
Well, the process works using the open-source technology of the OpenID Connect standard, meaning personal information isn’t shared with the service provider without the user’s permission. Further benefits include simple and secure access, a passwordless experience, convenience for users, and an increase in customer loyalty and brand perception.
However, a potential drawback is that, when setting up digital identities with MNOs, the verification process varies according to specific countries and providers. Some might only require minimum levels of identity verification, whilst others might require government IDs. So, while in some cases MNO BYOI can strike a great balance between user convenience and security, it relies on the levels of authentication used by each respective provider when initially verifying user identity.
5. Identity-Proofing Vendor Digital ID
Identity-proofing vendors are increasingly situating themselves within the BYOI market, offering federally certified and portable digital identities that can be used across a range of services. The unique selling point for this type of BYOI, and what differentiates it from others within this article, is that it’s completely independent from any other service provided to the user—the vendor’s only activity is providing identity-proofing services.
ID.me, for example, is used by more than 64 million members and 500 retailers, making it a popular choice with users. According to their website, the ID functions the same as a physical ID card that a user would carry around—except it’s digital, and can be used online.
To register for a digital ID with identity-proofing vendors, users often need to provide evidence of official documents, such as passports or driver’s licenses. To register with ID.me, the user must upload a photo of either their driver’s license, state ID, passport, or passport card, and then upload a “video selfie” to verify that they are who they say they are. Lastly, the user must also enter their social security number.
One of the key benefits of using this kind of BYOI is that it supports a wide range of use cases—such as accessing government services, healthcare, or in e-commerce scenarios—and provides a high level of security. For example, ID.me uses bank-grade encryption to store personal data and meets the highest federal standards. And as well as this, users can turn on multi-factor authentication, and leverage features such as one-time passcodes or built-in biometric scanners within their devices as an added layer of security when using these IDs. This can also give the service provider a higher level of assurance that the user is genuine.
The Benefits And Drawbacks Of BYOI
Of course, there is no right or wrong answer when it comes to whether you should be using BYOI. As always, it depends on your specific requirements and concerns. But the best thing you can do is weigh up your options and make a well-informed decision based on this analysis.
Some of the key benefits of using BYOI include:
Identity is portable across a range of services, meaning the user has only one set of credentials to remember (unless using MNO-provided BYOI, which is passwordless)
Service providers can have greater trust that users are who they say they are (when using higher-assurance forms of BYOI, at least), and users can rely on only one provider to manage their identity, rather than having accounts scattered across the internet
Ability to leverage high-security forms of BYOI to protect access to accounts, as well as mitigate fraud
Identities can be scalable and flexible
Reduced administration costs for service providers (from both managing users’ identities and orchestrating password resets, and more)
Users are more likely to sign up for a service as the process is simplified and hassle-free, increasing service providers’ overall conversion rates
On the flip side, it’s important to bear in mind that some of the potential drawbacks of using BYOI include:
Relying on only one set of credentials to provide access to a range of accounts creates a single point of failure, and all associated accounts can be compromised in the event of a breach
Different forms of BYOI are often suited to limited use cases (for example, users cannot log in via Facebook to access their banking account), and so, presently, the types of providers and use cases remain fragmented
Identity-proofing vendors and those providing digital ID are likely to become a key target for hackers
High-security digital IDs come at the cost of user experience, and usually require lengthy authentication processes—but less secure forms of digital ID might be more at risk of user fraud
Identity providers need to ensure users sign up with the correct information, as failing to do so would provide potentially hundreds of services with false information
User training is a priority—users need to be educated on how to protect their accounts against phishing and ransomware attacks, viruses, and more, to keep their online identities safe from hackers
So, yes, Bring Your Own Identity is an emerging trend in the current identity and access management market, and is something we’ll likely start seeing a whole lot more of. But it also remains fragmented.
It’s important to consider whether BYOI is right for your specific use case and for the level of security you need to protect your accounts with.
Megan is a writer, editor, and journalist and has been actively researching and writing about the tech industry for three years. Throughout that time, she has covered a wide range of IT and cybersecurity topics in depth—including cloud software, biometric technologies, identity and access management solutions, and threat intelligence—and conducted interviews with dozens of industry experts. An avid reader and lover of research, Megan has a master’s degree and First-Class Honours bachelor’s degree in English Literature from Swansea University.