In the 1990’s a concept called “Risk Acceptance” was used to justify the failure to meet online security protocols and guidance. The theory: Complex data is enough to keep unauthorized entities from gaining access, so the risk is acceptable.
This may have been an acceptable risk when Internet usage was counted in the millions of users but at 10 billion Internet connected devices, the math no longer works. Indirect Assertion is an UNACCEPTABLE risk. The failure to apply proper identification is an open secret that can no longer be ignored.
Resolving the identification problem may be disruptive, but wouldn’t it be a good thing to disrupt $5.5 million per hour in online payment theft? The losses are greater than the cost of the solution.
The problem is clear, the solution is available, the damage is unsustainable. Inaction in the face of $600 billion in annual cyber damage is also unacceptable.
Creating and maintaining a digital state-of-existence provides for proper identification online. Existence (a Presence Factor) plus any other factor meets guidance.