Personas: financial leaders can't ignore this missing link in identity systems


This article is an excerpt from the white paper Persona-Driven Identity: Enhancing Security By Understanding Human Complexity, available from Venn Factory Learning.

Digital identity and access management (IAM) is the gatekeeper for everything from financial services to healthcare and enterprise operations.

However, these systems often fail to account for the nuanced and shifting ways people interact with them. To capture these subtleties, a concept now gaining traction is persona-driven identity.


What are personas?

In the IAM context, a persona refers to a ‘character’ assumed by a service user, representing distinct data contexts, behaviours, and constraints. The same bank customer might act as a financial adviser, joint account holder, and parent of an underage child — sometimes all within the same day.

Traditional identity systems often miss these distinctions, leading to poor user experience, increased security risk, and missed opportunities for smarter access control.

A persona is not the same as a login account, though systems often force users to set up a separate online account in order to adopt a different persona. Rather, a persona reflects the user's usage context and intention, an idea that blends the access roles defined by IAM teams with the user personas defined by product managers or marketers.


A financial personas case study

Let’s examine the joint account holder persona more closely. Alice may want to retain the authority to make purchases and restrict the ability to set up automatic payments, while Bob may hold the authority to manage transfers and savings. Alice may want to ensure her child Charlie and financial planner Dave have some level of access as well, with varying permission levels.

Even if Bob uses the same login to access both his personal bank account and the joint account he shares with Alice, and even if permissions are set up equally for them both in that joint account, the way he interacts online with each will be different because his responsibilities, intent, and mindset will differ.

A couple we know faced significant financial hardship when one partner suddenly withdrew all funds from their joint account, leaving the remaining partner without access to financial resources. Friendly fraud between shared-access account holders is concerning — and hard to battle. With US consumers being scammed to the tune of nearly USD 8.8 billion a year, and merchants reporting an ‘unprecedented increase in first-party ecommerce fraud’, it’s not surprising to see this type of fraud spike as well. The risk is especially high if a life partner, or business partner, relationship begins to deteriorate.

Without paying attention to the personas of Alice, Bob, Charlie, and Dave as they interact with different bank accounts for different reasons, the bank may miss changes in intent that lead to fraudulent withdrawals. For example, understanding Dave’s responsibility to Alice may draw extra scrutiny on withdrawals and deposits he makes between his and her accounts.


Account sprawl leads to identity attacks

When the same person is forced to use different accounts for different personas, architectural constraints are usually the cause. But when an organisation has little visibility into or control of the resulting account sprawl, it faces not only added security and privacy risks, but also added user experience burdens.

We can no longer ignore identity threats, which increased by a factor of four during 2024. One key risk of persona misalignment is a higher rate of identity-based attacks, and with it a sharply higher risk of account takeover (ATO).

Any previous compromise of credentials can lead to a cascade of follow-on threats, including broad-based data exfiltration. What’s more, security risks increase when users have multiple unmanaged accounts.

The risk of security incidents is higher when the same person is provisioned with multiple accounts across which the enterprise has poor visibility. Multiple unmanaged accounts also make it harder to correlate activity system-wide, for example when trying to detect behavioural anomalies across the different accounts of one person.
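The two detection problems raised above, the adviser Dave moving money between his client's account and his own in the case study, and the loss of correlation when one person's activity is split across several logins, can both be shown with a small amount of code. The following is an added example written for this article, not code from the white paper or from Venn Factory. The log format, the login-to-human link table, the adviser relationships, the account owners and the opening balance are all constructed for illustration.

```python
"""Correlate one human's activity across several logins and apply persona-aware scrutiny.

Added example, not from the white paper. Everything below (log lines, link
table, ownership, adviser relationships, balances) is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log. Each login is a separate account; several belong to one human.
LOG = """\
2025-03-01T09:02Z login=dave.adviser action=transfer src=SAV-ALICE dst=CHK-DAVE amount=4000
2025-03-01T09:05Z login=dave.personal action=withdraw src=CHK-DAVE dst=CASH amount=4000
2025-03-01T10:00Z login=bob.home action=transfer src=JOINT-001 dst=CHK-BOB amount=4500
2025-03-01T10:30Z login=alice.mobile action=purchase src=JOINT-001 dst=MERCHANT amount=60
2025-03-02T08:00Z login=bob.work action=transfer src=JOINT-001 dst=CHK-BOB amount=4500
"""

# Constructed identity link table: the human behind each login and the persona it represents.
LOGINS = {
    "dave.adviser": ("dave", "adviser"),
    "dave.personal": ("dave", "customer"),
    "bob.home": ("bob", "joint-holder"),
    "bob.work": ("bob", "joint-holder"),
    "alice.mobile": ("alice", "joint-holder"),
}
OWNERS = {"SAV-ALICE": {"alice"}, "CHK-DAVE": {"dave"},
          "JOINT-001": {"alice", "bob"}, "CHK-BOB": {"bob"}}
ADVISES = {"dave": {"alice"}}            # adviser -> clients (assumed relationship)
BALANCES = {"JOINT-001": 10_000.0}       # opening balance of the shared account (assumed)

LINE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) action=(?P<action>\S+) "
                  r"src=(?P<src>\S+) dst=(?P<dst>\S+) amount=(?P<amount>\d+(?:\.\d+)?)$")


def parse(log):
    """Parse log lines and attach the human and persona behind each login."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole batch
        e = m.groupdict()
        e["amount"] = float(e["amount"])
        e["human"], e["persona"] = LOGINS.get(e["login"], (None, None))
        events.append(e)
    return events


def adviser_self_dealing(events):
    """Flag money moved under an adviser persona from a client's account into the adviser's own."""
    hits = []
    for e in events:
        if e["persona"] != "adviser":
            continue
        client_owned = OWNERS.get(e["src"], set()) & ADVISES.get(e["human"], set())
        if client_owned and e["human"] in OWNERS.get(e["dst"], set()):
            hits.append(e)
    return hits


def shared_account_drain(events, by="human", threshold=0.8):
    """Outflow from a shared account per actor, keyed by human or by login,
    above a given share of the opening balance. Keyed by login, one person's
    split activity stays under the threshold; keyed by human, it is caught."""
    total = defaultdict(float)
    for e in events:
        if e["src"] in BALANCES and len(OWNERS[e["src"]]) > 1:
            total[(e["src"], e[by])] += e["amount"]
    return sorted((acct, who, amt) for (acct, who), amt in total.items()
                  if amt > threshold * BALANCES[acct])


if __name__ == "__main__":
    evs = parse(LOG)
    print("adviser self-dealing:", [h["login"] for h in adviser_self_dealing(evs)])
    print("drain by login:", shared_account_drain(evs, by="login"))
    print("drain by human:", shared_account_drain(evs, by="human"))
```

The point of the two `shared_account_drain` calls is the one made in the text: with Bob's outflows split across `bob.home` and `bob.work`, neither login alone crosses the threshold, and only the link table that ties both logins to one human lets the rule fire.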


Persona misuse leads to both privilege escalation and poor experience

With persona-unaware account sprawl, another key risk is privilege escalation and lateral movement.

Such activity might be accidental — we’ve all sent emails from the wrong account while using a unified email client — or malicious. Either way, it illustrates the dangers inherent in a simplistic authorisation approach that relies, at best, on static access control rules. Simply issuing the same person multiple credentials ends up disguising real access control requirements and real-life usage distinctions.

Enterprises labour under this risk, but so do individuals. When an employee is issued multiple unconnected accounts and login credentials, it’s a natural temptation to reuse passwords, long known as a poor security practice, in order to mitigate the UX burden.


Account for human realities before developing solutions

A more effective approach to digital identity must begin with people, not technology. Traditional identity systems often prioritise tools over the human element, ignoring the complex realities users bring with them. By considering personas, we can build identity solutions that are more adaptive, secure, and trustworthy.

This human-centred approach not only improves usability and privacy but also fosters smarter, more empathetic identity ecosystems that evolve with user needs and strengthen trust between systems and the people they serve.


What’s required for persona-driven identity?

Following are some requirements for powering IAM with personas.

Respond to persona cues from context: While identity records typically track a variety of information to support identification and security, IAM systems often miss the subtle contextual indicators of a user’s intentions in the moment. Knowing these can enable dynamic adjustments that curate experiences and security in a persona-consistent way.

Provide direct interface cues about persona implications: The interplay between personalisation and security calls for intuitive interfaces that adapt seamlessly to the diverse needs and preferences of users and their different personas. It’s necessary to adapt user interfaces and application functionality to reduce the user’s cognitive load and set expectations.

Plan for persona implications across ecosystems: Special risks exist wherever users inhabiting a variety of personas interact with loosely integrated business systems, such as Open Banking ecosystems or B2B supply chain flows. Cybersecurity threats are now viewed as the biggest issue by senior procurement leaders, according to Amazon Business.

Protect against adversarial persona selection: We’ve said the same human being can assume different personas that may be associated with different access privileges. To achieve least privilege, it’s important to restrict users’ ability to assume a higher-privilege persona that allows for fraudulent behaviour. Taking a page from the identity governance concept of separation-of-duties violation checking, we could call this separation-of-personas violation checking. A bank president who is also sometimes a bank customer should not be able to abuse their employee privileges.
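The joint-account permissions from the case study and the separation-of-personas check described here can be expressed as one small policy. The following is an added example written for this article, not code from the white paper or from Venn Factory. The humans (Alice, Bob, Charlie, Dave and a bank president Pat), the account identifiers, the action names and the grants are all constructed for illustration; the shape of the check is the point.

```python
"""Persona-aware authorization with a separation-of-personas check.

Added example, not code from the white paper. All humans, accounts, personas,
action names and grants below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Persona:
    """A usage context one human acts under, carrying its own grants."""
    name: str       # e.g. "joint-holder", "adviser", "employee"
    human: str      # the person entitled to assume this persona
    staff: bool     # staff personas are subject to separation of personas
    grants: dict    # account_id -> set of actions; "*" stands for every account


# Constructed account register: account_id -> owning humans.
ACCOUNTS = {
    "JOINT-001": {"alice", "bob"},
    "SAV-ALICE": {"alice"},
    "CHK-PAT": {"pat"},
}

# Constructed persona register, keyed by (human, persona name).
PERSONAS = {
    ("alice", "joint-holder"): Persona("joint-holder", "alice", False,
                                       {"JOINT-001": {"view", "purchase"}}),
    ("bob", "joint-holder"): Persona("joint-holder", "bob", False,
                                     {"JOINT-001": {"view", "transfer", "manage-savings"}}),
    ("charlie", "dependant"): Persona("dependant", "charlie", False,
                                      {"JOINT-001": {"view"}}),
    ("dave", "adviser"): Persona("adviser", "dave", False,
                                 {"SAV-ALICE": {"view", "recommend"}}),
    ("pat", "customer"): Persona("customer", "pat", False,
                                 {"CHK-PAT": {"view", "withdraw"}}),
    # Pat is the bank president: the staff persona reaches every account.
    ("pat", "employee"): Persona("employee", "pat", True,
                                 {"*": {"view", "approve-overdraft", "reverse-fee"}}),
}


def authorize(human, persona_name, account, action):
    """Decide whether `human`, acting as `persona_name`, may do `action` on `account`.

    Returns (allowed, reason). The request must name its persona: the same
    human gets different answers depending on which persona is active.
    """
    persona = PERSONAS.get((human, persona_name))
    if persona is None:
        return False, f"{human} cannot assume persona {persona_name!r}"
    owners = ACCOUNTS.get(account)
    if owners is None:
        return False, f"unknown account {account}"
    # Separation of personas: a staff persona never acts on its holder's own
    # accounts, even when its grants would otherwise reach them.
    if persona.staff and human in owners:
        return False, (f"separation-of-personas violation: {human} as {persona_name} "
                       f"on own account {account}")
    allowed = persona.grants.get(account, set()) | persona.grants.get("*", set())
    if action not in allowed:
        return False, f"persona {persona_name!r} of {human} lacks {action!r} on {account}"
    return True, "permitted"


def separation_of_personas_report():
    """Governance-style review, mirroring SoD violation reporting: list every
    (human, staff persona, account) where a staff persona can reach an account
    that its holder also owns."""
    findings = []
    for (human, name), persona in PERSONAS.items():
        if not persona.staff:
            continue
        reachable = set(ACCOUNTS) if "*" in persona.grants else set(persona.grants)
        for acct in sorted(reachable):
            if human in ACCOUNTS.get(acct, set()):
                findings.append((human, name, acct))
    return findings


if __name__ == "__main__":
    for req in [("alice", "joint-holder", "JOINT-001", "purchase"),
                ("pat", "employee", "CHK-PAT", "approve-overdraft"),
                ("pat", "employee", "SAV-ALICE", "approve-overdraft")]:
        print(req, authorize(*req))
    print("findings:", separation_of_personas_report())
```

Two design choices are worth noting. The request carries the persona explicitly rather than the system inferring it, which is the simplest way to make the grants differ for the same human; inferring the persona from context, as the first requirement above suggests, would plug in at the point where `persona_name` is chosen. And the separation-of-personas rule is applied before the grant lookup, so an overly broad staff grant such as `"*"` can never be used to reach the holder's own account.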


Conclusion

John Kindervag, creator of the Zero Trust security philosophy, has observed that ‘The human element is always the difficult element in the discussion about protecting data and assets.’ Through our analysis and our work in the field, we have come to believe that by adding a deeper understanding of not just the users in our systems but also the personas they adopt, it’s possible to address this ‘difficult element’ more fully and satisfactorily.


About Eve Maler

Eve Maler is the Founder and President of identity advisory firm Venn Factory. Eve has led and contributed to standards such as XML and SAML, as well as industry efforts such as UK Open Banking and US government health IT.


About Jacob Ideji

Jacob Ideji is a distinguished Cybersecurity Architect and works in Security Solutions Engineering at Cisco. He is known for addressing today's most urgent security challenges, including digital access for the unbanked and infrastructure resilience.


Published by The Paypers, the Netherlands-based independent source of news and intelligence for professionals in the global payment community.
