Digital IDs and public trust

by Mark Rowe

Digital IDs rely on public trust, writes Johnatan Uzan, Head of Cybersecurity at the digital product firm BCG Platinion WESA.

Proving who we are – even in the physical world – is a uniquely challenging issue. How can we ever be sure of a person’s identity? Even in extreme cases, such as crime or death, we rely on less-than-accessible measures such as fingerprints and dental records. Online, proving your identity is even harder.

In reality, all the technologies to do this already exist. We wear them on our wrists and carry them in our pockets every day. In a future that may not be so distant, our biometric data (the beating of our hearts, the curvature of our gait, the level of oxygen in our blood, the heat of our skin) may all be recorded by the accelerometers and other sensors of our watches and smartphones.

Unlike with fingerprints, proving your identity in the virtual realm isn’t so simple. Without physical, real-life verification, how can anyone be sure that you are who you claim to be?

But what if we looked at this question from another angle? What if your online identity could be the verification? As society increasingly becomes digital-by-default, wouldn’t it be simpler if your virtual identity was the most effective way of authenticating your real-world identity?

It already seems likely that digital identities will become the default form of authentication. Juniper Research has even found that the number of digital identity apps in use will jump from a little over one billion in 2020 to more than 6.2 billion by 2025.

But before digital identity prevails over real-life identity verification, it must be a source of trust for people, companies, employers, and everyone else.

Such a transformation, however, needs commitment. While the concept may be alluring in principle, in practice it’s something else entirely. The technical challenge will be to bring together an individual’s multiple identities – whether held by their educational institution, their financial services providers, government services and so on – to create a single, transparent, and informative identity. From date of birth and education to credit scores and employment history, each unique online identity can verify the others and, in turn, create a strong, trusted identity.

Regardless of the technical challenges, the appetite remains. In the health care sector, for example, there’s a need for increased transparency as well as stronger security and privacy – and the best route to this is through identity authentication. And as society continues to work in hybrid ways, this will benefit the user, customer and employee experience alike. This is something that the NHS is able to do. Its technology uses a multifactor authentication process to provide a number of ways for health and care professionals in England to authenticate their identity when accessing national clinical information systems.

In addition, as society begins to demand that social media profiles are held to account, we may see some social networks require digital identities to access their platforms, helping ensure individuals can be held accountable for what they publish and say.

The key to reaping the rewards will be the work of ‘trusted identity providers’, whose role will be based solely on collating and authenticating digital identities. From here, identities can also be incorporated into IoT ecosystems, creating digital avatars for both consumers and employees. This makes it simpler to access services such as healthcare and simplifies financial service background checks.

Technologies

In theory, organisations and governments already have the tools at their disposal for digital IDs to work. The technology and data, when working together, can create a unique pattern for each person that is singular and pseudo-anonymised but traceable by decentralised models. The blend of data from various sources, whether behavioural, biometric or geo-locatable in time and space, will be characterised as a unique set of data with more accuracy than ever.

The systemic digital challenges that many have announced, or are yet to announce, after the Covid-19 surge will be accelerators towards the crafting of our biological-digital footprint. Drift, of course, can have serious consequences for our liberty and our lives. We must now ask the burning question: who will carry our data, and how?

This question has very serious implications: after all, society is built around our identities. Everything we do is underpinned by the trust that we are who we say we are; and that this can be objectively true and universally proven. Our identities are perhaps our single most significant assets: they form the basis of how we move through the world, what benefits we enjoy or conditions we endure.

Who owns your identity?

The potential here is massive. Beyond the day-to-day improvements that digital IDs could provide, the most compelling prospect is the ability to create a global certified identity system capable of collecting data on a common identity from multiple places.

Currently, individual countries remain the primary trusted providers of identities. We must re-imagine this, creating a decentralised system with no central governing body.

With the adoption of a unique way of characterising every person on earth – whether that’s through biological information like fingerprints, for example, or a combination of other factors – it’s possible to create a worldwide decentralised database of identities. A further benefit is that data could not be syndicated and would act as a stable and uniform means of accessing services across the world.

And we may finally find the first critical use of blockchain separate from cryptocurrency. This is ideal in a society where we individually want to manage our own data. Blockchain could be the solution to move forward and facilitate significant change in digital identities by successfully anonymising and decentralising an individual’s data. This reduces the reliance on a centralised body to control the identities while also improving security and privacy.

It’s these types of solutions that will be critical for ensuring the mass adoption of digital identities. We’re already seeing eagerness for this within the UK’s public sector. In recent weeks, the Government Digital Service (GDS) has built on its recent trials of Gov.uk Accounts, creating a single sign-on system that acts as a way to deliver more personalised services for users on the Gov.uk website, and the GDS has added identity assurance features and the sharing of identity data between departments. The plans are already provoking controversy, however, as concerns grow over how the tracking of individuals across multiple sites may impact user privacy and data protection.

And in practical terms, Australia’s own e-ID scheme has run into its own issues. Only recently, researchers recommended that the Australian government abandon its existing digital identity system and start again. This was after weaknesses were uncovered in its myGovID system: researchers found that the system is subject to an easily implemented code proxying attack, which allows a malicious website to proxy a person’s login and re-use their authentication to log in to the victim’s account on any website of their choice. Such fatal flaws serve to deeply undermine the entire enterprise.

So, again, it all comes down to trust. Any decisions and changes made in identity need to ensure two things first: that there is a unique way to reliably prove who you are, and that we can trust the institution responsible for creating that identity. A critical component of the debate will always be data privacy: the ways in which an individual’s data is gathered and how it will ultimately be protected. Both are equally important and need careful consideration. Overcoming these concerns in the long run will require creating a low-cost, non-forgeable way to prove who people are, which removes the need for a certification body at all.

As a digital-first society gets closer and closer, the need for a unique, non-forgeable digital ID, which is recognised globally and operates both online and in person, will become increasingly essential. Yet making this a reality will not be easy. Here, the cooperation and collaboration of multiple organisations and services will be essential, but of course, at the heart of the efforts amongst both parties must be trust.

Digital identity means an individual is easier to track, thus enhancing user experiences, but the data itself can easily become intrusive if collected unchecked. Opting into an ‘official’ digital identity must be an individual choice that each of us needs to make, but if it’s going to be a success for all users then it must be simple, safe and feel worthwhile.
