Identity is a given: Trusted data is the real requirement

Once upon a time, we started with authentication and credentials. We had passwords (we still do), there were OTP devices, then mobile authenticators, but all of this was, and is, very account centric. It’s good if you want to know it’s the same entity that calls themselves Adam returning to buy socks (or whatever the transaction might be), but it doesn’t say much else about that person – it could, in fact, be anyone with access to my credentials. 

To counter that, we added digital identity – a means of declaring that I really am Adam, that Adam is a real person, and I can prove it digitally. And to make the authentication part stronger, we added two-factor authentication or even biometrics. 

But what does that really tell the service Adam is interacting with? Not much. It doesn’t give the service any background data to check eligibility or complete customer due diligence processes. If we want to fight fraud, reduce compliance overheads, or simply offer a better service, we need that additional information about customers and we need that information to be high quality and from a trusted source. Digital identity is therefore the key, but trusted data is the real value it unlocks.

Not everyone has a digital identity yet – but that doesn’t mean we should ignore it

According to the World Bank ID4D dataset, there are approximately 1.1 billion people with no legal identity in the world today, and a further 3.4 billion who have a legal identity but limited ability to use that identity to access digital services. This means that half the population of the planet are struggling to access digital identity and consequently their ability to transact online securely is limited, forcing service providers to perpetuate alternative channels or simply not be able to provide services to some users.

Digital identity offers a way of plugging this gap by increasing inclusion and offering alternative means of identification and authentication that match the needs of individuals rather than generalised policy decisions. 

Risk assessment is easier if you have trusted data

According to McKinsey Global Institute: ‘In the United States, approximately 16.7 million Americans were victims of identity fraud in 2017, an increase of 8% from 2016. Worldwide, theft of consumers’ identities cost businesses an estimated USD 148 on average per person in the 12 months to June 2018’. Since then, the global pandemic has increased fraudulent activity, particularly where individuals have increased their online activity, ecommerce purchases, and remote working. To make matters worse, multiple large-scale breaches have made huge amounts of personal data available to fraudsters, which reflects the threats being faced by organisations and their responsibility to customers. 

Trusted data alongside digital identity can greatly reduce the cost of compliance by simplifying processes and reducing risk associated with customer account creation. 

Where does the trust come from?

There are 3 key pillars of digital trust: a reliable legal environment, authoritative sources of data, and a means of identifying individuals online. There needs to be a reliable legal environment within which identity can operate and to which services must conform. This means the presence of data protection and privacy laws that meet internationally recognised requirements (GDPR is just one reference point).

Access to authoritative sources of trust, which can be used to verify eligibility and identify individuals, must be made more readily and securely available by government agencies. Processes for the verification and validation of an individual’s identity should be made readily available in a way that promotes inclusion and protects the privacy of those individuals as they engage with digital services. 

Binding these ingredients together under a set of rules that all parties accept and accompanying strong governance, often called a Trust Framework, has become a priority of many governments including the UK, Australia, Canada, and New Zealand. But new initiatives are gathering pace under the guidance of the European Union and the African Union to make government-backed identity and key authoritative sources of data more widely available regionally as well as nationally. 

And how can that trust be shared?

Technology inevitably plays a part. In this case, making possible the sharing of data with service providers in a way that preserves the integrity of information as it passes from user to service and reveals who the issuer of that data was with a high level of certainty. As a result, trust frameworks usually include technical trust requirements to ensure interoperability between issuers of trusted data, the users the data concerns, and the consumers of both data and trust the services people wish to access. 

What does the future look like?

The private sector may well form the catalyst for a growth in digital trust with organisations striving to satisfy compliance, reduce fraud, and meet a growing consumer expectation for the safety of digital services. Initiatives such as the Global Assured Identity Network (GAIN), building on the expertise of financial institutions in the completion of KYC procedures and compliance with AML and other sectoral regulations, may be the catalyst for wider availability of digital identity and trusted data. 

Equally, regional initiatives such as the EU’s revised eIDAS Regulation on digital identity interoperability across the block will begin to show the benefits of digital identity to citizens, organisations, and governments alike. 

Finally, the technological glue needs to bring together a set of associated standards and specifications that surface the power of trusted data in a form where it is largely invisible to citizen users, but is interoperable and reliable enough to be indispensable to operators of online services.

As yet there are no clear winners, but with W3C Verifiable Credentials, DIDs, and many interlinked emerging standards in the identity space, there is no doubt that engineering will find a way and will most likely do so in the very near future.

About Adam Cooper

Adam Cooper is a technical consultant to the World Bank ID4D programme, and an advisor to international initiatives such as the UN Commission for International Trade Law, the Alan Turing Institute, and the MOSIP Modular Open Source Identity platform.

About ID Crowd

ID Crowd specialises in mitigating business and technology risks relating to identity, helping clients understand how to better trust their customers and the businesses they transact with. We understand the critical and interrelated concepts of digital identity and trust together with the various threat vectors including cyberattack, identity, and eligibility fraud.