Can organisations achieve identity assurance at low cost while still mitigating fraud and money-laundering risk? Mark Haine, founder of Considrd.Consulting, has some ideas.
Mark will share more on digital identity at the European Identity and Cloud Conference (EIC) 2023, taking place in Berlin from May 09 - 12, 2023. Registration is open for anyone who wants to take part and expand their knowledge and network there.
Identity assurance is the process of establishing, to a stated level of confidence, that a claimed identity is genuine and belongs to the person presenting it. It combines methods such as document verification, biometric matching and knowledge-based verification to confirm that an individual is who they claim to be. Its purpose is to protect accounts and transactions from fraud and identity theft, especially in digital interactions where the person is not physically present. Identity assurance is crucial in sectors such as finance, healthcare and government, where sensitive personal information and regulated decisions are involved.
OpenID Connect for Identity Assurance (OIDC4IDA) is a specification that builds on the OpenID Connect Core specification. OpenID Connect Core provides a flexible way to pass identity attributes from one party to another, usually with the approval of the end user. That flexibility is a huge feature, but it is also a challenge. One challenge arises when parties wish to pass information about how a person's attributes (name, address, date of birth) were established. Until now there has been no standard way to represent that identity assurance process. OpenID Connect for Identity Assurance defines a standard data structure, carried alongside the attributes themselves, that represents those assurance processes and the evidence (documents, records, vouches) used in them.
The specification involves three roles:
OpenID Provider - the provider of identity data, which in OIDC4IDA also runs the processes that verify the identity of the end-user;
End-User - the human who is interacting and who the identity data is about;
Relying Party - the entity that wishes to use information about the end-user, including, in OIDC4IDA, how that end-user's identity was verified.
Another aspect of the challenge is that the data structure needed to represent all the details of an identity assurance process is quite rich, and it is unlikely that all of that richness will be needed by a relying party for a given use case. Each relying party may also take a different view on what it needs in order to adequately mitigate the risks it is concerned with. To keep the data exchanged to a minimum, the spec reuses the OpenID Connect claims request mechanism so that a Relying Party can state exactly which verification details and which claims it needs in the request; the OpenID Provider then returns only those elements.
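As an added illustration of this request-side minimisation (example code written for this page, not code from the article or from any OIDC4IDA product): a Relying Party builds a minimal claims request naming only the verification details and claims it needs, then checks the OpenID Provider's response against it. The JSON shapes follow the `verified_claims` structure of OpenID Connect for Identity Assurance, with constraints expressed in the `value`/`values` syntax inherited from OpenID Connect Core; the trust framework identifiers `de_aml` and `eidas` and the evidence type `document` are taken from the spec, while the OP response below is constructed sample data, not a real user.

```python
"""Added example: minimal OIDC4IDA claims request plus RP-side checks on the response.
Not code from the original article or from any product. Sample data is constructed."""

from typing import Any


def build_claims_request(claim_names, trust_frameworks, evidence_types) -> dict[str, Any]:
    """Value of the OIDC 'claims' request parameter: ask only for what this RP needs.
    None means "return this element if available"; {"values": [...]} restricts what
    the RP is prepared to accept (OIDC Core claims-request syntax, reused by OIDC4IDA)."""
    return {
        "userinfo": {
            "verified_claims": {
                "verification": {
                    "trust_framework": {"values": list(trust_frameworks)},
                    "time": None,
                    "evidence": [{"type": {"values": list(evidence_types)}}],
                },
                "claims": {name: None for name in claim_names},
            }
        }
    }


def _allowed(constraint, actual) -> bool:
    """Evaluate one claims-request constraint: None, {"value": x} or {"values": [...]}."""
    if constraint is None:
        return True
    if "value" in constraint:
        return actual == constraint["value"]
    if "values" in constraint:
        return actual in constraint["values"]
    return True


def check_response(request: dict, response: dict) -> list[str]:
    """Return policy violations found in the OP's response; [] means acceptable.
    Flags trust frameworks and evidence types the RP did not accept, claims the RP
    never asked for (data minimisation) and requested claims that are missing."""
    wanted = request["userinfo"]["verified_claims"]
    got = response.get("verified_claims")
    if got is None:
        return ["no verified_claims in response"]
    # OIDC4IDA allows verified_claims to be a single object or an array of them.
    elements = got if isinstance(got, list) else [got]
    problems: list[str] = []
    want_tf = wanted["verification"]["trust_framework"]
    want_types = wanted["verification"]["evidence"][0]["type"]
    requested = set(wanted["claims"])
    for i, vc in enumerate(elements):
        ver = vc.get("verification", {})
        tf = ver.get("trust_framework")
        if not _allowed(want_tf, tf):
            problems.append(f"verified_claims[{i}]: trust_framework {tf!r} not accepted")
        if not any(_allowed(want_types, e.get("type")) for e in ver.get("evidence", [])):
            problems.append(f"verified_claims[{i}]: no evidence of an accepted type")
        returned = set(vc.get("claims", {}))
        for extra in sorted(returned - requested):
            problems.append(f"verified_claims[{i}]: unrequested claim {extra!r} returned")
        for missing in sorted(requested - returned):
            problems.append(f"verified_claims[{i}]: requested claim {missing!r} missing")
    return problems


def extract_claims(request: dict, response: dict) -> dict[str, Any]:
    """Return only the requested claims; call after check_response returned []."""
    requested = request["userinfo"]["verified_claims"]["claims"]
    got = response.get("verified_claims", [])
    elements = got if isinstance(got, list) else [got]
    out: dict[str, Any] = {}
    for vc in elements:
        for name, value in vc.get("claims", {}).items():
            if name in requested:
                out[name] = value
    return out


# Constructed sample of what an OP might return (not real data).
SAMPLE_OP_RESPONSE = {
    "sub": "c3a2d9f0-example",
    "verified_claims": {
        "verification": {
            "trust_framework": "de_aml",
            "time": "2023-03-14T09:20:00Z",
            "verification_process": "example-process-0001",
            "evidence": [{
                "type": "document",
                "method": "pipp",
                "document_details": {
                    "type": "idcard",
                    "issuer": {"name": "Example Issuing Authority", "country": "DE"},
                    "document_number": "000000001",
                    "date_of_expiry": "2031-01-01",
                },
            }],
        },
        "claims": {"given_name": "Alice", "family_name": "Example", "birthdate": "1990-05-17"},
    },
}

if __name__ == "__main__":
    req = build_claims_request(["given_name", "family_name", "birthdate"], ["de_aml", "eidas"], ["document"])
    print(check_response(req, SAMPLE_OP_RESPONSE))   # [] : acceptable
    print(extract_claims(req, SAMPLE_OP_RESPONSE))
    strict = build_claims_request(["given_name"], ["eidas"], ["document"])
    print(check_response(strict, SAMPLE_OP_RESPONSE))  # trust framework and unrequested claims flagged
```

The second, stricter request shows why the check matters in both directions: an OP that answers with a trust framework the RP did not list, or volunteers claims the RP never asked for, has not honoured the minimisation the request expressed, and the RP should not silently store that extra data.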
There are numerous situations in which identity documentation is checked, either before permitting somebody to access a service or to make sure that the original individual is still in control of an account. In financial services this is called KYC (Know Your Customer); in other contexts it is referred to as identity assurance. There are two main approaches to satisfying this need today.
The first is for an organisation to build an onboarding journey itself using a combination of people, processes and technology. This approach is costly for the organisation to build and maintain. It is also costly for the end user in terms of time, and somewhat risky, because the same identity documents end up being shared with many providers.
The alternative is for an organisation to engage a specialist service provider to do customer onboarding or re-verification on its behalf. This remains costly, because the organisation pays for the service and must maintain a technical integration defined by the provider, although the optimised user experience may make it somewhat smoother for the end-user. The proliferation of copies of physical identity documents remains a risk for all parties, and both options can result in significant abandonment by end-users.
The vision for OpenID Connect for Identity Assurance was not only to permit standard integrations to be built (reducing cost for the organisation) but also to enable the re-use of pre-verified digital identities (reducing cost again, this time for both the organisation and the end-user). It also allows networks of multiple IDPs to emerge behind the same standard interface, giving both the relying party and the end-user a choice of provider, ultimately creating a much more competitive and dynamic environment (in both cost and user experience) and even allowing for arbitrage between providers.
The use cases for OpenID Connect for Identity Assurance are many and varied but are connected by the need for clarity about the identity assurance process and a consistent interface to provide that information. Often these cases are where a higher level of certainty about identity and how it was established is needed.
Open a bank account - When opening a bank account, various checks are required to prevent money laundering and reduce the risk of fraud. A significant part of this is achieving a high level of certainty that the identity of the individual asking for the account is known. Using OpenID Connect for Identity Assurance would enable a significant proportion of those checks to be communicated via a standard interface, including the pieces of evidence the bank needs to retain for record keeping.
Buying a house - In the house-buying journey there are many businesses that both the buyer and the seller must interact with, and most of these interactions require identity assurance to mitigate fraud and money-laundering risk (there can be up to 14 entities per sale/purchase: banks, mortgage providers, solicitors and so on). OpenID Connect for Identity Assurance could allow a single, recent identity assurance process to be reused by each of those businesses, each applying its own acceptance rules to the verification details it receives, which gives them the certainty they need and gives the people moving house a far better experience.
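The reuse described above only works if each relying party can decide, from the verification metadata alone, whether a previous assurance process is good enough for its own risk appetite. The following is an added example of such an acceptance policy (written for this page; it is not code from the article or from any product): it reads the `verification` element of an OIDC4IDA `verified_claims` object and decides whether to accept the earlier verification or send the person for re-verification. The field names (`trust_framework`, `time`, `evidence[].type`, `document_details.date_of_expiry`) follow the spec; the two policies, their age thresholds and the sample verification data are assumptions made for illustration.

```python
"""Added example: RP acceptance policy for re-using an earlier OIDC4IDA verification.
Not code from the original article or from any product. Policies and data are constructed."""

import copy
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class ReusePolicy:
    accepted_trust_frameworks: frozenset   # which schemes' verifications this RP trusts
    max_verification_age: timedelta        # how recent the verification must be
    accepted_evidence_types: frozenset     # e.g. {"document", "electronic_record"}
    require_unexpired_document: bool = True


def _parse_time(value: str) -> datetime:
    """Parse the RFC 3339 timestamps OIDC4IDA uses; tolerate a trailing 'Z'."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def evaluate_reuse(verified_claims: dict, policy: ReusePolicy, now: datetime) -> tuple[str, list[str]]:
    """Return ("accept", []) or ("reverify", reasons) for one verified_claims element."""
    reasons: list[str] = []
    ver = verified_claims.get("verification", {})
    tf = ver.get("trust_framework")
    if tf not in policy.accepted_trust_frameworks:
        reasons.append(f"trust framework {tf!r} not accepted by this relying party")
    when = ver.get("time")
    if when is None:
        reasons.append("verification time absent; recency cannot be judged")
    else:
        age = now - _parse_time(when)
        if age > policy.max_verification_age:
            reasons.append(f"verification is {age.days} days old, limit is {policy.max_verification_age.days}")
    usable = False
    for ev in ver.get("evidence", []):
        if ev.get("type") not in policy.accepted_evidence_types:
            continue
        expiry = ev.get("document_details", {}).get("date_of_expiry")
        if policy.require_unexpired_document and expiry and date.fromisoformat(expiry) < now.date():
            continue  # the document the verification rested on has since expired
        usable = True
    if not usable:
        reasons.append("no acceptable, unexpired evidence in the verification")
    return ("accept" if not reasons else "reverify", reasons)


def with_document_expiry(verified_claims: dict, expiry: str) -> dict:
    """Copy of a verified_claims element with every document's expiry date replaced (for testing)."""
    vc = copy.deepcopy(verified_claims)
    for ev in vc["verification"].get("evidence", []):
        if "document_details" in ev:
            ev["document_details"]["date_of_expiry"] = expiry
    return vc


# Two constructed policies for parties in a house purchase (assumed thresholds, not from any regulation).
SOLICITOR_POLICY = ReusePolicy(frozenset({"de_aml", "eidas", "uk_tfida"}), timedelta(days=90), frozenset({"document", "electronic_record"}))
LENDER_POLICY = ReusePolicy(frozenset({"de_aml", "eidas", "uk_tfida"}), timedelta(days=30), frozenset({"document"}))

# Constructed verified_claims element, as an OP might return it (not real data).
SAMPLE_VERIFIED_CLAIMS = {
    "verification": {
        "trust_framework": "uk_tfida",
        "time": "2023-03-14T09:20:00Z",
        "evidence": [{"type": "document", "method": "pipp",
                      "document_details": {"type": "passport", "date_of_expiry": "2031-01-01"}}],
    },
    "claims": {"given_name": "Alice", "family_name": "Example"},
}

if __name__ == "__main__":
    now = datetime(2023, 4, 20, 12, 0, tzinfo=timezone.utc)   # fixed clock so the run is reproducible
    print(evaluate_reuse(SAMPLE_VERIFIED_CLAIMS, SOLICITOR_POLICY, now))
    print(evaluate_reuse(SAMPLE_VERIFIED_CLAIMS, LENDER_POLICY, now))
    print(evaluate_reuse(with_document_expiry(SAMPLE_VERIFIED_CLAIMS, "2023-04-01"), SOLICITOR_POLICY, now))
```

The same 37-day-old verification is accepted by the solicitor's 90-day policy and rejected by the lender's 30-day policy, which is the point: the standard carries the facts once, and each relying party applies its own rules rather than running a fresh document check. Note that the clock is passed in explicitly; a policy that reads `datetime.now()` internally cannot be tested against a fixed verification date.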
When thinking about adopting a specification it is important to understand the richness of the ecosystem supporting it. OpenID Connect for Identity Assurance is new but has already achieved several key milestones, and there are software implementations available both as commercial offerings and as open source. The following are the key data points:
Real companies are using this spec for real business today:
In Germany, there is a fully functioning digital identity system with more than 1,000 banks acting as IDPs and more than 100 Relying Parties
There are new commercial projects underway involving the use of this spec:
Financial services community in Australia
Integration of financial services and government in the UK alongside the national digital identity Trust Framework
The digital agency of the Japanese government is analysing the use of the IDA spec
MOSIP have OIDC4IDA on their roadmap
Conformance
Software and Services that support the spec:
Authlete - delivered as a cloud service
Connect2ID - Commercial IDP Software and open-source RP
Identity First - Open Source
Ping Identity - with custom extensions
Forgerock - with custom extensions
About Mark Haine
Mark is an engineer and entrepreneur who has focused his career on building solutions that enable business and mitigate risk largely in financial services. Mark has helped organisations navigate the complexities of securely enabling third-party access to data via APIs in tightly regulated environments.
About Considrd.Consulting
Considrd.Consulting is a specialist consultancy founded by Mark in 2020 that focuses on strategy, architecture, and engineering of Digital Identity, transformation, and security concerns and has supported clients in many countries.