Everyone is talking about digital identity
Individuals are becoming increasingly aware of the lack of control they have over their personal data, which is in effect what constitutes their digital identity. Banks are facing new regulatory requirements, such as 5AMLD and PSD2, making digital approaches to identity an imperative. Other sectors such as health and employment are encountering identity-related issues as they seek to go digital. And governments and industry are making numerous attempts at creating digital identity systems – all different, solving similar problems in different ways.
How can we make sense of it all?
Firstly, we need to understand what problem we are trying to solve.
Today identity is held in silos. Each organisation a customer interacts with has its own “virtual identity” for the customer, consisting of the personal information that the organisation needs. These virtual identities are locked up. If the customer wants to open a new bank account, buy insurance, submit his or her taxes and so on, the existence of these virtual identities does not help. Today customers have no way of saying “Look, my bank can tell you who I am”.
Secondly, we need a model that helps us fix the problem. At Consult Hyperion we use this one:
When a customer onboards to a new service, the service will need to establish that the customer is real and unique. This is what we call “identification”.
It is quite likely that the service will give the customer an app or ask them to set a password, allowing them to access that service more easily from that point forward. This is what we call “authentication” – asserting that the user is a previously established real customer.
The customer should then be given control over how their information (ie their virtual identity) is used. This is what we call “authorisation”. Unfortunately, today this too often just boils down to giving marketing preferences. It should be much more than that. A customer should be able to say “Yes, please help me access that other service by telling them you know me”.
The key to creating portable virtual identities is the authentication domain in the middle. A customer should be able to present information signed by one organisation (a “claim”) to another organisation and use their authentication method to show digitally that the claim belongs to them. This is how you would allow someone to digitally say “Look, my bank can tell you who I am”.
Digital identity is the bridge between real identities and virtual identities. It is the means through which a person or an organisation can make their virtual identities portable.
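The exchange described above (a claim signed by one organisation, presented to another, with the customer's authentication method proving the claim is theirs) can be sketched as follows. This is an added example, not code from Consult Hyperion or any scheme named in this article; Ed25519, the JSON encoding, and the names example-bank and insurer.example are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumptions (not from the article): Ed25519 keys, JSON.stringify as the signed encoding, constructed names.
const newKeys = () => crypto.generateKeyPairSync('ed25519');
const pubB64 = (k) => k.export({ type: 'spki', format: 'der' }).toString('base64');
const sign = (priv, obj) => crypto.sign(null, Buffer.from(JSON.stringify(obj)), priv).toString('base64');
const check = (pub, obj, sig) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), pub, Buffer.from(sig, 'base64'));

// Bank: signs a claim that names the customer's wallet key as its holder.
function issueClaim(bankPriv, attributes, holderPub) {
  const body = { issuer: 'example-bank', attributes, holderKey: pubB64(holderPub) };
  return { body, issuerSig: sign(bankPriv, body) };
}

// Wallet: authenticates by signing the new service's fresh challenge.
function present(claim, holderPriv, challenge) {
  return { claim, challenge, holderSig: sign(holderPriv, challenge) };
}

// New service: trusts the bank's key, checks the claim, then checks who is presenting it.
function verifyPresentation(p, bankPub, expectedChallenge) {
  if (!check(bankPub, p.claim.body, p.claim.issuerSig)) return 'bad issuer signature';
  if (JSON.stringify(p.challenge) !== JSON.stringify(expectedChallenge))
    return 'stale or foreign challenge';
  const holderPub = crypto.createPublicKey({
    key: Buffer.from(p.claim.body.holderKey, 'base64'), format: 'der', type: 'spki' });
  if (!check(holderPub, p.challenge, p.holderSig)) return 'presenter does not hold the claim key';
  return 'ok';
}

// Constructed scenario: one genuine presentation and three that must be rejected.
function demo() {
  const bank = newKeys(), customer = newKeys(), other = newKeys();
  const claim = issueClaim(bank.privateKey, { name: 'A. Customer', over18: true }, customer.publicKey);
  const challenge = { audience: 'insurer.example', nonce: crypto.randomBytes(16).toString('hex') };
  const good = present(claim, customer.privateKey, challenge);
  const edited = { ...good, claim: { ...claim, body: { ...claim.body, attributes: { name: 'Someone Else' } } } };
  return {
    genuine: verifyPresentation(good, bank.publicKey, challenge),
    copiedClaim: verifyPresentation(present(claim, other.privateKey, challenge), bank.publicKey, challenge),
    editedClaim: verifyPresentation(edited, bank.publicKey, challenge),
    replayed: verifyPresentation(good, bank.publicKey, { ...challenge, nonce: 'a-later-nonce' }),
  };
}

console.log(demo());
```

The claim alone is not a credential: a copy of it fails without the wallet key, which is why the authentication domain carries the weight in this model.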
Solutions that solve particular problems
The digital identity solutions that have been developed to date have solved particular problems.
India’s Aadhaar programme is fundamentally about creating a register of real identities. In that sense, it is not really a digital identity system but was intended as a foundational step towards inclusion. Mainly, the widely reported issues with Aadhaar arise from the ways in which the register has subsequently been connected to digital identity systems.
eIDAS, GOV.UK Verify, and the successful Nordic Bank ID schemes all solve the narrow but important problem of allowing people to create and assert a digital version of their real identity. They do not, in their current forms, solve the wider need for portable virtual identities.
The GSMA has focused more on authentication, as that is the primary place mobile operators can play. FIDO provides similar but over-the-top device-based authentication.
The various Self Sovereign Identity projects are about giving people total control over their virtual identities; but to work, people will need to be given tools in the authentication domain (eg wallets) to protect the keys that unlock those virtual identities.
Making it work for everyone
A key barrier to the adoption of digital identity solutions has been the perception (and in some cases the reality) that it will disrupt the relationship with the customer. Most solutions to digital identity today involve an “Identity Provider” that could equally be described as an “Identity Disintermediator”. Instead of mobilising virtual identities, they create a new silo of data that sits between the customer and service. No service provider wants this.
In order to work, digital identity needs to be a low-cost enabler that is focused on providing the customer with the ability to move seamlessly (and securely) from one digital service to another. Until this is widely understood we will continue to have fragmented solutions with narrow applicability and limited adoption.
This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce, banking, and financial services ecosystems. Moreover, it provides payment, fraud, and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.
About Steve Pannifer
Steve is COO at Consult Hyperion and a digital identity and security expert. Steve has a detailed understanding of the global digital identity market having advised numerous organisations around the world on all aspects of digital identity – commercial, technical and regulatory. He is actively involved in key identity initiatives in both government and financial services sectors and is a regular speaker at digital identity conferences and events.
About Consult Hyperion
Consult Hyperion is an independent consultancy. We hold a key position at the forefront of innovation and the future of transactions technology, identity, and payments. We are globally recognised as thought leaders and experts in the areas of mobile, identity, contactless and NFC payments, EMV, and ticketing.