In 1999 Visa announced it was ‘the year of the e-wallet’. It wasn’t until 2018 that mobile wallet payments overtook payment cards by the number of transactions. These two data points show that it can be notoriously difficult to predict how things will play out, not to mention when.
The European Commission under their Digital Programme has started a pilot of the ‘European Digital Identity Wallet’ (EUDI) which ‘will provide a secure and convenient way for European citizens and businesses to identify themselves when needed for accessing digital services’.
There is certainly a vision and ambition for citizens to use a EUDI wallet to do things like check-in at the airport, rent a car, or open a bank account.
To move things forward, having a vision and an ambitious plan is absolutely the right thing to do, but as part of that plan it is very important to try to spot where challenges may lie and plan to avoid, work around, or meet them head-on with solutions. This article tries to provide a list of challenges that may need to be overcome before the stated target that ‘80% of (European) citizens have access to digital ID’ can be realistically achieved.
Increasing the convenience of carrying and presenting identity information makes it much better for citizens, and the businesses they are dealing with, when things are going well. However, making it easier to share digital identity credentials also makes it easier to over-share with a relying party that wishes to use data in a way that the end-user has not agreed to or, much worse, easier to share digital identity information with a fraudster. It could well be that one of the biggest risks arising from the EUDI Wallet is that it makes it easier for fraudsters to access citizens’ digital identity credentials by simply tricking them.
In some ways, this may be compounded by using the wallet. Part of the reason a wallet is good is that it reduces potential abuses by legitimate businesses by making the tracking of user behaviour harder. Unfortunately, it quite probably also makes tracking and stopping fraudsters harder too.
The digital wallet may reduce tracking by credential issuers, but concerns about using digital identity persist among citizens. The prevalence of cyber security incidents and online influencers warning about the potential tracking capabilities of digital IDs have only amplified those concerns. Ultimately, it is easier to track the use of digital IDs than to track the use of physical IDs. While the wallet architecture is a response to web tracking and gives end-users some control of their credentials, it may shift the problem to different components of the technology stack, such as network operators, wallet providers, or mobile OS providers. It is uncertain whether the wallet-based architecture will really mitigate tracking, but it offers a potential solution for consumers who have grown wary of web tracking and abuse by big players.
Another probably unintended consequence is that a disproportionate burden falls upon people in lower socio-economic groups. While making digital journeys easier and safer is the overall goal, it seems likely that the use of these ‘easier’ journeys will, in reality, be easier for people who already have the skills and appropriate devices, and already have one or more existing sources of strong identity (like a passport). The unintended consequence here is that there is bias baked into the assumptions of the programme that further expands the existing digital divide, increasing discrimination against people who, for whatever reason, already struggle with digital journeys.
When building a multi-party ecosystem, the reputation of the overall system is quite strongly tied to the interoperability of many parties. If any one entity in the ecosystem implements a change that renders it incompatible at a technical level with other parties, then the impact will be much wider than the single party, and there will be dissatisfaction with the ecosystem in the mind of impacted consumers.
In the case of the EUDI ecosystem, it is anticipated that there will be many issuers, relying parties, and wallet providers. It is highly likely that technical incompatibilities will exist, sometimes transient but also potentially for extended periods as multi-party troubleshooting takes place. This will inevitably impact the utility and reputation of the EUDI ecosystem as a whole. It also seems likely that fallback mechanisms will have to be designed into the relying party processes and systems for when people present themselves and there is a glitch that cannot be resolved in a timely fashion, for example when presenting credentials that are needed to board a plane.
The fallback measures are likely to be more time-consuming and costly and could have knock-on effects for all concerned.
Delivery of a functioning digital ecosystem that works across borders and business sectors and reduces the risk for legitimate participants is a tall order. Doing it in a way that is sufficiently stable to become the primary channel will require an unprecedented level of standardisation and operational stability. Once that stability is achieved, changes by implementers will need to be performed very carefully, and change to the standardised interfaces will be very hard.
This necessary operational stability will act as a significant impediment to future change (and therefore innovation), and unless it turns out that the solution presented is pretty close to ‘the right answer’, this could have a significant detrimental impact on the ability to innovate going forward.
The cost of interacting with the EUDI ecosystem will be a barrier for some businesses. There will need to be additional equipment, software, or services to interact with the EUDI ecosystem, whether they integrate themselves or subscribe to a service provider to help. There is also the potential for smaller businesses to find that accepting digital identity is not cost-effective if their transaction volumes or margins are not enough to cover the overheads.
Maintenance, upgrades, and dealing with incidents and disputes will also incur a cost, but it remains unclear how that may be covered.
Despite the likely macro benefits of digital identity, the unresolved business model for using EUDI Wallets may have unintended consequences for some market participants, resulting in some business entities losing out.
We have one measure for success in the ‘80% of citizens have access to digital ID’ statement, but perhaps a greater success would be if the use of strong digital identity via a EUDI Wallet were to overtake the inefficient, insecure, costly, and generally annoying assurance processes we have to endure today. Let’s keep discussing how we can address these (and other) consequences and hope we get there in less than the 19 years it took payment wallets to overtake cards.
This editorial was initially published in the Financial Crime and Fraud Report 2023 which dives into the captivating world of fraud management, digital onboarding, and financial crime in the financial services industry. You can download your free copy here.
Mark is an engineer and entrepreneur who has focused his career on building solutions that enable business and mitigate risk largely in financial services. Mark has helped organisations navigate the complexities of securely enabling third-party access to data via APIs in tightly regulated environments.
considrd.consulting is a specialist consultancy founded by Mark in 2020 that focuses on strategy, architecture, and engineering of Digital Identity, transformation, and security concerns and has supported clients in many countries.