
Providing trust to digital transactions with decentralised identity

Tuesday 29 June 2021 08:32 CET | Editor: Claudia Pincovski | Voice of the industry

Anne Bailey, analyst at KuppingerCole, explains the impact decentralised identity has on financial services and how it helps them by storing data in a secure way

Decentralised identity is a form of digital identity that offers specific advantages in trust, security, and privacy. To establish common ground first: a digital identity is a digital representation of a complex individual. This means that digital identities are not simply a translation of physical ID documents into a virtual setting, but can be used to describe the multifaceted identity of an individual. Digital identities of course exist already, an example being government-sponsored eID programs.

Requirements

Digital identities must fulfil several requirements before they are truly useful to entities and users. A few of the essentials are trustability, interoperability, user-centricity, and privacy. A primary goal of a digital identity is to be presented to different entities – a bank, an insurer, an employer, a health provider – as a form of identification or authentication. For this to be possible, the receiving party must trust the issuer and trust that the data has not been tampered with since its issuance. Therefore, a digital identity must be verified so that a receiving party can trust that the individual presenting it is accurately represented in the digital ID.

Functionally, digital identity needs to be interoperable so that it can be exchanged between the many different entities and successfully processed by the internal systems of each. A user-centric digital identity shifts the model from company-held user credentials (or employee credentials, partner credentials, etc.) to a user-held credential. This streamlines the onboarding and management of identity and the burden is reduced to provisioning, authentication, and authorisation.

Digital identities must have sufficiently high levels of privacy – backed by standards – to ensure that any data shared during transactions is stored appropriately and isn’t leaked or sold to third parties, especially since digital identity transactions will deal almost exclusively in PII. Consent for processing only scratches the surface of privacy, and in GDPR speak the legitimate interest for data processing must be adequately justified.

Decentralisation

These are only a few of the demanding requirements for digital identity, which is why decentralised identity, with its distinct architecture and strengths in providing trust to digital transactions, should be considered. A decentralised identity experience typically begins with the user downloading a digital wallet app onto their mobile device from one of the many vendors already on the market. The user onboards their real-world identity, starting to create the digital representation of themselves. Typically, the user will scan a government-issued ID with the camera on their mobile device. This is checked in real-time against an authoritative source, such as public databases and blacklists, to verify that the ID is valid. A series of anti-fraud checks are also typically completed to detect tampering with the ID. IDs that have a biometric chip can be read by the mobile device’s NFC capabilities to corroborate the information found in public databases.

At this stage, it can be said with confidence that the identity document is a valid one, but there is not yet proof that it describes the person onboarding it. To establish ownership of the identity document, the next step is often to take a selfie video, collecting biometric information to compare against the photo in the identity document and completing a liveness detection test to guard against spoofing attacks. By this point, the user has theoretically achieved an Identity Assurance Level 3 (from NIST 800-63-3), useful for completing higher-risk transactions, verifying identity before accessing a service, and some KYC processes.

Verifiable and reusable

Looking behind the scenes reveals why a decentralised solution is compelling. The user onboards quite a bit of sensitive identity data. In a decentralised solution, this data is stored in the secure enclave of their mobile device, along with private keys. When this data is checked against the authoritative sources and proven correct, a ‘proof’ is issued and stored on the decentralised ledger. This proof does not contain any identity-related data, but it does state that an attribute, such as the date of birth, is correct. The proof, or Verifiable Credential, is shared with other entities in a way that protects the identity data yet still proves validity.

New opportunities for selective attribute sharing enabled by zero-knowledge proofs are possible, where a user can present their Verifiable Credentials to an entity without disclosing any private information. An example is proof of age – an individual can prove they are above a certain age without revealing exact information such as their date of birth or name. Emerging standards such as DID and Verifiable Credentials guide how identity attributes are described, stored, protected, and shared.
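The selective sharing described above, as an added example that is not from the original article or from any vendor's product: it uses salted-hash selective disclosure under an Ed25519 issuer signature, a simpler technique than a zero-knowledge proof, and assumes the verifier already holds the issuer's public key. The function names and sample values are constructed for illustration.

```javascript
// Added example: salted-hash selective disclosure (not a zero-knowledge proof).
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// One digest per claim; the random salt stops a verifier guessing hidden values.
const digestOf = (d) => sha256(JSON.stringify([d.salt, d.name, d.value]));

// Issuer: after checking the attributes, sign only their salted digests.
function issue(attributes, issuerPrivateKey) {
  const disclosures = Object.entries(attributes).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value,
  }));
  const payload = JSON.stringify({ digests: disclosures.map(digestOf).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64');
  return { credential: { payload, signature }, disclosures }; // disclosures stay in the wallet
}

// Holder: send the signed credential plus only the claims chosen for this verifier.
function present(issued, names) {
  return { credential: issued.credential,
           disclosed: issued.disclosures.filter((d) => names.includes(d.name)) };
}

// Verifier: check the issuer signature, then that each revealed claim was signed.
function verify(presentation, issuerPublicKey) {
  const { payload, signature } = presentation.credential;
  const sigOk = crypto.verify(null, Buffer.from(payload), issuerPublicKey,
                              Buffer.from(signature, 'base64'));
  if (!sigOk) return null;
  const signed = new Set(JSON.parse(payload).digests);
  const claims = {};
  for (const d of presentation.disclosed) {
    if (!signed.has(digestOf(d))) return null; // altered or never issued
    claims[d.name] = d.value;
  }
  return claims;
}

// Constructed sample data: prove age_over_18 without sending name or date of birth.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const issued = issue({ name: 'Alex Example', date_of_birth: '1990-04-12', age_over_18: true }, privateKey);
  const presentation = present(issued, ['age_over_18']);
  const tampered = JSON.parse(JSON.stringify(presentation));
  tampered.disclosed[0].value = false; // holder edits a claim after issuance
  return { accepted: verify(presentation, publicKey), rejected: verify(tampered, publicKey),
           wire: JSON.stringify(presentation) };
}
console.log(demo().accepted);
```

The signed payload is identical across presentations, so verifiers that compare notes can link them; avoiding that linkability is one reason zero-knowledge schemes are used instead.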

Impacts

Decentralised identities have some very interesting impacts on financial services. At a basic level, banks can be issuers of identity attributes like account information, or verify that credentials from another issuer, for example proof of address, are correct. Verified and reusable decentralised identities can be used to uplift the security and trustability of user accounts for KYC processes. Shifting most if not all of the KYC process to automated and digital exchange of verified identity attributes can decrease the time and cost for financial institutions. Increased accessibility to financial services can be expected over the long term as digital identities reduce abandonment rates. Security is boosted through using verified identities to prevent fraud, targeting specifically account takeovers, spoofing, and fraudulent identity documents. Use cases for decentralised identity are growing, with 2021 holding high potential as more vendors bring increasingly mature products on the market.

This editorial was first published in our Financial Crime and Fraud Report 2021 - How to Fight Fraud and Master KYC, Onboarding & Digital ID, which provides a comprehensive overview of the major trends driving growth in fraud prevention, identity management, digital onboarding and KYC, transaction monitoring, financial crime compliance, regtech, and more.

About Anne Bailey

Anne Bailey works as an analyst for KuppingerCole Analysts covering emerging technologies such as decentralised identity and artificial intelligence, as well as information protection topics including privacy and consent management. Her current research can be found at kuppingercole.com.

 


About KuppingerCole

KuppingerCole, founded back in 2004, is a global, independent analyst organisation headquartered in Europe. We specialise in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM, Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation.
