Unveiling trusted identities: OIX interview

Wednesday 22 November 2023 12:55 CET | Editor: Vlad Macovei | Interview

Dive into the world of trusted identities with Nick Mothershaw, Chief Identity Strategist at OIX, as he shares insights on creating universally trusted IDs globally.

 


Tell us more about your organisation and how OIX views the future of digital ID adoption and its role in facilitating secure and efficient digital transactions. What initiatives are you currently involved in to support this vision?

The OIX is a global non-profit organisation uniquely dedicated to achieving ID trust. Working across sectors and borders, our vision is a world where everyone can prove who they are and what they are eligible for anywhere, using a simple universally trusted ID. 

To achieve this, we have created a community for all those involved in the ID sector – organisations that will come to accept and rely on ID services, ID service providers, regulators, and market influencers – to connect and collaborate. Together we are creating the rules, tools, and confidence to support the acceptance of universally trusted IDs and eligibility information, whilst offering support and education where it is needed. 

Our work has been enabling the creation and evolution of trust frameworks around the world, whether by a government or for a specific geographical area, that will govern digital ID ecosystems effectively, ensuring they meet the needs of all the parties involved. This can be seen in our Guide to Trust Frameworks for Smart Digital ID.

This is feeding into our current work to enable digital IDs to interoperate seamlessly across the regulatory and technical boundaries that are defined in those trust frameworks. As outlined in our recent paper Digital ID DNA - Interoperability across Trust Frameworks, we are getting closer to being able to guarantee that trusted identity transactions can take place internationally. 

Our guides and papers form the bedrock of trust frameworks to support the creation and use of interoperable, universally trusted identities.

A key area of focus has been the evolution of digital ID wallets, and the role governments can and should play in that evolution.

 

Could you provide an overview of the key points made in the OIX paper, ‘Governments and Digital Wallets,’ and the reasons behind your recommendation that governments should not provide their own ID wallets?

There is significant focus on the evolution of digital wallets around the globe as governments try to determine how their own citizens can use them to carry government-issued credentials.

The biggest question being asked is ‘who should provide these digital wallets?’ and more specifically, ‘should governments provide digital wallets?’

Based on our vast research of digital ID trust frameworks across the globe, four key models have emerged of how governments might choose to interact with the world of digital wallets. These are where: 

  • The government provides a wallet for government-issued credentials only.

  • The government provides a wallet that can hold both government and private sector-issued credentials.

  • The government provides a wallet for its own credentials and also allows approved private sector-provided wallets to hold government credentials.

  • The government does not provide a wallet for its credentials but allows approved private sector-provided wallets to hold them.

While there are pros and cons for each one, our recommendation is that governments do not provide their own ID wallets to citizens. There are vast costs associated with creating, issuing, and managing a wallet, and the development requirements as wallets evolve will be extremely technical and complex. Governments are not best placed to maintain these effectively. 

We believe the role of governments should be to create strong trust frameworks that enable the approval and trust of private sector-provided wallets. This includes those provided by tech giants, such as Google and Apple, that may want to hold and present government credentials in their wallets. Government credentials can then be issued only into these approved private-sector wallets. 

This will help address any perceived loss of control or oversight by governments, and there are significant advantages to this approach for all the parties involved, whether it’s the governments, their citizens or the organisations that will come to rely on digital ID. 

For governments, it means the expense and technical resources required to build, operate and continually develop a wallet is not a burden on them. For consumers, it means having one wallet rather than two, that holds a mix of government and non-government credentials – much like they do today with a physical wallet.

 

You mentioned that digital wallets will be a crucial element of digital ID adoption. Could you elaborate on the significance of digital wallets in the context of proving one's identity and eligibility for various activities?

Digital ID wallets have emerged as the preferred method of storing, securing, and managing digital IDs. They will carry the credentials that enable people and businesses to prove who they are and what they are eligible to do. Their role, however, will be far greater than simply holding digitised versions of real-world credentials. 

The processes and rules involved in ID proofing are extremely complex and confusing for organisations that must work through the various credentials that exist to quickly work out what information will be accepted. And they must do this in constant liaison with the end user (the customer) to get the right ones. The process is even more confusing, and painful, for the end user. Users cannot be expected to understand the ‘rules’ or work out which credentials, or parts of credentials, are needed for each transaction. 

Our vision is ‘smart’ digital ID wallets with the ability to interpret each organisation’s complex rules, then work out which credentials are needed for both the organisations and the end user, while helping users obtain the credentials they don’t have. This must all be in a structured way and without requiring an understanding of the rules. If this means combining information from several credentials to meet data minimised needs, the ‘smart’ digital ID wallet must be able to do that safely and with the user’s consent. 

As such, wallets will be a crucial element of digital ID adoption. Leaving organisations and end users to work out what credentials are needed will simply become another major barrier to the adoption and success of digital ID. 

The next stage in the evolution of wallets is ‘roaming’ digital ID wallets – where smart wallets can read and dynamically adapt to expressions of policy from all parties across virtual trust domains, as well as physical countries, without the need for a new wallet in each new trust domain. For example, when a person flies from the US to Europe, their wallet must dynamically and seamlessly adapt to the policy rules for digital identity in the EU. This would be in the same way that payment cards and phones continue to work quite easily across international boundaries today.

For this to happen, there needs to be a way that will allow all parties in the identity ecosystem to describe their rules to each other. This is something we have now defined in our paper Digital ID DNA - Interoperability across Trust Frameworks as the Open Criteria Exchange Tool (OCET). 

Earlier this year, the Open Wallet Foundation was launched to create open source code enabling those wishing to build and issue wallets to users, to do so in a rapid way while leveraging existing global standards. We would then want to see the OCET adopted into the components that are published through the Open Wallet Foundation, so that all parties can work in a consistent way to describe, share, and comply with digital identity policy. 

This will help achieve global interoperability among digital ID wallets.

 

As governments worldwide are exploring the concept of digital wallets to carry government-issued credentials, what key challenges or questions have arisen regarding who should provide these digital wallets?

Today governments issue physical credentials, such as ID cards, passports, and driving licenses to their citizens, but they do not give citizens the wallet in which they must carry these credentials, nor do they track where those credentials are used. 

If governments move to issuing digital credentials that must be managed and presented from a government-issued wallet, this introduces concerns that governments will track where credentials are used, reducing the privacy of the many transactions that users enjoy today. It also moves away from the mental model that users have of physical credentials held in a single physical wallet today.

With the continuing rise of fraud, governments understandably want to assign the wallets that hold and present digital credentials to ensure those credentials are securely managed and protected from fraud. Unfortunately, it still raises privacy concerns in the minds of the users.

The alternative is for governments to issue digital credentials only into digital wallets that meet their stringent standards, and that they trust to be secure. In this case, the role of governments will be to create a strong trust framework for wallets.

 

OIX recommends that governments focus on creating trust frameworks for private sector-provided digital wallets. Could you explain how these trust frameworks would work and what benefits they offer in contrast to governments providing their own wallets?

In our recommended model, government credentials, including a government issued ‘trust anchor’, can be held only in private sector provided wallets that have been ‘approved’. Approval of these wallets must be through their certification to a government defined digital ID trust framework. 

Such frameworks are currently being developed by governments around the world to provide the rules and guidelines needed to govern digital ID ecosystems effectively and guarantee trusted identity transactions internationally. Entities wanting to participate in these digital ID ecosystems will need to be certified to show that they are compliant with the obligations the framework defines. 

As mentioned earlier, trust and privacy are key concerns among the general public. A trust framework will be key to enabling them to choose a private sector brand that they can trust to manage their wallet with both their government and private sector credentials. They can use this to access government services, as well as private sector services. It is also a reassurance that the government does not have access to their activities. 

For governments, not only does this model take away the burden of managing wallets and the cost of the ongoing innovation that will be needed, but it allows them to maintain some control over government credentials and the way the data is handled.

As such, trust frameworks will play a vital role in driving smart digital ID wallet progress and ultimately, the successful mass adoption of digital ID.

 

Could you share more about the four key models outlined in the ‘Governments and Wallets’ paper that governments might consider when interacting with the world of digital wallets? What are the pros and cons of each of these models?

The government provides a wallet for government-issued credentials only.

In this model there will be some form of ‘trust anchor’ credential, such as a national ID or a recognized level of assurance, which contains core ID information about the user - name, address, date of birth, national ID number. This information will be verified by the government or to a standard approved by the government. This is used to identify the user, allowing the user to store other trusted credentials in the wallet, and removes the need to re-identify the user each time they ask for a credential. 

Government-issued wallets are not able to hold private sector credentials and private sector wallets are not allowed to hold government issued ID credentials. The government issued wallet can, however, be used to provide ID verification to the private sector. Equally, there may be specific use cases where government accept non-government issued credentials from a private sector wallet. 

The user, however, will most likely already have a private sector wallet on their smart phone from providers like Apple or Google. This means users will have at least two wallets, contradicting their mental model of a single physical wallet that contains a mix of credentials. 

Furthermore, for the organisations that will rely on digital ID for their customers, in order to gather the credentials required to fulfil a specific transaction, they may need to access credentials from both the government wallet and a private sector wallet. This will involve complex user interactions and high integration costs.

The government provides a wallet that can hold both government and private sector-issued credentials.

This second model goes a step further. The government issued wallet can also be used to hold some private sector credentials, but private sector wallets are not allowed to hold government issued ID credentials. 

Realistically, governments will only be able to support some key common use private sector credentials. This means that users will still need to have more than one wallet. Organisations relying on digital ID will still have the challenge of integrating them.  

Privacy concerns also come into play here. Users may be uncomfortable with some of their private sector credentials - banking details, travel details or account access details - being held in a government issued wallet, regardless of any assurances the government might give.  

Furthermore, governments will have to host and manage credentials issued by non-government parties, making the operation of the wallet more expensive and complex from a security perspective. Unless they make the decision to charge for holding and supporting all the credential types that exist in the private sector, it will be a mammoth undertaking with little reward for them.

Government provides a wallet for its own credentials and also allows approved private sector provided wallets to hold government credentials.

The third model involves a government provided ID wallet that contains government credentials only, to be used to access specific government services only. In this model, however, government credentials, including a government issued ‘trust anchor’, can also be held in private sector provided wallets that have been approved by the government through certification to a government defined digital identity trust framework.

The user can then collect government and private sector credentials in a trusted private sector provided wallet, removing the fear that government might have access to credential use. In this model, private sector wallet providers can use the fact that they have both government and private sector credentials to meet complex multi-credential relying party use cases as a competitive feature of their wallets. The user may have the option to use one private sector wallet for most of their transactions if they choose to.

Users may still need two wallets, with one of them being a government wallet to access specific government services. And, governments still have the burden of the complexity and cost of building and managing a government ID wallet. 

Government does not provide a wallet for its credentials but allows approved private sector provided wallets to hold them.

In this final, simpler model, wallets do not come from the government. Government credentials, including a government issued ‘trust anchor’, can be held only in private sector provided wallets that have been approved. Approval of these wallets must be through their certification to a government defined digital ID trust framework. 

While this means a loss of direct control over the management of government credentials in a wallet, it still allows some control of government credentials and how the data is handled.

Users can collect and hold both government and private sector credentials in one trusted private sector wallet, rather than several. It also removes privacy fears for the public.

For private sector wallet providers that have been certified and approved through the trust framework, they can highlight their access to government and private sector credentials as a commercial and competitive advantage, as their wallets will be able to more easily meet the complex multi-credential requirements of relying parties.

 

How do you envision governments collaborating with tech giants like Google and Apple to hold and present government credentials in their wallets, as recommended by OIX?

If tech giants wish to carry and present government credentials, then they should become compliant with, or certified to, the trust framework for wallets created by the government in question. 

They are already moving in this direction. Take, for example, their adoption of the Mobile Driver’s Licence (mDL) standard for digital driving licences, which defines some of the storage and presentation rules required for government grade credential hosting and presentation.

 

You mentioned that OIX's recommended approach helps address the perceived loss of control or oversight by governments. Could you explain how this approach maintains a balance between government involvement and citizen privacy?

By requiring private sector wallet providers to be certified by a government created trust framework, government will be able to ensure high standards for good quality credentials management, use and portability. Government can control which private sector providers can use a government credential and it can withdraw its credentials from wallets that fail to maintain the required standards. 

As the wallet is provided by private sector, this allays concerns that users, privacy campaigners and the media may have about the government knowing when or where credentials are being used or the perception that government can track the movement of citizens through government provided ID wallets. It also stops perceptions around the government having a master ID database. 

 

What significant advantages does OIX see in the approach of having private sector wallets subject to a government trust framework for all stakeholders, including governments, citizens, and organisations relying on digital IDs?

Among the biggest advantages for governments is the cost saving and the speed to market. They would not need to focus on the development, maintenance, security, provision, integration and management of a government issued ID wallet. 

This would be left to the private sector providers, who are also better equipped to bring things to market at a greater speed. 

Competition between private sector wallet providers would ensure ongoing innovation and evolve digital ID to meet different delivery modes. For example, moving away from smartphone only wallets to a more inclusive approach. It also creates a private sector market for wallets, enabling economic growth, rather than a taxpayer funded ID utility. 

This would mitigate the risk of government delivered ID wallets suffering from technology and innovation stagnation.

Private sector wallets can also work more seamlessly across government boundaries, enabling access to services for non-national subjects and further economic growth. Ultimately, more users will be able to access digital ID wallets far more quickly, enabling the digital ID ecosystem to take shape at speed. 

For the end users, they can choose a private sector brand they trust to manage their wallet – a trust framework is key to enabling this trust. They also have the option of managing all their credentials in one wallet with seamless access to multi-credential transactions. Equally, they may choose to have several digital ID wallets for different aspects of their life, i.e. for personal, business or when they go abroad.

Fundamentally, it removes the fear of government owning a master ID database and being able to track what citizens are doing. 

For organisations that will come to accept and rely on digital ID to enable their customers to access their products and services, this approach will ensure they can access all the credentials they need to meet their highly complex multi-credential requirements through one wallet. Smart wallets will play a vital role here, pushing the complex processing element to a third party. 

Continuous innovation by the private sector means that they can be confident that they are operating in a highly secure environment, rather than relying on often older versions of security that tend to prevail in government systems. This also means that if fraud occurs, they may be able to assign some liability to the private sector ID provider. With a government provided wallet, this liability cover is unlikely.

Ultimately, relying parties will have greater commercial choice and leverage, keeping the market price for credentials competitive. 

About Nick Mothershaw 

Nick Mothershaw is Chief Identity Strategist at the Open Identity Exchange (OIX), a non-profit trade organisation on a mission to create a world where everyone can prove their identity and eligibility anywhere through a universally trusted ID. Working with organisations across the globe, Nick is leading the development of clear guidance around inter-operable, trusted identities. In his previous role as Director of ID and Fraud at Experian, he led the development, launch and operation of a full ‘Identity as a Service’ solution - the first live example of a digital ID that is seamlessly interoperable across public and private sector in the UK.

About OIX

The OIX is a non-profit trade organisation on a mission to create a world where everyone can prove their identity and eligibility anywhere through a universally trusted ID. OIX is a community for all those involved in the ID sector to connect and collaborate, developing the guidance needed for inter-operable, trusted identities. Through our definition of, and education on Trust Frameworks, we create the rules, tools and confidence that will allow every individual a trusted, universally accepted, identity.

