Identity is important in digital transformation – I’ve already gone into detail about this in part 1 of this blog. But if it’s so important, then why are so many organisations struggling to adopt it? And why isn’t there a global initiative?
That is something I hope to discuss in article. I’d love for you to share your thoughts and join the conversation. Please use the comments or tweet me @managedLEI.
I’ve put together this list of qualities that an ideal identity ecosystem would have.
Not all groups focused on digital identity have highlighted all of the above features. For example the NIST highlight only privacy, security, interoperability, cost-effectiveness and ease of use as important. I think each of these factors holds an important place if the future digital identity system is going to work.
The conversation is still going on, even at the level where the definition of ‘digital identity’ is perhaps still unstable. We can agree that a digital identity is a set of attributes that, together, identify a particular person, business or thing.
“Giving users more control over their data, the power of consent, more information on who is accessing their data, portability, and other features, will protect individuals much more.
However, there will always be information that must supersede personal consent, such as criminal and security data, or demographic data that allows for allocation of benefits and services. This is the same data that has been and is continued to be used against people. This is the same data that leads to mistrust, unwillingness, and/or fear to adopt.”
Who wants their data to exist in an ecosystem that hasn’t been proven to work yet? And doesn’t all of this eventually lead to the eventuality of government tracking like that we see in futuristic films? One minute we’re sharing our attributes, next, we won’t be able to shop or travel without our government issued chip implants.
Businesses will be accountable for every transaction, possibly making it harder for small business owners to succeed. Compliance can be expensive, especially when you get it wrong!
We’ve discussed what the ideal digital identity system looks like but how would this work in practice? Let’s take an example workflow from a bank. A citizen would like to get a mortgage online and will use the identity he/she set-up with their bank to complete this transaction.
How many times is identity being used in this transaction?
At a simple level, the bank must check that the applicant is who they say they are. The bank and the bank’s CRM have to communicate and verify each other. The applicant’s email provider is checking and verifying and the signing provider is checking and verifying information on the document. The bank then has to check and verify everything again before releasing the funds.
What makes this exchange of data so complicated? Today, the number of providers that are working together to make this transaction happen mean that the applicant’s data is being sent through multiple different servers. More data exchanges means that there is more opportunity to intercept this information and pose as either the bank or the applicant.
As I already mentioned the bank isn’t just verifying the identity of their customer, it must verify the identity of the servers and third-party vendors it works with too!
We’re not just dealing with the identity of a single person, we’re dealing with the identity of people, businesses and things. All very different and involving their own set of attributes but all very important in the ecosystem and very rarely spoken about together.
When updating your business processes (whether you’re a public or private business), you need to take these three levels of digital identity seriously and find a way to build in each feature of the perfect identity ecosystem into this.
The most commonly written about and important for a variety of reasons. Digital identity for citizens is about having an easy way to access services (leading to better social inclusion) and the ability for governments to better track the welfare of their citizens.
A great example of this is the work being done in Estonia. Estonia is a shining example of a digital identity system that works. Every citizen has a digital identity that they can use to travel in the EU, access health services, vote and log in to their bank.
In a future where sensors and devices are all running automated workflows, we need to ensure that hackers cannot intercept these messages and cause a catastrophe. How does a device identify itself? At the moment it’s common for devices to use digital certificates to identify themselves but today, these aren’t necessarily proving or verifying any identity. They simply encrypt the information exchange. To add a layer of identity, we need to digitally sign these data exchanges.
For example, the use of secure digital identities in agriculture can lead to precision farming techniques which more accurately raise livestock and grow crops.
Probably the least studied or talked about type of digital identity but the most important in economic terms is digital identity for business entities. But changes are happening the EU with regards to business entity identification. MiFID2 is requiring all businesses to have a Legal Entity Identifier and use this to make any transactions on the financial market.
As if this whole thing wasn’t complicated enough as it is, I am going to throw a few more spanners in the works.
The identity ecosystem is currently made up of identity brokers, identity holders and identity providers.
As an example, an online service provider wants to give login options to their users without having to code everything from scratch so they hook up an identity broker to their system and the identity holder can access the service using Facebook, LinkedIn, their bank ID or mobile phone.
It’s not always necessary to provide such a wide array of options. For example, your bank may not want you to login with your social ID. It’s up to the business service and broker to work together to come up with solutions that meet the customer’s needs but don’t compromise security!
As we speak, deep learning algorithms are getting much better at identifying a single user based on their online behaviour. This is a bit scary but it could lead to a future where passwords are a thing of the past and people can login with their digital footprint.
Are people ready for such technology? Can we find a balance between identity and privacy needs?
Distributed ledger technology is a big buzzword at the moment and a lot of articles are sprouting up to claim that the blockchain is the solution to identity. But having complete anonymity is not always required in an identity exchange. What you want to do is share your information with WHO you want WHEN you want.
Maximillian Van De Poll has written an entire article on why blockchain is not the answer to digital identity but this isn’t going to stop hordes of companies trying to make it work. At the moment, even if blockchain was proven to work, its not ready to carry the number of transactions on it that is needed for a digital identity network to work. Just as an example, Ethereum transactions were around 20 per second last year. It will take a lot of computing power (which normally also means money) to carry out the number of ‘transactions’ required in a digital identity ecosystem. Which means that for now, blockchain cannot be cost-effective for a national or international identity ecocystem.
I didn’t write this article with the hopes to dishearten companies and individuals but to enlighten them. If there’s any takeaways from this its that we need to focus on what we can do now to make a change. Identify and encrypt at every layer and you should be off to a great start. Protect your customers and give them trust in you to use your online services, then provide an easy and user-friendly way for them to sign up and login. And if you have to do this with a third-party broker then make sure they’re following best practices.
In the next blog I hope to explore some of the initiatives that are already happening to improve the national digital identity ecosystem. I will refer to some initiatives all over the world but with a UK focus. If you have any thoughts or comments on this article. Please feel free to share them with me in the comments or by tweeting me @ManagedLEI.
Register a new LEI or transfer an existing LEI to ManagedLEI today for low cost LEI renewals.Buy or Transfer an LEI
Trusted Identity Ltd. LEI: 98450054NFCE7A67C172Managed LEI © 2020. All Rights Reserved.