Identity is important in digital transformation – I’ve already gone into detail about this in part 1 of this blog. But if it’s so important, then why are so many organisations struggling to adopt it? And why isn’t there a global initiative?
That is something I hope to discuss in this article. I’d love for you to share your thoughts and join the conversation. Please use the comments or tweet me @managedLEI.
The Perfect Digital Identity Ecosystem
I’ve put together this list of qualities that an ideal identity ecosystem would have.
- Immutable – identity attributes that are immutable cannot be changed. But how can we create immutability when identity attributes are always changing? Phone numbers and addresses are the attributes most likely to change on a regular basis and yet, today, they are very commonly used to confirm the identity of an individual or business entity. The use of attributes such as fingerprints and retina scans can help but there is always a possibility that your fingerprint could change…what then? We need a mechanism in place that logs changes in attributes at the earliest possible convenience.
- Accurate – attributes should be up-to-date and accurate. But how do you maintain accurate records of attributes that can change? Who is the onus on to report a change and ensure it’s reflected?
- Interoperable – a citizen or business or ‘thing’ should be able to use its identity attributes in a variety of different systems and networks seamlessly. Government services like filing my taxes and national healthcare systems shouldn’t require two sets of identity. This means that identity attributes should be portable.
- Trusted – there should be a way to verify with a high level of assurance that individual and sets of identity attributes belong to a single entity. Can we really trust this isn’t fraud or malicious activity? Who provides the checks needed? Will automation work?
- Cost effective – businesses and citizens shouldn’t have to spend a lot of money verifying themselves. We need a system that is cost-effective so that there’s uptake!
- Secure and private – if we’re giving up all this information on ourselves then we should be able to trust that the highest level of security is in place around our data and that only those who need to see it can see it.
- Self-sovereign – citizens and business entities should have control over what identity attributes are being used and which data they choose to share with their providers. If I don’t want to share my phone number, there should be alternative methods to prove who I am.
- Easy to use – whether you’re a citizen or a business entity, you don’t want to spend money and time trying to work out how to use a service or prove your identity. Services should make identity easy to use and, if possible, enjoyable too. There’s nothing worse than being locked out of a system by an automated machine that thinks you are a fraudster.
Not all groups focused on digital identity have highlighted all of the above features. For example, NIST highlights only privacy, security, interoperability, cost-effectiveness and ease of use as important. I think each of these factors holds an important place if the future digital identity system is going to work.
The conversation is still going on, even at the level where the definition of ‘digital identity’ is perhaps still unstable. We can agree that a digital identity is a set of attributes that, together, identify a particular person, business or thing.
“Giving users more control over their data, the power of consent, more information on who is accessing their data, portability, and other features, will protect individuals much more.
However, there will always be information that must supersede personal consent, such as criminal and security data, or demographic data that allows for allocation of benefits and services. This is the same data that has been and continues to be used against people. This is the same data that leads to mistrust, unwillingness, and/or fear to adopt.”
Who wants their data to exist in an ecosystem that hasn’t been proven to work yet? And doesn’t all of this eventually lead to government tracking like that we see in futuristic films? One minute we’re sharing our attributes, next, we won’t be able to shop or travel without our government-issued chip implants.
Businesses will be accountable for every transaction, possibly making it harder for small business owners to succeed. Compliance can be expensive, especially when you get it wrong!
Where Does Identity Exist Digitally?
We’ve discussed what the ideal digital identity system looks like but how would this work in practice? Let’s take an example workflow from a bank. A citizen would like to get a mortgage online and will use the identity he/she set-up with their bank to complete this transaction.
- Customer applies for mortgage online by verifying identity using a set of attributes of their choosing. They share these attributes with their bank to prove their identity.
- Bank confirms their identity and the customer applies online for mortgage.
- Information is encrypted and sent to the bank’s servers, where the application goes through the bank’s CRM tool and triggers a complex set of workflows to process the application. Identity is once again verified to make sure that the encrypted message retains its integrity.
- Application is rejected or accepted based on workflows set up by bank.
- Customer gets emailed with denial or a contract to sign digitally (using their identity to sign the application).
- If application is accepted, the agreement (and once again, identity) is verified and funds are released to customer’s bank account.
How many times is identity being used in this transaction?
At a simple level, the bank must check that the applicant is who they say they are. The bank and the bank’s CRM have to communicate and verify each other. The applicant’s email provider is checking and verifying and the signing provider is checking and verifying information on the document. The bank then has to check and verify everything again before releasing the funds.
What makes this exchange of data so complicated? Today, the number of providers that are working together to make this transaction happen means that the applicant’s data is being sent through multiple different servers. More data exchanges mean that there is more opportunity to intercept this information and pose as either the bank or the applicant.
Digital Identity Considerations
As I already mentioned, the bank isn’t just verifying the identity of its customer; it must verify the identity of the servers and third-party vendors it works with too!
We’re not just dealing with the identity of a single person; we’re dealing with the identity of people, businesses and things. These are all very different and each involves its own set of attributes, but all are very important in the ecosystem and very rarely spoken about together.
When updating your business processes (whether you’re a public or private business), you need to take these three levels of digital identity seriously and find a way to build each feature of the perfect identity ecosystem into them.
Digital Transformation and Identity of People
This is the most commonly written about type of digital identity, and it is important for a variety of reasons. Digital identity for citizens is about having an easy way to access services (leading to better social inclusion) and the ability for governments to better track the welfare of their citizens.
A great example of this is the work being done in Estonia. Estonia is a shining example of a digital identity system that works. Every citizen has a digital identity that they can use to travel in the EU, access health services, vote and log in to their bank.
Digital Transformation and the Identity of Things
In a future where sensors and devices are all running automated workflows, we need to ensure that hackers cannot intercept these messages and cause a catastrophe. How does a device identify itself? At the moment it’s common for devices to use digital certificates to identify themselves but today, these aren’t necessarily proving or verifying any identity. They simply encrypt the information exchange. To add a layer of identity, we need to digitally sign these data exchanges.
For example, the use of secure digital identities in agriculture can lead to precision farming techniques which more accurately raise livestock and grow crops.
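The point about device identity, as an added example that is not part of the original post: each message carries an authenticator bound to the sending device's enrolled key, so the receiver can reject altered, spoofed and replayed messages. It uses HMAC-SHA256 from Python's standard library as a symmetric stand-in for a certificate-backed digital signature; the device names, keys and message fields are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed enrolment registry: device id -> key provisioned at enrolment.
DEVICE_KEYS = {
    "soil-sensor-01": bytes.fromhex("aa" * 32),
    "feeder-07": bytes.fromhex("bb" * 32),
}

def _canonical(device, counter, reading):
    # Both sides must authenticate exactly the same bytes.
    fields = {"device": device, "counter": counter, "reading": reading}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_message(device, counter, reading, key):
    # Device side: bind the claimed identity, a counter and the data to the key.
    tag = hmac.new(key, _canonical(device, counter, reading), hashlib.sha256).hexdigest()
    return {"device": device, "counter": counter, "reading": reading, "tag": tag}

class Verifier:
    """Receiver side: checks origin, integrity and freshness of each message."""
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}

    def verify(self, msg):
        try:
            device, counter = msg["device"], msg["counter"]
            reading, tag = msg["reading"], msg["tag"]
        except (KeyError, TypeError):
            return "malformed"
        key = self.keys.get(device)
        if key is None:
            return "unknown-device"
        expected = hmac.new(key, _canonical(device, counter, reading), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(tag).encode()):
            return "bad-tag"  # altered in transit, or sender lacks this device's key
        if counter <= self.last_counter.get(device, 0):
            return "replay"   # authentic but already seen
        self.last_counter[device] = counter
        return "ok"

def run_demo():
    v = Verifier(DEVICE_KEYS)
    good = sign_message("soil-sensor-01", 1, {"moisture": 0.31}, DEVICE_KEYS["soil-sensor-01"])
    altered = dict(good, counter=2, reading={"moisture": 0.99})
    spoofed = sign_message("soil-sensor-01", 3, {"moisture": 0.31}, DEVICE_KEYS["feeder-07"])
    return [v.verify(m) for m in (good, good, altered, spoofed)]
```

Because the receiver holds the same key as the device, this proves origin only to the receiver; an asymmetric signature checked against the device's certificate is needed when a third party must be able to verify the message too.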
Digital Transformation and Identity of Entities/Organisations
Probably the least studied or talked about type of digital identity, but the most important in economic terms, is digital identity for business entities. But changes are happening in the EU with regard to business entity identification. MiFID2 is requiring all businesses to have a Legal Entity Identifier and use this to make any transactions on the financial market.
Spanner in the Works
As if this whole thing wasn’t complicated enough as it is, I am going to throw a few more spanners in the works.
The Identity Ecosystem
The identity ecosystem is currently made up of identity brokers, identity holders and identity providers.
- Identity Holder – anyone with an identity is an identity holder.
- Identity Provider – a provider (like a bank) is capable of setting you up with an identity and verifying one or more attributes.
- Identity Broker – connects identity providers to services so users can have more control over the identity they use to access services.
As an example, an online service provider wants to give login options to their users without having to code everything from scratch, so they hook up an identity broker to their system and the identity holder can access the service using Facebook, LinkedIn, their bank ID or mobile phone.
It’s not always necessary to provide such a wide array of options. For example, your bank may not want you to log in with your social ID. It’s up to the business service and broker to work together to come up with solutions that meet the customer’s needs but don’t compromise security!
As we speak, deep learning algorithms are getting much better at identifying a single user based on their online behaviour. This is a bit scary but it could lead to a future where passwords are a thing of the past and people can log in with their digital footprint.
Are people ready for such technology? Can we find a balance between identity and privacy needs?
Distributed ledger technology is a big buzzword at the moment and a lot of articles are sprouting up to claim that the blockchain is the solution to identity. But having complete anonymity is not always required in an identity exchange. What you want to do is share your information with WHO you want WHEN you want.
Maximillian Van De Poll has written an entire article on why blockchain is not the answer to digital identity but this isn’t going to stop hordes of companies trying to make it work. At the moment, even if blockchain was proven to work, it’s not ready to carry the number of transactions that is needed for a digital identity network to work. Just as an example, Ethereum transactions were around 20 per second last year. It will take a lot of computing power (which normally also means money) to carry out the number of ‘transactions’ required in a digital identity ecosystem. This means that, for now, blockchain cannot be cost-effective for a national or international identity ecosystem.
Don’t Give Up
I didn’t write this article in the hope of disheartening companies and individuals but to enlighten them. If there is any takeaway from this, it’s that we need to focus on what we can do now to make a change. Identify and encrypt at every layer and you should be off to a great start. Protect your customers and give them trust in you to use your online services, then provide an easy and user-friendly way for them to sign up and log in. And if you have to do this with a third-party broker then make sure they’re following best practices.
In the next blog I hope to explore some of the initiatives that are already happening to improve the national digital identity ecosystem. I will refer to some initiatives all over the world but with a UK focus. If you have any thoughts or comments on this article, please feel free to share them with me in the comments or by tweeting me @ManagedLEI.
Cristina is an experienced professional with a diverse career that has played to her strengths as a pragmatic, multilingual manager and educator with a passion for building trust through clarity and communication. Founding ManagedLEI was a natural step for Cristina as an intrepid entrepreneur and under the Trusted Identity banner she has many exciting plans for the future of ManagedLEI and its anticipated associated financial and digital security products and services.