by Colin Soutar*
When we travel through airports with passports that allow us to enter countries, it is sometimes easy to forget all the underlying steps that went into establishing trust between the issuing and the receiving countries. At a minimum, there’s the international standardization definition of a “neutral expression” for the facial recognition software; the passport’s machine-readable zone that carries our biographical information; the interface characteristics of the on-board chip; and, most importantly, the processes used to initially identity-proof the owner and their rights to the passport, and the subsequent authentication steps used to verify that they are in fact the one presenting the passport at airports and borders.
Just as a physical passport provides ease of movement, imagine the convenience of having your own digital identity “passport” you can present every time you want to access a new online service, without providing all the usual personal information and creating a username, password, and other authentication factors. But while the online world – increasingly pervasive due to the global pandemic – does not require any standardized physical documents, identity-proofing and authentication are becoming inexorably more complex as users try to access a broad range of services and benefits without any direct, in-person interaction. For transactions of a single purpose, either in commercial or government sectors, self-contained identity solutions are nowadays often robust and easy to use. The challenges start to arise when we leverage credentials created by one system for use on another.
Why is this so hard? At the heart of the challenge lie two important inter-related considerations: trust and incentive. With travel documents, an issuing country has the incentive to allow its citizens to travel to other countries, and both countries have agreed on the operating conditions for the passport – so there is mutual trust. Securing the digital identity ecosystem matters because it can help to establish the basis for such trust online: among service providers, identity services, and – most importantly – users who will drive the commercial and government transactional engines.
This trust needs to be aligned, though, with incentives for the various parties. For example, users who manage and reuse their identity credentials like passports would likely be incentivized to drive greater online economic growth due to more convenience and confidence. Further, if commercial identity providers are incentivized to enable users to reuse credentials to access a multitude of services, then that helps limit the amount of unnecessary, replicated online personal information that consumers are required to provide. This would mean overcoming any liability concerns between the parties, or the natural tendency for organizations to want to retain information about their customer base for their exclusive use.
While there is still much work to be done around these considerations, the international trust aspect of digital identity is rapidly maturing. Based on supporting programmes across government and commercial organizations for well over a decade, Deloitte recently articulated four specific principles that are important to achieve broader, stronger and more convenient online transactions:
- Digital identity solutions should be user-controlled and portable. This means citizens and consumers can easily access many online services with the same secure digital identity and not have to create multiple different ones for each service.
- Digital identity services should be flexible and adaptive. Services should support the rapid integration of different end-user devices and authentication mechanisms – such as biometric technologies and low-friction solutions like behavioural analytics – based on evolving technologies and the shifting threat environment.
- A broader digital identity ecosystem will likely emerge where verified information is consumed. For example, a citizen may establish reputational trust around their digital identity that can then be used to post online information or receive threat alerts, such as compromised email addresses or other information that may be shared among organizations in the ecosystem.
- Strong digital identity systems should enable bi-directional trust. That is, governments need to know that authorized citizens are accessing services and information. But citizens also need to trust that they are interacting with a legitimate service, that their personal information will be protected, and that they can efficiently access services.
As noted, trust should extend throughout the full range of identity and service providers in the identity ecosystem. Although federation tools exist that help with technical interoperability (i.e. does the format of the data make sense?), there still remains a gap in defining “rules of the road” that can quantify the trust embodied in an identity credential: That is, are we really sure that the person presenting the credential is who they claim to be?
With respect to incentives, there is the potential for data-sharing among participants within a digital identity ecosystem. Such data could include shared threat signals, information on new vulnerabilities, profiles of emerging threat actors and broad information that helps unlock identity ecosystem-wide security capabilities in support of trusted transactions. This would allow governments and commercial organizations to deploy a layered approach that dynamically adjusts security controls based on the current known situational and transactional risk. It would also enable all participants of the broader digital identity ecosystem to have more confidence in the data that they rely upon and therefore encourage a richer set of participants.
With the pandemic forcing greater online interaction, it is likely that a more virtual society will persist beyond the crisis. As such, a dynamic and cohesive digital identity ecosystem will be needed to enable citizens and consumers to more efficiently and conveniently navigate online, while governments and commercial organizations gain the assurance that they need to determine that benefits and services are going to the correct individuals. This virtual society will have many diverse circumstances – with use cases spanning a wide range of requirements for digital identities. But it is critical to achieve the right degree of trust and incentive that will instill the user confidence needed to drive economic growth for years to come.
*Managing Director, Cyber Risk, Deloitte
**first published in: www.weforum.org