Next-gen digital identity protection calls for system reform

By Petros Efstathopoulos, Global Head of Research, NortonLifeLock

Our digital identity is the key that unlocks an entire world of essential services – from banking to healthcare to everyday tasks such as going to the gym.  If it is compromised, our financial and social wellbeing can be put at risk.

The ways in which we use our digital identity are proliferating. We work remotely, access digital healthcare, verify our identity and make our bank transactions online. Unfortunately, this increasingly makes our digital identity the target of cybercriminals who want to exploit weaknesses in a system that has grown organically over many years.

Consequently, the need for robust, dynamic digital identity protection has never been greater, and governments are responding with increasingly bullish electronic identity (eiD) targets.

But what factors are driving the need for system reform, and what will it take to implement an eID system suitable for the future?

Why reform is needed now

At the beginning of the digital age, many of the initial threats that arose were countered by digital identity protection. For instance, numerous methods of identity theft were suppressed by the application of tools that could rapidly detect and respond to them. Since that time, technology and online habits have evolved, particularly regarding the rise of online transactions and credential verification.

We have arrived at a critical moment as businesses and institutions begin to recognise the need for change. Above all, a new way to secure legitimate transactions and verify digital identities must be devised, one that moves beyond the need for physical credentials like ‘wet signatures.’

A new system should also mitigate the oversharing of personal data, which exposes sensitive information unnecessarily. For example, when you are asked to provide photographic proof of your ID, it can often result in more data than necessary being captured and stored during verification. This is just one limitation of existing systems and understanding them all will provide a basis from which to map out a solution.

Existing system challenges

Oversharing personal data: The example above illustrates a primary weakness of most existing eID solutions: the lack of data control precision during verification. This existing method contributes to the weakening of identity security, with users routinely having to expose an unnecessary amount of information from their passports and driver’s licenses. A next-gen solution must feature selective attestation, minimising data exposure.

A highly fragmented, susceptible landscape: Many existing eID approaches utilise identity element attestations, which further limit security due to being highly susceptible to tampering and theft. Compounding this challenge is the fragmented nature of the eID landscape, which forces consumers to use multiple accounts. This complexity increases room for human error and security weak points for identity thieves to target. Despite these inefficiencies, eID developers and many other service providers are continuing to develop disparate, ‘purpose-built’ systems that may worsen the fragmentation. The security of these systems is commonly based on inadequate email and password pairs, and in most cases do not adhere to a common standard.

An overly complex ecosystem: The current complexity of regulatory compliance is also presenting a significant challenge, hindering the transmission of verified credentials. To remedy this aspect of the problem, a system is needed that simplifies the process, while also considering cross-border compatibility and self-sovereignty.

An eID for the future

The next-gen approach must provide users with greater control of their data exposure and streamline the digital identity protection process. A design that delivers these capabilities is Decentralised Digital Identity (DDI) technology. Otherwise known as Self-Sovereign Identity, the technology consolidates various credentials within a digital wallet and can alleviate much of the existing complexity.

Once credentials have been stored within a digital wallet, DDI technology enables cryptographic proof to be shared with verifiers. It is through this capability that specific elements of identity can be shared, rather than sending photographic proof and revealing entire sets of irrelevant personal data.

Solutions built on this technology will also provide a native and highly processable format, enhanced transmission security, and increased privacy. In addition to this raft of benefits, this next-gen solution would also promote and streamline options for user consent, as well as standardising the verification in general. Perhaps most significantly, DDI has been standardised by the World Wide Web Consortium (W3C) and is supported by many other key stakeholders. This level of support enhances the potential success of the standard, even if it is implemented by completely different entities.

The digital identity revolution

Digital identity protection must be as innovative as the services and opportunities that emerging technology provides. Ensuring that verification capabilities are prioritised is essential to the safety of the increasingly digital lives we now lead, and for the realisation of digital transformation itself.

An opportune moment has now presented itself to reform identity systems, to bring about a next-gen, standardised approach. This is due in no small part to the appetite of governments, legislators, and regulators to support the development and evolution of eID systems. Experts and technology providers stand ready to deliver the necessary support to help bring about this digital identity revolution.

What the banking and finance sector can do to protect customers now

Given the intimate nature of information shared during banking and financial transactions, this sector is one which will be most impacted by stronger eID systems. Daily banking transactions are not only prime opportunities for cybercriminals to access accounts and siphon money from individuals – a burden ultimately bore by the banking institution – they are also vehicles for large-scale identity theft.  While system reform will be crucial to a safer future online, banks can help keep their customers identities safe today. This can be achieved by providing the tools to customers to help identify identity theft and assist restoration of their identity if it is compromised. By doing this, banks can keep their customers safer can ensure their trusted relationship is maintained. As a step further, embracing the upcoming next-gen identity technologies, will help make transactions safer and frictionless.

To learn more about this topic, and solutions available today, Norton will be at the Banking Transformation Summit, 29 June in London.