By Hal Lonas, chief technology officer, Trulioo
If it wasn't already apparent before COVID, the future of identity is digital. The pandemic's almost overnight shift to an online-only world has only accelerated this vision. Indeed, consumer technologies such as the iPhone are already pointing the way ahead.
Soon, we won't rely on driver's licences, passports, or ID cards to prove our identities. We're already seeing a shift to digital – a case aptly demonstrated within the current dialogue around vaccine passports – where biometric data is becoming more prevalent. However, one of the reasons this concept is being so widely debated is that there are extremes of preparedness for this type of identity-led initiative across the entire spectrum of society. There are also questions about how personal data of any kind is used, and this is once again shining a spotlight on the role of a digital custodian to store identity information and safeguard control.
A multilayered problem
The question of how we effectively and securely identify people online and enable them to perform digital tasks in a safe and secure manner is one of the fundamental issues of our time. The first challenge to overcome is clarity and consistency over what digital identity is and how it is quantified. One way to understand it is to view digital identity as a multilayered problem. At the bottom are the standards that govern system operation and include basic information like name, date of birth and National Insurance or passport details. At the top is service delivery, which must be efficient, effective and seamless to users. In between are authorisation, attribute exchange, authentication and attribute collection. Each of these has its own set of challenges.
Many efforts today address one layer but not others. For instance, authentication technology solutions tend to rely on attributes that have already been collected. These solutions provide a better experience for users and ensure that the same person is transacting each time, but they don't help identify who that person really is. Other solutions address a particular type of transaction only. They might facilitate the delivery of a government service, for example, and that's all. This approach also ends up collecting "tombstone" data—things like name and date of birth—rather than data that paints a more nuanced picture of the user.
We are not the answer
There are many who believe surrendering this identity right is in and of itself flawed and that we as individuals should be responsible. Ultimate guardianship comes down to trust, so the key question is, 'do we trust ourselves?' We've all had to click on the 'reset password' button many times and no doubt have passwords stored on our phones and in notes, along with many replicated PINs and log-ins. This is before you consider multi-factor authentication. Hands up if you have been caught in a bind after locking yourself out of your banking platform and had to reset every stage of authentication again.
With a self-sovereign identity, each user has a private key, designed in such a way that a brute force attack is close to impossible. This is clearly a good thing, as it prevents others taking over your digital identity. But putting the only possible key to access the digital identity in the hands—and forgetful brains—of the users invites disaster. There is no back-door. There is nobody to call. It's not just forgetfulness we need to worry about, as people have accidents or illnesses which can affect their memory. And when they die, and assets are to be passed on, the private key needed to access their digital identity is lost forever. We need to consider a worst-case scenario, such as someone's house burning down, traumatising them into losing their memory—and the recovery codes, carefully noted down and put in a sealed envelope, are also gone.
No, individuals are not the answer.
Challenging the status quo
Of course, the obvious question here is: who? In many countries, and over centuries, governments have been the "owner" of identity – they issue birth registration documents which mean we exist, and from these documents we can prove eligibility to work, access other services such as welfare, and gain further proofs of identity such as passports and driving licences. This is the established status quo, but the speed of advancement in technology, combined with challenges around regulation and ownership – regional, local, national or international – means that governments are an analogue solution for a digital age.
Banks are another often-cited guardian. Perhaps this is unsurprising given how much of our personal information our banks already possess and that they have incredibly rigorous safety measures in place. These institutions also tend to be at the vanguard of emerging technologies. But in an era of GDPR, and when financial institutions are already a prime target for cyber criminals because of the information they hold, would they be open to taking on more responsibility here – particularly as being an identity custodian won't necessarily come with a revenue stream? Indeed, would we want to give up more of ourselves to our bank than we already do?
Preventing identity custodian progress
One of the critical concerns here is security. Losing a bank card or passport is irritating but completely manageable simply because it is only a single piece of data. If we package up our identity in a box and hand it over to a yet-to-be-defined custodian, and it is then hacked, the potential damage is far greater. It's another justification for using blockchain technologies. This will create a secure, public and anonymous storage platform for the identity data, and if this is combined with the requirement to use biometric authentication — something that, unlike a password, cannot be lost and is much more difficult to steal — as the means to claim identity, the process is both transparent and secure.
While they are completely founded, security fears are not the only thing holding identity custodian progress back. Self-sovereign identities will only become mainstream if governments relinquish their sole responsibility for issuing and storing our identity information. It will also require new technologies, such as blockchain, to gain traction and be trusted, which takes time. A cultural shift will be paramount, too. At present, some of us are all too willing to give up our data to get access to better offers or cheaper goods and services.
Whatever the solution is, it must be usable and mainstream technology, backed and trained by humans – this cannot be perceived to be man v machine because it will negate the critical factor of trust for many. Progress will also require the solution to scale massively and cheaply, like DNS with a distributed database that looks to "root authorities" for the authoritative answer.
Due in part to the global pandemic, technology has taken a huge leap forward in the last 12 months, and this is particularly acute for digital identity. The development of biometric-based, digital and electronic identity and document verification services has been critical in providing a means to effectively identify people online, enabling them to perform digital tasks in a safe and secure manner while operating remotely.
Unsurprisingly, we have seen a large increase in the demand for those services, with this trend likely to continue in the future. And with it, so too will the need for ownership and a source of identity grow – something everybody has a right to. Because everybody is somebody, and if the last 12 months have taught us anything, it is that people matter.