Digital identity — creating systems for secure ID authentication and verification

Digital identity offers an easy way to sign up for a service or prove who you are online. Even more importantly, for approximately one billion people who don’t have ID documentation, digital identity offers a path to actually having a usable proof of identity. For many, digital identity is the first step to gain access to basic financial services and help lift them and their families out of poverty.

Fundamentals of identity

Many of us take for granted our official identity documents, but in some parts of the world, the idea of having an identity is a luxury. Identity is the fundamental key that unlocks the ability to open a bank account, vote, drive, start a job, receive medical and government services, fly on a plane, participate in online marketplaces, and even buy products and services with one click.

Effective identity systems are a cornerstone element of a modern, functioning society. They help to establish trust between organizations and individuals to ensure products and services are delivered to the right person. A reliable identity system can mitigate the risk of fraud and effectively manage access to various levels of service.

To fight against corruption and terrorist financing, organizations require identity systems to help meet compliance requirements, such as Know Your Customer (KYC) and Anti-Money Laundering (AML) rules. These requirements can’t be understated; identity rules are the front line in the fight against criminals, as bad actors try to hide who they are when laundering money.

Digital identity for different use cases

Technically, the ISO/IEC 24760-1 standard defines identity as a “set of attributes related to an entity.” So, digital identity determines which set of digital attributes to ascribe to an entity.

In this era of big data, there’s a lot of information collected on people and their digital activities. What set of data is most effective for building trust? Offers the most security? Protects personally identifiable information (PII)? Delivers effective levels of risk mitigation? Ensures compliance? Provides a seamless onboarding experience?

There isn’t one use case, so there’s not one answer; different data sets will offer different trade-offs and it’s up to the parties involved to determine how they balance the value of each set.

That’s not to say it’s impossible to create a workable digital identity framework. But a universal digital identity needs to be adaptable, offering effective levels of security, be reliable and allow the individual certain controls over their information.

To provide the proper levels of trust and assurance for securely transacting business, a digital identity solution must answer multiple questions:

Global identity schemes

The world is going digital; according to IDC, 60% of the world’s GDP will be digitalized by 2022. To help counter the threat of money laundering, terrorist financing, fraud and other financial crimes, digital identity systems must operate as safely, securely and reliably as face-to-face customer identification historically does. As the guidance states, though, digital identity holds “great promise for improving (emphasis ours) the trustworthiness, security, privacy and convenience of identifying natural persons.”

There are numerous digital identity schemes in various phases of development and implementation across the globe. As these schemes get real-world results, the models, systems and public applications can learn and adapt to improve results.

eIDAS

In Europe, eIDAS “seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.”

eIDAS lists 77 objectives to build trust online and create a digital identity system that works across the EU. The regulation will apply to public services and requires member states to accept the electronic identity schemes of other member states. Creating a proper digital identity scheme is an arduous and complex task. For example, eIDAS stipulates 52 articles to reach the objectives.

Pan-Canadian Trust Framework

In Canada, on September 15, the Digital ID and Authentication Council of Canada (DIACC) launched the Pan-Canadian Trust Framework ™ (PCTF), “a set of rules and tools designed to help businesses and governments to develop tools and services that enable information to be verified regarding a specific transaction or particular set of transactions.”

Aadhaar

In 2016, Paul Romer, the former chief economist of the World Bank, called Aadhaar – India’s national identity scheme — the most sophisticated ID program in the word. Aadhaar covers more than a billion people across one of the most geographically, culturally and ethnically diverse regions in the world. Ten years since its launch, close to 89% of India’s 1.4 billion (approx.) population has an Aadhaar card. From port cities straddling the Indian ocean to Himalayan villages perched 4,500 meters above sea level, the Aadhaar has become the most widely used identity document in India.

Improving Digital Identity Act of 2020

While the U.S. doesn’t currently have a national digital ID strategy, there’s a proposed Improving Digital Identity Act  intended to “enhance the security, reliability, privacy and convenience of digital identity solutions that support and protect transactions between individuals, government entities and businesses, and that enable Americans to prove who they are online.”

Not all digital identity schemes are from countries which are considered to be at the leading edge. Samoa, a small Pacific Island country of 190,000 people is planning a national digital ID system. Estonia has had digital ID capabilities on its national ID card since 2001. There are 60 different countries that currently offer some form of electronic ID.

Appropriate levels of trust

While adoption of new identity schemes helps advance the use of digital identity and offer clarity within jurisdictions, other considerations include cross-border business, travel, payments and other international identity use cases.

Depending on the use case, these technical standards can offer the necessary level of confidence — the higher “levels of assurance” — that meet the lofty standards required by regulated industries for handling sensitive information.

As the FATF recommends financial institutions apply a risk-based approach, conducting Customer Due Diligence (CDD) will require determining “an appropriate level of trustworthiness” for digital ID systems:

• What level of assurance does the system technology, architecture and governance provide in terms of reliability and independence?
• Is the level of assurance appropriate to the risk level of potential money laundering, terrorist financing, fraud and other risks?

With the various use cases and values placed on attributes (security vs. privacy, individual power vs. central control), having one grand identity scheme doesn’t seem practical.

Even with all the support from EU nations behind eIDAS, it only covers public entities at this point. Extending it to cover all private companies is a work in progress.

Digital identity networks

While one single digital identity system might be unattainable, on a more practical level, it doesn’t matter. With digital information that is configurable, translatable, adaptable and computable, digital systems can communicate with each other automatically to determine verification and authentication.

As long as systems account for the various stipulations, scenarios, requirements and limitations, the objective is the same – an identity system that effectively verifies individuals so they can participate in the services and opportunities that they want and need.

The model of digital identity networks is tearing down barriers to digital access. An identity network is a marketplace of hundreds of data sources, verification processes and tools that work together to identify who a person is — no matter their unique set of identity attributes and risk profile. Linked together, digital identity networks have the potential to create a global web of verification —  what the World Economic Forum (WEF) might call a “truly transformational digital identity system.”

A digital identity network fills the gap that individual digital identity services can’t. This marketplace approach lets businesses take a holistic look at all their identity risks and add in whatever verification layers are needed to provide assurance and build trust. Businesses can use the network to access the verification methods needed to satisfy KYC requirements and build trust online.

Anyone on a digital identity network issues or accepts an identity, and users choose which counterparties on the network to trust. When combined, these networks create a global, interoperable system for identity verification.

The identity network infrastructure includes all the verification methods and data sources needed for secure transactions. Each time a company wants to verify a customer or business entity, the network does the hard job of verification based on the company’s risk tolerance and the workflow (such as onboarding). In this way, the identity network can offer multiple levels of assurance that the individual is who they say they are.

The promise of digital identity is one that is easy to use, both for consumers and businesses. It’s secure, allowing only legitimate users access to the specific service. It ensures compliance. It builds trust online, across the globe.

The fact is, this digital identity ideal state is closer than you may think. Smart companies are building it now. Before long, all global citizens will have access to digital identity and we’ll all be able to partake in the full range of opportunities the future holds.

This post was originally published July 26, 2018. It has been updated to reflect the latest industry developments and best practices.