With digital identity heading towards mass adoption, the arms race to secure identities is stepping up a notch
Like smartphones, wifi or cloud computing, digital identity is heading on the same growth trajectory towards mass adoption. Coronavirus has been a shot in the arm for the industry with vaccine passports for travel, dealing with voter fraud or online access to new services helping to fuel adoption.
Five years from now, many more of us will be using digital channels to verify our identity on a daily basis.
“We foresee over 6.2 billion digital identity apps in service by 2025. This will capitalise upon how important the concept of identity is to our everyday lives,” says Nick Maynard, lead analyst at Juniper Research. Expect rapid growth in emerging markets, particularly in Africa, where mobile-first services help citizens access banks, loans, insurance and government services.
The tech toolkit needed to catalyse the future of this sector is already available. Estonia, which is a poster child for the mass adoption of digital ID, has been using decades-old systems. “Any changes will need social more than technical developments. No tech works without the right social context,” says Dr Garfield Benjamin, researcher at Solent University.
Success tomorrow will depend on societal trust in the sector today. This will be the crucial currency over the next decade, weighed against fears of a surveillance society.
“People trusting in an organisation holding their digital identity data is going to be fundamental to any successful rollout in the future. That’s one reason why social media platforms have struggled with similar concepts,” says Adam Desmond, UK and Ireland country lead for Mitek Systems.
“To drive adoption, government and big tech need to create more everyday use-cases for digital identities. One thing is for sure, if we don’t act soon, we may miss the boat.”
Answer may lie with government
Accessing government services is likely to be a silver bullet. Australia announced last year that digital identity will be a major focus of its AUS$800-million technology budget package. The aim is to help simplify and reduce the cost of interacting with public services. The UK government’s Digital Identity Consultation closed with a commitment to further the use of digital identities.
“We’re definitely seeing a growing appetite in government as we enter the new decade,” says Kevin Trilli, chief product officer at Onfido. “Setting standards will also help overcome the risk of market fragmentation as digital IDs become more pervasive in society. With centralised standards, the government can establish a requirement for interoperability, while still allowing for companies to offer competitive differentiation on the quality of service provided.”
This is where the problem lies as many industry players fear a proliferation in digital identities, similar to countless passwords and usernames, will weigh heavily on the sector. If you aren’t living in Singapore, Denmark, South Korea, Estonia or the Nordic countries where a single, often government-backed, digital ID reigns supreme, expect a proliferation of authentication systems.
“British society has adopted an almost ‘neo-medieval’ approach to digital identities. Individuals are using multiple overlapping identities across different jurisdictions, technologies and commerce,” explains Amanda Finch, chief executive of the Chartered Institute of Information Security.
“Our social media accounts present who we are to the online world, our bank accounts allow us to access our finances, and our national insurance numbers ensure we’re paid and taxed correctly. All these identities remain separate from each other and are not interchangeable.”
It doesn’t help that in the UK there’s been a strong historical resistance to universal identity cards, even though it’s ranked in the top ten by the United Nations e-government listings.
“The biggest barrier to making things happen is it takes years for government departments to even define what their requirements are. This, on top of lengthy, inefficient and bureaucratic procurement procedures, means the technology is often outdated or obsolete by the time it’s in production,” says Donal Greene, chief experience officer at Innovatrics. The spectre of universal credit looms large.
In Estonia, albeit a much smaller country with a strong digitalisation strategy, they’ve had a physical ID card, a SIM card and an app, all tied to a singular digital identity that’s powered by blockchain for a number of years now, the benefits of which are widely experienced across society.
“My ID card doesn’t just serve as my driving licence and national health card, but also as a loyalty card for bookstores and gym membership,” says Florian Marcus, digital transformation adviser at the e-Estonia Briefing Centre. “It’s effectively everywhere. I can also view my tax declaration or log in to my bank.”
Time for self-sovereign identities
For those nations stumbling over personal freedoms and fears of centralised digital IDs, the future could lie with self-sovereign identity, whereby people own their personal data fully without external intervention.
“This is where individuals can create their own portable digital ID,” says Mark Taylor, digitalisation and data partner at Osborne Clarke. “This also chimes well with wider developments in data regulation. The aim would be to raise the level of trust from individuals about how their data will be used and encourage greater data sharing.”
This form of digital ID has privacy by design and citizen empowerment at its core. With this technology there are no central repositories of information that can be compromised.
“Within five years, enterprises and governments may no longer have dominion over digital identities; the power will instead have shifted to sit with individuals themselves. People will be able to set, manage, share and withdraw specific parts of their identity with organisations, based on their needs,” according to Mike Adler, chief product officer for security at RSA.
End of online anonymity
Another driver of change will be the shift away from anonymous or bogus profiles online to one where everyone must prove who they say they are, just as they have to in real life. The recent storming of the US Capitol by supporters of President Donald Trump, incited by social media chatter, has highlighted these concerns. It’s easy to incite all kinds of trouble when no one knows who you are on the internet. This will change.
“Currently, there is very little accountability online. There is a lot of focus on freedom of speech, forgetting the responsibility of speech. We’ll see stronger regulations in this space, making people accountable for sharing illegal or fake information,” says John Erik Setsaas, vice president of identity and innovation at Signicat.
“The need to prove who you are online in a trustworthy way will only increase. Anti-money laundering directives will also become stronger, with higher consequences for organisations and individuals for non-compliance.”
So, what of the future for digital identity beyond the next few years? There are already technologies that offer a new dawn for this sector. Beyond blockchain, quantum computing could completely change how almost every type of credential is stored and verified. This technology in the wrong hands could also allow hackers to crack most centralised databases. The arms race to secure identities may therefore have to step up a notch.
“Research is already underway on post-quantum cryptography, but the speed of this research and its implementation will depend on the success of quantum research and development,” says Kelvin Murray, senior threat researcher at Carbonite + Webroot.
In a decade’s time, the digital identity landscape could look completely different.
Learning from Estonia
Estonia is living proof that having a singular electronic ID for government and some private services can work effectively with buy-in from the general public. The question is whether this is a blueprint for the future of digital identity in other countries. The Baltic state, with a love of all things digital, is small – Estonia’s population is less than 1.5 million people – and internet penetration is high. But is it an outlier?
“We need to dispel this myth of Estonian exceptionalism, it doesn’t help us and it doesn’t help those trying to learn from us either,” says Florian Marcus, digital transformation adviser at the e-Estonia Briefing Centre.
“The most significant problem is lack of political will to change. Some in government simply don’t get digitalisation, others think it’s a mere gimmick. Another group absolutely sees the benefits, but only want to support projects they can finish within their current term in office, so they can capitalise on it.”
Most countries still have to solve the basic question: should the government be the one and only guarantor of a verified digital identity. This may give some citizens in the UK and United States the jitters; in other nations, the private sector is playing a decisive role, such as the banking sector in the Nordic countries.
“It mustn’t be forgotten that it’s taken Estonia decades to achieve this with its digital ID. Programmes cannot be rushed or they will end in disaster,” explains Matt Aldridge, principal solutions architect at Carbonite + Webroot.
“This is not a glory option for any one leader, cabinet or party. It relies on co-operation from a succession of governments to deliver on the promise of a unified national digital identity that is fully integrated into all citizens’ daily lives.”
Estonia’s successful digital ID is now enabling other solutions. The government in Tallinn has partnered with the World Health Organization to create a blockchain-based, coronavirus vaccination certificate.
“The secure, private solution has successfully gained the trust of Estonians, who are used to its technology and understand how it can support public safety during the current pandemic,” says Amanda Finch, chief executive of the Chartered Institute of Information Security.
The Estonian government is also looking to use artificial intelligence (AI) to deliver the kind of tasks that usually require a phone call or an in-person visit to an official agency. Called #KrattAI, the AI-powered bot or virtual assistant could soon deliver public services safely and securely.
“We could also drive this further into the private sector, but that’s where we will face more questions related to ethics and privacy, and rightly so,” says Marcus at the e-Estonia Briefing Centre.
“Imagine you could log in to Facebook or Twitter with your real digital identity. No more spam bots, no more opinion hacking such as we’ve seen with Cambridge Analytica. This could drastically increase the accountability of individuals when it comes to harassment and cyberbullying.
“But also no more secrecy for whistleblowers and a greater potential for government supervision.” There’s a fine balance to be had.