Signs of life: authentication and digital ID in Web 3.0
A new, decentralised World Wide Web beckons - one that places users at the helm. While the internet ushers in an era of people-first platforms, what's next for identification and authentication procedures?
In a bid to climb the digital transformation curve, many businesses are, or will soon be, adopting the technologies that underpin Web 3.0.
Although still a work in progress, this next iteration of the internet will be defined by the core pillars of improved user utility, decentralisation and openness. Crucially, the shift is expected to foster more adaptive and democratised virtual ecosystems that prioritise peer-to-peer connections.
“Users will expect portability and much higher ownership of their data and digital assets in Web 3.0,” says Fraser Edwards, co-founder and CEO of Cheqd, a startup which helps individuals and businesses control their data. “This means people are much more likely to migrate across platforms, and businesses' systems will also have to handle data flowing in and out of their environments to individual customers,” he continues.
So, what will happen to our current identification and authentication practices? In the Web 2.0 paradigm, customers are expected to hand over several data points to access their funds or assets. Identification in Web 3.0 will instead be built on self-sovereign identity (SSI), giving users more control over their information and effectively removing the need to store identifying information on a central platform.
Travis Spencer, CEO of identity and access management platform Curity, says SSI credentials will, in essence, replicate in the digital realm the identification processes we're accustomed to in the physical world. “We identify ourselves all the time using decentralised identification cards issued by governments, schools, employers, and other authorities,” he says. “Why do the receivers of these identity cards believe that our biographical information on these identity cards is true? They trust the issuer of the identity information.”
Spencer explains that this system rests on “trust frameworks”: users obtain credentials from trusted issuers and can then present them to access assets held on another platform, which need only trust the issuer rather than hold the underlying data itself.
Properly implemented, these frameworks have the potential to create more inclusive identification practices. “Users are often people, and people are all different,” says Spencer. “We need security systems that don't discriminate based on race, education, disabilities, or anything else.”
He continues: “Businesses need to tailor their security systems to users’ needs by creating protocols, standards, and technologies that give people choices and ensure that they can opt out as easily as they can opt in.”
The security mechanisms set to gain traction in Web 3.0 are wide-ranging. Multi-factor authentication and biometrics will persist, while newer methods such as passkeys, and credentials held in a digital wallet or on a physical device, are becoming increasingly common. Advances such as zero-knowledge proofs will also give people finer control over what they reveal about themselves.
“When a user is requested to provide a certain piece of personal data, they're not forced to give everything all in one go,” says Jason Tucker-Feltham, head of crypto sales at identity proofing platform IDnow. “They only provide the piece of information which is required to satisfy a certain question. Paring back is integral to advances in decentralised identity technologies.”
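The issuer, holder and verifier roles Spencer describes, and the "only the piece of information required" property Tucker-Feltham describes, can be shown end to end with a salted-hash selective-disclosure credential (the construction behind formats such as SD-JWT). The block below is an added example written for this article; it is not code from the page or from Cheqd, Curity or IDnow. The issuer name, claim names and sample values are constructed, and HMAC-SHA256 stands in for the issuer's signature so the block runs on the Python standard library alone; a real deployment uses a public-key signature (for example Ed25519) so that a verifier needs only the issuer's public key rather than a shared secret.

```python
"""Issuer / holder / verifier flow with selective disclosure.

Added example for this article, not code from the page or from Cheqd,
Curity or IDnow. Every name here is hypothetical. HMAC-SHA256 stands in
for the issuer's signature so the block runs on the standard library; a
real deployment uses a public-key signature (e.g. Ed25519) so a verifier
needs only the issuer's public key, not a shared secret.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _digest(salt: str, name: str, value) -> str:
    """Commit to one claim as H(salt, name, value).

    The random salt stops a verifier from brute-forcing an undisclosed
    low-entropy claim (a date of birth, a two-letter country code) by
    hashing candidate values until one matches a digest in the envelope.
    """
    payload = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def _sign(envelope: dict, issuer_key: bytes) -> str:
    """Issuer 'signature' over the canonical JSON envelope (HMAC stand-in)."""
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(issuer_key, body, hashlib.sha256).hexdigest()


def issue(claims: dict, issuer_key: bytes, issuer: str = "kyc-bank") -> dict:
    """Issuer: sign an envelope of claim digests and give the holder one
    disclosure (salt, value) per claim. The envelope reveals no claim
    values, so the holder can show it to anyone."""
    disclosures, digests = {}, []
    for name, value in sorted(claims.items()):
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    envelope = {"issuer": issuer, "_sd": digests}
    return {"envelope": envelope,
            "signature": _sign(envelope, issuer_key),
            "disclosures": disclosures}


def present(credential: dict, reveal: set) -> dict:
    """Holder: forward the signed envelope with only the chosen disclosures."""
    return {"envelope": credential["envelope"],
            "signature": credential["signature"],
            "disclosures": {n: d for n, d in credential["disclosures"].items()
                            if n in reveal}}


def verify(presentation: dict, issuer_key: bytes) -> Optional[dict]:
    """Verifier: check the issuer's signature, then bind each disclosed claim
    to a digest the issuer signed. Returns the verified claims, or None."""
    envelope = presentation["envelope"]
    if not hmac.compare_digest(_sign(envelope, issuer_key),
                               presentation["signature"]):
        return None  # not from the trusted issuer, or envelope altered
    verified = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if _digest(salt, name, value) not in envelope["_sd"]:
            return None  # holder changed a value after issuance
        verified[name] = value
    return verified


def demo() -> Optional[dict]:
    """Constructed sample: a merchant needs the sanctions status, not the
    customer's name, date of birth or country."""
    issuer_key = secrets.token_bytes(32)  # the issuer's secret (constructed)
    credential = issue({"name": "A. Example",
                        "date_of_birth": "1990-05-17",
                        "country": "GB",
                        "in_sanctioned_country": False}, issuer_key)
    presentation = present(credential, {"in_sanctioned_country"})
    return verify(presentation, issuer_key)


if __name__ == "__main__":
    print(demo())  # {'in_sanctioned_country': False}
```

Two design points matter in practice. First, each claim gets its own random salt, so a verifier holding the envelope cannot recover an undisclosed value by guessing: without the salt, hashing every plausible date of birth tells it nothing. Second, a derived claim such as `in_sanctioned_country` is issued as its own disclosure, which is how the data-reduction Spencer describes later in the piece (proving sanctions status without revealing location) can be achieved today without any zero-knowledge machinery; a zero-knowledge proof generalises this to predicates the issuer did not anticipate.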
Of course, with nascent technologies, there are risks involved for both individuals and businesses. Early adopters on both sides run the risk of jumping into a relatively unknown world without due care.
“With users owning or controlling their own data and digital assets, they have a much higher chance of losing either or both of these,” says Edwards. “For companies, there could also be the issue of jumping too far into Web 3.0 without considering the user experience. The last thing they want is to create clunky processes for customers that will dilute their brand.”
Protecting against cybercrime in this new landscape is also a key concern for businesses and their customers. Tucker-Feltham warns that bad actors exploiting technical vulnerabilities in smart contracts (programs that execute automatically on a blockchain once the agreed conditions are met) is one area where crucial identification processes could be circumvented.
Such abuses may become less prevalent as agreed frameworks take effect. Notably, the EU's Markets in Crypto-Assets Regulation (MiCA), agreed by EU lawmakers in 2022, seeks to bring a harmonised set of rules for managing digital financial assets across the bloc.
“A lot of cybersecurity professionals are collaborating now, and they're creating new standards for what should be done with blockchain technologies to ensure that it's not misused and subject to unnecessary vulnerabilities,” says Tucker-Feltham.
And while there is a promise of less intrusive and more effective security in Web 3.0, the implied association with cryptocurrencies could slow adoption. High-profile market crashes and the recent FTX scandal may have muddied public opinion. A poll by CNBC at the end of 2022 found just 8% of Americans have a positive view of crypto, compared to 19% the year before.
For businesses adopting SSI, articulating the benefits of more straightforward and less intrusive authentication processes will be essential.
“I would suggest that organisations couch these new capabilities in terms of benefits,” says Spencer. “Data reduction, for instance. Instead of collecting a user’s location, you can explain that these new technologies allow you to simply collect the fact they are in a sanctioned country. This is a whole lot less data that should help many users feel a lot safer.”
Early adopters stand to gain a competitive advantage. Edwards believes companies that can provide a streamlined customer experience with SSI can differentiate themselves from incumbents and competitors while also delivering other benefits.
“As well as improving customer satisfaction, building better identification and authentication can reduce fraud rates and exposure, and a smoother customer journey can improve conversion,” says Edwards.
Spencer agrees, pointing out that by reducing the need to hold reams of personally identifiable information (PII), organisations will have less to worry about under data regulation and can accelerate their digital transformation.
“By limiting requested data to non-PII, organisations won’t have to protect it so carefully,” says Spencer. “This will make it easier to comply with regulations, reduce audit burdens, and limit the scope of security safeguards.”
And by reducing data handling requirements, those early adopters will be poised to outcompete the laggards.
De-risking highly regulated industries
Some sectors make better targets for fraud than others. How are the most at-risk industries keeping their customers safe - and happy?
Putting a price on identity is not something most of us have given much thought to. Even so, the black market for sensitive personal information is flourishing. From bank login credentials to complete medical records, almost nothing is off limits to artful and ambitious cybercriminals operating on the dark web.
As businesses and their customers increasingly depend on digital platforms to set up accounts and secure transactions, protecting those online spaces needs to be a priority. And while this rationale applies across sectors, nowhere is it more crucial than in highly-regulated industries.
Government agencies, healthcare and financial services have become attractive marks for bad actors, where a successful hack can be highly lucrative, either as a result of stealing funds directly or pinching valuable data.
Mike LaCorte, CEO of the investigations, security and intelligence agency Conflict International, explains: “As well as assets, they hold a whole load of highly confidential data - whether that’s financial or other information - that cybercriminals can use to their advantage, especially in a layered fraud type scenario.
“So not only are these regulated institutions subject to fraud, it’s not just the asset that’s at risk, it could be data that can subsequently be used elsewhere for a secondary fraud event,” he continues.
For many years, firms in highly regulated sectors have relied on outdated technology to protect customer data from unauthorised access. Often that has enabled fraudsters to stay one step ahead, according to Chris Michael, co-founder and CEO of open finance platform Ozone API.
“Many of these technologies were based on the concept of a hard shell - firewalls and strong passwords - but with a soft centre containing large honeypots of data, all in one place and often not encrypted in transit or at rest,” says Michael. “Once a bad actor gets in, they get access to almost anything.”
But even with top-of-the-line tech, cybercriminals often focus their attacks on individuals who may lack sufficient fraud awareness and can easily be duped into clicking on a malicious link.
“There’s a whole human element side of fraud that is sometimes overlooked,” says LaCorte. “You could spend millions in having the best firewalls and cyber defences, and then just a simple email or phone call can let them in. Fraudsters are always looking for vulnerabilities and loopholes they can take advantage of.”
More than half of businesses with $10 billion or more in annual revenue said they had experienced fraud in the past 24 months, according to PwC’s 2022 Global Economic Crime and Fraud survey. All of this, combined with a rise in fraud more generally, means that firms must take a dual approach to risk management that incorporates both technology and training.
A number of firms have already started to implement much better tech to protect their data, says Michael. For instance, more firms are adopting concepts such as ‘zero trust’ - a set of principles under which no network or device is trusted by default simply because of where it sits, and every request to access or store data is verified.
Instead, companies need to devise new policies and build systems to ensure strong identity verification that validates devices and users prior to granting access, he says.
Some are also seeking to go passwordless and instead use a blend of cryptography, secure devices and biometric authentication to remove the need for customers to use passwords, given how easily they can be shared or stolen.
When it comes to training, employees must be able to recognise tell-tale signs of fraud. Discrepancies in invoices or new payment instructions that involve sending money to an unrecognised account should immediately sound alarm bells, says Knut Ronning, CFO at Xledger.
“You need to have a proper way of verifying that changes to payment instructions are right and ensuring who you’re talking to is the right person. Not everyone is who they appear to be,” says Ronning.
Organisations also need to be warier of third-party risk. If suppliers have gaps in their defences, fraudsters can exploit them and gain access to systems through the back door.
“You need to understand your suppliers’ systems and controls in the same way that you would your own,” says Peter Hucker, head of operations at Xledger. “This is really about finding the weakest link, and if your supplier is the weakest link, then you have a problem. That often can be a place that businesses slip up.”
Some firms are taking a tiered approach to customer risk profiling, where customers that pose a higher risk may be subject to more stringent controls.
“We give customers a choice of controls depending on their level of risk,” says Hucker. “So we might demand more of users of our finance system. To some extent, we let our customers decide on their level of controls, providing it doesn’t fall below our overall security measures.”
This underscores the challenge many regulated firms face when reconciling risk management and compliance controls with successful customer experience.
“It’s about what is proportionate in order to preserve the customer experience but keep the integrity and the compliance of the organisation that is holding the data,” says LaCorte. “But it is a balancing act. There isn’t a simple answer as to where to draw that line.”
How people-first identity solutions are redefining CX
Digital ID isn’t just about galvanising security protocols. It’s a chance to redefine customer journeys and drive inclusion
When the European Union’s second payment services directive (PSD2) took effect in 2018, the aim was to crack down on vulnerabilities and enhance security in the payments industry. Most notably, the directive requires strong customer authentication (SCA) as a minimum standard in banking and financial services, with enforcement of the SCA rules phased in through to the end of 2020.
Despite its departure from the EU, Britain continues to adhere to the security requirements mandated by PSD2, and more robust authentication practices have made their way into citizens’ online interactions.
The SCA rules, which have been rolled out across the continent, require organisations to verify a customer using two independent factors drawn from three categories: knowledge, meaning something the user knows, such as a password or security question; possession, meaning something the user has, such as a trusted device; and inherence, meaning something the user is, such as a face or fingerprint.
But while SCA-compliant transactions are a boon for security, businesses could be subject to some unfortunate side effects. A study by Visa found that since the onset of PSD2, 11% of shopping baskets are abandoned as shoppers switch between applications to prove their identity. Meanwhile, research by Forrester Consulting and Docusign revealed that 37% of users feel online identification processes in financial services are too time-consuming.
Rob McKechnie, director of credit products, IDFC and strategic alliances at Equifax, believes organisations and financial institutions will need to work harder to keep customers happy. “It’s about finding a balance between offering a low friction journey for customers that doesn’t lead to abandonment, but also ensuring regulation is followed and ultimately that the customer is protected from fraud and fraudulent behaviour,” he explains.
Other behind-the-scenes checks that verify trusted devices or personal attributes can contribute to a secure and frictionless customer journey. However, it is still essential for front-end processes to be air-tight for the user’s peace of mind.
McKechnie points to technologies such as optical character recognition - a process which converts an image of text into a machine-readable format - and instant likeness checks, which will continue to improve financial service providers’ ability to verify identity in near-real time.
“There is a level of reassurance that comes with demonstrating that thorough checks are being performed,” says McKechnie. “With that comes a level of trust that an organisation is not only protecting their own interests but those of their customers.”
Despite early teething issues, the transition towards SCA has matched consumer demands and behaviours. Cybersecurity provider iProov polled 16,000 financial services users in eight countries to find that 72% of respondents already use biometric authentication to access their accounts.
“Customers are more comfortable with biometrics, in great part thanks to our devices having inbuilt biometric technology for login,” says McKechnie. “Banks are also supporting the adoption of biometrics for access to accounts and further authentication to verify purchases. So it’s becoming safer, but also possible to authenticate in a matter of seconds.”
Despite these advances, McKechnie argues that it will still take some time for all users to adopt new authentication methods and that organisations should still provide alternative journeys that don’t exclude customers from accessing products and services. More traditional methods have previously led to large sections of society being unable to access financial services. In 2022, the World Bank reported that 1.4 billion adults globally remained ‘unbanked’.
Many of these newer methods of identification still rely on the provision of documents such as passports or driving licences. However, by using the different types of verification required by SCA, financial services providers can offer a route to better financial security for people that have been excluded.
“For those with UK bank accounts, it’s possible to leverage open banking technology, which allows clients to benefit from the SCA required from banks and check for anti-impersonation,” says McKechnie. “For those who don't have a formal ID but have had a credit history in the UK, knowledge-based authentication has a place in verifying an individual's knowledge against their history with a wide range of configurations possible that can meet an organisation’s risk appetites.”
Historically, marginalised groups have faced issues with biometric identifiers. A 2018 study from MIT Media Lab found that facial-analysis benchmark datasets were dominated by lighter-skinned men, and that commercial classifiers trained on such data were markedly less accurate for people with darker skin, and for darker-skinned women in particular.
McKechnie believes advances in technology have sharpened accuracy in biometrics, resulting in greater uptake from end customers. Embedding this in regulation is crucial for inclusivity. The upcoming Digital Identity and Attributes Trust Framework, which the UK government set out in 2022, marks a step toward solidifying standards to improve the customer experience for users of all backgrounds.
“Inclusion monitoring is one of the key areas that organisations will be required to report on, which will help track and develop solutions, so they become as inclusive as possible moving forward,” says McKechnie.
The shift towards biometrics indicates that customers want and expect digital onboarding, says McKechnie. Customers expect streamlined processes and will also likely expect more control of their data as the internet iterates towards Web 3.0, which promises the ability to share only essential information with organisations through technologies such as digital wallets.
Organisations that can marry meticulous security with frictionless identification processes, regardless of how that authentication is carried out, will stand to win customers in the near future.
Answering the call for intuitive digital onboarding
Banks and financial services providers are spearheading the transition to tech-heavy onboarding. But why?
Are attitudes to digital ID really changing?
Concerns about identity theft and increased fraud risk during the economic downturn may be softening long-held fears about digital ID
When former UK prime minister Tony Blair introduced plans for a national ID card in the mid-2000s, the scheme gained little traction and plenty of opposition, with the coalition government eventually scrapping it in 2010 and cancelling the cards in early 2011.
Now, almost two decades on, the Labour grandee and his former Tory adversary William Hague are calling for the introduction of a new national digital ID card as part of a broader tech push to ensure the UK maintains its relevance in an increasingly digital world.
And the mood in Britain may also be starting to shift. A snap Times survey in February showed around 80% of readers were in favour of every person in the UK being issued a national digital ID. Other countries are already pressing ahead with digital ID schemes of their own, paving the way for greater acceptance on British shores.
The European Union has announced its plans for a trusted European e-identity that will be recognised across all member states. The scheme will kick into gear in 2024, allowing EU citizens to do anything from filling out their tax forms to renting a bicycle with the same set of credentials.
Part of the swing in attitudes may boil down to the fact consumers are more attuned to the risk of fraud and identity theft. The UK saw a 17% jump in fraud in 2022, according to fraud prevention organisation Cifas, with identity fraud representing almost a third of all cases recorded in the National Fraud Database.
Another potential driver is the successful pilots of various digital ID initiatives. Last year, digital ID company Yoti successfully trialled a digital age verification programme at certain supermarket self-checkouts in the UK. Shoppers purchasing alcohol could choose between using facial age estimation technology or a digital ID app - removing the need for people to carry around a physical ID.
“There are many different areas of life where you need to prove who you are or how old you are where digital identity can play a part,” says Julie Dawson, chief policy and regulatory officer at Yoti. “It can reduce friction, and it can reduce fraud.”
The current cost-of-living crisis and increasing rates of fraud may further accelerate the mainstream adoption of digital ID programmes. In the convenience economy, there is a clear argument for streamlining mundane processes, but the added benefit of protecting both individuals and companies from fraudsters has made these initiatives considerably easier to greenlight.
“It’s a bit of a win-win,” says Katherine Holden, head of data analytics, AI and digital ID at TechUK, a trade association. “Fraud is a classic example of why digital ID is a benefit on the consumer side, but also on the business side.”
The UK faces a number of digital ID challenges beyond consumer adoption that could slow projects down, particularly when it comes to government-backed programmes. IT and business consulting firm Netcompany was one of a number of firms involved in the NHS Covid Pass scheme, which highlighted the complexity that sits behind any government system in the UK.
“The UK struggles more than some other European countries because we don’t have a unique digital identifier, and that does make it very difficult when you’re trying to deliver something new,” says Richard Davies, UK managing partner at Netcompany, which is also working on the EU digital ID scheme. "You’re effectively having to stitch together or at least navigate what’s under the covers."
The regulatory and policy backdrop also needs more clarity. To that end, the UK is currently developing its Digital Identity and Attributes Trust Framework, which will set out rules around how digital ID can and can’t be used.
“It’s more important now than ever to make sure that we have a clear and robust regulatory framework in place so that companies who are looking to invest here in the UK have a really clear sense of how they can use digital ID technology,” says Holden.
However, unless the UK adopts a single digital ID - and Holden doesn’t believe the UK will go down that path - it could lead to a situation where consumers have multiple digital IDs across different platforms.
“One of the risks is that we actually end up in a situation where if you’re using a private sector application or a service, you have one identity, then if you’re using a public sector service, you have a different one,” says Holden. “What we really need to look at doing in the UK is making sure there is greater coordination between our public sector identity and the private sector and giving individuals the choice of which credentials to use when they sign up for a service.”
For UK consumers to really trust digital ID initiatives - be they government or private sector-backed programmes - and for attitudes to continue to soften, that choice will likely be essential.