07/21/2022 | Digital Innovation

Digital Identity

For businesses globally, the level of trust in terms of data privacy and security is being eroded, particularly when it comes to the use of mobile apps. Here, we look at how technology is fighting back.

In the world of the Internet, you are fundamentally anonymous and equally free to share information. Its beauty is also its drawback: nobody really knows who you are. Digital identity was an afterthought. This is a major weakness in terms of cybersecurity and the long-term sustainability of the digital economy. The security of personal data and identity is a major concern for consumers. The Mobile Ecosystem Forum (MEF) surveys the level of trust annually and recently found a clear gap between expectations and experience. The gap for mobile apps and services keeping data secure (vs. the expectation) is 27 percentage points, indicating a breaking point in the level of trust between users and product. The gap for privacy is marginally worse, at one percentage point higher. The situation looks serious.

Concern over personal data security and privacy is now a reason to delete an app (37%), avoid installing one (33%) or to stop using a service altogether (29%). Globally, 59 per cent of enterprises surveyed cited security and fraud prevention as key drivers for digital identity and authentication. The ecosystem has been active in developing solutions, and the use of biometrics is becoming established to link the proxy of a person digitally to the actual individual.

Solutions based on a mobile device are increasingly important. Over 50 per cent of organisations are now using these, from SMS one-time passwords to more sophisticated approaches, from SIM swaps to mobile digital identity proofing. Dramatic changes in approaches to personal data and authentication are driven by the threats we are facing online and by the need to verify who we are.

Governments and industry are responding with a series of initiatives and solutions. After cyberthreats, compliance is the largest driver for enterprises adhering to various organisational and regulatory requirements. Of the 450 enterprises surveyed globally, around 22 per cent cited compliance as the main driver for adoption of digital authentication, with a couple of countries, including Germany, seeing it as more important than fraud or security. These compliance requirements can be global, regional, country-specific and even sectoral. Research by Gartner indicates that 10 per cent of the world is subject to people-centric regulations. This will increase to 60 per cent in 2023. Enterprises need to understand how to comply with, manage and implement these requirements. Three architectures are being developed across the globe that link individual attributes to databases. The differences among them imply different applications and threats. Biometrics are common to all three.

  • Centralised model – often operated by a government or a consortium of financial institutions. Individual information is then handled on a centralised database from cradle to grave, which offers a simplified means of establishing digital identity for services.
  • Federated model – this operates with a series of distributed databases that represent very different groupings and where parties can access personal data in one of those databases. The European eIDAS system is an example where trusted service providers can issue and deliver digital signatures and identity. Several countries are now adopting this model, including both the Netherlands and Italy.
  • Self-sovereign identity model – this one has no real centralised database. The individual owns, manages, and controls their data.

Each model must ensure that the digital identity provided by a trusted service provider has strong authentication. In practice, a new model is emerging based on the three. Consider this the establishment of digital credentials. An example is individual Covid status. This would allow a person to obtain their signed and verified health credentials, which would then be trusted for access to venues or travel. Clearly, there are issues around maintaining individual privacy and how authentication fits into the process. Standards are developing which can provide further reassurance. Furthermore, there is the issue of regulation, how liability is distributed in this model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.

Mobile is a truly personal service, always present and mass adopted: it has carved a role as an identifier. What is emerging is, firstly, a move towards device-based technology and using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints. Secondly, there is the role that the mobile operator can play by using the unique assets of a mobile device and knowledge of the SIM, such as ‘Mobile Connect’, which has been very successful in India. Finally, there is significant growth in approaches independent of either the device or mobile operator.

These can be used when a device is unavailable, for example, when it is lost or out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.

The ecosystem is fighting back against the threats from cyberattacks and we will see more innovative solutions emerge. The global economy needs solutions to the challenges personal identity and authentication present.

There are three major pillars to these solutions: the role of the individual, trust with organisations, and handling the online experience. When reviewing or defining an internal solution all three need to be covered.


Dario Betti

CEO of MEF, a global trade body seen as the voice of the mobile ecosystem.
