Does the Future of Digital Identity Offer Us Greater Security and Convenient Experiences?
Much of the promise associated with future digital identity infrastructures is associated with greater automation of the identity lifecycle and the provision of greater control of personal data to end-users. But automation also has the potential to reduce rather than increase user control of personal data. So how can we ensure that future digital identity infrastructures increase convenience while not compromising on security?
New interest in digital identity
New approaches to digital identity aim to provide more autonomy to end-users and to enforce a separation of concerns between the organization that initially verifies an identity and organizations that rely upon the trustworthiness of that identity at a later time. Within this paradigm, there are currently several initiatives in motion to explore what modern-day digital identity could look like. Last year, the UK government launched its digital identity and attributes trust framework which defines foundational principles for a scheme that allows users to share verifiable credentials between services. Meanwhile, the European Union is currently in the process of creating a European Digital Identity and predicts that by 2030 80% of Europeans will be using it. While the planning of such schemes proceeds at a political and ideological level, we should start to prepare for some of the potential challenges to security and usability on an operational level.
User-centric identity
With the user playing a privileged role to control the disclosure of personal data, user-centric identity has become a de facto paradigm for future identity infrastructures. However, while the user centric mission to provide users with control of identity is an important direction for privacy, it does come with limitations. Firstly, it places more responsibility on the actions of the user and can create complexity on user interfaces. Secondly, a weaker aspiration for user control became commonplace under the banner of “user centric” that well suited large companies providing privacy invasive web sign-on technologies.
Self-sovereign identity (SSI) is one proposal that aims to extend and strengthen the privacy promises of the user-centric model. The user should be central to the administration of the identity, and all information disclosures should originate at the device of the user. The privacy of the user is paramount. The central technology deployed by SSI is public-key cryptography - with a particular emphasis on digital signatures. Additionally, SSI schemes incorporate decentralized computing techniques into their architecture like distributed ledgers. Distributed ledgers, or blockchains, are crucial to the promise of SSI because these techniques have the potential to improve the privacy provided by the identity architecture. Specifically, they can help to alleviate the problem of an identity provider occupying a position of power and building an activity profile on each of its users. Hyperledger Indy is one example of how distributed ledgers can be tailor-made for applications of digital identity. Hyperledger Indy incorporates emerging standards for verifiable credentials, and decentralized identifiers, and is reasonably secure even in the face of malicious attacks to disrupt its consensus mechanism.
A digital identity wallet provided to users is the second crucial element of the SSI promise of user-centricity. It will act as a “hub” that receives requests for access to personal information and record consent as well tools that enable operations such as creating and verifying digital signatures and, performing respectful information disclosure to online services, for example, zero-knowledge proofs. This digital identity wallet could be implemented as a bespoke hardware device, or a mobile application depending on the security requirements and needs of the context.
SSI is a promising and concrete proposal for the next generation of digital identity since it embodies the spirit of user-centricity and aims for stronger forms of privacy. We need to carefully consider the inclusivity of some aspects of the SSI vision. For example, the usability of the identity wallets that users possess, and their fit with the experiences of those of the older generation and other groups that have disabilities. Digital Identity is a universal need and we shouldn’t use technology to re-introduce the limitations of our old ways of working.
Learn more about the security challenges in Web 3.0 in this interview with Security Guy TV
Fraud resistance
A new digital identity infrastructure must mitigate high levels of fraud. In 2020, US consumers lost $56 billion to identity fraud creating around 49 million victims. Regardless of the sophistication of technology that is deployed in future banking identity schemes, fraud will still be a risk at multiple points in the identity lifecycle. Future identity technologies must increase efforts to reduce the threat of synthetic identity, impersonation fraud and improve the usability and security of user authentication.
Organizations based in countries with no national identity infrastructure face the systemic risk of synthetic identity since the task of determining if an identity is real is based upon probability. In this case, to reduce the risk of synthetic identity, an authoritative body is required to verify the existence of an identity while also respecting the privacy of citizens. In the UK for example, there is a pilot project concerning the government’s Document Checking Service (DCS) which provides an authoritative ‘yes’ or ‘no' answer to a query from an online service about passport validity. This, in combination with similar authoritative digital services, could help to reduce the risk of synthetic identity at the point of establishing the identity of a consumer.
Impersonation fraud is another risk to be considered when someone is onboarded to a service using stolen identity information. While there are mitigations to this risk, a future digital identity scheme can create a culture where verifiable identity information such as W3C verifiable credentials - the usage of which is subject to local authentication on a device - can over-time reduce the need to conduct "from scratch" identity proofing. Furthermore, the evolution of an open ecosystem of identity providers will allow those with the most resilient identity proofing process to provide the majority of identities in the ecosystem. This will not only edge out identity providers with less secure processes in place but also help to strengthen the overall resistance of the eco-system to fraud where portable identities are used.
After a user-centric identity has been established, user authentication methods are required at multiple points, for example, local authentication to secure the user’s wallet and reduce the risk that issued credentials or privileges of the device are accessible to unauthorized individuals. Remote authentication across a network is also needed to re-establish access to online services after the customer has successfully onboarded. In a survey conducted by the CMO Council, 44% of respondents said biometrics are considered an easier and better method of authentication than alternatives. Open authentication standards such as those from the FIDO Alliance support biometrics for local authentication and also mitigate the risk of phishing during remote authentication.
The adoption of digital identity seems almost certain at this point. Its potential benefits are vast and banks, FIs and governments are attuned to these opportunities. However, as development moves forward, digital identity initiatives and the organizations driving adoption will have to tread several thin lines. It must be simple and user-friendly while maintaining the highest security standards. It must also provide end-users with control over their personal data without overwhelming complexity – or worse, the opportunity to overshare their information with fraudsters or scammers. If we can tread these lines successfully, digital ID is set to transform digital banking for decades to come.
This blog, written by Paul Dunphy, principal researcher at OneSpan, was first published on HelpNetSecurity.com on March 10, 2022.