The challenges of electronic IDs
By Malte Pollmann, CSO of Utimaco
Digital fraud has never been more prevalent. It is possible that fraud will cost the world $10.5 trillion USD annually by 2025, a truly staggering sum. At the heart of online fraud is a fundamental problem: how do you tell that a person is who they say they are on computers?
In real life, we have clearly identifiable markers of our identity, from our faces to fingerprints and DNA, supplemented by certified documents like passports and driver’s licences. There will always be a limit to a person’s ability to pass themselves off as somebody else. Online, if a person (or increasingly an automated bot) enters the correct username and password on a website, then they can do everything that the person who really set up the account can do. There is clearly a need for digital identities that are as strong as our offline identities.
The term “digital identity” is not clearly defined. In one sense, we create a new digital identity every time we register for an online service, and in many applications it is irrelevant whether this corresponds to the real identity of a user. Most internet users have an e-mail address that is not based on their real name, and in forums, on social media sites like Twitter and Instagram, or in online dating, pseudonyms or outright invented personas are the norm. Over decades of Internet use, the average user will accumulate dozens of combinations of usernames and passwords. There are various approaches to simplifying this chaos: using a password manager, or logging in via Google or Facebook. Microsoft is already moving towards making passwords obsolete by switching to fingerprints, facial recognition and authenticator apps.
The internet has moved on from BBS groups and forums full of colorfully named but anonymous users. Now it is a place where we conduct an increasingly large portion of our lives, including those that involve sensitive data like banking. How can we create a digital identity for the way people use the internet today?
How do we guarantee identity?
The classic or analog identity check is based on a document with a high level of protection against forgery which is issued by a trustworthy authority, such as a government. Of course, that trust generally only extends as far as a country’s borders, so there are times when an ID issued in one jurisdiction won’t fulfill its purpose in another. With the internet being a worldwide phenomenon, the question becomes how to create digital identities for a connected world.
Currently, for important digital transactions like opening a new bank account, analog identity documents have to be uploaded into apps and websites which are then checked by either automated systems or human beings. The former generates false declines, as anyone who has used these systems can tell you, and the latter is expensive and difficult to scale. What is necessary then is a way of bridging the gap between digital and analog: companies like IBM are already working on this with blockchain-based solutions.
Biometrics have always been touted as a way to circumvent the need for a trusted authority to issue IDs and are widely used on mobile devices. They are useful, but there are drawbacks. Unless there is a centralized, worldwide database of fingerprints, something very unlikely to happen, the only way to ensure that a set of fingerprints belongs to the person trying to set up a new account with an online service is through the analog forms of identity mentioned above. Hypothetically, then, a fraudster could steal an identity and set up a new account with a loan provider under that identity’s name, using their own fingerprints. Biometrics are very useful for quickly signing in to existing accounts but only partly solve the central problem of connecting a digital and a physical identity.
Taking identity from analog to digital
The transfer of an analog proof of identity, whether that is a utility bill or a fingerprint, into the digital space is only one of the challenges with electronic identities. The other is to protect eIDs against misuse and data leaks. This means that there must be a simple way for a verifying authority to determine whether an eID presented to it is genuine. The authority that issues and manages the digital identity plays a major role here: its integrity is guaranteed either by the fact that it is a government institution or, if it is a private company, through certification and audit procedures.
If electronic IDs become widespread, companies and the countries that regulate them will have to decide which issuers they can consider trustworthy. However, it still remains to be clarified whether any given certificate they are presented with is genuine. This is where asymmetric cryptography comes into play: each eID will contain both a simple public key and an exponentially larger and more complex private key. If you have a private key, it is relatively easy to generate its corresponding public key, but doing the reverse is functionally impossible. The public key can be available to anyone, but there will only be one private key that matches it. Think of it as being like the story of Cinderella: any number of glass slippers can be made, but they will only fit one foot.
The only problem with this approach is that the private keys must absolutely remain secret. Hardware security modules (HSMs) are built for the purpose of creating, storing and protecting private keys, hence why they have been the standard when establishing a ‘root of trust’ in any application.
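The two preceding paragraphs describe the verification model in the abstract: a trusted issuer holds a private key, the verifier holds only the matching public key, and a presented eID is accepted when its signature checks out under the key of an issuer the verifier has decided to trust. The following Go program is an added illustration of that flow and is not code from the article or from Utimaco. It assumes Ed25519 signatures from Go's standard library (the article does not name a specific algorithm), a constructed credential layout (subject, birth date, issuer, expiry) and a constructed issuer name; the issuer's private key is an in-memory value here, where in deployment it would live inside an HSM as the article describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, illustrative eID payload. Real eID formats differ;
// the point is that the issuer attests to a fixed set of attributes.
type Credential struct {
	Subject   string `json:"subject"`
	BirthDate string `json:"birth_date"`
	Issuer    string `json:"issuer"`
	ExpiresOn string `json:"expires_on"`
}

// SignedCredential pairs the payload with the issuer's signature over its canonical encoding.
type SignedCredential struct {
	Payload   Credential
	Signature []byte
}

// canonicalBytes produces the exact byte string that is signed and later verified.
// encoding/json emits struct fields in declaration order, so issuer and verifier agree.
func canonicalBytes(c Credential) ([]byte, error) {
	return json.Marshal(c)
}

// GenerateIssuerKeys creates an issuer key pair. In deployment the private half is
// generated and kept inside an HSM; here it is held in memory for illustration only.
func GenerateIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS randomness source is unavailable
	}
	return pub, priv
}

// IssueCredential signs the payload with the issuer's private key.
func IssueCredential(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	msg, err := canonicalBytes(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: c, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyCredential checks the signature using only the issuer's public key.
// Any change to the payload after signing makes this return false.
func VerifyCredential(pub ed25519.PublicKey, sc SignedCredential) bool {
	msg, err := canonicalBytes(sc.Payload)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sc.Signature)
}

// TrustedIssuers models the verifier's policy decision from the article: which issuers
// it accepts, keyed by issuer name, with public keys obtained out of band.
type TrustedIssuers map[string]ed25519.PublicKey

// Accept returns true only if the credential names a trusted issuer and the signature
// verifies under that issuer's key. A valid signature from an unknown issuer is rejected.
func (t TrustedIssuers) Accept(sc SignedCredential) bool {
	pub, ok := t[sc.Payload.Issuer]
	if !ok {
		return false
	}
	return VerifyCredential(pub, sc)
}

func main() {
	pub, priv := GenerateIssuerKeys()
	cred := Credential{Subject: "Example Person", BirthDate: "1990-01-01",
		Issuer: "example-authority", ExpiresOn: "2030-01-01"} // constructed values
	sc, _ := IssueCredential(priv, cred)

	trust := TrustedIssuers{"example-authority": pub}
	fmt.Println("genuine credential accepted:", trust.Accept(sc))

	tampered := sc
	tampered.Payload.BirthDate = "2005-01-01" // altered after issuance
	fmt.Println("tampered credential accepted:", trust.Accept(tampered))
}
```

The verifier never needs the private key, which is what lets the issuer keep it sealed in an HSM while handing the public key to anyone; the `TrustedIssuers` map stands in for the trust decision the article says companies and regulators will have to make about which issuers to accept.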
Future electronic identity documents will likely be a combination of biometric, blockchain-based and private-key based methods, so it is important that companies working in this space understand and start building their infrastructure towards solving one of the 21st century’s key problems.
About the author
Malte Pollmann is CSO at Utimaco. Malte Pollmann has been a member of the Utimaco Management Board since 2008 and CEO from 2011 until 2019. He currently holds the position as CSO (Chief Strategy Officer). Previously, he was Product Director and Business Unit Leader at Lycos Europe NV (a Bertelsmann company). With a master’s degree in Physics from the Universities of Paderborn and Kaiserslautern in Germany, Malte also received a general management education at INSEAD in Fontainebleau, France. In parallel to his work at Utimaco, he also serves on the Supervisory Board of the International School of IT Security – isits AG in Bochum.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.