The need for identity trust — what successful Trust Frameworks must encompass
By Nick Mothershaw, Chief Identity Strategist at the Open Identity Exchange (OIX)
A shared digital future has to work well for everyone involved and the most crucial ingredient for this is trust. The growth of identity fraud has made the ability to establish trust far more complex than it has ever been. With more people needing to, and wanting to, access services remotely, organizations have to know with confidence who they are dealing with and what that person is eligible to do. For users, they need to be able to provide trust in their identity to any organization, so that they can access the services they are entitled to.
How trust is established, how it is conveyed and embedded, will come down to digital ID, and it promises to be a game changer.
As such, digital ID ecosystems have grown rapidly. So has the need for some form of governance framework to facilitate trusted identity transactions between participating entities.
Around the world, several forms of Trust Frameworks are being developed and evolved, while many more countries are just at the start of their journey. These frameworks aim to provide the rules and guidelines needed for effectively governing the collection, verification, storage, exchange, authentication, and reliance on credentials about an individual person, a legal entity, device, or digital object.
Our work over the years on the governance of digital ID and, more recently, our evaluation and comparison of existing Trust Frameworks around the world, has identified a number of salient components. We believe that these components need to be considered for any Trust Framework, wherever they are in the world, to be successful and deliver on the promise of a shared and trusted digital future.
Starting with the end user
This seems obvious, but as it stands many Trust Frameworks have started with the needs of the parties developing the frameworks, rather than the needs of the parties it is designed to serve: users and the organizations who want to get trusted information from that user. However, in the design of a detailed Trust Framework, the implementation should ensure the user’s needs are met first. This is vital if a Trust Framework is to be successful for all the parties involved. This doesn’t imply that the needs of other participants in the Trust Framework should be compromised. Achieving a user-centric yet balanced approach is the art of a successful Trust Framework.
It is worth looking towards those frameworks that are being developed under the self-sovereign ID approach. They’ve started their journey with the right principle – the end user – by empowering users with the ability to control their own ID. There have, however, still been some challenges for this community. It is still down to the user to work out which digitized credentials, or parts of them, are needed for each transaction. The challenge with this is that it can be very confusing for the user, especially if the rules keep changing.
A smarter way
If we want digital ID to be the enabler that it has the potential to be, then we must go further than simply digitizing real-world credentials. Each organization, be it a bank, an airline or a retailer, will be following its own industry-specific processes and rules to proof users. It is unreasonable to expect the user to understand all the processes and rules, work out what is needed and fulfil the criteria for each transaction. If the user journey is difficult and the experience painful, then it will become a barrier to digital ID success.
Digital ID, therefore, needs to be smart and ‘help’ users through the processes, without requiring them to understand the complexities surrounding them. All the user needs to see and approve is that they’ve been asked to get or share certain information. The detail of how credentials are assembled, assessed, derived, minimized, collated or packaged to achieve this should not be transparent to the user. The smart ID must do it for them.
Trust Frameworks will be vital in facilitating this. As more countries develop standards to govern digital ID ecosystems, it’s vital that they are designed to support smart digital ID.
A ‘framework of frameworks’ for interoperability
If digital ID is not interoperable across different frameworks, then it will become another major barrier to digital ID adoption.
Understandably, there are many questions that need to be addressed around compatibility and trust. Without agreement on how common credentials or the same data from different credentials are presented, organizations on the receiving end are left trying to interpret the data. And how will trust be established? What are the Trust Framework rules for a bank in the Ukraine wanting to release a bank ID to an organization in the Philippines? How well ‘proofed’ is that individual? What if something goes wrong? Who is liable? What does the Trust Framework in the Philippines say about the trustworthiness of the organization receiving the bank ID? What about data management in the Philippines and the obligations of the organization receiving the data? Can they use it for anything other than the purpose for which the data was a granted?
We believe that a ‘meta’ framework approach that enables many frameworks to trust each other through independently assessing their alignment and compatibility may be the most efficient way of achieving mass interoperability between frameworks. We are exploring this idea of a ‘meta’ framework that will enable translation between one framework and another so that interoperability across borders is enabled.
An evolution, not a revolution
The specific needs and requirements for digital ID in one country will differ from those in another, but the key concepts that the parties developing these frameworks must fully embrace now are the same everywhere.
The biggest benefits for all parties will be seen when digital ID becomes smart and Trust Frameworks must be developed to enable this. And the needs of the user must feature heavily at the start, center and ongoing evolution of Trust Frameworks. Finally, they must provide a solid base for trust to be established between parties, across all sectors and across all borders.
Trust Frameworks are an evolution, and will continue to evolve regardless of where they are in their journey. And they will play a vital role in ensuring future global digital ID success for everyone involved.
About the author
Nick Mothershaw is Chief Identity Strategist at the Open Identity Exchange (OIX), a non-profit trade organization on a mission to create a world where everyone can prove their identity and eligibility anywhere through a universally trusted ID. Working with organizations across the globe, Nick is leading the development of clear guidance around inter-operable, trusted identities. In his previous role as Director of ID and Fraud at Experian, he led the development, launch and operation of a full ‘Identity as a Service’ solution – the first live example of a digital ID that is seamlessly interoperable across public and private sector in the UK.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
biometrics | data protection | digital ID | digital identity | fraud prevention | interoperability | Open Identity Exchange (OIX) | regulation | self-sovereign identity | standards | trust framework