Goodbye, physical identities: How organizations can prepare for digital identity challenges
By Philipp Pointner, Chief of Digital Identity at Jumio
Gartner predicts that half of U.S. states and one-third of national governments will offer citizens digital identity wallets by 2024. In a digital identity system, citizens can upload their driver’s license to their phone and present it at various locations that accept these forms of identification. With many U.S. states, countries and organizations like American Airlines already adopting digital identities, this prediction is well on its way to becoming a reality.
At the same time, identity fraud and theft rates have never been higher. Research released just a few weeks ago shows that 84 percent of companies suffered an identity-related breach in the past 12 months. Digital identities are a game changer for many consumers in terms of convenience, but will they end the surge in identity fraud plaguing businesses, or will they do more harm than good?
Let’s dig into the security and privacy challenges that may arise with digital identities, as well as how governments and businesses can create a secure system that consumers can trust.
New security challenges are on the horizon
In 2019, New South Wales launched a digital driver’s license (DDL) system where users were able to present their digital identity at venues such as stores, hotels and bars. Although the system had security safeguards in place, including ephemeral QR codes and watermarks that matched the user’s real-world driver’s license photo, security researchers eventually identified numerous design flaws that would allow fraudsters to bypass them. Through several hacking techniques, they discovered that fraudsters could combine stolen driver’s license information with their own photo to pose as another individual.
Furthermore, whenever a new technological advancement, such as a digital identity system, is rolled out, it creates a new avenue for cybercriminals to probe around for new attack vectors. With identity fraud continuing to grow globally, it’s apparent that these attempts are oftentimes successful. In 2021 alone, identity fraud losses amounted to $52 billion and impacted 42 million U.S. consumers. As consumers increasingly open new online accounts and share their data with various online organizations, they become more prone to identity theft and other types of fraud, raising a myriad of data privacy issues.
Data privacy implications are growing stronger
From a privacy standpoint, a digital identity system opens up a new gateway for organizations and governments to track consumers’ data online. Whenever a consumer uses their digital identity on the internet, they leave a permanent trail of data that adds to their digital footprint. Verifying third parties will also want to contact a user’s digital identity issuer to confirm whether it’s valid or not. For instance, a grocery store may contact the DMV to confirm if a customer’s digital identity is authentic after it was presented during an alcohol or other age-restricted purchase. Without the consumer’s knowledge, governments can use this data to track where and when they have used their digital identity. To this end, consumers using their digital identities must have more control over their data and what third parties, including governments, can do with it.
Recommendations for a secure digital identity system
A trustworthy digitized world can only be created if both organizations and governments follow the proper framework. This framework must include a few fundamental elements:
- Decentralized data storage: Considering the number of data breaches and leaks that have occurred from centralized storage systems, companies shouldn’t be storing large databases with consumer data. Instead, decentralized data storage should be used to give power back to consumers by ensuring their data only resides with them on a secure device they own.
- Full transparency and control to the end user: Consumers should have complete control over who is accessing their data, what data is being accessed and who their data is being shared with. When requesting a consumer’s digital identity, organizations will need to be completely transparent about the data they plan to use and only collect the data they truly need. For example, if an organization needs to verify a user’s address, it should only be allowed to collect that address and nothing else.
- Digital identity verification tools: Organizations must also adopt cybersecurity technologies that can verify every digital identity is legitimate and confirm every user is who they are claiming to be. An online identity verification platform can connect a user’s digital identity to a physical identification document issued by a trusted authority, such as a passport or driver’s license. From there, it leverages the power of AI and biometrics to compare the presented document to a real-time selfie, further verifying that the user is present.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.