Why are so many organizations still playing the waiting game with digital ID?
By Nick Mothershaw, Chief Identity Strategist at the Open Identity Exchange
The digital ID eco-system is rapidly expanding, with ID providers going through rigorous certification processes and global initiatives working out the parameters for the safe interoperability of digital IDs across borders. In some places, like Estonia and Singapore, access to government or private sector services is already happening through a single and joined up digital ID.
There are, however, many organizations still playing a waiting game. These are the parties that will benefit the most from digital ID adoption, the ones that will come to accept it and for whom it will become a vital part of the way they operate. Our in-depth work with them, as well as governments and trade bodies across various sectors, keeps throwing up the same myths and questions around digital ID. This is stopping many from fully adopting it.
“Data will not be as safe in a digital ID.”
With fraud levels soaring to levels never seen before, is it any wonder that the safety of data has come into question? But this is one of the biggest myths around digital ID that we are coming across.
The question we are being asked is, will the data be as safe in a digital ID as it is under existing methods? The answer is yes, if not improved. This is being is ensured by trust frameworks, through which all ID providers must undergo tough assessments to become certified to global security standards for data access and management. They will require data to be encrypted in transit and, where appropriate, at rest. Organizations that accept digital ID can be confident that the ID providers are proofing users properly and storing their data securely.
Another key feature of digital ID is that data will be protected by robust authenticators, such as biometrics, which are inherently difficult to copy or reproduce.
Moreover, in many countries digital ID works in a decentralized way, so users’ data is not kept in a central database. It’s distributed and kept in a protected format on the user’s own device or in a user specific space in the cloud. This makes it less vulnerable to attack. Even if a person loses their device, their digital ID is usually securely backed up in the cloud in a distributed way, so it can be easily recovered to a new device. However, it’s best for organizations to look for digital IDs that are not reliant on one device.
However, a data breach can still happen, because of course, fraudsters will still look for ways in. The trust framework will require the provider of the breached digital ID, or specifically breached credential, to suspend or close the user’s ID. The ID provider will also be required to notify the real end user and all organizations impacted by the fraudulent use of the stolen ID. Additional ID proofing or authentication may be put in place when the user next uses their ID.
Along with the concerns around increased levels of fraud naturally comes questions around the liability position. This will depend on the rules of the specific trust framework or contractual position between the ID provider and the accepting party. In general, if fraud takes place as a result of ID providers not following the trust framework rules, they may be held liable.
The positive thing about a market full of certified digital ID providers to choose from is that competition will help ensure that they are always innovating and striving to provide the best service.
“Data in a digital ID will be easier to exploit by organizations.”
This is also a myth. Local data protection legislation, such as GDPR, will still apply and the use of digital IDs will have to strictly be within them. Ultimately, only the person who owns the data will be able to access and manage it. Only they can consent to its release to third parties and can ask for it to be deleted at any time.
If a user updates the data, the new data will firstly be validated and verified, so that there is trust present when that data is shared. Where information cannot be validated, this will be highlighted with each attribute having a validated or un-validated status attached. If information is found to be incorrect, it can be raised with the ID provider who will liaise with the end user.
Only the user can then choose which of the organizations that previously had access should receive an update. Organizations can subscribe to update services.
“More people will struggle to access their services or be excluded entirely.”
This myth is driven by concerns around whether digital ID will be available to everyone, or work everywhere. The last thing organizations want is to make existing access and inclusion challenges even worse.
There has been a lot of progress to ensure that anyone who wants a digital ID can get one. Where individuals can’t establish a digital ID because they do not have digitally presentable evidence, such as a driver’s license or passport, or need assistance presenting it, initiatives are underway to make secondary options available to them. Our proposal for a Digital Vouch with Photo capability, for example, would enable users with no documentation to be included by a voucher acting on their behalf.
Not everyone will want a digital ID, so there will still need to be alternative methods, such as direct proofing and account issue by service providers, as happens today, to access services. A good trust framework will ensure that.
Digital ID is maturing, it’s time to get on board
The reality is that many of the perceived ‘problems’ either have or are being addressed. Digital ID is proving far more effective in enabling trust, which in today’s world has become so complex, than the IDs issued directly by organizations. And full digital ID adoption will be critical to the growth of any sector.
Organizations that still have unanswered questions and unresolved concerns must reach out to the parties, like Open Identity Exchange, that are driving actions to ensure the safe and inclusive use of digital ID everywhere.
About the author
Nick Mothershaw is Chief Identity Strategist at the Open Identity Exchange (OIX), a non-profit trade organization on a mission to create a world where everyone can prove their identity and eligibility anywhere through a universally trusted ID. Working with organizations across the globe, Nick is leading the development of clear guidance around inter-operable, trusted identities. In his previous role as Director of ID and Fraud at Experian, he led the development, launch and operation of a full ‘Identity as a Service’ solution – the first live example of a digital ID that is seamlessly interoperable across public and private sector in the UK.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
Article Topics
biometrics | data protection | decentralized ID | digital ID | digital identity | fraud prevention | interoperability | Open Identity Exchange (OIX)
Comments