Governments best suited to oversee, not issue digital identity wallets: OIX white paper

Governments can enforce the security and privacy protections that people want in and maintain oversight over digital wallets through trust frameworks, while avoiding cost and complexity by not issuing digital wallets themselves, the Open Identity Exchange (OIX) argues in a new white paper.

The “Governments and Digital Wallets” white paper considers a number of options for who issues and owns digital identity wallets, taking into account the benefits to end users, relying parties and governments. Various OIX working groups contributed to it, OIX Chief Identity Strategist Nick Mothershaw explained during a launch presentation.

Mothershaw reviewed OIX’ work so far this year, and noted that the Open Identity Foundation has taken up the group’s call for digital identity data to be standardized across protocols. Open Identity is going to start by aligning JSON and Verifiable Credential content as part of its OIDC for IDA standard.

The fundamental question addressed is one governments are already asking themselves, according to  Mothershaw: Should governments directly issue wallets to their citizens, or should private sector wallet providers, under specialized regulation, be empowered to “allow independent control and innovative features to attract users to their services?”

Some of the other options include smartphone providers offering “captive wallets” and relying parties issuing wallets specific to their needs.

OIX presents four models. Three involve governments providing digital wallets, either to hold only government-issued credentials, to hold government and private sector credentials, or to compete with private sector wallets for holding government-issued credentials. The final model is for only the private sector to issue the wallets.

The paper starts from the assumption that there will be private sector digital wallets, as governments are not going to want to address all functions for all people.

OIX runs through the pros and cons for each stakeholder group of the different approaches. In a scenario where both government and private sector wallets are used to store the kinds of credentials they issue, relying parties from the private sector are likely to want access to both types of credentials, introducing the complexity of accessing multiple wallets for a single transaction.

Wallets should be smart enough to gather the credentials the end-user needs to carry out the transaction they are attempting, in OIX’ view. People should not have to sort out which credentials they need, and which wallet to find them in.

In addition to complexity, security, cost and trust challenges arise in various scenarios.

Government defined trust frameworks will need to be in place to address some of the trust and security issues if government credentials are going to be issued into private sector wallets. People are more likely to feel they are safe from being tracked by the government if, for instance, they can use their passport from a private-sector wallet, as a kind of intermediary, Mothershaw says.

Ultimately, the lowest-cost option for governments is to avoid issuing digital wallets at all. Since enabling simple transactions (using a single wallet) while preserving security and trust requires the establishment of a trust framework, the private sector-only wallet issuance model is seen as providing the most important benefits of the other models, with relatively few drawbacks. Possible fees from private sector wallets for access to government credentials, and less control for government over the credentials they issue are cited as the two main risks for this type of approach.

Private sector wallet providers are better positioned to innovate and find delivery models that work for all people, including those without mobile phones, OIX argues. Governments can use this approach to encourage a more decentralized data management architecture, and cross-border user may be easier.

OIX will look at what form those wallets issued by the private sector should take in future papers.

Article Topics

digital ID  |  digital wallets  |  Open Identity Exchange (OIX)  |  standards  |  verifiable credentials