Claim that DTC ‘is the strongest digital identity’ under the microscope
Many more people have and use digital identities than even a year ago, but there is significant variety in the forms they take. This has given rise to consideration about the relative merits of different digital IDs, as the debate about what constitutes “good” ID meets real-world choice for consumers and businesses.
Digital travel credentials (DTCs) are one of the more prominent candidates, with some obvious advantages, like international interoperability. DTC pilots, including the DTC-1 credential developed by SITA and its strategic partner Indicio, appear to have been successful, and more implementations are being planned.
Indicio CTO Ken Ebert argues in a recent blog post that digital identities issued under eIDAS 2.0 and mobile driver’s license (mDL) programs in many countries and U.S. states do not deliver the same digital trust as DTCs.
Biometric Update reached out to a selection of influential voices and thought leaders in biometrics and digital identity to get their thoughts on Indicio’s bold claim.
How do DTCs stack up against other digital identities in terms of assuring digital trust?
Ebert states that the trust electronic chips bring to passports is transferred to DTCs via scans of the chips and comparisons of biometrics and liveness.
“Biometrics also bind the app and the device to the person, so there are multiple layers of protection against someone who isn’t the subject of the passport using it,” he explains.
The four industry leaders point out that DTCs are an extension of the ICAO 9303 passport standard.
FaceTec SVP of North American Operations Jay Meier says the system delivers digitally signed data which is “therefore easily verifiable and irrefutable,” and that “transferring that irrefutable data to the mobile wallet makes sense.” He does not view the essential elements of the system as “particularly new,” however, and still sees a potential trust gap.
Thales Head of Business Development and Strategic Marketing and new International Biometrics + Identity Association (IBIA) Board Chair Neville Pattinson notes the promise of W3C verifiable credentials, and the way they are being built into trust frameworks for identity and other credentials.
“These are way beyond what a government organization would likely issue,” Pattinson says. “They will have their place in the cyber-connected world of web interactions and ecommerce, ignoring political borders and countries.”
World Privacy Forum Founder and Executive Director Pam Dixon says that DTCs function “beautifully for cross-border travel, and it functions well for law enforcement and national security purposes. That is what it was designed for, and the system works.”
However, she cautions that passports in all iterations have limitations from a privacy perspective that make them unsuitable “for the foundation for a national or local ID ecosystem especially when thinking of this as bound to a smart phone. There are privacy considerations here with the data and the data flows, and there are multiple security considerations regarding the data being on the smartphone that require a lot of policy work.”
Meier emphasizes that “biometrics are the only trust factor derived directly from a physical human being and, therefore provides the strongest potential binding to that human,” and stresses the importance of the data security architecture.
Any identity solution must be designed to manage risk, which is contextual, Goode Intelligence CEO and Chief Analyst Alan Goode notes. He says Type 1 DTCs “do a good job of assuring trust in the context of travel and border crossing.”
Goode has just completed a major market report on travel digital identity, and he also cautions that DTC Type-3, which will not require the traveler to carry their physical passport, “is probably many years away.”
What is the strongest form of digital identity in production or advanced piloting today?
Goode says that the answer depends on what the digital identity has been designed for. “DTCs are designed for high-assurance scenarios along with the supporting infrastructure so would be classified as being a strong form of digital identity.”
“Digital identity requires a system of symbiotic systems,” is how Meier puts it. He notes Utah’s mDL as an example of a well-implemented biometric system.
Dixon emphasizes that for many of the world’s people, DTCs are removed from anything they will ever experience.
Pattinson notes that for the U.S., once all states are issuing mDLs to the ISO 18013-5 (or -7) standard, “and a trust service is available to verify issuers’ digital signatures there will exist a highly interoperable and powerful federated digital identity trust framework to enable interaction with government and commercial relying parties.
“Watch W3C prove its worth in ecommerce and international communities on the web,” he adds.
How would you rank the relative importance of cryptographic verifiability, decentralization, and effective biometric liveness in establishing the trustworthiness of digital IDs?
The three characteristics are equally important, according to Goode.
Meier makes the point that “what matters is whether the stored data, however and wherever it’s stored, cannot be reused,” and decentralization is one of several ways to do this.
Pattinson makes a similar point to Meier’s earlier one on the centrality of biometrics, but also vouches for the necessity of the other two elements.
Overall, Goode says Indicio’s argument is sound.
“DTCs are designed to be secure and reflect the critical nature of securing a border. They, therefore, are amongst the strongest digital identity solutions,” he says, and lauds Indicio and SITA’s work in Aruba.
“DTC without Quantum Crypto (DTC still relies on RSA and Elliptic Curve) is going to fail badly and undermine the entire DTC trust framework with quantum computing availability,” Pattinson says.
“A DTC has been created for a specific situation and can be used beyond the travel industry of course, but it’s not the only player in this new emerging digital landscape.”
Dixon notes that like passports, smartphones are still inaccessible to billions of people. GSMA notes in its 2023 State of Mobile Connectivity Report that 46 percent of the population does not own a smartphone.
DTCs have a growing place in an unsettled ecosystem, at least for now.
Pattinson says, “We are only now seeing the beginnings of our digital identity future and will surely see new and more secure ways of ensuring we are not a dog on the internet when we interact virtually.”