Articles

The UK government is expanding its digital identity program, with plans to digitise most government credentials by 2027. This includes allowing people to use their phones to verify their age for alcohol purchases and introducing a digital driving licence. These credentials will be stored in a new government app.

However, the government's approach has raised concerns among private companies in the digital identity sector. They worry about uncertainty regarding how the government will engage with the private sector and the potential impact on their own digital identity services.

2024 saw continued work on digital identity projects around the world.  Here we  highlight the importance of inclusive and accessible systems, emphasising the need to develop systems that fulfill diverse user needs. The UK's recent decision to allow digital identities for age verification presents an exciting opportunity, though prioritising user privacy and building a robust ecosystem will be crucial for widespread adoption.

The digital identity landscape is evolving rapidly. The updated NIST guidance emphasises privacy and equity, while advancements like mobile driver's licenses and Google's digital passport are gaining traction. However, concerns remain regarding the security and oversight of Big Tech solutions. A strong regulatory framework and adherence to rigorous standards are crucial for a trustworthy and inclusive digital identity ecosystem. Big Tech companies like Google must adhere to the same standards and certifications as other identity providers to ensure fairness and security.  Alignment between NIST, TSA, state DMVs, and tech companies (like Google and Apple) is crucial for successful and secure implementation of digital identities.

The draft Implementing Acts for the EU Digital Identity Wallets present several concerns, particularly regarding the mandatory inclusion of birth names in Personal Identification Data (PID). This requirement can compromise privacy for individuals who have changed their names for personal or safety reasons, and it may create barriers for those who struggle to provide accurate or complete birth name information. Additionally, verifying name changes can be complex, especially for individuals with multiple name changes or who live in different countries. To encourage wider adoption, the enrolment process should be simplified, and the system should promote pluralism and competition among identity providers.

The article "One Industry, Separated by a Common Language" by Bryn Robinson-Morgan discusses the challenges faced in the digital identity sector due to the lack of standardized terminology. This inconsistency creates barriers to collaboration and understanding both within the industry and for those outside it. Robinson-Morgan emphasises the need for a common language to improve clarity, efficiency, and trust across different stakeholders, ultimately aiming to create a more inclusive and interoperable digital identity ecosystem.

Bryn Robinson-Morgan discusses the impact of EU regulations on digital identity and privacy, using a 2018 tweet about cookie consent as an example of the complexities involved. Despite existing regulations, user privacy often remains compromised. The revised eIDAS regulation aims to provide every EU citizen with a digital identity wallet and mandate its acceptance by public bodies and essential private services. However, there are significant uncertainties about its implementation, scope, and the balance between security and convenience. Robinson-Morgan emphasizes the need for private sector engagement and innovation to realize the potential benefits of a unified digital identity infrastructure.

Bryn Robinson-Morgan discusses how disruptive technology, like artificial intelligence (AI), impacts businesses, drawing parallels with historical examples like Blockbuster and Kodak. He highlights the challenges companies face in adapting to technological changes and the nuanced realities of such transitions. Robinson-Morgan emphasizes the accelerating pace of AI development in 2023, its regulatory challenges, and the need for cybersecurity measures to address AI misuse. He urges businesses providing digital trust services to evaluate their future relevance and innovate to stay competitive, predicting significant changes in the digital trust landscape over the next decade.

Reflecting on the dynamic changes of 2022, the need for adaptation and learning is clear. Progress in digital identity is evident, but challenges remain. Collaboration between BigTech and governments is crucial for successful digital wallets. Governance is vital to prevent exclusion and mitigate fraud in the adoption of Mobile Driving Licences. Governments must balance sovereignty with innovation to foster digital identity adoption. Interoperability should prioritise operability and user needs. Embracing change, challenging norms, and leveraging collective support are keys to progress in 2023.

2020, dominated by the pandemic, transformed how we live and work. Travel ceased, and digital services became essential for bridging physical and online worlds, from telemedicine to virtual exercise classes. Personal experiences, like staying connected with my mother during her illness and eventual passing, highlighted the importance of seamless digital interactions across all channels. The pandemic underscored that work is about activity, not location, and flexible working should continue post-pandemic. We must embrace change, be bold with technology, and create resilient, adaptable digital services to build a better, more robust future.

As digital interactions increase, the way we identify ourselves is set to transform dramatically. Incidents like Facebook's privacy breaches highlight the need for better control over our data. Digital identity can offer transparency, consent, and efficiency, putting individuals in control of their information. With evolving technology, including AI, we must address biases to avoid discrimination. The future will see physical identity documents becoming obsolete, replaced by secure and convenient digital identities. Embracing this change is essential to avoid becoming outdated and ensure a better, more connected society.

I experienced credit card fraud recently, and while my card company blocked the transactions, the inconvenience of getting a new card overshadowed concerns about security. The process to resolve the fraud issue felt outdated and cumbersome, highlighting my preference for convenience over security. Despite my card company's attempts to secure my new card, the delivery process wasn't secure. Interestingly, adding my new card to Apple Pay was seamless and convenient, making me overlook potential data privacy issues. Generally, convenience remains my priority, and unless my card company emphasizes and educates me on security importance, their security issues will continue to be their problem, not mine.

At the International Monetary Fund and World Bank's Spring Meeting in Washington D.C. to present on Digital Identity at the FinTech Exchange iLab sessions. The focus was on the challenges financial firms face with Customer Due Diligence (CDD) and Know Your Customer (KYC) requirements and how national digital identity programs can help. We also examined how to combat social, digital, and financial exclusion and the implications for policymakers and regulators.

Key takeaways:

• Immediate Benefits: Deliver tangible benefits of digital identity to users today.

• Abandon Status Quo: Move away from inefficient and insecure practices.

• Embrace Change: Adopt digital identity decisively for better compliance, security, and customer experience.

One of the greatest digital innovations is the SatNav, which evolved from custom devices to smartphone apps using real-time data for navigation. Initially, it eliminated arguments over directions, but now, real-time updates make it far more efficient. However, trust erodes when unexpected issues occur or arrival times increase, making the SatNav's guidance more reliable than a passenger's input.

In digital identity, trust is crucial and hard to rebuild once lost. Estonia's swift response to a security flaw in their identity cards highlighted the importance of trust in digital systems. Unlike Estonia's mandatory system, other countries must incentivize citizens to adopt digital identity schemes. Both government and private sectors need to balance security, user experience, and cost.

Key takeaways:

1. Trust Erosion: Trust in digital identity is hard to regain once lost.

2. Security vs. Cost: Cutting corners on security to reduce costs can backfire.

3. User Experience: Customers expect security but dislike excessive hurdles.

4. Balance: Achieving a balance in security, cost, and user experience is essential for successful digital identity systems.

About 15 years ago, I wanted a wallet with plenty of card slots due to numerous loyalty and credit cards. Now, I have more store cards but they’re digital, and my preferred payment method is my smartwatch. However, I still carry my wallet for those "just in case" moments when digital payments fail or aren’t accepted. I also keep my driving license for identification, despite new digital alternatives like smartphone licenses and smart-wallet passports emerging.

While technology progresses, adoption lags, necessitating backups. My hope is that in 15 years, digital identities will eliminate the need for physical IDs and wallets. But for now, I keep my old DVDs and wallet, just in case.

Balancing security and usability is crucial for product success. Authentication often suffers from clunky implementations like SMS codes or inconvenient tokens. Contextual awareness can revolutionize this. For instance, a smartphone in a car could use behavioral biometrics to adjust security dynamically. If it recognizes a familiar user context (like driving), it can grant more access without additional prompts, enhancing both security and user experience. This approach, integrating multi-factor authentication with behavioral insights, offers a smarter way to achieve a secure yet user-friendly authentication process.

Biometrics are becoming mainstream for user authentication, with fingerprint sensors widely adopted and facial and voice recognition gaining traction in apps. Future smartphones may include iris scanning technology. However, using biometrics for identity verification requires a clear link between the biometric data and the individual. Facial recognition can compare against official identity documents, but voice and fingerprint biometrics lack verified commercial sources and pose hardware challenges.

On-device biometrics like fingerprint scanning on iPhones allow multiple users to authenticate, but authorization remains specific to the features permitted. Clear consent is crucial; enabling biometric authentication should require explicit user approval, akin to sharing a PIN for bank cards. As smartphones transform digital interactions, careful design and understanding of implications are essential to prevent misuse and uphold user trust.

Post-Brexit, the UK aims to assert sovereign control but must navigate its role in the global digital sphere. Cybersecurity, digital identity, and online regulation transcend national borders, posing challenges. Despite leaving the EU, the UK's influence in cyber policy is pivotal globally, necessitating strong leadership to maintain its voice and international standing. The Digital Single Market's eIDAS regulations are crucial for cross-border digital transactions, highlighting the need for interoperable identity systems like GOV.UK Verify. UK's future in cyber industries post-Brexit hinges on a cohesive digital strategy that fosters innovation, security, and global leadership.

Digital identities are poised to transform online transactions by securely linking real-world identities to digital tokens. Countries like India with Aadhaar, the UK with GOV.UK Verify, and Norway, Sweden, and Canada with bank-issued credentials each have unique models for registering identities. Authentication methods range from passwords to biometrics, and the challenge lies in maintaining the link between the real world and digital tokens amid changes or fraud. Strengthening this link over time through authentication offers opportunities, but requires robust measures to prevent fraud and maintain trust. Addressing privacy concerns now is crucial to ensure digital identities remain reliable in the future.

A report by the Government Chief Scientific Advisor, Sir Mark Walport, endorsed the potential of distributed ledger technology (DLT) like blockchain to revolutionize government services, sparking widespread enthusiasm. However, many proponents lack a deep understanding of blockchain, identity, or the problems they claim DLT will solve.

Key issues include:

• Identity vs. Transaction: Identity isn't transactional; it's about attributes like age, not data to be transferred.

• Identity vs. Entitlement: Entitlement (e.g., legal drinking age) often gets confused with identity itself.

• Security Risks: Centralizing identity data on a blockchain increases its attractiveness to attackers and creates security challenges.

• Dynamic Nature of Identity: Identity information changes over time (e.g., moving house, changing names), making immutable records quickly outdated.

While DLT may play a role in identity management, its current hype is overblown. The real application will likely be different from the current bandwagon's vision.

Startups have been disrupting big businesses for decades, with Steve Jobs' unconventional methods now seen as normal. Today's entrepreneurs face fewer barriers to market, leveraging cloud tech and open APIs to disrupt the status quo more easily. Startups can operate without the burdens of established brands, making them more agile and capable of rapid innovation.

For corporates to stay relevant, they must adapt by fostering startup culture in meaningful ways. This might include funding startups, creating innovation hubs, reducing internal bureaucracy, or restructuring to support innovation. Those who embrace these changes will be more likely to succeed in the future, while those who resist may struggle to stay relevant. The startup disruptors of today could become the leaders of tomorrow.

Centralized citizen identity schemes are outdated. A decentralized or federated model enhances user control, security, and usability. Blockchain, known from Bitcoin, is emerging as a potential solution for digital identity due to its privacy, security, and user control features. However, Bitcoin's relative infancy, security issues, and unregulated nature pose challenges.

The General Register Office in the UK exemplifies a successful distributed identity model, registering births, deaths, and marriages locally and issuing user-controlled certificates. While Blockchain has niche financial uses and potential in identity management, the best approach might integrate the strengths of centralized, federated, and distributed models. The key is balancing easy identity claiming for real users with preventing identity fraud. The future of citizen eID may lie in a hybrid model combining the best elements of all three approaches.