The Rise of Digital Identity Part 3: Opportunities for Digital Identity Evolution
The Change in Digital Identity
Background
This is the third article in a Digital Identity series. The first article focused on the growing demand and importance of digital identity solutions, expedited by environmental and technology events and trends; and the second article discussed the changing landscape of digital identity, reflecting the impact on Government and businesses, and the step change to meet increasing customer needs, backed by robust and secure approaches and solutions.
This article looks at the opportunities for digital identity to evolve based on greater understanding and learnings from previous approaches and the availability of new technologies. The use of biometrics to establish identity has been around for many years, adopted by law enforcement to record fingerprints or border force agencies to perform facial recognition, but is reliant on specialist fixed high-quality devices to provide the required level of assurance. The challenge to allow individuals to self-serve and manage their own digital identity has been evolving over recent years with the advent of more powerful and capable personal devices. Whilst the benefits are widely recognised, the ability to automatically match digital identities to an individual with a high level of confidence has been constrained. This is due to technical capability, risk acceptance tolerances on what is considered valid, and external factors that disrupt the process (such as software usability issues, user error and proficiency, and challenges arising from the user’s physical environment).
Significant technological improvements in this area have been made and are continually progressing. The demand for self-service digital identity solutions, coupled with the challenges inherent in more traditional knowledge-based verification approaches, means the future lies with these new approaches. The risk of identity and data compromise and the need for reliability and security will require solutions to continuously adapt to prevent breaches and to meet the changing needs of businesses and their customers.
The Need for Enhanced Identification Techniques
The demand and need for robust and reliable digital identity have never been greater, at a time where the need to converse and transact digitally has become a part of everyday life for the majority of citizens, both as part of their personal and working lives. The explosion of social media over the last 10 years and its adoption as part of mainstream life for the ‘digital native’ Generation Z demographic, means the need for digital technology is critical and is something they have grown up with as the norm. Consequently, the role of a secure digital identity from this point forward will be expected.
Regulation and expectations around the handling of personal data and security by society will only increase, placing a greater onus on organisations to devote significant time and budget to ensure compliance. Similarly, thorough Identification and Verification (ID&V) controls must be established, which must be able to adapt to meet the changing needs of society and counter new risks as they arise. Proactive fraud analysis must drive continuous changes to how digital identity is established through the evolution of digital ID&V approaches, leveraging intelligence gained to keep a step ahead of individuals intent on malicious breach and impersonation attempts.
Historically the level of security applied to digital identity has been weak, but now armed with a greater understanding of the associated risks based on experiences to date, identity providers can apply learnings to provide far stronger assurance and controls.
The UK Government has published a Good Practice Guide (How to prove and verify someone’s identity – GOV.UK (www.gov.uk), providing detailed guidance on when, why and how to check an individual’s identity, including guidelines on the assessment of the evidence presented and how to determine the level of confidence that the person presenting is a valid match. Separately the UK Department for Digital, Culture, Media and Sport (DCMS) has been establishing a digital trust and attributes framework which is intended to “create a clear framework of rules which show what ‘good’ digital identities look like”. Both of these initiatives clearly illustrate the commitment by the UK Government to the importance of establishing reliable and assured processes to verify identity, and recognise the demand and need at this time.
These guidelines reflect the key principles of how to reliably determine and validate an individual’s identity, which is formed on the key tenets of multi-factor authentication (MFA), namely:
-
KnowledgeSomething the user knows. Examples include usernames, account numbers, passwords, secret data, or personal information. These factors on their own are often weak and at risk of compromise as they can be easily guessed or found.
-
PossessionSomething the user has. Examples include bank cards, smart cards, digital keys, USB devices and also known devices (e.g. mobile phones, tablets). Consideration should be given to how the device is tied to the individual to confirm identity, and also what capabilities the device has that can support ID&V e.g. mobile apps, device camera etc.
-
InherenceSomething the user is. Examples include different personal characteristics or traits, typically through biometrics or predictable unique behaviours.
-
LocationSomewhere the user is. MFA was traditionally comprised of the previous 3 factors but can be extended to include user location. Examples include an expected geographic location indicated by GPS or a specific expected computer network
Good practice indicates identity should be established using a combination of factors to increase security and reduce the likelihood of compromise through fraud. A typical approach for verifying a user accessing a website might include prompting for entry of a valid username and complex password correctly, and then submitting a one-time passcode (with an expiry timeframe) that is delivered via SMS to a registered mobile device.
Historically identity verification has been performed using one or both of the Knowledge and Possession factors, however, the maturing of technology to support biometric authentication and provide location details of an individual, means the other factors can be more widely used. The higher potential for compromise of Knowledge factors means the use of biometrics as an alternative is preferable, subject to best practice being followed.
Biometric security is becoming increasingly prevalent and more widely accepted in society, with the initial use of fingerprints and more recently facial recognition on many smartphones to supplement traditional password/PIN security. The reliability and widespread international use of facial recognition with ePassports at Border Control suggest its use will continue. Other forms of biometric verification such as voice recognition, iris recognition and behavioural biometrics have not yet managed to gain widespread adoption, but the need for multiple form factors to increase security and assurance would suggest this is just a question of time.
In the fourth and final part in the series, we will discuss the opportunity to use biometric solutions, key considerations to implement a well-rounded digital identity solution, and what the future holds. Read part 4 now.
Read The Rise of Digital Identity Part 1: An Introduction.
Read The Rise of Digital Identity Part 2: The Changing Landscape of Digital Identity.
