Insights on Digital Identity

Introduction

The next time you set up a new mobile app and you choose the option of signing up via one of your social media accounts, you are providing an answer about who you are by referencing a pre-existing identifying document (in this case, a digital one). Similarly, when you open an account with a bank for the first time and the institution asks to see your passport or driver’s license, you are certifying who you are by reference to pre-existing identifying documents (in this case, physical ones) issued by a government.

As twenty-first century consumers, we are now so used to asserting our identity every time we register for yet another online service or app that we rarely stop to consider how complicated our individual collections of identities have become: from identities certified by government paper, to identities linked back to social media profiles, to identities thought up on the spur of the moment (“what was my username and password for that music app I tried out last year?”), there’s an awful lot of “versions” of each of us out there.

Digital identities based on social media profiles are convenient for users, but because such profiles are self-created, they are wholly unsatisfactory for doing business when significant value or risk is involved: you’ll never be able to buy a house using only a social media profile to identify yourself and take ownership. But more authoritative, government-issued identifying documents are typically physical, which means you have to travel to the site of the business transaction in order to present your identification and be visually authenticated – a requirement that undermines the digital economy’s promise of fast, seamless, convenient, and secure transactions that can be conducted through any channel.

“33% annual growth in identity theft”

The problem is worse than that, however, because insecure methods of identification open the door to both identity theft – the incidence of which has been growing at an average of 33% a year over the past three years – and identity fraud, which is now regularly costing Canadian businesses more than $200 million per year.*

Canadians need to be able to do business with, and register for services from, not only Canadian organizations but international ones too – and they need to do so without worrying about their security. With so much of our economy now reliant on digitally-based transactions – and with this proportion growing continually – it is essential to address these problems now. Reaping the full benefits of a twenty first century economy will only be possible if we create digital identity and authentication methods for Canadians that are highly secure, ubiquitous, and convenient.

*Source: Canadian Antifraud Centre; values scaled up from reported numbers based on CAFC estimate that the reported numbers are roughly 5% of total ID theft, fraud and fraud losses

Trusted Brand

Because an identity is both deeply personal and foundational to important matters like wealth and access to services, widespread adoption by individuals and even organizations will depend not only on the technical capabilities of a particular solution, but also (and likely even more so) on the general level of trust a solutions provider has been granted.

A truly successful and durable identity and authentication solution will be one offered under a brand that has already earned the trust of Canadians by providing secure and reliable services in related areas over a long span of time. Indeed, even the development of the solution itself will be enhanced if led by a trusted brand, because marshalling technical partners and engaging with and leading numerous stakeholders are activities best accomplished by organizations with strong track records and reputations as effective collaborators.

User Control & Convenience

A successful identification and authentication solution must be based on core values of user control and consent. Users must feel fully confident that their personal information is their own property, and that only with a user’s express permission will an organization or service be able to obtain, use, and/or store the user’s information and attributes.

Likewise, a security technology that is difficult to use is one that will not be used by many people, so it is critical to design security with convenience as one of its core attributes. Fortunately, our experience in working with financial institutions to secure digital payments shows that a thoughtfully-designed system can be both highly secure and more than convenient enough for daily or hourly transactions. In building a digital identity infrastructure, it will be important to remember that security and convenience are not opposing criteria that must be “balanced” against each other, but partners in creating a successful system.

Ubiquity

As discussed earlier, at the moment we’re living in the opposite of a ubiquitous identity infrastructure: our physical documents are kept in wallets, pockets, kitchen drawers, safety deposit boxes; our digital identities are varied, disconnected, and distributed across tens or hundreds of databases owned by different organizations and businesses – and each digital vendor we do business with either demands fresh identifiers from us applicable only to their service, or relies on social media identities unsubstantiated by anyone but ourselves and invalid for any large-value or legally-binding transaction.

A ubiquitous infrastructure, by contrast, would eliminate this confusion and the many walled gardens of identity we have to navigate (so many walls to pass through, so many different keys in our pockets…) – and at the same time it would offer consistent access to all of the services, transactions, and agreements in our lives that currently require government-issued physical identification. Organizations would no longer have to choose between or invent their own ways of identifying and verifying customers or clients, and individuals would no longer have to create new identifiers out of thin air for every new service they engage with. The same methods would apply to everything Canadians use, and to everyone Canadians do business with.

Security via abstraction

A ubiquitous system, however, shouldn’t mean that Canadians are sharing digital versions of their birth certificates, drivers licenses, and passports with every organization that needs to identify them – and doing so would only increase the likelihood and impact of identity theft as these “foundational” documents (or their unique identifying codes) are transmitted to and saved by numerous parties over and over.

Instead, security should be enforced through data abstraction, replacing each person’s unique private identifiers (like a driver’s license number) with unique public identifiers that prove their identity without revealing any information about the foundational documents they possess. This process can be implemented through “tokenization”, a method that we use every day to secure transactions made wirelessly by mobile devices: a user’s real personal account number is tokenized, replaced by a randomly generated account number that a merchant can use to receive payment from their financial institution, but which has no value to snoopers who might intercept the data from that transaction. Likewise, an individual should be able to register for a service or prove their identity to conclude a transaction by using a tokenized identifier that can be treated with the same authority as that person’s foundational documents, but which is not vulnerable to identity theft.

Building with Standards

In order to ensure that any digital identity framework is widely adopted – and that ultimately it will be able to interact with identity frameworks set up in other jurisdictions – it is critical that it be built to support agreed standards developed jointly by industry and governments, like those set by the International Civil Aviation Organization for traveler identification devices and chips, or, with a broader scope, the Pan-Canadian Trust Framework* we’ve been helping to develop in partnership with the Digital ID & Authentication Council of Canada and its other members.

In this way, standards ensure not only that a framework is treated as common to all, but also that it is developed as a comprehensive solution to the identity and authentication problem, from one end of the process to the other. Moreover, by defining a set of mandatory requirements for any system, standards allow innovation to occur by creating incentives for various players to build additional functionality – a framework that everyone can use means that new offerings built for that framework can be used (and potentially purchased) by everyone too.

Openness

Just as standards are needed to ensure full adoption and encourage innovation, a successful system will be an open system – one that allows entrepreneurs and established vendors alike to invent new features and functionality for individuals, businesses, and governments in the knowledge that they’ll be able to plug their offerings seamlessly into the national identification and authentication framework. Because while standards are essential for ensuring that a system meets its most important requirements, it is openness that allows competition and innovation to build on that foundation, to adapt to an ever-changing marketplace, and to uncover what a system is ultimately capable of.

The Shape of a Solution

We believe that a secure and convenient digital identity and authentication solution, based on the above principles, is already within our grasp. There are three essential functions it will perform:

1. Create a foundational digital identity and supporting pieces

At birth or as a part of the citizen and immigration process, governments will continue to collect core personal and demographic attributes from a user, enabling the creation of a secure digital and authoritative record of identity at foundational levels (e.g. birth certificate, citizenship).

Tokenized credentials associated with the original authoritative record will then be issued to the user by a token service provider for everyday use at the supporting levels (e.g. driver’s license, passport, health and banking credentials).

2. Add contextual and behavioral attributes

Public and private sector entities may collect user attributes that relate to specific contexts or behaviours according to the business need, while private sector partners may aggregate those attributes, and manage the exchange of attributes and the permissions granted to users by their services only by obtaining the express consent of the user. This principle is fundamental to ensuring that personal information is always protected.

Relying parties will use the combination of tokenized credentials and/or attributes approved by the user for use by a given service. This activity will run back and forth between users and services on a secure set of “identity rails”, the operator of which will also provide services like identity confidence scores and the monitoring and management of identity fraud risk.

3. Authenticate and use digital identities

The “identity rails” operator will authenticate users on behalf of identity providers, enabling secure and trusted digital interactions and transactions. Identity attributes will be verified as required for a given level of assurance by the identity providers themselves, while additional private sector partners will provide products and services – such as biometrics and document authenticity – that bolster security.