The future of digital identity


The pandemic has both highlighted the problem of the lack of secure digital identities and accelerated the search for workable solutions. With digital transformation, identity is now the fundamental element of cybersecurity. However, around the globe nearly 1 billion people have no legal form of identity, while another 3.4 billion have some form of identity but no digital trace. Also, there are several competing standards and approaches to digital identity, all trying to strike the right balance between privacy and convenience.

This lack of a commonly accepted approach to digital identity is a major impediment to global growth and creates the potential for an even greater divide between the haves and have-nots. From tech giants to standards bodies to governments, the race is on to find a solution that will see the market size for global digital identity solutions grow to $30.5 billion by 2024. However, the world is not moving at the same pace or in the same direction:

  • Framework of trust – This leads to cross-border concerns and interoperability challenges between domestic private and public service providers and identity systems in other jurisdictions. Here the technologies diverge from PKI (centralized) to blockchain (decentralized) with the common goal of providing a chain of trust.
  • Privacy policy – Compliance with privacy concerns varies greatly from country to country – GDPR, CCPA (California), LGPD (Brazil) and POPI (South Africa) are all examples of privacy laws that are fundamentally similar but differ in regulatory implementation.
  • Consumer confidence and self-sovereignty – Although done for the right reasons, complexity arises when regulations allow granular control by the identity holder. As an example, the European digital identity initiative will allow people to choose which aspects of their identity, data and certificates they share with third parties and give them the ability to track and monitor them.
  • Local legislation – Some countries mandate a human “man in the middle”, so deploying a fully automated digital identity system would require a change in legislation. France, Germany and Spain all require a human verification step by law.
  • Lack of consistency in identity definitions and trust levels – There is a need for more consistent international identity definitions and more granular levels of assurance (LOAs). Be it eIDAS, UK GPG 45, ISO/IEC TS 29003:2018, NIST 800-63A or others, none are aligned, leading to confusion and regionalized approaches to LOAs. Additionally, we expect KYC/AML requirements to be raised to higher LOAs, particularly as EU countries complete updating current national ID programs to include security in line with ICAO MRTD 9303 standards and the use of chip-based verification for issuance of digital IDs and verification.

Decentralized identity is gaining traction with many standards bodies, including the Decentralized Identity Foundation and the World Wide Web Consortium (W3C). And there is great potential in the widespread adoption of W3C Verifiable Credentials to facilitate the acceleration of trust and interoperability of digital identities. However, governments can hardly afford to fully replace what works today for the “promise” of a decentralized identity, making it more likely that they will experiment with one program after another, fueled by proofs of concept, while seeing the successes in the private sector, particularly in finance, modeling and banking, but at a higher level of identity assurance.

As of August 2020, governments around the world had adopted approximately 165 digital or partially digital identity schemes. In addition to Estonia, Singapore, Australia, New Zealand and Canada, there are already established examples of EU Member States with advanced digital ID programs with basic government leadership and/or support, including MitID in Denmark, FranceConnect and Italy’s public digital identity system (SPID). As mentioned, the recent European Commission directive obliges EU member states to provide citizens with a secure digital wallet. This sends a clear message that the EU intends to lead the digital economy and accelerate adoption to boost growth and competitiveness while empowering all citizens to participate and benefit. We expect EU governments to embrace the shift to digital credentials and the provision of citizen services. There are clear signs that the EU is moving towards a decentralized identity and that citizens will be given control over their own data sharing as a key principle.

From the tech sector, Apple has filed a number of patent claims related to “verified identity claims” and is taking a decentralized approach, announcing the company’s intention to control the presentation and verification of traditional forms of identity, such as driver’s licenses and passports, via the iPhone. And they had some early success with several US state governments. However, it remains unclear whether other governments, banks and corporations — particularly outside the US — will be willing to hand that power over to a tech giant. And how will consumers and citizens feel about Apple managing their digital identity and associated digital footprint? Then there’s the recurring challenge of interoperability—not everyone owns an iPhone and Apple isn’t known for playing particularly well with others.

While solving the problem of digital identity is a shared goal of governments and businesses around the world, the path to get there is less clear. Learn more about how Entrust enables trusted digital identities.

The post The Future of Digital Identity first appeared on the Entrust Blog.

*** This is a Security Bloggers Network syndicated blog from Entrust Blog written by Jenn Markey, Shelley Bryen. Read the original post at: https://www.entrust.com/blog/2022/01/the-future-of-digital-identity/
