
Digital Identity: The Key to Privacy and Security in the Digital World

Wednesday, September 7, 2016
Irving Wladawsky-Berger

From time immemorial, our identity systems have been based on face-to-face interactions and on physical documents and processes.  But, the transition to a digital economy requires radically different identity systems.  In a world that’s increasingly governed by digital transactions and data, our existing methods for managing security and privacy are no longer adequate.  Data breaches, identity theft and large-scale fraud are becoming more common.  In addition, a significant portion of the world’s population lacks the necessary digital credentials to fully participate in the digital economy.

Last month, the World Economic Forum (WEF) published an excellent report, A Blueprint for Digital Identity.  The report lays out a framework for the creation of digital identity systems, discusses the benefits that these systems would bring to their various stakeholders, and argues that financial institutions should lead their development.  It also includes a primer on identity, which clearly explains what identity is all about.

Identity plays a major role in everyday life.  Think about going to an office, getting on a plane, logging in to a website or making an online purchase.  Although identity is all around us, we generally pay little attention to our identity credentials unless something goes wrong.  But it's a highly complex and interesting subject, and I found the report very helpful in understanding it.  Let me summarize some of what I learned.

“Why is identity important?" the primer asks.  “In an increasingly borderless and digital world, privacy and security cannot be ensured through the construction of walls around sensitive information. Identity is the new frontier of privacy and security, where the very nature of entities is what allows them to complete some transactions but be denied from completing others.  To understand the importance of identity and the criticality of strong identity protocols that protect against cyber-risk and suit the needs of transacting parties, it is essential to understand what identity is, and its role in enabling transactions.”

What is identity?  Whether physical or digital in nature, identity is a collection of individual information or attributes that describe an entity and is used to determine the transactions in which the entity can rightfully participate.  Identities can be assigned to three main kinds of entities:

  • Individuals, the entity we most associate with identity;
  • Legal entities, like corporations, partnerships, and trusts; and
  • Assets, which can be tangible, e.g., cars, buildings, smartphones; or intangible, e.g., patents, software, data sets.

The identity for each of these entities is based on all its individual attributes, which fall into three main categories:

  • Inherent : “Attributes that are intrinsic to an entity and are not defined by relationships to external entities.”  Inherent attributes for individuals include age, height, date of birth, and fingerprints; for a legal entity they include business status - e.g., C Corporation, S Corporation, LLC - and industry - e.g., retail, technology, media; and for an asset they include the nature of the asset and the asset's issuer.
  • Accumulated :  “Attributes that are gathered or developed over time.  These attributes may change multiple times or evolve throughout an entity’s lifespan.”  For individuals these include health records, job history, Facebook friends lists, and sports preferences.
  • Assigned : “Attributes that are attached to the entity, but are not related to its intrinsic nature.  These attributes can change and generally are reflective of relationships that the entity holds with other bodies.”  For individuals these include e-mail address, login IDs and passwords, telephone number, social security ID, and passport number.

These attributes enable entities to participate in transactions, by proving that they have the specific attributes required for that particular transaction.  For example, to buy alcohol, individuals must prove that they’re over the legal drinking age; to vote, they must prove that they’re over the legal voting age, are citizens, and reside in that jurisdiction.

An identity system generally includes four key roles:

  • Users . “Entities for which the system provides identity, for the purpose of allowing them to engage in transactions”
  • Identity providers . “Entities that hold user attributes, attest to their veracity and complete identity transactions on behalf of users”
  • Relying parties. “Entities that accept attestations from identity providers about user identity to allow users to access their services”
  • Governance body . Entity that “provides oversight for the system and owns the operating standards and requirements” 

Let's illustrate how an identity system works using passports as an example.  Users are the individuals asked to present their passports as proof of identity to enter a country or open a bank account; the identity provider is the government of the user's country, which issues the passport; the relying party is the entity that accepts the passport, trusting the issuer and verifying that the passport is valid and that the bearer is its true owner; and the governance body consists of the international agreements among passport agencies and the passport standards agreed to by the International Civil Aviation Organization (ICAO).

The report notes that, “The fundamental concept, purpose and structure of identity systems have not changed over time, while methods and technology have made huge strides forward… A digital identity system has the same basic structure as a physical identity system, but attribute storage and exchange are entirely digital, removing reliance on physical documents and manual processes.”

Five key trends are driving the need for digital identity systems:

  • Increasing transaction volumes . “The number of identity-dependent transactions is growing through increased use of the digital channel”
  • Increasing transaction complexity .“Transactions increasingly involve very disparate entities without previously established relationships,” e.g., cross-border transactions
  • Rising customer expectations . “Customers expect seamless, omni-channel service delivery and will migrate to services that offer the best customer experience”
  • More stringent regulatory requirements . “Regulators are demanding increased transparency around transactions,” requiring greater accuracy and protection of sensitive identity information
  • Increasing speed of financial and reputational damage . “Bad actors in financial systems are increasingly sophisticated in the technology and tools that they use to conduct illicit activity, increasing their ability to quickly cause financial and reputational damage by exploiting weak identity systems.”

In general, a digital identity system consists of multiple layers, each of which serves a different purpose.  The WEF report identifies six such layers:

  • Standards - Standards must govern the overall operation to avoid consistency and coordination issues
  • Attribute Collection - The necessary user attributes must be accurately captured, stored and protected
  • Authentication - Mechanisms must be provided to link users to attributes to avoid inconsistent authentication
  • Attribute Exchange - Mechanisms must be provided for exchanging attributes between different parties without compromising security and privacy
  • Authorization - Proper rules and relationships must be applied to authorize what services users are entitled to access based on their attributes
  • Service Delivery - Users must be provided with efficient, effective, easy-to-use services
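To make the attribute-based transactions, the four roles of the passport illustration and the Attribute Exchange and Authorization layers concrete, here is an added example in Go.  It is written for this page and is not code from the WEF report or from the original post.  An identity provider holds user attributes and signs attestations of claims derived from them; a relying party runs the passport-style check (trusted issuer, valid signature, issued to it for this challenge, not expired) before applying its own authorization rule.  The issuer and relying-party names (gov.example, bar.example), the claim syntax ("age>=21", "resident=NY"), the sample user and the fixed clock are all assumptions made for the example; the exchange uses Ed25519 signatures over canonical JSON from Go's standard library.  The example assumes the provider has already authenticated the user (the Authentication layer) and that the relying party obtained the issuer's public key from the governance body's trust list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)
// Attestation carries only the yes/no claims a transaction needs (never the raw attributes), bound to one
// audience and one challenge (no replay) with a short expiry; signed as canonical JSON (Go sorts map keys).
type Attestation struct {
	Issuer, Subject, Audience, Nonce string
	Expires                          int64
	Claims                           map[string]bool
}
type IdentityProvider struct { // holds each user's attributes and attests to claims derived from them
	Name  string
	priv  ed25519.PrivateKey
	Users map[string]map[string]string // subject -> attributes such as "dob", "citizen", "resident"
}
// derive evaluates "age>=21" or "resident=NY": the relying party learns the answer, not the record.
func derive(attrs map[string]string, claim string, now time.Time) (bool, error) {
	if strings.HasPrefix(claim, "age>=") {
		years, err := strconv.Atoi(claim[len("age>="):])
		if dob, perr := time.Parse("2006-01-02", attrs["dob"]); err == nil && perr == nil {
			return !now.Before(dob.AddDate(years, 0, 0)), nil
		}
		return false, fmt.Errorf("cannot evaluate %q", claim) // bad number or no stored birth date
	}
	if key, val, ok := strings.Cut(claim, "="); ok && val != "" {
		return attrs[key] == val, nil // an attribute the provider lacks is simply not attested
	}
	return false, fmt.Errorf("malformed claim %q", claim)
}
// Attest answers a relying party's request; an unknown subject has no attributes, so every claim fails closed.
func (idp *IdentityProvider) Attest(subject, audience, nonce string, claims []string, now time.Time) (payload, sig []byte, err error) {
	att := Attestation{Issuer: idp.Name, Subject: subject, Audience: audience, Nonce: nonce,
		Expires: now.Add(5 * time.Minute).Unix(), Claims: map[string]bool{}}
	for _, c := range claims {
		if att.Claims[c], err = derive(idp.Users[subject], c, now); err != nil {
			return nil, nil, err
		}
	}
	payload, _ = json.Marshal(att) // cannot fail for this struct
	return payload, ed25519.Sign(idp.priv, payload), nil
}
// RelyingParty trusts listed issuers (the governance body's trust list) and maps each transaction to required claims.
type RelyingParty struct {
	Name    string
	Trusted map[string]ed25519.PublicKey
	Policy  map[string][]string
}
// Authorize is the passport check: trusted issuer, untampered, issued to us for this challenge, unexpired, then the rule.
func (rp *RelyingParty) Authorize(payload, sig []byte, transaction, nonce string, now time.Time) error {
	var att Attestation
	if err := json.Unmarshal(payload, &att); err != nil {
		return err
	}
	if pub, ok := rp.Trusted[att.Issuer]; !ok || !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("issuer %q untrusted or signature invalid", att.Issuer)
	}
	if att.Audience != rp.Name || att.Nonce != nonce || !now.Before(time.Unix(att.Expires, 0)) {
		return fmt.Errorf("attestation not issued for %s with nonce %s, or expired", rp.Name, nonce)
	}
	if len(rp.Policy[transaction]) == 0 { // an unknown transaction is denied, never allowed by default
		return fmt.Errorf("no policy for transaction %q", transaction)
	}
	for _, c := range rp.Policy[transaction] {
		if !att.Claims[c] { // a missing claim denies just like a false one
			return fmt.Errorf("claim %q not attested true", c)
		}
	}
	return nil
}
// Sample is constructed demo data; at the fixed clock alice (born 1998-01-15) is 18: may vote, may not buy alcohol.
func Sample() (*IdentityProvider, *RelyingParty, time.Time) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on supported platforms
	idp := &IdentityProvider{Name: "gov.example", priv: priv, Users: map[string]map[string]string{
		"alice": {"dob": "1998-01-15", "citizen": "US", "resident": "NY"}}}
	rp := &RelyingParty{Name: "bar.example", Trusted: map[string]ed25519.PublicKey{idp.Name: pub},
		Policy: map[string][]string{"buy_alcohol": {"age>=21"}, "vote_NY": {"age>=18", "citizen=US", "resident=NY"}}}
	return idp, rp, time.Date(2016, 9, 7, 12, 0, 0, 0, time.UTC)
}
func main() {
	idp, rp, now := Sample()
	nonce := "c0ffee" // a real relying party draws a fresh random nonce per transaction
	for _, tx := range []string{"buy_alcohol", "vote_NY", "open_account"} {
		payload, sig, err := idp.Attest("alice", rp.Name, nonce, rp.Policy[tx], now)
		if err == nil {
			err = rp.Authorize(payload, sig, tx, nonce, now)
		}
		fmt.Printf("alice %s: %v\n", tx, err)
	}
}
```

Note what the relying party never sees: it asks whether the subject satisfies "age>=21" and learns only a yes or no, not the date of birth, which is the privacy point of the Attribute Exchange layer.  Binding the attestation to the audience and to a per-transaction nonce is what stops a captured attestation from being replayed at another party, and both an unknown transaction and a missing claim deny rather than allow.  What the example leaves out is the third passport check, that the bearer is the true owner: binding the presenter to the subject (holder authentication) would be a separate step in the Authentication layer.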

The report argues that “Financial Institutions [FIs] are well positioned to drive the creation of digital identity systems,” citing three major reasons for its conclusion:  FIs already serve as intermediaries in many transactions; they’re generally trusted by consumers as safe repositories of information and assets; and their operations - including the extensive use of customer data - are rigorously regulated.

“FIs could derive substantial benefit from investing in the development of digital identity solutions,” the report further adds.  These benefits fall into three main categories:

  • efficiency, including process streamlining and automation, improved service delivery, better customer experiences, and reduced human error;
  • revenue opportunities from new products and services, including identity-as-a-service; and
  • new business models that would enable them to reach new customers beyond their existing core capabilities.
Digital identity technologies are increasingly intertwined with the evolution of blockchain infrastructures.  Along with A Blueprint for Digital Identity, the World Economic Forum released The future of financial infrastructure: An ambitious look at how blockchain can reshape financial services.  Blockchain technologies can play a major role in identity applications, as both an information storage and transfer mechanism, while digital identities are key enablers of blockchain-based applications in a variety of industries.  Going forward, the two have major roles to play in the historical evolution toward a 21st-century digital economy.

This blog first appeared on Aug. 29, here.