The Future of Secure Digital Identity
As I’ve been discussing future trends and challenges with Chief Digital Officers and other execs recently, a common topic of discussion is digital identities. There’s a strong consensus that we need a new approach.
The fact is, we’ve been using the
username/password model of login authentication since the dawn of the consumer internet in the early 90s. Today, our way of making that old-fashioned approach more secure is to just layer a second form of authentication on top of that (generating a code that gets texted to your phone to confirm that it’s you, for example).
But none of that actually provides verification of legal identity. For example, to open a bank account you still need to go to the bank and show them paper (driver’s license, passport, articles of incorporation, etc). Once you do that they will open an account for you and give you a login, but they keep all the data for your account. And if you then open an account from another financial institution you have to show them the same set of paper documentation (and then they keep all the data for that account). Not very efficient, in the digital age.
Distilled all the way down, there are two problems with the digital identity model we currently use:
- There’s too much friction for consumers. In addition to the paper verification for legal identity described above, consumers hate having to remember usernames and passwords for all the different online services they use. Plus, there’s a growing awareness that letting corporations control your personal data is an inherent conflict of interest.
- Hacks happen. As soon as you turn your social security number, address, and credit card information over to a second party you are at risk of that second party being hacked , with potentially ruinous implications for you personally.
People much smarter than me have been working on this for a long time. OpenID, developed in 2005, is an open source distributed identity system supported by Google, Amazon, and many others (this what allows you to use your Google account to log into many 3rd-party sites and services). Similarly, Facebook has Facebook Connect. These have the benefit of making it easy for users to use one set of credentials in several different places, but the problems are:
- The user doesn’t really control their identity – Facebook or Google could terminate their account at any time and the user might be locked out of every other service.
- It doesn’t provide any legal proof of identity (you can’t open a bank account using Facebook as your legal proof of identity).
- Private companies have an ulterior motive – the reason Facebook offers Facebook Connect for free is that it helps them to collect more data about you which they can then monetize.
The approach being used in some countries is for a central government authority to issue digital IDs. India, for example, has a national identity database (Aadhaar) but there has been concern about leaks and/or hacking vulnerability when a centralized database run is by the government.
The emerging consensus on the best solution for us to move toward is something called Self-Sovereign Identity. The general concept is that people and businesses should be able to control their own identity on their own devices. They then provide that identity to those who need to validate it, without relying on a central repository. A public key/private key system would replace the current username/password. Your identity is “self sovereign” because you control it.
Authorities can then provide “attestation”. For example, you could pass a request to the DMV asking them to attest to the fact that you are over 21 and have a driver’s license. Once confirmed, that attestation is then attached to your digital identity. Now when you purchase alcohol online the merchant can see that the “over 21” flag is on and verified, without them actually getting your date of birth. So if the merchant is hacked, the hackers have no way of getting your date of birth and other common elements of identity theft.
How would such a system be built? Probably with a distributed ledger approach, such as Blockchain (I’ll save a discussion of these buzzwords for a future post).
As I said, people much smarter than me are working on this problem. Getting all the stakeholders to agree on a single approach is difficult (understatement).
But there is universal agreement that we need a way of having authenticated, legally-valid personal digital identities that are more secure, useful, consumer-friendly than the 25-year-old paradigm we have been using. Stand by, because it’s gonna happen.
– – – – – –
If you want to read more about this topic, I recommend this excellent overview of Self-Sovereign Identity and this very good history of the evolution of digital identity.