Of all the changes that the global pandemic has brought to daily life, one of the most profound has been the rapid shift to digital experiences.
Face-to-face meetings have been replaced with video conferences, manual workflows have been automated, and a high proportion of retail transactions are now online. Trends that might have taken years to play out have occurred in just months.
Yet there is one part of the puzzle yet to be completed: digital identities. Key to ensuring personalised and streamlined user experiences, digital IDs are a fundamental element of online activity.
Unfortunately, however, proving identity in a digital world is still a work in progress. Often, individuals are simply handed a number of accounts and passwords and are then expected to make it all work. The concept of consistent, robust ID security remains elusive – and this needs to change.
Managing digital IDs
Interestingly, at present, third parties tend to have significantly more control over digital identities than individuals. A person may own their identity, but other parties own the verified records of their behaviour.
For example, telling someone that you have a million frequent flyer points doesn’t have as much validity as an airline saying you have those points. You may own your identity, and you might be able to make a claim that you’ve earned the points, but that assertion is more credible when you share the carrier’s record of your flight behaviour.
In this sense, external organisations have more control over identities than individuals do. Being able to self-declare is problematic, because the history and the information isn’t just about who an individual is, but also covers the relationships they have with each different organisation with which they interact.
Who owns your ID?
For many years, the notion of digital identity has often been expressed in the context of workforce identity, which is fundamentally different from customer identity.
This because you don’t own and control your workforce identity. You may “volunteer” yourself into an employment situation, but your digital identity gets granted to you via the credentials that get you into the network, a corporate email address, or some other identity feature. Your only control in that identity is choosing to stay employed at the company.
However, in the consumer world, just because you might choose to be forgotten from the customer system doesn’t mean that you disappear. Your digital identity, which exists in all of your relationships with companies today, persists beyond your relationships with those companies. Furthermore, describing someone as a ‘workforce user’ or as a ‘customer user’ is a company’s way of describing the person, not the individual’s way of describing themselves. You interact with governments, employers, and with companies you do business with, and there is currently no way to represent that long-lived identity in a digital sense.
The total picture of all your different activities exists somewhere in the digital exhaust of the identity management systems of all the organisations with which you interact. The question is how much of your digital identity do you control, what is its role in the evolving digital world?
An increasing pace of change
The issues around secure digital identities have been brought into sharp focus during the current pandemic because there is now often little choice but to make use of digital channels for interactions.
In many cases, the mobile phone has become one of the most powerful digital identity elements that can be used. This always-on, always-connected device can be unlocked with a biometric that’s not shared outside of the secure platform of the phone, and it is allowing individuals to have some empowerment in the execution of their own security.
The darker side of the pandemic, however, has been a solid, real-time exposure of the massive security fractures that exist, not just in individual, corporate or government infrastructures, but in the connection points between those organisations. This, unfortunately, has led to cases of identity theft that has had serious ramifications for those involved.
The upside is that, because the pandemic has led to an increase in the pace of change, solutions are being developed at a much faster rate now than they were just 12 months ago. Lessons are being learned and acted upon.
Shifting control to the individual
Any digital identity system is only as good as the level of assurance associated with verification. There might be strong authentication, behavioural analytics, real-time access control, and risk signals galore, but if they’re associated with the wrong user who first created the account, there’s going to be problems. This is why it’s important to get identity verification correct.
For this reason, moving control of digital identity to the individual will dramatically change current identity and access management systems. This is the most effective way to secure digital IDs and ensure they can only be used by the person they represent.
Taking this approach to ID management will ensure all individuals can make the most of digital experiences and services without sacrificing security. The goal of having secure IDs will have been realised.
