Over the last two years, as the pandemic pushed more interactions onto fully digital channels, digital identity has attracted great attention from banking and financial players.
There are many initiatives, public and private, offering customers digital identities, i.e., systems that create and manage users’ personal information and simplify access to online services, so that users do not have to provide their own data every time. According to research conducted by the tech company HYPR, 78% of people had to reset a password they forgot in the past 90 days [HYPR Releases 2.5-year Password Usage Study | HYPR], while according to a Signicat survey, 63% of consumers have abandoned onboarding to financial service applications due to the amount of time needed [Signicat, “Digital Onboarding Playbook for Europe”].
There are at least six classes of digital identity providers:
1. Social Media providers
3. Financial Institutions or banks
4. Mobile network operators
5. Digital identity companies
6. Digital Identity networks
We are all acquainted with social identities, like Facebook Connect and Google Sign-in, which are very common on the Web, mostly where no sensitive information is requested. In many countries, like Sweden or Canada, banks are leading the way. As for mobile network operators (MNOs), they clearly have an established reach and long experience in customer relationship management. As of August 2020, 23 MNOs worldwide have set up a shared initiative, “Mobile Connect”, to make an authentication service available to users, while a further 11 are piloting it. Digital identity companies offer users the opportunity to create a digital identity through a registration process backed by existing ID documents (e.g., driving license, passport), social media identity, or other certificates, while at the same time increasing the security of these identities with biometric tools such as facial recognition. Finally, digital identity networks act as facilitators between identity providers and service providers, with the aim of creating large ecosystems where multiple identity and service providers can easily and securely exchange identity information depending on the use case.
In the opinion of the writer, despite the visible liveliness of the sector, some difficulties remain, of a technical and strategic nature, not yet fully resolved.
1. What is the best framework?
There are important government initiatives: NIST in the United States; the eIDAS regulation, currently under review, in Europe; and Aadhaar in India.
Just as Bitcoin has revolutionized finance by decentralizing it, the blockchain allows you to decentralize digital identity management; that is the Self-Sovereign Identity (SSI) world, the future of digital identities: an open, decentralized system based on cryptography. It is an innovation that, on the wave of Bitcoin and the blockchain, allows anyone to guarantee tamper-resistant digital identities without having to go through authorized identity providers, as is currently the case in the eIDAS framework.
SSI addresses the difficulty of establishing trust in online interactions. That is why many private initiatives, by foundations and consortia, were born to offer a single SSI framework, so far without achieving that objective. Indeed, even though the W3C released a “verifiable credential” standard at the end of 2019, we still have at least three ways in which issuers format claims and use cryptographic signature suites to sign the information and seal the credential.
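The mechanism behind this claim, a verifier checking a credential against the issuer's public key instead of calling an identity provider, is sketched here as an added example that is not part of the original article. The `did:example:` identifiers, the claim fields, the in-memory registry (standing in for issuer keys anchored on a ledger) and the proof format (Ed25519 over sorted-key JSON) are assumptions for illustration; this is not one of the W3C proof formats.

```javascript
// Added example: a simplified signed credential, not a W3C proof suite.
const { generateKeyPairSync, sign, verify } = require('crypto');

// Deterministic JSON (sorted keys) so issuer and verifier sign/check the same bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function issueCredential(issuerId, privateKey, subjectId, claims) {
  const credential = { issuer: issuerId, subject: subjectId, claims };
  const proof = sign(null, Buffer.from(canonicalize(credential)), privateKey);
  return { ...credential, proof: proof.toString('base64') };
}

// The verifier never contacts the issuer: it only needs the issuer's public key.
function verifyCredential(signed, registry) {
  const { proof, ...credential } = signed;
  const issuerKey = registry.get(credential.issuer);
  if (!issuerKey || typeof proof !== 'string') return false; // unknown issuer or no proof
  return verify(null, Buffer.from(canonicalize(credential)), issuerKey,
    Buffer.from(proof, 'base64'));
}

// Constructed sample data (hypothetical identifiers and claims).
const bank = generateKeyPairSync('ed25519');
const registry = new Map([['did:example:bank', bank.publicKey]]);
const vc = issueCredential('did:example:bank', bank.privateKey,
  'did:example:alice', { name: 'Alice Example', kycLevel: 'basic' });

// Holder re-serializes with a different key order: still valid.
const reordered = { proof: vc.proof, claims: vc.claims, subject: vc.subject, issuer: vc.issuer };
// A claim edited after issuance: the signature no longer matches.
const tampered = { ...vc, claims: { ...vc.claims, kycLevel: 'enhanced' } };
// Same content signed by a key the verifier's registry does not list for this issuer.
const rogue = generateKeyPairSync('ed25519');
const forged = issueCredential('did:example:bank', rogue.privateKey,
  'did:example:alice', vc.claims);

console.log(verifyCredential(vc, registry), verifyCredential(reordered, registry),
  verifyCredential(tampered, registry), verifyCredential(forged, registry));
```

The canonicalization step is where competing credential formats diverge in practice: two parties that serialize the same claims differently will compute different signatures, which is one reason a single agreed format matters.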
2. What technologies are used to be sure of the person’s identity?
A person’s identity is generated by relating three factors:
- the external appearance, which biometric devices can capture;
- one’s awareness of being an individual, and the memorization of facts about oneself;
- the registration, in a government registry, of specific information concerning the individual (date and place of birth, name, and surname).
The relationship between these three factors generates identity documents, which simultaneously contain personal information and a summary of the external attributes (condensed in the photo of the face).
Possession of an identity document usually becomes sufficient for the identification procedures required in everyday life; yet it is a practice jeopardized by the presence of a thriving market for false or stolen documents. In general, each of the three essential factors mentioned above can fail, as can the derivative factor, the credential. Indeed, you change as you age. You can change some external aspects (colored lenses, hair dye); severe brain damage can erase one’s memory. Finally, stateless people who escape from failed states risk no longer having any trace of the third factor of their identity.
No safety factor, taken in isolation, can guarantee a person’s identity: it is, therefore, necessary to build sophisticated verification processes capable of using multiple factors, with the risk of enormously burdening the user experience.
3. Nash equilibrium
Everyone is waiting to understand which format will have the best chance of winning: by doing so, they risk losing the ability to influence decisions or to adapt the technology to their specific needs. It is necessary to start carrying out tests in the real world to understand the real potential of many promising technological solutions. But this requires investments in research, with the risk of losing everything if the adopted standard does not prevail: a risk that not all operators are willing to take, or that perhaps only the largest can face, with the risk of maintaining the dominant position of Big Tech. One potential solution could be creating several business ecosystems, connecting digital identity providers, users, and all the components of the value chain. Although I am seeing several attempts in this direction, I am experiencing many difficulties with this approach: we still lack clear revenue models, and, consequently, it is hard to figure out how to share investment and maintenance costs.
4. Applications with bad UX
There are several applications on the market that are useful for managing digital identities in innovative frameworks such as Self-Sovereign Identity. Much like one another, they allow the user to interact with the DLT that keeps the cryptographic keys and, therefore, to receive and show digital certificates. At the moment, due to the lack of real use cases, many of these apps are struggling to win users and, therefore, do not receive the feedback they need to improve.
5. Many “nice to have” solutions, no killer applications
So far, I have experienced many experimental initiatives that never took off.
The problem they all shared was the same: the improvement in service was limited compared with the need to modify in depth the IT infrastructures of the companies that adopted them. That was especially true in the banking and financial sectors, where there is a long tradition of IT solutions to automate processes and assist analysts in their daily routines. Unfortunately, over the years, many layers of software have accumulated, making system integration extremely costly.
Guaranteeing the best level of cybersecurity while providing a smooth user experience comes at a high cost: sometimes paper proves safer and cheaper than biometrics.
6. A big Threat: Effective Government IDs
All the innovations in the world of identification, from biometric recognition to anti-fraud systems, are at great risk from the adoption of effective government IDs. Why should I have to scan the identity document and verify the selfie when I can use a digital ID issued by my country in high-security conditions? Certainly, we can imagine that governments are not immediately able to meet the challenge of security and usability and that it pays, at the moment, to have multiple systems competing. But until when?