4 Key Problems With Digital ID And Why We Need A New Approach

Digital identity is now much more than a way to authenticate someone to access a resource. Identity and access management (IAM) has matured into a more holistic and consumer-led model, driven by privacy, cybersecurity pressures and greater functional needs.

The services a consumer IAM system now must deliver require a new way of thinking about what a digital identity is and what functionality it has to perform.Organizations and the identity industry need to break out of the point solution mindset. A digital identity now needs to encompass an ongoing, dynamic way of representing an individual, and associated entities. The potential benefits of this are easier onboarding and confidence level assignment, better security and more control.

What is a digital identity when does an identity become a digital life? Are we just playing with words or is this technically achievable and needed?Here’s what I have learned over the years in designing ID services and why I believe that digital identity is more than just a way to authenticate someone to access a resource.

Build for a digital life

I am a practical person at heart. If I make a statement, I have a strong need to back it up with a practical application of the statement. So, when I use the term “digital life” and not “digital identity,” there is both method in my madness and a view of how to achieve that.

First, what do I mean by “build for a digital life”? Life is all about change: We are born. We become independent from our parents. Some people get married or find life partners. Some have children who then repeat the process. Sometimes we get serious health conditions. We grow old. We die.

A change is just an event and software can be very good at reflecting and responding to events. Rules can be applied to act on (be triggered by) an event. So, we need to build this capability into our digital systems. We need to reflect a life, and an identity is defined by a life history. If we create identity services that reflect life events, we add flexibility around areas, including know your customer (KYC), as we can build up knowledge about a person, over time. That brings a balance between ease of online registration and verifying a person to a high level of assurance.

Many will say identity is all about sharing data to do a transaction. It is that, but it can be and often is, much more. In the “more” comes real power in online transactions. Here’s an example of what I mean by digital life:

I have a disability, one that’s hidden and only comes out under certain circumstances. Recently, I tried to verify myself for an online account associated with a financial service. During the process I had to hold a passport and take a selfie at the same time. My hands (sometimes affected by the condition) would not stop shaking and, consequently, the process failed. I ended up with no account and the service lost my business.

Instead, the service could provide a lower threshold, one that encouraged me to engage with it and start a process. By doing so, I would not have left the platform before I began. The service could have offered a relationship based on a lower level of assurance. As time continued, I could build a relationship with the service, providing additional data when needed and at my own pace. The use of the service itself could provide behavioral data. Perhaps, the service could allow a guardian or notary to act on my behalf at some point. The service and the customer would end up with a more intrinsically tied relationship that could develop trust, over time, like we do in our real lives.

Of course, the counter-argument is that if you need a service you may need it immediately. The answer is to provide federation using the digital life service. While it may take time to build a robust digital life, once it reaches a certain level of assurance it could be very useful. Many other services could benefit from the robust authorization inherent in the “identity” expressed as an association of a person’s digital life.

What about the privacy of a digital life? Surely that will be open to exploitation. That is a fair question and does not have a single sentence answer. Privacy (and security for that matter) are key requisites for design consideration. A digital life will draw on behavioral as well as personal data. However, the very nature of services built to reflect a more realistic model of human interactions can also use behavior and other advanced computer techniques, like machine learning, to improve the security and privacy of the service.

What’s wrong with digital identity today

Our current attempts at digital identity systems are naïve. They are attempts at creating a digital version of a person. To do this, verification checks that look at things like identity documents and anti-fraud checks are often used to make sure the person is not a cybercriminal. If you pass, you get an ID.

There are four problems inherent in this static approach:

1. It’s hard to get a digital identity

One of the pushbacks that we see in the industry is that getting an online identity is hard, sometimes impossible. The UK Verify scheme had, at best, a 48% match rate (it had predicted 90%). One reason for this was the bar was set very high. You had to pass multiple checks to get to a level 2 assurance. The level 1 assurance bar was lower, but other hurdles were too complex to go into in this article.

The main issue with Verify and many similar services is that they do not reflect the demographic closely enough. It becomes onerous to go through the often-lengthy process to get an ID. Try doing it for an online bank account and similar issues occur. The trouble is, identity is not a static thing. There needs to be another way.

Trust, which is what successful online transactions are based on, is not an on/off switch. Trust can be a slow-burning fuse. Shutting the door on users who have not met the confidence levels of the service should never be the best-practice option. However, how you differentiate between a fraudulent user and a real person is where the clever stuff comes in.

If an identity system is built to the design remit of a digital life, we can put rules and structures in place that deliver on this more accurately. It can also empower the user by creating a stronger relationship, encouraging caretaking of online identity, rather than a throw-away attitude that comes from having to manage the many online accounts each of us have today (see problem area 3 below).

Folks like Cheryl Stevens and her team at the UK’s Department for Work and Pensions (DWP) are on the digital life trail. They recognize that identity is not an endpoint but a starting point.

2. Digital IDs are easily spoofed and insecure

We talk about building great relationships using digital identity. Well then, let’s do it properly. Synthetic identity is a growing and serious backward step for online identity. I mentioned in an earlier post about my concerns over the use of deepfakes to create hard-to-spot fraudulent IDs.

Placing emphasis on a digital life rather than a digital identity can help to make the use of deepfakes harder over time. Time is the keyword here. A digital life is something that has to persistently pass the muster over time. If it shows signs of unusual behavior, it can be flagged. The same goes for accounts that have been hijacked. The user can receive alerts about the changes in their ID. Does it represent their real-life events?

3.: You have to have an identity for every service you use

Research from Dashlane from 2017 says, on average, consumers have around 150 online accounts. This rings true for me. I struggle to manage my numerous online accounts; I forget I have others. Fraudsters use this fact to great impact. Phishing messages regularly pop into my inbox telling me about an account I have that needs updating. Most are illegitimate phishing, and I am at the point where legitimate account management is like walking the digital plank. Is the email real or spoof?

Many of these accounts are one-time use, too. The accounts stack up; they neither represent me nor are of any further use–wasted data open to abuse.

Build an ID service using a reuse model and you help solve this issue. This takes effort, but such services are being built now that federate existing identities, augment these IDs, and create a new identity that becomes part of an ongoing, developing life.

4. We are not sovereign

We need to be able to delegate digital identity to people we trust in the real world. Digital identity systems have struggled with this for both technical and legal reasons. An identity service must be able to accommodate a service that is flexible enough to handle others transacting on behalf of another.

This means being able to set restrictions over that delegated control, including revocation. This must be under both user control and the control of service admins. The finer details of this are simply not met by most current digital identity services. If you want to add in this level of control and build services that truly reflect times in a person’s life when they cannot go online (e.g., due to illness), then you have to have the ethos of a digital life not just a digital identity.

Perhaps this is summed up best by Phillip Sheldrake;

“Identities allow action and provide protection. If we cannot discover the perfect implementation of digital identity, the least we can do is to look beyond the boundaries of tech discussions and white papers, and learn more about the needs of people, the flows of nature, and the nature of boundaries.”

If you design and build for a digital life, issues such as synthetic identities can be dealt with by spotting patterns of behavior over time. Reusing existing IDs within that platform reduces the throw-away mentality of online identity. It also helps to build and develop a digital life over time.

A system that reflects the changes in our life history as we go through life can be built now. We have the tools such as identity APIs that can create complex data ecosystems to reflect changes in a person’s standing across time and space. It is a case of pulling it together, orchestrating the dance of technology to reflect life events. In doing so, it hardens the very nature of online identity and provides a natural antiseptic to fraud.