Not too long ago, everything that could prove your identity was literally found at your fingertips. Fingerprints and signatures used to be a trustworthy component of your acceptance or approval – especially in matters concerning finance and law. As the world changes, most of our financial matters have moved seamlessly online. Our digital identity is lagging in terms of adoption but it is only due to the sensitivity of the matter at hand.
Digital identity is used in relation to two similar concepts: identity from a recognition stand point, and identity from an authentication and authorization view. The first, is our online presence: accounts, digital footprints, what we do online, who we connect with and what we provide in the digital world. The second, has more depth as it relates to sensitive data, financial but not only, being accessed through this identity. We will discuss more the second view.
Digital Identity is the data that uniquely describes a person or entity. It holds information about the person’s relationships and history. From a technical perspective digital identities are part of a network that is used for identification in digital transactions, with electronic devices being the entry points to this network.
In its core it can be seen as the combination of key and entry codes, that opens doors in the digital world. Its security and uniqueness should at all times allow the network to validate and provide access to a “room” for a specific digital entity.
Trusting the link between the real and digital identity is the first priority of today’s efforts. Centralized models are being used to validate this identity combination, and to prove a virtual person is indeed the same person in real life. The more value an identity has access to, more effort and work is required to validate and establish secure authentications for it.
Airbnb, one of the fastest growing tech companies within the last years, added an identity verification service. This was in response to trust concerns their users had.
For those unfamiliar with, Airbnb allows travellers to rent a room or an entire apartment online. As you either receive a stranger in your home, or stay at his, it only takes one security incident to cast doubt over the safety of this model. The company created a way to check and prove that users are “real people.”
And this is where the Digital Identity story begins.
Airbnb’s “Verified ID” service uses offline and online methods to ensure the user’s identity. There are two main features relevant in this scenario.
Offline validation is performed on a driver’s license or passport photo upload. Jumio, a third party company, handles the verification of these offline ID’s.
Online validation is achieved through Facebook or LinkedIn authentication. Users are asked to connect their account to Airbnb, and the company makes a brief analysis of the profile to ensure these are real. Consideration are: created date of the profile, account activity etc.
Last, the online and offline identities are matched and approved.
It is a fairly rigorous and extensive process, and there is little room for error, unless someone has carefully planned a fake ID and social profile for a longer period of time.
But the question remains from the user perspective, how safe is the data at this moment in time, as there are at least 3 companies that are used to verify and probably store personal information.
How should digital identity work?
Considering the Airbnb example, the best solution for the company and the user, would be to rely on a party or set of parties that are commonly accepted by both as trustworthy. While I have nothing against Jumio, I simply do not know them nor do I want to. Who I do know and trust with sensitive information though, is my bank. They already have all my physical ID’s and contact details, as well as a history of my financial transactions. They know if I am trustworthy or not.
I could login to Airbnb, in the verification service be redirected to my bank for authentication, and authorize the bank to confirm my identity to the company. No sensitive information is exchanged, and the bank would merely confirm that my name and email address from Airbnb, match their records.
Good solutions not yet gaining critical mass
In today’s modern economy, digital identity is mainly managed by a third party identity provider. These trusted entities store and manage personal identifiable information: address, date of birth, age validation or even a bank account number.
Ecommerce is one of the main areas where an identity can be used. Online vendors can validate identity information without actually accessing it. For example, if a transaction is performed where the consumer needs to be over 18 years old, the vendor can receive a positive or negative response from the party managing the consumer’s identity. If the user trusts the merchant with the birthdate for example, than the response can validate that his information is accurate.
Continuing on the ecommerce path, European Bank Association sets a new paradigm in their opinion whitepaper. Identity can be used to replace check-out procedures with a check-in procedure. This gives merchants a new sense of trust as users are already authenticated, and more opportunities to increase conversion rates. In the check-in model merchants already know that a consumer has the ability to pay, is allowed to purchase, and can enhance offers and experience on the website based on consumer’s preferences on other merchants for example. Delivery costs will also become more transparent through knowing the address of the consumer, and adding them from the start. If we have a digital ID managed by a bank, the payment process can again be as easy as authorizing the transaction directly with the bank.
Other use cases can be envisioned around credit rating, car insurances, document signing and approval.
Norway’s DNB bank has created a digital id (BankID) that is focused on online authentication and signing. Consumers can use this service across websites where the BankID is used. Returning to the original Airbnb use case, this is as close as we can currently find as a good example.
From a technical standpoint, the Dutch eMandates encompass both of the BankID’s functions but are used only in connection with one another. eMandates are authenticating the users and allowing him or her to sign a mandate already created in the system. Given a more open approach, The Netherlands might consider breaking eMandates into an authentication and document signing, which will allow for broader use cases, whilst maintaining the current modus operandi and considering mandates as one of many documents.
The Netherlands has though been also involved with ‘eHerkenning’ (e-Recognition) for some time now. Next steps in the Digital Identity for the country is a new solution based on existing ‘DigiD’ which will allow companies and public administration to verify someone’s identity, be it citizen or corporation. As part of this systems rebirth the government is looking at the bank’s two-factor authentication solutions, as identity providers.
Finally, mobile phone providers will probably integrate digital identity into phones and applications, as people increasingly begin transacting and requiring authorization on the go. M-Pesa in Africa is a solid example of funds being transferred wallet-to-wallet by non-banked consumers.
The importance of solid digital identity is key for the citizen and corporation of the future, be it in financial transactions or not. Using parties that are trusted by everyone as the central point for digital identity is key, but as blockchain technology is advancing, decentralized digital identity could become a feasible option.