Digital ID evolution has reached a critical point and we’re on the brink of full digital ID adoption becoming a reality. But there are still ten of thousands of organisations across all sectors that haven’t even begun to consider the adoption of digital ID. When they do they must understand what ‘good’ digital ID looks like.
Nick Mothershaw is Chief Identity Strategist at the Open Identity Exchange (OIX). Having worked against fraud and with regulations for over a decade and a half at Experian before moving to OIX, Mothershaw is very well placed to explain how digital ID can help organisations stop fraud and improve security. Amongst many achievements, Mothershaw led Experian’s development, launch and operation of a full “Identity as a Service solution”, which included ID proofing to a defined Level of Assurance and strong credential management.
With all this in mind, Mothershaw explains why organisations need to understand that digital ID adoption is a massive priority now:
A perfect nexus of conditions for a digital ID reality.
- Covid-19 forced organisations across the globe to rapidly progress their digital transformation programmes, whether they were ready or not. It proved to be a breaking point for many that weren’t prepared. And it’s thrown a more urgent focus on the need for organisations to confidently and securely ensure customers are who they say they are during digital transactions and interactions.
- The availability of digitally presentable credentials has increased significantly from various places and forms. It’s not just passports and driving licences. The NHS vaccination certification can now be presented electronically in the NHS app. Open Banking has also introduced banking information into this eco-system enabling people to prove who they are as well as their financial status.
- Biometric technologies have matured. Providing a unique identification of an individual, biometrics match success rates are now at commercially acceptable levels. Already standard in many aspects of people’s lives (unlocking phones), airports are increasingly using biometrics to authenticate travellers against their identity documents in automated border control (ABC) systems.
- From a legal and regulatory perspective, digital ID use is already approved in anti-money laundering and terrorism regulation. And it’s quickly gaining recognition in other high trust areas. HM Land Registry recently adopted digital ID enabling people to prove who they are in property conveyancing transactions.
- Governments are creating Trust Frameworks. They’ll be crucial in enabling the various parties (users, service providers and ID providers) to trust each other. Trust Frameworks are a comprehensive set of rules for digital ID, including proofing, verification, security, technical standards, certification, liability and compensation.
In the UK, the OIX provided extensive feedback on what good trust frameworks should look like. The majority was adopted by the government in its latest version of its digital identity trust framework, providing clarity on the standards digital ID services will need to comply with to enable relying parties to trust them.
- In parallel, sector specific projects are actively pushing the adoption of digital ID in finance, house buying and selling, payments, pensions, employment vetting, age, travel and education.
- And technology giants are pouring billions into this space to make the move to full trusted digital transactions happen.
Why aren’t those who’ll come to rely on digital IDs moving just as fast?
Everyone’s talking about digital ID, technologies are ready and Trust Frameworks are being developed, but there’s still significant uncertainty about how it will fit in and how it will work. While there are many conferences on the topic taking place across the globe, they are exploring, addressing and solving problems around digital ID. They are not aimed at parties that have to think about the end consumers, manage their ID and what they can access. They need to understand what a ‘good’ digital ID looks like.
There’s a clear need for initiatives squarely aimed at this audience that will clarify the three key areas of uncertainty they have.
- Can digital IDs be accepted from a legal and regulatory perspective? This is a big question for organisations that will come to rely on it. They have confidence in their existing due diligence processes as there are clear regulatory rules and guidelines. With digital ID, however, the absence of regulatory rules, and the legal implications of establishing digital ID securely and retrieving the right information from it, means that relying parties are nervous.
That said, regulation is moving rapidly in the right direction. Trust Frameworks will play a vital role. Some areas are already there e.g. anti-money laundering. There are TISA projects looking at using AML for financial account opening across ISAs, mortgages and credit cards, while Home Buying and Selling Group is looking at it in property sales. The Home Office guidelines already approve the use of digital ID.
- Will fraud increase and who’ll be liable? Inevitably fraudsters will attack digital IDs, but will fraud levels be more or less than they are today? Organisations are currently responsible for their own front door, so liable for their losses. If it is outsourced to a digital ID provider that services many organisations, and fraud occurs, who’ll be held liable?
Digital ID brings with it multiple proofing methods and more robust authenticators (eg biometrics), making it more effective in mitigating fraud. Trust Frameworks will provide clarity around liability. The risk of fraud should be reduced with digital ID and there are many pilots underway that’ll soon provide the evidence needed.
- The business case – how much will it cost? The technology needed is affordable. The true benefit will be in the long run as the overall cost per user will come down. User success rates at the point of onboarding will increase as users have a ready-to-go trusted ID, enabling positive engagement both first time and when they return. Fraud rates will go down thanks to strong ID proofing and robust authenticators. Compliance will be simpler and more achievable. User experience will improve dramatically, reducing the risk of loss. And it will enable a smooth shift to digital.
Conclusion
The UK Trust Framework is close to being complete. The EU’s eIDAS regulation is evolving to ensure all citizens can have a Digital ID wallet. Stakeholders across the globe are coming together to make it happen. Organisations not preparing for the adoption of digital ID now will find themselves scrambling to catch up as they face a very real and urgent risk of getting left behind.
