Future Digital Identity Solutions

Background 

This is the fourth and final article in a Digital Identity series. The previous articles discussed the growing demand and importance of digital identity solutions, how the landscape for digital identity is changing, and the opportunities that are presenting themselves for digital identity to evolve. This final article looks at the opportunities for digital identity to evolve based on greater understanding, learnings from previous approaches and the availability of new technology. If you missed the previous articles they are linked at the bottom of this page.

Biometric Identity Verification

The use of biometrics to perform identity checks has been around for a long time; for example, law enforcement agencies use it to record fingerprints of suspects, and border control uses it to match facial images of people moving through airport security checkpoints. These scenarios are supported by specialist devices that capture large high-resolution images, increasing matching capability and confidence.

The advent of highly powered personal devices with increasingly sophisticated cameras, microphones and GPS capabilities has provided the opportunity for self-service identity checks that can support true multi-factor authentication across a range of different form factors. This has resulted in many companies (such as Jumio, Onfido and iProov) offering mobile apps and SDKs which provide document verification checks (e.g. passport and driving licence recognition and authenticity checks), facial capture and matching, and liveness checks (e.g. blinking, nodding etc.). This type of approach, coupled with additional data-based verification (e.g. passport validation, driving licence number checks, and verification of personal details such as name and address presence), provides strong digital identity-checking solutions.

Other companies in the market also support alternative biometric checks such as voice recognition, iris recognition, and even vein recognition. These can be used in combination with other authentication factors or alongside other biometric checks. For example, Monzo, the challenger bank, provides self-service account registration for new customers using a combination of national ID checks, facial recognition, and liveness checks, and also captures a voice footprint for subsequent verification checks. More recently, companies are also providing behavioural biometric solutions that can match an individual using attributes such as typing speed or mouse movement patterns, which provide a less intrusive and more seamless customer verification experience.

Biometrics as a form factor for digital identification provides stronger attribution to an individual due to its unique characteristics and is therefore less susceptible to impersonation, provided the means of capture is well controlled. To be effective, an individual must be matched with a high level of confidence and without error. This is in part subject to the error thresholds imposed that determine acceptance, which may give rise to false positives (where the subject has been incorrectly accepted) or false negatives (where the subject has been incorrectly rejected). An understanding of the trade-offs between these outcomes is therefore important, based on the organisation’s risk appetite in the context of what the user needs to do.
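The threshold trade-off described above can be made concrete with a small calculation. This is an added example, not code from the article or from any vendor it names; the matcher scores, action names and rate caps are all constructed assumptions.

```python
# Added example: how an acceptance threshold trades false positives for false negatives.
# All scores, action names and rate limits below are constructed for illustration.

# Similarity scores (0..1) from a hypothetical face matcher.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.66, 0.90, 0.79, 0.93]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.69, 0.30, 0.47, 0.74, 0.18]  # different person

# Risk appetite per action: the highest false-positive rate the organisation tolerates.
RISK_APPETITE = {"view_balance": 0.20, "change_address": 0.10, "high_value_payment": 0.0}


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate); scores >= threshold are accepted."""
    false_pos = sum(s >= threshold for s in impostor)   # impostors wrongly accepted
    false_neg = sum(s < threshold for s in genuine)     # genuine users wrongly rejected
    return false_pos / len(impostor), false_neg / len(genuine)


def threshold_for(max_fpr, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold keeping the false-positive rate within max_fpr.

    Taking the lowest qualifying threshold rejects the fewest genuine users
    while still meeting the cap. Returns (threshold, fpr, fnr).
    """
    # Error rates only change at observed scores; 1.01 rejects everything.
    for t in sorted(set(genuine) | set(impostor) | {1.01}):
        fpr, fnr = error_rates(t, genuine, impostor)
        if fpr <= max_fpr:
            return t, fpr, fnr
    raise ValueError("no threshold satisfies a negative false-positive cap")


def plan(appetite=RISK_APPETITE):
    """Map each action to the threshold and error rates its risk appetite implies."""
    return {action: threshold_for(cap) for action, cap in appetite.items()}


if __name__ == "__main__":
    for action, (t, fpr, fnr) in plan().items():
        print(f"{action:20s} threshold={t:.2f} false_pos={fpr:.0%} false_neg={fnr:.0%}")
```

On this constructed data, tightening the false-positive cap from 20% to 0% moves the false-negative rate from 0% to 20%. A real deployment would measure both rates on a much larger, held-out set of comparisons before fixing a threshold.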

In terms of what this means for digital identity, the use of biometrics can occur at different stages of a user’s digital interaction. As with any form of authentication, they must be verified against an authoritative known source.

Firstly, in terms of initially identifying and verifying an unknown individual for the first time, biometric verification can be used to support facial recognition against an authentic photo ID document, e.g. the photo of an individual on a passport or driving licence. Success for this initial process is subject to many factors surrounding the quality of the static image extracted and the selfie of the individual. This can be mitigated by performing quality checks as part of the process, or by using the stored high-resolution image on the passport chip if supported.

Secondly, once initial ID&V has been established, the individual can be prompted to provide additional biometric details which can be stored against their digital identity. This can include any biometric form factor, provided there is the capability to use it in the future for verification, e.g. a facial image, a voice recording of a standard phrase, an iris capture etc. Secure storage and management of special category data is critically important, and controls need to be established to ensure strict compliance needs are met. Once in place, an individual can quickly confirm their identity against the saved biometric. If necessary, this can be refreshed over time.

Correct use of biometrics in addition to document recognition as part of any identity checking is compelling: it allows for remote identification and verification without human intervention, reducing costs, providing an entirely self-service user journey and a fast and efficient experience. Success is heavily dependent on the technology options available and how they can meet the challenges inherent in the types of identity checks performed.

The Home Office published a Biometrics Strategy document in 2018, indicating their recognition of the use of biometrics for public sector services relating to law enforcement and security. Given the fast-moving nature of this space, it is expected this will adapt and evolve further over time.

Implementation Considerations

Several factors should be considered as part of any digital identity implementation in light of the new technology options available, to ensure a more robust and broader solution.

  • Ensure the digital identity recorded provides support for several authentication factors, allowing different identity challenges according to risk profile.
  • The make-up of digital identity should incorporate the characteristics and information that defines a person. This can be data elements (such as name, date of birth, unique assured identifiers, e.g. NI number) and characteristics (height, hair colour, eye colour, facial structure, voice, behaviour etc.).
  • Employ multiple identification challenges to validate an individual’s identity covering different authentication factors.
  • Consider the target audience, the likelihood of fraud being committed, and the impact of breach considering organisational loss and the gain for the perpetrator to inform choices.
  • Consider the best technology choices appropriate to the user base. Align to standards such as the U.S. National Institute of Standards and Technology (NIST) and the FIDO (Fast Identity Online) Alliance, and guidance such as the ID4D identification principles provided by the World Bank.
  • Aim for a proactive and personalised user experience that is seamless and transparent.
  • Ensure security is the top priority. Reliability and usability are also key and will affect user adoption and continued use.
  • Record metrics throughout the process to provide insights that enable continuous improvement and identification of unsatisfied edge cases that need to be addressed.
  • Use data-driven intelligence to allow any solutions to adapt in an automated manner and present additional identity challenges based on each scenario encountered.
  • Produce fraud analytics from metrics gathered to identify and address security concerns.
  • Consider how data sources can best be used to support identity challenges and provide enhanced levels of assurance and verification, e.g.:
    • Downstream data-based checks to validate knowledge-based responses and also to check facts from verified documents against authoritative sources.
    • Complete checks against available government data sets, e.g. Passport Office, Driver and Vehicle Licensing Agency, Electoral roll.
    • Perform further validation against trusted third party sources e.g. credit data, address verification etc.
  • Ensure data privacy laws are respected, considering cross-border and sovereignty differences, and regulation is met, e.g. GDPR.
  • Ensure data is secured, based on the type and classification of data being stored to support a digital identity, e.g. special category data. Data Privacy Impact Assessments should be completed with any risks and issues addressed.

It is important that careful planning and design thinking are applied to any digital identity solution to ensure it meets the key requirements of the use cases it must support. Given this is an area that is expected to evolve significantly over the next decade with the introduction of new technology and identity capabilities, any solution should be flexible and extensible to accommodate change.

The Future

Digital Identity is a necessity that allows people to transact and interact in what is now a fully online world covering personal and work environments. The COVID-19 pandemic has only accelerated this need and resulted in a faster and broader uptake across different demographics within the UK and Ireland.

The UK Government Digital Service (GDS) has initiated a multi-million pound project to deliver a native mobile app that will provide citizens with a ‘one stop shop’ to access services that span government departments. This will be designed to support mobile payments and scanning documents containing biometric chips and may be extended to incorporate forms of biometric authentication.

The Government has also established a set of new legislative measures. These include:

  • A new Office for Digital Identities and Attributes (ODIA) with oversight of the new identity and trust attributes framework, and accrediting organisations against a standard
  • Enablement of secure digital checks and identity verification by accredited organisations on behalf of public sector bodies
  • Sharing of data by public bodies through the legal gateway

This further demonstrates the Government’s commitment to an area that it sees as the future for digital citizen enablement, ensuring citizens are engaged with the right level of trust and assurance.

The future of Digital Identity will only continue to evolve at pace. Biometric technology and the devices which support verification will mature further, and solutions may emerge using other technologies such as blockchain to provide a distributed and decentralised digital identity model. Solutions will likely extend to other personal devices such as smart assistants (with use increasing significantly in the home), smartwatches and other wearables.

Data-driven intelligence and automation should underpin the digital identity solutions of the future. Analytics should be used to proactively mitigate risk, for example, by determining identification challenges according to the risk profile of an individual, and by analysing the outcomes of identification processes to further refine and strengthen solutions.

It is not inconceivable that before long, digital identity will be carried in person, with the individual, on a trusted device, and used to connect with the physical world to provide tailored real-world experiences relevant to their location and the context of what they are doing, e.g. recommendations and offers for preferred shops upon entry to a shopping centre where it recognises their presence.