Exploring Digital Identity

This is the second article in a Digital Identity series. The first article presented the growing demand and importance of digital identity solutions, expedited by the exponential increase in digital interactions since the outbreak of the Covid pandemic, and the maturing of technology capabilities to provide more usable, accessible, and secure solutions. Part 3 looks at the opportunities for digital identity to evolve based on greater understanding and learnings from previous approaches and the availability of new technologies – read it here.

This article reflects the ‘changing of the guard’ and the next iteration of emerging identity solutions. These solutions build on lessons learned from their predecessors and provide a more inclusive digital approach by leveraging the increased choice of technology options available. The universal acceptance by society, business, and government of the need for digital identity solutions to enable fast, secure, and seamless interactions, has accelerated the need for progressive digital strategies that sit at the forefront of everyone’s immediate strategic plans.

Governments worldwide have had to embrace this changing landscape and accept that it is not ‘if and when’ robust digital identity is needed, but also to act on the immediate requirement to answer ‘how’ it will be satisfied.

Identity Foundations

An Identity is something that uniquely defines an individual, with a Digital Identity providing an online digital representation of this. It allows them to be Identified (the process of establishing an identity based on a set of credentials) and Verified (the process of confirming that the person presenting matches that identity). An ID is a tangible representation of a person’s identity, typically a physical document such as a passport or driving licence, with a Digital ID being an electronic version such as a digital COVID-19 certificate. Therefore, an ID can be used to prove an individual’s identity as part of an identification process.

Historically approaches to determine a person’s identity have either been very manual (for example, a challenge to provide an account number, known personal details or present a national photo ID); or they have relied on specialist biometric devices such as those used by law enforcement agencies (e.g., to record a person’s fingerprints and be able to identify them at a later stage). These approaches have typically required an individual to present themselves in person. Alternative scenarios include call centres that rely solely on knowledge-based identification via a call operator or automated IVR and are more susceptible to fraud by impersonation where the details requested have been acquired. Weak passwords and secrets are easily compromised and unfortunately are representative of the security controls on many digital identity accounts.

The explosion of online services offered by commercial businesses over the last decade has been exponential, with online accounts for customers, a necessary means to allow them to transact and manage their details and data. Initial account identity services provided were basic, relying solely on a username and password combination, with varying levels of controls such as password complexity and password rotation. Weak controls have resulted in compromises with sites such as haveibeenpwned.com reporting over 11 billion hacked accounts to date. In many cases, mass identity breaches are a prime cause, even for well-known companies like Facebook.com where over 500 million subscriber records were exposed in April 2021. The implications of these types of breaches are highly significant for businesses, often resulting in brand damage and customer abandonment, and even financial penalties or compensation in some cases. As a result, businesses have been forced to react and have introduced stricter controls such as multiple knowledge-based checks to authenticate account identity and the use of multi-factor authentication, typically using a one-time password delivered to a registered mobile device.

Mirroring the private sector, UK citizens increasingly started to demand access to public services through online channels, which aligned to government digital initiatives to increase citizen self-service and reduce back-office administration costs. The lack of a central identity solution previously meant departments had to provide their own, to maintain momentum and meet their new digital objectives. The Government Digital Service (GDS) spearheaded the GOV.UK Verify initiative to address this challenge, with the aim of providing a single central identity solution where citizens could select an approved company to verify their identity to a required level of assurance.

After 5 years this service has failed on several fronts, including:

  • a reduction in available identity verification providers from 8 companies at the outset to just 2 companies that now remain
  • the late launch of the service in 2016 instead of a planned launch in 2012
  • a poor 47% success rate in verifying individuals (reported in Oct 2018)
  • a lack of coverage of edge cases where users have no access to technology or lack the required documentation from government, utilities, or financial institutions to provide verification

Whilst the GOV.UK Verify service has been extended for a further 2 years, this is a transition arrangement, and it is due to be replaced. Inclusivity must form a key part of any new solution which must aim to be accessible to the entire population.

Drivers for Change

The initial attempts at digital identity across both the public and private sectors provided crucial insights and learning into adaptations required for future solutions. The partial success of solutions like GOV.UK Verify has provided just the start of the journey and should be viewed as forerunners to inform the new solutions that are now emerging.

Robust and inclusive digital identity solutions that continuously adapt to meet the needs of both the organisation and its customers, must form a key pillar of any digital strategy. This was reinforced by Gartner who named Citizen Digital Identity as a top 10 Government technology trend for 2021. They acknowledge some of the Nordic countries as leading the field, with a high proportion of their populations utilising a digital identity to access online public services. Other countries by comparison have an inflexible culture that impacts citizen adoption, and Gartner states they must focus on governance, technology, and user experience to ensure a successful working model.

The regulation also represents a clear and ongoing challenge for businesses with the risk of fines being imposed for non-compliance. Acts such as the General Data Protection Regulation (GDPR) and the Payment Services Directive (PSD2) mandate strict compliance criteria relating to the handling of personal data and the need to enforce strong (multi-factor) authentication when processing financial transactions, both of which must be underpinned by robust and reliable digital identity as the gateway to secure data.

The recent COVID-19 pandemic has forced people to transact and work online without compromise. Restrictions imposed on movement outside of the home by the government have forced people to rethink how they live and work, resulting in an exponential increase in digital interactions, supported by a necessity for assured digital identity. The speed with which the pandemic has escalated has accelerated digital thinking for many organisations, bringing it to the forefront of their business agendas.

Robust digital identity is at the heart of any data-driven business and delivers concrete benefits, such as customer confidence and loyalty, better data privacy controls, improved fraud mitigation and fraud identification, and enables a more personalised and targeted customer experience.

 

The Emerging Picture

In a study conducted in 2019 by McKinsey, they estimated an economic value equivalent to 3% of GDP could be unlocked by extending full digital ID coverage in the UK. The ultimate goal to establish a single digital ID per individual would enable joined-up services across both public and private sector organisations and sharing of permitted data to provide a seamless and personalised experience.

Organisations must carefully consider how they will address key challenges to deliver new digital identity solutions, to meet the demanding needs of their customers, whether that is organisations or individuals. Consideration and importance should be placed upon:

  • The initial registration process to ensure an individual is correctly identified using assured facts to establish a known identity. This challenge increases with remote online registration.
  • The means of Identification (establishing a valid identity on record based on the credentials presented) and Verification (establishing that the person that presents themselves matches that identity). The challenges presented to a user should be within the context of the services they are accessing and meet the risk appetite of the organisation.
  • Managing edge cases to ensure inclusivity through a detailed assessment of user personas, and taking cognisance of individuals needs and circumstances.
  • Safeguarding against fraud through account impersonation or an account being compromised. The 2021 Fraud’s cape report by Cifas indicates increased identity fraud levels since the COVID-19 pandemic started, with numbers for the first 6 months of 2021 showing an 11% increase on the same period in 2020. The greatest proportion of identity fraud victims was in the 31-40 and 51+ age range, with the plastic card and banking sectors the most affected.

The desire to achieve a single identity vision across the UK government was initiated via the GOV.UK Verify programme but ultimately was unsuccessful. However, in March 2021, Julia Lopez MP set out a vision for a ‘One Login for Government’ aligned to the direction of the Government GDS Strategy to overcome the issues previously encountered. The new initiative will intend to provide a seamless customer experience that presents a unified set of Government services, regardless of the department that provides them, through a single digital identity. This will be underpinned by a new ‘UK Digital Identity and Attributes Trust Framework’ that sets out the core principles and provides the basis for identity verification. The cross-government collaboration will be critical to the success of this initiative, to ensure identity requirements are met consistently and inclusively, but also to provide an enhanced and personalised experience for the individual.

Similarly in the private sector, demands for online identity verification have never been greater. Businesses in the UK and worldwide largely operate independently with citizens maintaining numerous account credentials to manage separate online accounts, with no concept of a single central digital identity. Individuals are faced with the challenge of setting up many different accounts, with the same personal details (name, address, bank details). Very often approaches to account management and choice of credentials is poor, with the reuse of passwords common, and weak passwords selected for ease of recall. Identity providers such as Google and Facebook provide federated identity verification, but there remains a level of scepticism and lack of trust over the intentions of these types of companies. The challenge of establishing a single central identity for online personal use that transcends private sector services is yet unresolved.

What is clear is that we have reached a significant turning point in the evolution of digital identity, but we are by no means at the end. The nature of digital security means companies will need to continuously adapt and aim to stay one step ahead of malicious attempts to compromise identity.

The gradual maturing of biometric technologies and devices to support them provides new opportunities to extend digital identity and identification processes to utilise much more unique personal characteristics that may be harder to breach, yet also require a level of sophistication to provide confidence and assurance in their capability. New disruptive technologies such as Blockchain which can support a decentralised digital identity capability, may provide one type of digital identity solution for the future.

The final article in this series will explore some of these new technologies, how they have evolved over recent years and their applicability for the digital identity solutions of the future.

Read part 1 The Rise of Digital Identity: An Introduction.
Read part 2 The Rise of Digital Identity: Opportunities for Digital Identity Evolution.

You can find out more information about Version 1’s Digital Services here.

About Version 1

As the chosen Digital transformation provider of central governmental departments, local government authorities, leading energy companies and major retailers – the impact of Version 1 digital solutions is evident at scale across multiple industries. We are leading the charge in empowering our public and private sector customers to become recognised as digital leaders.