Whether operating as an employee, consumer or citizen the lines between our physical and digital lives continue to blur. Organizations are under more pressure than ever to know with whom they are doing business. From a consumer/citizen perspective, possessing some form of digital identity is increasingly a pre-requisite to able to access healthcare, financial services, government services, ecommerce and more.
It’s not hard to fathom a world where digital identity is foundational to social and economic mobility presenting significant regulatory, ethical and practical implementation questions. As well, digital identities pose new security risks including biometric identity fraud compromising an individual’s own unique genetic code and synthetic identity fraud where a new identity is created by blending the information of several different people. So, what constitutes a “good digital identity”? According to the World Economic Forum, there are five components of good digital identity:
- Fit for purpose – offering a reliable way for individuals to build and maintain trust as they interact digitally
- Inclusive – enabling everyone to be able to establish and use their digital identity, free of discrimination
- Useful – being easy to establish and use across a wide range of services
- Offers choice – empowering individuals to share what data they want to share with whom for what specific purpose
- Secure – protecting individuals, organizations, devices and infrastructure from bad actors
With password proliferation a not-so-distant memory, everyone is keen to avoid a similar situation with digital identities introducing the debate around centralized vs. decentralized approaches and the role governments can and should play. While a government-led centralized approach with a single source of truth could provide the most seamless user experience, it also represents a single point of failure and poses the risk of the state abusing its power. This approach also raises privacy and data protection concerns. Indeed, many citizens are uncomfortable with the balance of power shift towards the state with a centralized approach.
Decentralized identity offers the promise of more privacy and convenience with less fraud. As highlighted in our colleague Greg Wetmore’s recent blog for the Entrust Cybersecurity Institute, CIOs and CISOs are being challenged to make decentralized identity happen. Indeed, decentralized identity is gaining traction as evidenced by standardization forums including the Decentralized Identity Foundation and W3C Verified Credentials. There is great potential in the broad adoption of W3C Verified Credentials to accelerate digital identity trust and interoperability. In upcoming years, decentralized identity is expected to play a key role in several government initiatives like the EU Digital Identity program.
Regardless of the approach taken, ownership and control of digital identity information, especially across international borders, is a hotly contested topic – after all, who “owns” identity? The issuer, the data controller or the individual? In many jurisdictions there is a groundswell of support to have individuals be the owner and controller of their own identity information. One specific implementation of decentralized identity is self-sovereign identity (SSI) which is designed to give an individual or company more control over their digital identity, employing a digital identity wallet with identifiers verified using public-key cryptography and supported by a distributed ledger. However, while promising, SSI initiatives target very broad, non-specific use cases which is problematic. The rate of global adoption by the public and private sector, and ultimately the end users, will determine its real-world value.
Learn more about Identity Verification from Entrust.