The pandemic has both highlighted the problem of not having secure digital identities and accelerated the drive to find workable solutions. With digital transformation, identity is now the foundational element of cybersecurity. Yet around the globe, almost 1 billion people lack a legal form of identity while another 3.4 billion have some form of identity, but no digital trail. Plus, there are multiple competing standards and approaches to digital identity, each trying to strike the right balance between privacy and convenience.
This lack of a universally accepted approach to digital identity is a huge impediment to global growth and creates the potential for an even greater divide between the ‘haves’ and ‘have nots’. From tech giants to standards bodies to governments, the race is on to find a solution, with the market size for global digital identity solutions projected to grow to $30.5 billion by 2024. However, the world is not moving at the same pace or in the same direction:
- Trust frameworks – These create cross-border concerns and interoperability challenges across private and public service providers domestically, as well as with identity systems in other jurisdictions. The common goal is to provide a chain of trust, but this is where technologies diverge, from PKI (centralized) to blockchain (decentralized).
- Privacy regulations – Privacy compliance requirements vary widely from country to country. GDPR, CCPA (California), LGPD (Brazil) and POPI (South Africa) are all examples of privacy acts that are foundationally similar but differ in regulatory implementation.
- Consumer confidence and self-sovereignty – Although done for all the right reasons, complexity arises when regulations allow detailed control by the identity owner. As an example, the European Digital Identity initiative will enable people to choose which aspects of their identity, data, and certificates they share with third parties and allow them the ability to track and monitor.
- Local legislation – Some countries mandate a “human in the middle”, which would require a change in legislation to deploy a fully automated digital identity system. France, Germany and Spain all mandate a human verification step by legislation.
- Lack of consistency in identity definitions and assurance levels – There is a need for more consistent international identity definitions and more granular levels of assurance (LOAs). Whether eIDAS, UK GPG 45, ISO/IEC TS 29003:2018, NIST 800-63A or others, none are aligned, leading to confusion and regionalized approaches to LOAs. Additionally, we expect that KYC/AML requirements will be raised to higher LOAs, particularly as EU countries complete the update of current national ID programs to include security consistent with the ICAO MRTD 9303 standards and use of chip-based verification for digital ID issuance and verification.
Decentralized identity is gaining traction with many standards bodies, including the Decentralized Identity Foundation and the World Wide Web Consortium (W3C). And there is great potential in the broad adoption of W3C Verifiable Credentials to accelerate digital identity trust and interoperability. However, governments can ill afford to completely replace what works today for the “promise” of decentralized identity, making it more likely they will experiment with one program at a time, driven by proofs of concept, while modeling the successes in the private sector, notably finance and banking, but to a higher level of identity assurance.
As of August 2020, governments around the world had launched approximately 165 digital or partially digital identity schemes. Besides Estonia, Singapore, Australia, New Zealand and Canada, there are already well-established examples of EU member states having advanced Digital ID Programs with foundational government leadership and/or support including MitID in Denmark, FranceConnect and Italy’s public digital identity system (SPID). As mentioned, the recent directive of the European Commission mandates EU member states to provide a secure digital wallet to citizens. This sends a clear message that the EU intends to be a leader in the digital economy and accelerate adoption to increase growth and competitiveness while allowing all citizens to participate and benefit. We expect EU governments to embrace the shift to digital identity credentials and citizen service delivery. There is clear indication the EU is moving towards decentralized identity and that citizens will be put in control of their own data sharing as a key principle.
From the tech sector, Apple has registered a number of patent claims related to “verified claims of identity” and is pursuing a decentralized approach, foreshadowing the company’s intent to control the presentation and verification of traditional forms of identity like driver licenses and passports via the iPhone. And they’ve had some early wins with several US state governments. However, it remains unclear if other governments, banks and enterprises – particularly those located outside of the U.S. – will be quite so willing to hand over this power to a tech giant. And how will consumers and citizens feel about Apple managing their digital identity and associated digital footprint? Then, there’s the recurring challenge of interoperability: not everyone owns an iPhone, and Apple is not known to play especially well with others.
So, while resolving the digital identity conundrum is a common goal of governments and enterprises around the globe, the path to get there is less clear.