For many types of transaction, digital or otherwise, organisations need to know who they are dealing with and what that person is able, or eligible, to do. The rise of identity theft means that organisations cannot rely on a person simply claiming to be who they are; independent verification and risk checks are required. Equally, genuine individuals may try to present false information about themselves in order to gain access to goods, services or environments that they are not eligible for. Examples where trust is needed, and the risks to be mitigated, are:
Users interact with many different types of organisation online, for many different purposes:
Organisations providing services to users typically have their own tailored ID Solution that enables them to:
This model has a number of challenges for each party:
A Digital Identity may enable a user to provide trust in their identity to any organisation.
The Digital Identity can help organisations do two key things:
A Digital Identity can help to enable a user to explicitly consent to or permit sharing of information about themselves that may be held digitally.
When a user interacts with an Organisation they can use their Digital Identity to provide access to verified attributes and evidence of who they are and/or what they are eligible to do. This may be by providing access to different elements of verified evidence, or by providing a level of assurance, based on collected evidence, that meets the needs of that organisation. The minimum amount of information required to fulfil the transaction should be provided.
For ongoing access to the Organisation’s services, instead of issuing each user with organisation-specific authenticators (e.g. a username and password), the organisation could choose to rely on a trusted Digital Identity.
The Digital Identity enables the user to prove who they are, to many different Organisations:
Firstly – this is likely to be an evolution, not a revolution. Organisations will move towards using Digital Identities over time.
Organisations may also still need their own ID Solution to manage the user’s privileges within that organisation.
Users may use an identity provider to create and manage their Digital Identity (1), or might create and manage it themselves (2) (although this will often be via some form of Digital Identity Wallet, where arguably the wallet provider is the identity provider).
An identity provider might allow a user to collect trusted evidence about themselves that they can then share with organisations. An identity provider may go further and establish a level of trust in the user to a level of assurance that the organisation then relies upon.
There may be multiple identity providers in a particular market. This may be enforced to ensure a competitive market, or driven by market forces alone and consumer choice. Or an ID market might be formed by a consortium of companies who already issue IDs to a critical mass of users, such as Banks or Telcos.
Organisations will not want to contract with, and separately interface to, Digital Identities from different identity providers, so brokers (3) are likely to emerge, who aggregate identity providers and/or evidence issuers into single services.
Evidence issuers offer two types of evidence: identity evidence and eligibility evidence. Evidence verifiers ensure the evidence collected is genuine and belongs to the user, and also assess identity fraud risk. Organisations might choose to use a Digital Identity to access some pre-obtained and verified identity evidence for a User, then access other evidence issuers or evidence verifiers, directly or through a broker, for additional identity evidence or eligibility evidence.
The reliance on third parties to undertake identity services on behalf of an organisation means that contracts will be required between the different parties. All parties will need to work to commonly agreed rules and standards that meet the trust needs of different organisations.