The Need for Identity Trust
For many types of transaction, digital or otherwise, organisations need to know who they are dealing with and what that person is able, or eligible, to do. The rise of identity theft means that organisations cannot rely on a person simply claiming to be who they are; independent verification and risk checks are required. Equally, genuine individuals may try to present false information about themselves in order to gain access to goods, services or environments for which they are not eligible. Examples of where trust is needed, and the risks to be mitigated, are:
How Organisations Establish Trust Today
Users interact with many different types of organisation online, for many different purposes:
Organisations providing services to users typically have their own tailored ID Solution that enables them to:
- Ensure that the user is who they are claiming to be. This is done on a risk mitigation basis and / or to a standard that is prescribed, usually on a per-sector basis (e.g. finance). Organisations often leverage external ID proofing, verification and risk services from evidence issuers or evidence verifiers to establish that the user is who they are claiming to be.
- Ensure the user is eligible for the goods, services or environments they are trying to access.
- Issue the user with organisation-specific authenticators to enable them to re-access the organisation on an ongoing basis (e.g. a username and password). The authenticators used are, again, usually determined on a risk-based approach, but increasingly also by sector-based regulation (e.g. PSD2 SCA for the finance sector).
- Manage the user’s privileges, accesses and entitlements within that organisation.
This model has a number of challenges for each party:
A better way of doing this - Digital Identity?
A Digital Identity may enable a user to provide trust in their identity to any organisation.
The Digital Identity can help organisations do two key things:
- Facilitate access to verified, trusted information about the user, known as attributes or claims, that is supported by evidence.
- Allow the organisation to trust that the user is who they claim to be.
A Digital Identity can help to enable a user to explicitly consent to or permit sharing of information about themselves that may be held digitally.
When a user interacts with an Organisation they can use their Digital Identity to provide access to verified attributes and evidence of who they are and/or what they are eligible to do. This may be by providing access to different elements of verified evidence, or by providing a level of assurance, based on collected evidence, that meets the needs of that organisation. The minimum amount of information required to fulfil the transaction should be provided.
For ongoing access to the Organisation’s services, instead of issuing each user with organisation-specific authenticators (e.g. a username and password), the organisation could choose to rely on a trusted Digital Identity.
The Digital Identity enables the user to prove who they are, to many different Organisations:
- The user’s verified personal information can be passed to each Organisation (with the user’s consent), saving the user from repeatedly entering the same personal information into different Organisations’ sites.
- The user does not need a logon and password for each organisation; their Digital Identity becomes their way to authenticate to all accepting organisations.
How Might This Market Evolve?
Firstly – this is likely to be an evolution, not a revolution. Organisations will move towards using Digital Identities over time.
- Some organisations might only use a Digital Identity from an identity provider to onboard the user, and will continue to issue the user with their own organisation-specific authenticators.
- Other organisations might move to fully embrace the use of Digital Identities for both account opening and ongoing account access.
- Whilst another set of organisations might not rely upon a Digital Identity at all, but may still work with the commonly agreed (or mandated) rules and standards applicable to their sector whilst continuing to issue users with their own organisation-specific identity. Drivers for this include brand protection, high-volume transactions and high-risk transactions. These organisations might choose to access the services of evidence issuers or evidence verifiers either directly or through a broker who offers access to these services.
Organisations may also still need their own ID Solution to manage the user’s privileges within that organisation.
Users may use an identity provider to create and manage their Digital Identity (1), or might create and manage it themselves (2) (although this will often be via some form of Digital Identity Wallet, where arguably the wallet provider is the identity provider).
An identity provider might allow a user to collect trusted evidence about themselves that they can then share with organisations. An identity provider may go further and establish a level of trust in the user to a level of assurance that the organisation then relies upon.
There may be multiple identity providers in a particular market. This may be enforced to ensure a competitive market, or driven by market forces alone and consumer choice. Or an ID market might be formed by a consortium of companies who already issue IDs to a critical mass of users, such as Banks or Telcos.
Organisations will not want to contract with, and separately interface to, Digital Identities from different identity providers, so brokers (3) are likely to emerge, who aggregate identity providers and / or evidence issuers into single services.
Evidence issuers offer two types of evidence: identity evidence and eligibility evidence. Evidence verifiers ensure that the evidence collected is genuine and belongs to the user, and also assess identity fraud risk. Organisations might choose to use a Digital Identity to access some pre-obtained and verified identity evidence for a user, then access other evidence issuers or evidence verifiers, directly or through a broker, for additional identity evidence or eligibility evidence.
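The roles described above (evidence issuer, evidence verifier, broker or wallet selecting what to release, and the relying organisation's assurance requirement) and the earlier principle of releasing only the minimum information a transaction needs can be made concrete in a small model. The following is an added illustration, not code from the original page or from any named scheme; the issuer names, claim names, key material and the integer levels of assurance are all constructed for the example, and HMAC stands in for the asymmetric signatures and trust lists a real scheme would use.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed issuer keys. In a real trust framework each evidence issuer would
# sign with a private key and verifiers would hold a published trust list; a
# shared secret is used here only to keep the example self-contained.
ISSUER_KEYS = {
    "passport-office": b"constructed-key-passport",
    "licence-authority": b"constructed-key-licence",
}


@dataclass(frozen=True)
class Claim:
    """One verified attribute about the user, attested by an evidence issuer."""
    name: str        # attribute name, e.g. "age_over_18"
    value: object    # attribute value
    issuer: str      # evidence issuer that attested the value
    loa: int         # level of assurance the issuer assigns to this claim
    signature: str   # hex HMAC over the canonical claim body


def _canonical_body(name, value, issuer, loa):
    # Deterministic encoding so issuer and verifier sign/verify identical bytes.
    return json.dumps({"name": name, "value": value, "issuer": issuer, "loa": loa},
                      sort_keys=True, separators=(",", ":")).encode()


def issue_claim(name, value, issuer, loa):
    """Evidence issuer role: attest a value and bind it to the issuer's key."""
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical_body(name, value, issuer, loa),
                   hashlib.sha256).hexdigest()
    return Claim(name, value, issuer, loa, sig)


def verify_claim(claim):
    """Evidence verifier role: is the claim genuine, i.e. signed by a known issuer
    and unmodified since issuance? Unknown issuers and tampered values fail."""
    key = ISSUER_KEYS.get(claim.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _canonical_body(claim.name, claim.value, claim.issuer, claim.loa),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, claim.signature)


@dataclass
class RelyingPartyPolicy:
    """What the organisation needs: attribute name -> minimum level of assurance."""
    required: dict


def release_attributes(wallet, policy, consented):
    """Broker / wallet role: release only the attributes the policy asks for,
    only if the user consented to each, and only from claims that verify at
    the required assurance level. Returns (ok, released, reasons)."""
    released, reasons = {}, []
    for name, min_loa in policy.required.items():
        if name not in consented:
            reasons.append(f"user has not consented to share {name}")
            continue
        candidates = [c for c in wallet
                      if c.name == name and verify_claim(c) and c.loa >= min_loa]
        if not candidates:
            reasons.append(f"no verified {name} claim at LoA >= {min_loa}")
            continue
        best = max(candidates, key=lambda c: c.loa)
        released[name] = {"value": best.value, "issuer": best.issuer, "loa": best.loa}
    # Attributes the policy did not ask for (e.g. date of birth) are never released.
    return (not reasons, released, reasons)


# Constructed sample wallet: more attributes than any one transaction needs.
SAMPLE_WALLET = [
    issue_claim("full_name", "A. Example", "passport-office", 3),
    issue_claim("date_of_birth", "1990-01-01", "passport-office", 3),
    issue_claim("age_over_18", True, "passport-office", 3),
    issue_claim("postcode", "AB1 2CD", "licence-authority", 2),
]

# Constructed relying party: an age-restricted service that also needs a postcode.
SAMPLE_POLICY = RelyingPartyPolicy({"age_over_18": 2, "postcode": 1})


if __name__ == "__main__":
    ok, released, reasons = release_attributes(SAMPLE_WALLET, SAMPLE_POLICY,
                                               {"age_over_18", "postcode"})
    print(ok, released, reasons)
```

Running the block releases `age_over_18` and `postcode` and nothing else, even though the wallet also holds the full name and date of birth; withholding consent for one attribute, raising the required assurance level above what the issuer attested, or altering a claim's value after issuance each causes the release to be refused with a reason the organisation can act on.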
The reliance on third parties to undertake identity services on behalf of an organisation means that contracts will be required between the different parties. All parties will need to work to commonly agreed rules and standards that meet the trust needs of different organisations.