Digital ID Jargon Explained
The identity industry, just like any another industry, loves to use its own specialist terms. This often causes confusion as every term with broad meaning may have a specific definition in the identity ecosystem. This list of terms and their identity industry meanings should help bring clarity in this space. More information on how the identity ecosystem works can be found in the OIX Guide to Trust Frameworks.
Issuer. An organization that can issue the user with a credential to store in their Digital ID and share with others. Many organizations can be issuers of credentials. This includes authoritative sources, such as government agencies or education establishments, as well as third parties who might digitize a paper version of a user's identity credential. Indeed, a digital identity itself might be empowered to issue credentials on behalf of the user, such as 'is the user over 18?'
Relying Party. The party who accepts the Digital ID from the user. When they accept the digital ID from the user, they are relying upon the trust that the digital identity conveys about the user or their credentials, thus the term relying party. Relying Parties (RPs), sometimes called Service Providers (SPs), are organizations that need to establish and maintain the identity of their customers, suppliers or partners. An RP can also be an organization that needs to verify an attribute of a person’s identity, such as a person’s age. Examples of RPs are banks, utility companies, telecoms operators, insurance firms, and local authorities.
Self Sovereign ID. An identity that is owned and controlled by the end user.
Decentralized and Centralized. Centralized ID ecosystems involve the storage of identity information in databases held by the identity provider. These centralized databases hold the identity data for many users at once. Decentralized ID ecosystems hold each users identity information seperately in a distributed manner.
Credential. A credential is something that helps show who the user is or what they are eligible to do. Examples of credentials include passports, driving licenses, education certificates, vaccination certificates, national ID cards, tickets, boarding passes and premises access cards.
Verifiable Credential. A credential that can be verified as being genuine and belonging to that user by reference to its issuer. Facts about a person's identity that are verifiable by an authoritative source, which is both independent and trusted. Facts provided by an individual to a recognised issuing authority must be checked and verified by them as a trusted source, prior to them issuing an official document. Once checked, credentials issued by the trusted organization can be consumed by other organizations as verifiable credentials.
ID Provider. Someone who provides the user with a software tool to manage their identity. Increasingly, these software tools are referred to as digital wallets.
GPG45. The UK standard for identity proofing and verification for individuals.
Hub Provider. Someone who allows a user to choose who their identity provider is and connects that identity provider with a relying party on behalf of the user.
Orchestrator. A provider of technical connections between relying parties and identity providers, often involving the user in identity provider choice via a hub.
Attribute. A piece of data that describes something about the user, such as their name, address, height, eyecolour, driving permissions, vaccine type, vaccination date...etc.
Claim. An unverified attribute associated with a user.
Verified Claim. An attribute that has been verified by an authoritative source as belonging to the user.
Electronic Attribute Attestation. An electronic collection of one or more attributes associated with a user.
Electronic Signature or e-Signature. A way to sign an electronic document. There are three types of e-signature: simple electronic signatures which allow traceability to the user but do not verify who the user is. Advanced electronic signatures which also allow traceability to the user with a more robust set of authenticators, but still do not verify who the user is. Qualified electronic signatures which include advanced authenticators, as well as confidence in who the user is. Please see the OIX publication Explaining Electronic Signatures for more information on this topic.
Wallet. A software tool that allows the user to gather, manage and share credentials. A wallet may operate on a user's device or in the cloud.
Data Minimization. Ensuring that only the minimum amount of data is provided by the user to the relying party to meet the needs of the specifc transaction. For example, knowing that the user is over 18, or is identity proofed to a required level, may be all that is needed to meet the needs of the relying party.
Selective Disclosure. Simular to data minimization. Only the attributes that are required to meet the needs of the relying party's transaction are disclosed from the user's Digital ID.
Zero Knowledge Proof. This is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true.
Frequently Asked Questions about Digital ID
Is data safer in a Digital ID?
A key approach to Digital ID is decentralization. This means the users data is not kept in one central database that may be vulnerable to attack. Instead, a distributed approach means the user’s data is kept in a protected format on the user's own device or in a user specific space in the cloud. In addition, Digital IDs are protected by robust authenticators, such as biometrics, ensuring only the genuine user can access their data.
Is the user in control of their data?
Always. The users own their data, consent to its release and can ask for it to be deleted at any time. Digital IDs operate within local data protection legislation, such as GDPR.
Who can access the data in a Digital ID?
The data in a Digital ID belongs to the end user. Only they can access and manage the data in their ID. Only they can agree to the data being released to other parties.
What if a user wants to move or delete data?
Digital ID ecosystems must work within data protection regulations and allow portability of data and deletion of data. Users should be able to permit the movement of their data from one identity provider to another.
What happens when a user updates their data in the Digital ID?
Firstly, the new data is validated and verified, so that it can be trusted by those the user shares it with. The next step is to share the updated data with organizations that the user wants to inform. A list of organizations the user has previously shared their data with can be presented to the user for them to select who should receive an update. Organizations may choose whether to subscribe to such update services.
I want to be inclusive for my customers. Can everyone get a Digital ID?
Digital ID ecosystems must be designed to be inclusive. Where a Digital ID ecosystem primarily relies on user self-establishment of a Digital ID by digitally presenting evidence of who they are, secondary options must be available to allow those who do not have digitally presentable evidence or need assistance presenting it. OIX operates an Inclusion Steering Group that includes representatives from public, private and third sectors with the objective of ensuring all users who want one can get a Digital ID.
What if users lose their device?
The user will be able to recover their ID to a new device. The user's Digital ID is usually securely backed up in the cloud in a distributed way. However, RPs should look for IDs that are not reliant on one device.
Will Digital ID remove passwords?
Providers of Digital ID are moving to newer, more robust authenticators, such as biometrics or tokens, which will see the use of passwords decline over the next few years.
What if there is a data breach with a Digital ID?
The provider of the breached Digital ID, or specifically breached credential, will be obligated to suspend or close the user's Identity. Depending on the nature of the breach, additional ID proofing or authentication is sometimes put in place when the user next uses their ID to ensure that the genuine user is accessing the ID.
What if a Digital ID is in the hands of an ID fraudster?
A good trust framework will require the providers of Digital ID to deal with fraudulent use of an ID. This will include notifying the real end user and all organizations where the ID may have been fraudulently used. If the provider of the Digital ID has not been following the trust framework rules and this has allowed the fraudster to gain control of a Digital ID, that provider may be held liable for any resultant losses. This liability position will depend on the rules of the specific trust framework or trust scheme under which the provider of the ID operates.
What if a Digital ID is incorrect?
A key feature of a Digital ID is that the information it provides you has been validated as being correct and belonging to the user. However, some information cannot be validated. Where this is the case, you should be informed of this when you receive the information from the user, each attribute they share with you should have a validated or un-validated status attached. If information is found to be incorrect, you should be able to raise this with the end user.
What happens if I have an issue with a Digital ID Provider?
A key feature of a trust framework is that if you have an issue with a Digital ID provider that you cannot resolve with them directly there should be an escalation procedure. This should initially be to the operator of the trust framework, possibly backed up with access to an independent ombudsman service. The OIX Guide to Trust Framework Issues and Complaint Services can help you understand more about what to expect.
Myths around Digital ID
Digital ID is a national identity card through the back door.
This is not true, a Digital ID is not a digital national identity card. As Digital IDs come from a diverse range of suppliers, servicing different use cases in difference sectors, there is no single national ID database. Also, there are alternatives to a reusable digital ID for users to choose from. This is how trust frameworks for Digital ID are designed in the UK and Canada, for example.
Digital ID will eradicate identity fraud.
This is not true. Whilst Digital ID has some key features that mean identity fraud will be reduced, such as strong identity proofing when a digital ID is created and strong authenticators to ensure only the genuine user can access a digital identity, no digital ID ecosystem is entirely free of fraud. Fraudsters will inevitably find a way to obtain identities of existing or for synthetic people. Digital ID trust frameworks must design to ensure fraud is minimized and actively managed across the ecosystem.
Biometrics are inconvenient to use.
This is not true. Many biometrics, such as facial verification, are already used on a day-to-day basis to open phones and approve transactions. This experience is very convenient for users and is not intrusive. A good Digital ID will carefully choose the biometric used and in which circumstance to ensure convenience and minimize intrusion.
Biometrics are risky.
This is not true. Biometrics are inherently difficult to copy or reproduce; face, fingerprint or iris are unique. Uniqueness is a key trait of all biometrics. Where biometrics are stored (as with other information) in a digital ID, they should be stored in a distributed manner that ensures any access to one individual's identity is not an access to many individuals' identities. Moreover, the biometric itself must be encrypted in a way that means any stolen biometrics cannot be leveraged or replayed by fraudsters.
Biometrics intrude on privacy.
This is not true, as the user is always involved in and aware of the use of the biometric. This is known as 'active' biometric use.
Digital ID causes inclusion issues.
This is not true. Digital ID should be designed to be inclusive. There must be alternative methods for users to obtain a Digital ID. It must not be a prerequisite that the user has documents, such as a passport or a driving license, in order to obtain a Digital ID. Other proofing methods must be available to ensure all users who wish to have a Digital ID are able to obtain one. OIX’s proposal for a Digital Vouch with Photo capability shows how users with no documentation may be brought into the Digital ID ecosystem by a voucher acting on their behalf. Equally, assisted digital capabilities must be available to ensure those who need help obtaining or using a Digital ID are able to access it.
Digital ID will be used to monitor my behavior / whereabouts.
This is not true. A key part of the privacy design for Digital ID is to ensure that the provider of the Digital ID cannot access the user's data or position without the user's permission.
Digital ID will be mandatory.
This is not true. A good trust framework for Digital ID will ensure that users have alternative methods to access services, which means they do not require a Digital ID. This may include other digital methods to access services, such as direct proofing and account issue by service providers as happens today. Or it may include the use of non-digital means of identification, such as traditional identity documents.
Digital ID will replace all paper forms of ID.
For the foreseeable future, we expect Digital ID and paper forms of ID will co-exist with both forms of ID being recognized and accepted with equal parity by relying parties.
Digital ID will not work offline.
This is not true. Another key feature of a good Digital ID trust framework is that it will require Digital IDs to operate when there is no network signal available. This is achieved by the Digital ID holding local secure signed copies of credentials that can be presented without the need to reference the issuer directly.
Digital ID providers will be liable for fraud.
Typically, if a Digital ID provider can show that it is operating within the rules of the trust framework to which it has been certified, then it will not be held at fault for any fraudulent identities that it asserts. Some implementations of Digital ID offer some capped liability in the event of fraud. This is a commercial feature of such Digital ID implementations.