By Nick Mothershaw, Chief Identity Strategist at the Open Identity Exchange
Digital ID is a major focus for governments around the world. In the UK, the government is certifying digital ID providers to start working with the businesses that will come to accept these digital IDs for onboarding and managing their customers. Almost every business, regardless of size or sector, will be impacted in some way. The sooner they take steps to adopt it fully, the better position they will be in.
Our work at OIX is to make sure digital ID meets the needs of these businesses. We are finding that there is still a lack of understanding, particularly among many smaller businesses. We have sought to provide clarity on some of the key questions being asked.
Is digital ID adoption relevant for my business?
Businesses, digital or otherwise, that need to know who they are dealing with and what those customers – consumers or businesses – are eligible to do, will benefit from digital ID adoption.
Currently, customers have to prove who they are to each business, each time they want access to services. With each business having its own process, these customers end up with multiple usernames and passwords, which can easily be forgotten. It’s a frustrating and time-consuming process for customers that want and need to access those services quickly. Many abandon the process and businesses lose those customers. There is also the cost of verifying customers over and over again, as well as the cost to recover forgotten usernames and passwords.
With digitalisation and the subsequent growth in identity theft, establishing this trust is growing more complex.
Digital ID will be a game changer in how trust is established, conveyed and embedded. Businesses can onboard customers to their services more quickly and with less hassle. They can spend less time proving who their customers are and concentrate instead on providing their core services. Digital ID is safer and more secure, and it makes the customer’s life a lot easier.
What is a digital ID?
A digital ID is both digitised real-world credentials (eg passport) and derived credentials that allow users to prove their status (eg over 18 or a specific level of trust). Both give businesses the assurance needed instantly, so services can be accessed straight away. Digital ID is re-usable, so customers only need one to provide trust in their identity to any business.
How will it work?
The first time a customer, or user, goes through the process of setting up a digital ID to access a service, it is through a digital ID provider selected by the business providing the service. The user will go through a proofing process with the chosen ID provider and set up their data in their digital ID, such as name and address.
The digital ID stores the proof of who they are in a protected format on the user’s own device or in a user-specific space in the cloud. The user can then use their digital ID again and again, anywhere and with any business, to access many services instantly. Businesses can simply accept the digital ID the user has set up through another digital ID provider in order to confirm their access rights are legitimate.
Will it cause greater levels of fraud and ID theft?
This is one of the biggest myths around digital ID. Digital ID is in fact safer and more secure than existing processes. This is ensured by trust frameworks – essentially a set of strict legal and technical rules that the digital ID providers must follow. These digital ID providers will undergo a tough assessment before they are certified, so the businesses that accept the digital IDs can be confident that their customers have been proofed meticulously and their data stored securely.
With this also comes an improved multifactor authentication approach, built on stronger ID proofing and more robust biometric authenticators. Simply put, it makes it far more difficult for fraudsters to gain access.
What happens if a data breach occurs?
Digital ID providers often use a ‘decentralised’ approach to data storage, which means they do not have one single database of all IDs that can be breached.
If a data breach does occur, the ID provider of the breached digital ID will have to suspend or close the user’s ID, and notify the real end user and all organisations impacted. Additional ID proofing or authentication may be put in place when the user next uses their ID.
Liability for the breach will depend on the rules of the specific trust framework or contractual position between the ID provider and the accepting business. In general, however, if the data breach is because of an ID provider failing to follow the trust framework rules, they may be held liable.
Who controls the digital ID?
The digital ID itself always belongs to the user, regardless of which ID provider has been used to set it up. The user controls what data is stored in it, who their data is shared with and what data is shared. Only the information needed to access specific services will be shared. For example, if they are eligible for a bus pass, only their age will be confirmed. Their date of birth will not be shared. Any changes to a user’s details will be verified and updated by the digital ID provider, and businesses will be informed automatically.
Finding answers to the questions around digital ID
Digital ID is complex and can be confusing, but there are organisations, like the OIX and sector-specific digital ID federation schemes, ready to provide advice and support on adopting digital ID.
With more people accessing services remotely, businesses have to know with confidence who they are dealing with and what that person is eligible to do. Now is the time for businesses to adopt digital ID, or they will find themselves struggling to catch up.