Searching for the right balances in digital ID verification
Identity cards have long been a part of daily life in many countries – if not the UK, whose nascent ID card scheme was canned in 2011 after many years of controversy and hostility over its overly intrusive nature. Yet identity verification today is becoming an increasingly crucial part of our ever-more-digital world – and those involved in it, whether governments or businesses, need to navigate a landscape that has changed beyond recognition, while getting the balance right.
First of all, the ID that takes centre stage in discussions nowadays is digital. Digital identity, however, is not just the digitised version of a formal identity document. In addition to an individual’s personal information (name, date of birth, address) and attribute data (such as a National Insurance number), it can also include biometric identifiers.
Moreover, in the broadest sense of the word, certification data such as university degrees and workplace qualifications can also form part of one’s digital identity, as well as a more dynamic aspect: the trail they leave behind when interacting with financial institutions, mobile network providers or the government.
Digital identity is a thoroughly different proposition from what UK citizens were offered between 2006 and 2011. Back then, the controversial establishment of a central registry, which would contain detailed information on every citizen, was pitted against civil liberties and the argument was lost. But today, a verifiable digital identity promises speed, convenience and security when getting things done online, so the cost/benefit analysis is – from a position of convenience if not liberty – less one-sided. (The true value of a digital ID was revealed by the pandemic, when many people who’d been made redundant thanks to Covid had to set up accounts remotely.)
In technology we trust (not quite)
But how can an individual prove they are who they claim to be and that their proof of identity is valid without having to show up in a physical branch or governmental office carrying their official documents?
The lynchpin to remote identity verification is the ubiquitous and almighty smartphone. We are increasingly putting our faith in them: we shop and pay, bank and enter into contracts using them. And they do deserve our trust. State-of-the-art smartphones with biometric recognition can identify hard-to-forge fingerprints, faces or, increasingly, our voices.
Ever more devices are continually being rolled into newer generations of phones. Not only do some have embedded biometric sensors, they also function as NFC readers that can scan the chips in our physical passports. They are also able to store the biometric information they collect, in encrypted form, in a so-called digital ID wallet that is independent of the phone’s SIM card.
Rather than just comparing a selfie shot with the mobile’s camera against a picture taken of the photo in an official document – and maybe subjecting the former to “liveness detection” to ensure the picture is of a real person – today’s mobiles can now access the biometric data stored in the document’s chip as well, for extra security.
The robustness of the technology is evidenced by the fact that mushrooming national digital ID projects – whether purely mobile-enabled (Estonia, Finland), or card-based with a mobile extension (Germany) – equally rely on it. The match-on-card system, which the Portuguese ID card relies on, for example, circumvents any bans on centralised personal and biometric data repositories by carrying out biometric checks on the card’s microchip, so that no personally identifiable information leaves the card.
But businesses increasingly find that, to stay on top of the catch-up game played with fraudsters, biometric identity comparisons against ID documents are strategically insufficient. Revolut, for example, has teamed up with an identity provider that ensures online identity is validated against external data sources too. An Estonia-type centralised database is an excellent “trust anchor”, but what are the alternatives when it’s not legally viable?
The domestic digital ID landscape
In the UK, where privacy and data protection have a strong legacy, the government’s Verify scheme was meant to serve as a remote identity verification system for the public and then the private sectors and, eventually, as a global standard. But the public-private partnership, so essential to the success of these national projects, went somehow out of kilter, leading to most of the identity providers involved jumping ship.
Out of the two businesses that have persevered, Dutch Digidentity and the Post Office, the latter seems to have made the most of the ailing project: having teamed up with Yoti, the UK start-up running the d-ID project on Jersey, it can extend its legacy services with cutting-edge offerings such as identity verification and digital signatures. At the same time, it can also address digital exclusion concerns by providing a complementary offline ID service in physical branches.
As Bryan Glick, editor-in-chief of Computer Weekly, also suggests, the stumbling block of the failed Verify partnership between government and the business sector has been data access. While identity providers strive for scale and are therefore ready to provide services to both the public and the private sectors, the permission to use data from the Document Checking System (DCS) was granted only to the public sector. (The DCS relies on access to passport office and driving licence data.)
To address the issue, the Passport Office is now running a year-long pilot project where – in addition to the Post Office and Digidentity – the 11 participating companies can also “digitally verify users’ identity by referencing the details provided against the HM Passport Office database.”
Another project attempting to bridge the public-private divide is the Trust Framework of the Department for Digital, Culture, Media and Sport (DCMS), which aims to develop the digital identity market by certifying and auditing digital identity service providers and their corporate users. Whether these two separate initiatives will eventually converge, or the UK ends up with two separate digital identity ecosystems for business and the public sector, remains to be seen.
One thing, however, is for sure. We will need digital data management solutions that provide robust security against online fraud while limiting government, business and digital IDP access to personal data to a minimum. New ID verification methods that reduce the process to yes-or-no questions and answers (confirming, for example, whether a young person is or is not underage rather than checking their actual age) will most probably play a seminal role. And so will the emerging approach of self-sovereign identity (SSI), which puts online users in control of their digital identities: who they give access to their private data, and for what purposes, is entirely their choice.
To read the latest recommendations of British think-tank Demos regarding the DCMS’s Trust Network, visit https://www.computerweekly.com/opinion/On-digital-identity-the-government-gets-it-wrong-again