Transformative digital innovations are those that promise to reshape how we live and do business. And sometimes they sneak up on us, writes Chris Briggs, Senior Vice President of Identity, at the digital identity verification product company Mitek.
For all their potential benefits, some pose risks that we in the security community recognize immediately and must prepare for. Think generative AI and the many ways it can be misused by bad actors. Other innovations may have similar benefits, but also offer the potential for risk. For example, the current move to digital identities.
A number of factors are fuelling the move from paper-based digital identity documents to digital-first systems. At the top of the list: security.
• Integrating digital identity protection into companies’ security protocols is now an essential part of safeguarding online transactions.
• Because of the level of online fraud and growing concerns about consumer welfare, governments worldwide are scrutinising digital identity frameworks.
• In places where it has been tested, people value the convenience of being able to safely access identity documents across their devices.
Embracing Digital-First Identities over Physical
While these influences are similar around the world, the way countries are responding differs. Physical-first is the current standard. In most regions and countries, identity documents are still physical. In the United States, for example, if you are an Apple customer, you can scan your driver’s license, store it in your phone’s digital wallet and call it up whenever you need to confirm your identity. However, the digital image in the wallet isn’t issued by a state’s Department of Motor Vehicles. While it is a verifiable credential, it isn’t a true digital identity document.
More recently, digital-first identity systems offer a true digital credential. While a physical version may or may not be available, the digital version is recognised in the same manner as the physical one. For example, Estonia issues digital driver’s licenses as part of its e-identity program, while India has rolled out the largest national digital identification program in the world.
Advancing Toward Individual-First Digital Identities
Several countries and organisations are already creating technical standards drafts that focus on the practical aspects of creating a secure digital identity system. They are looking into how a person will register or enrol, how the information that person provides will be authenticated and how federation will be created across governmental and geographic boundaries.
Although these points are essential, we also must look at the development and adoption of those standards within a larger individual-first digital identity ethical framework.
An individual-first digital identity system would ensure that people and their rights are at the centre of any digital identity system. It would provide the benefits of digital identities—the highest levels of online security and safety available—while, at the same time, giving consumers and governments confidence that personal identity information would be respected. An individual-first identity system would be centred around a person’s right to control their own identity and related data. At its most basic, it would require:
• Individual consent before the collection of personally identifiable information.
• Full transparency about how, where and by whom an individual’s information could be used as well as the ability to remove personal information if asked.
• A strong focus on privacy and security by design, an ability to recover individual identity data if it’s lost or compromised, and provisions for strong enforcement.
Trust in the Future Digital Identity Ecosystem
The security community can play an important role in shaping individual-first digital identities, achieving our security objectives while also protecting individual rights. The fundamental question before us: how can we actively influence and foster the development of such identities? I see three areas where our expertise can help steer governing bodies in a positive direction:
• We must make sure our voices are heard, as government and business reimagine the concept of identity. It transcends mere documentation; it embodies the unique attributes of each individual. Shifting our mindset from document-centric to rights-based identity allows us to focus on granting individuals the entitlements they rightfully deserve. For example, accessing financial accounts, crossing borders or making travel arrangements.
• Practicality should guide our approach. Identifying essential identity verification requirements and tailoring business models accordingly ensures efficiency without compromising privacy.
• Most importantly, every initiative must be founded on ethical principles: avoid collecting unnecessary data, make sure you obtain explicit consent, and handle information with care and transparency. Seamless execution, grounded in these principles, will reinforce trust and integrity in the digital identity ecosystem.
By working together to make our voices heard, we can encourage and influence the development of digital identity standards and regulations that, when mindfully deployed, will provide a powerful new component of our fight against digital fraud while at the same time set new standards for individual identity protection. That’s progress I am confident we are all ready for.
