Digital IDs in the UK: Friend or foe? asks Paul Inglis, SVP EMEA at the digital identity product company ForgeRock.
There’s few news agenda items that appear to be as divisive as digital IDs. For many, imagining a time when not having to provide a utility bill to prove your identity, or not having to register at a new GP, dentist, or hospital ever again is one of many things to look forward to. But it also has its sceptics – often drawing attention to whether the general public can trust government-controlled data schemes.
Earlier this year Lord William Hague and Tony Blair set out to encourage the widespread adoption of digital ID cards as one of many recommendations looking at productivity and innovation in the UK, and since then barely a week has gone by when it hasn’t been a news moment.
Despite the inherent distrust in this country, what’s interesting is that much of the UK population already have physical government-issued IDs in play, from driving licences through to NHS documents. This doesn’t seem to anger people in the same way that the prospect of formal digital identity cards does. It seems that many would be more willing to keep these various forms of ID in a disjointed manner, despite the inconvenience and inefficiency. Yet, the key issue here is trust, and the public needs to believe there is no overreach when they log in to a service.
To build trust and enhance security simultaneously, a long-term strategy needs to be put in place that would eliminate passwords altogether. Time and time again we are seeing hackers claim control of an account to steal credentials via phishing campaigns. It’s been found that this phishing represents one of the most significant security threats for UK businesses and consumers, so a government ID system needs to be impenetrable against such campaigns. Realistically, the issue needs to be tackled at the source – removing the need for passwords throughout the system. This would represent a critical step in building the trust of historically sceptical UK citizens in digital identification.
Distrust between public and government
What’s clear is that the public is more accustomed to indiscriminate government tracking and usage of our data than they realise. In the context of the NHS, 81% of UK citizens admitted to being comfortable with the NHS using their data for a ‘particular purpose’. This exchange of data allows the NHS to make data-led decisions concerning national health, such as the tracking of diseases, like COVID-19. Even so, that doesn’t necessarily mean that the public isn’t fearful about the security of their data and potential uses of it by unknown third parties.
Trust is the one recurring theme when thinking about different exchanges of data in society. The digital ID movement can only progress if it is underpinned by a transparent and reliable framework, backed by safeguards. The government’s digital identity and trust framework released earlier this year begins to address the issue, but lacks a standards-based approach that would ensure consumers remain in control of their data.
The Australian government has gone some way to protecting the public’s privacy and security simultaneously, after introducing a digital ID document and successfully rolling out their digital infrastructure. The scheme allows users to prove who they are online and access a range of government services, so they have the reassurance that their personal information is protected from being collected, sold, or used for other purposes, such as advertising.
At a time when trust in the system is often the number one reason citizens appear apprehensive to any form of digital ID adoption, it has to look at what has been successful in other countries and apply the learnings to its own programme. Australia’s example shows what can be achieved when a robust framework and a set of fundamental best practices are put in place.
Pillars of a future ID system
So where does the UK go from here? Users of any online service often want the same thing – simple, seamless and secure access without the burden of having to remember or manage countless passwords. If we are serious about any digital ID, we need to ensure we have:
●Superior control and privacy: Allowing citizens the ability to manage their own data so they can decide what gets shared, when, and with who.
●Robust data security: Eliminating passwords would lessen the risk of account takeover and compromise, supported by passwordless technology.
●Revolutionary digital experiences: Making it easier for people to access a range of online services safely, from anywhere. Whether that’s proving your identity when picking up a parcel or opening a new bank account, the removal of unneeded friction would transform the user experience.
●Efficient business operations: UK businesses would also benefit from less complex processes and have the opportunity to become more agile.
Eliminating the weakest link
The proliferation of generative AI has provided malicious actors another attack vector for committing fraud on consumers and businesses. The technology is equipping cybercriminals to produce compelling and convincing emails and messages in the voice and tone of corporate executives. The trend is underlining the issue that remains prevalent within our operational digital infrastructure: that passwords are not secure. In fact, 83% of UK businesses that suffered a cyberattack last year reported the attack type as phishing, according to the Government’s Cyber Security Breaches Survey 2022.
We need stronger defences against people being tricked into letting their guards down and passwords be stolen; by encouraging organisations to adopt a passwordless system. By eradicating this avenue, unauthorised access can only be made if threat actors could potentially fake the exact keystrokes, IP address, MAC, physical location, and facial biometrics of a user all at once. An almost impossible scenario. At the same time, consumers and employees alike can feel empowered with an online experience without being asked to input a password. This, in turn, reduces the risk of human error and compromise and improves overall trust across the organisation.
It might be some time before the public fully accepts a formal digital identification system, but the government can make strides in improving sentiment in the meantime. By helping UK citizens become better accustomed to a seamless logging-in process – that doesn’t require a password for access – they can empower better and more secure digital experiences. Then once fully established, and making sure that any digital divide is addressed, they could connect systems and have self-driving digital citizens services without the need for a singular digital ID number.
