Digital identity is gaining greater traction with each passing day. However, I believe it's approaching a dangerous point, where the premise of a digital identity gets watered down to help sell outdated technological approaches or to solve a small niche area.
No other area claims to provide true verifiable digital identities more than authentication. By this I mean the use of cryptographically verifiable credentials, presented to provide authentication. This sounds perfect, until you understand how the user got the credential and which credentials are being supported. Most authentication solutions simply issue a verifiable credential to a user who has just been created. This misses the entire point of a verifiable digital identity, as the credential does nothing more than confirm a user account – to the point of asking, “why do I even need the credential?”
The issuing process
The UK has been working on its Digital Identity Attribute Trust Framework for some time now, because it understands that a digital identity is only worth having if it can be trusted. A digital identity can only be trusted if you trust the technology that secures it and, equally importantly, the process that was undertaken to issue it in the first place.
For example, firm A sets up a new user on its cloud-based identity service; it could be Azure Active Directory or something equally popular. Firm A did this because the user filled in an online form. Firm A then issues the user a cryptographically verifiable credential, which it claims proves identity. Yes, the attributes within it may be name, address, some unique reference, my permissions within the system and so on, but does it really prove identity, or does it merely allow me to prove authentication? Firm A has issued the credential so that the end user need only present it to be authenticated, to log in and to have a better (and more secure) experience. But in terms of identity it is not verifiable at all, because the process of issuing that identity carries no weight. It is simply an authentication identity.
For a true digital identity to be verifiable, you not only need the technology to make that possible (yes, that's cryptographically verifiable credentials) but you also need to trust the issuer's process for issuing the credential. If an issuer independently and securely verifies the claims made by the end user, then the credential it issues does prove and verify the bearer's identity.
Trust and oversight
Though a user presents their digital identity themselves, the beauty of Self-Sovereign Digital Identity is that the technology provides total cryptographic trust in the identity/credential data. The organisation verifying the identity is therefore assessing the trustworthiness of the issuer and their processes, not the data or the method of data exchange. This means organisations can place their own level of trust on an issued credential on a credential-by-credential and issuer-by-issuer basis.
Let's look at an example using the different types of identity credentials ID Crypt Global issues. The first is an identity credential that confirms ownership of a specific email address. The process behind it proves a user owns that email address. However, it doesn't prove that the owner is over 18 years old, even if the email provider requires that at sign-up. No, the credential simply proves ownership. Let's say I am an organisation that runs a dating website: I want to verify a new user's email address and their age, so the profile they build is accurate (at least in terms of their age). This credential is great for email ownership, but it shouldn't be trusted to make a judgement on the user's age, even if the email service it verifies operates a policy that you must be over a certain age to hold an address.
The second credential is ID Crypt Global's “global passport” based identity. The process followed to issue this identity is very different from that of proving ownership of an email address. The process verifies a government-issued passport: it verifies the passport's authenticity, and it biometrically matches the person applying for the identity against the biometric data captured in the passport. Only if all of these match will the identity be issued. Claims made in this identity credential can be trusted because a great many verification steps have been undertaken. This credential is more trustworthy and more secure than a user arriving with their government-issued passport and handing it over to you for verification. This credential can therefore be accepted and trusted if I need to verify age. In our earlier example, as an organisation running a dating website, I can now take data from this credential and verify the end user's age range – ensuring accuracy on their profile.
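The two-step assessment described above, as an added example that is not ID Crypt Global's code: the verifier first checks the credential cryptographically, then consults its own per-issuer, per-credential-type trust policy before relying on any claim. The issuer identifiers, credential type names and the HMAC stand-in for the issuer's signature are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed trust policy for the verifier (the dating site in the text): for each
# (issuer, credential type) it lists the claims whose issuing process the verifier
# has decided to rely on. Issuer ids and credential type names are hypothetical.
TRUST_POLICY = {
    ("idcrypt-global", "EmailOwnershipCredential"): {"email"},
    ("idcrypt-global", "PassportIdentityCredential"): {"email", "given_name", "age_over_18"},
    ("firm-a", "AccountCredential"): set(),  # issued off a sign-up form: authentication only
}

# Constructed issuer keys. HMAC-SHA256 stands in for the issuer's signature so the
# example runs offline; a real credential carries a public-key signature instead.
ISSUER_KEYS = {"idcrypt-global": b"constructed-key-1", "firm-a": b"constructed-key-2"}


def _proof(issuer, cred_type, claims):
    payload = json.dumps([issuer, cred_type, claims], sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()


def issue(issuer, cred_type, claims):
    """Issuer side: bind the claims to the issuer and the credential type."""
    return {"issuer": issuer, "type": cred_type, "claims": dict(claims),
            "proof": _proof(issuer, cred_type, claims)}


def accept_claim(cred, claim):
    """Verifier side. Returns (value, reason); value is None unless reason is 'ok'."""
    if cred["issuer"] not in ISSUER_KEYS:
        return None, "unknown_issuer"
    # Step 1, the technology: cryptographic check that the data is untampered.
    expected = _proof(cred["issuer"], cred["type"], cred["claims"])
    if not hmac.compare_digest(cred["proof"], expected):
        return None, "bad_signature"
    # Step 2, the process: a valid signature only proves the issuer said it; the
    # verifier still decides which claims that issuer's process is trusted for.
    allowed = TRUST_POLICY.get((cred["issuer"], cred["type"]), set())
    if claim not in allowed:
        return None, "untrusted_claim"
    if claim not in cred["claims"]:
        return None, "claim_absent"
    return cred["claims"][claim], "ok"
```

An email-ownership credential that happens to carry an `age_over_18` claim is rejected for that claim even though its signature is valid, while the same claim from the passport-based credential is accepted.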
Some organisations need more than trust, though; they want to take a position of “knowing” that a process is followed. In the world of financial services, oversight is a concept that many financial regulators and organisations are familiar with. Identity issuers should not be afraid of this oversight model, as it brings transparency to the process and, as such, brings additional levels of trust.
The digital identity space is still very young, and while it is young, the proposition and its capabilities risk being watered down. Organisations therefore need far greater education around digital identity: what it means and what an identity can and should be used for. Greater focus and transparency around the issuing process of any verifiable credential is therefore critical – because the risk is that organisations buy into digital identity and trust it, when all they can actually trust is an authentication process.