Tuesday, 28 June 2016

I'm not the person I used to be

Digital identities are set to revolutionise how we transact with business, with governments and with each other. They are a secure binding of our real world identity to a secure digital token that will allow us to perform trusted transactions online.

At the moment, there is a lot of focus on how we onboard the real world identities and create the initial trusted binding to the digital token. In India, the Aadhaar identity scheme has been creating a national register of identities for over 6 years - collecting the biometrics of over 1 billion residents. In the UK, the GOV.UK Verify scheme has 8 private sector identity providers competing for the enrolment of citizens at the point in time when service provision is required. Norway, Sweden and Canada use bank-issued identity credentials. The different models used are based on national circumstances, customs and practices, though the common theme is that this initial registration process is a huge commitment for both the identity provider and the end users.

The other area of focus is on authentication: once we’ve bound the real world identity to the digital token, how do we allow the end user to assert their ownership time and time again? Credentials range from the humble password, through the USB key (convenient if you have it to hand), to mobile apps / codes. With the war on the password recently being stepped up by Google, we’ll start to see biometrics, behaviour and characteristic probability added to the mix.

The biggest challenge, though, is how to maintain the link between the real world and the digital token. Things in the real world have an annoying habit of changing, so how to keep the digital token in sync, whether through genuine change or fraudulent use, is an area that needs to be addressed before the hard work of onboarding is corrupted. The monitoring, fraud controls and background rechecks that are sufficient today will be lacking tomorrow as more trust and more services become reliant on the digital identities that exist.

Using authentication to strengthen the binding of the real world identity to the digital token over time is an exciting opportunity.  If the identity provider can distinguish to a high degree of probability that I am the one authenticating against my digital token then they no longer need to check against mortality records to ensure that I am still alive in the real world.  If they know that I sign in from my home location, they can also confirm to a high degree of probability that my real world address is still valid.  The reverse of this is that they can also identify that my digital token may be being used fraudulently, either by me or another party (identity theft).

The propagation and growth of the digital identity market makes the need for more intelligent re-proofing and re-checking back to the real world identity a higher priority than it currently is. Time- or frequency-based checks that are sufficient today will be reduced to real-time verification. Whilst the authentication services may not yet be sufficiently mature (in terms of implementation) to allow our behaviours and characteristics to be used for asserting our identity, now is the time to start looking at how they can be used for protecting and verifying the link between our real world identity and the digital representation of it.

There are certainly challenges around privacy and data consent to be addressed - though if we don’t start doing the thinking now we’ll lose the trust and therefore the hard work that went into establishing the original link. Otherwise, how confident will service providers be in 2 years' time that my digital identity is still the person I used to be?

About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture. Bryn has nearly 20 years' experience working with some of the United Kingdom's leading brands and largest organisations.