A digital identity can be described as information used to represent individuals, organizations, or even machines and devices in information systems and networks. Our digital identities are what we present ourselves as when online, and they carry legal and social implications that depend on the platform where the identity is presented. For example, it is easy to assume any digital identity on a consumer service like Facebook or Gmail, but the same is not true of a banking website. A new study from the Secure Identity Alliance (SIA) points out that eServices rollout and a trusted digital identity are intrinsically linked: the former cannot succeed without the development of the latter.
There exists an uncoordinated network of identity credentials where each application and institution manages its own digital identities and credentials and a single real identity has multiple digital identities. Different organizations and countries follow different standards and policies and have their own legislative requirements. It has therefore become crucial to develop a federated global Digital Identity Management mechanism guided by economic and social objectives.
The Case for Trusted Identities
The creation of a trusted framework in which all digital identities are validated is a herculean task involving massive cooperation from governments, standards organizations, business processes, and individuals. But the root identity, the one trusted digital identity upon which all others will be based, has to start with government. According to the Secure Identity Alliance's survey, it is a task that would allow governments around the world to realize some $50bn in annual savings through effective e-Services provisioning by 2020.
As providers of essential online services to the whole population, governments can take the lead in establishing a clear national policy strategy for digital identity management that benefits all and enables the creation of innovative online public and private services. If not directly involved in digital ID issuance, they can help by acting as the national validation gateway for ID service providers.
Many countries have adopted systems for establishing national digital identities. The United States, the United Kingdom and Canada have adopted federated models. New Zealand, India and Estonia have syndicated models, with high-assurance, government-issued credentials incorporating biometrics designed to enable digital service delivery.
· Trusted Digital Identity Framework, Australia
The Digital Transformation Office of Australia will work across government and with the private sector to develop a Trusted Digital Identity Framework to support the Government’s Digital Transformation Agenda. The Framework will establish a set of principles and standards for the use of accredited government and third-party digital identities to enable individuals and businesses to access services in an easier manner.
The tiny state of Estonia is an eGovernment role model with over 400 government services fully integrated online. State-issued ID smart cards unlock all government eServices and even allow Estonians to send and receive encrypted emails. These services include tax registration, voting, e-Health records and even birth registration.
Private sector initiatives include the work of organizations such as the FIDO Alliance, Open Identity Exchange and Edentiti.
· FIDO Alliance
The Fast IDentity Online or FIDO Alliance is an industry consortium launched in July 2012 to address the lack of interoperability among strong authentication devices and the problems users face owing to multiple digital identities. PayPal and Lenovo were among the founding members of the alliance. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services.
· Open Identity Exchange (OIX)
OIXnet is a new registry for online trust in human attributes produced by different Identity Providers. Self-assertions made by Identity Providers are backed by legal liability that the claims are legitimate.
· OpenID
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on authentication performed by an Authorization Server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. Users can have their own OpenID service or they can use a third-party OpenID provider like AOL, Google, or Yahoo. A key advantage of OpenID is that it requires no client-side software and works with any standard Internet browser. The open standards for OpenID are maintained by the non-profit OpenID Foundation (OIDF).
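The checks that an OpenID Connect client (the relying party) must run on the ID Token it receives from the Authorization Server are the concrete form of "verify the identity of the end-user based on authentication performed by an Authorization Server". The block below is an added illustration, not code from the OpenID Foundation or from the original article; the issuer URL, client id, client secret and claims are constructed sample values, and the token is HS256-signed with the client secret (which OIDC Core permits for confidential clients) so that only the standard library is needed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; a real deployment takes these from the OP's discovery document
# and the client registration.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client"
CLIENT_SECRET = "constructed-client-secret"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                 "iat": 1700000000, "exp": 1700000600, "nonce": "n-1"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, client_secret: str) -> str:
    """Stand-in for the Authorization Server: HS256 JWT keyed with the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Relying-party side of the OIDC Core 3.1.3.7 ID Token checks.
    Returns (claims, "ok") or (None, reason) so the refusal can be logged."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, b, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # refuse "none" or an unpinned alg
        return None, "unexpected alg"
    expected = hmac.new(client_secret.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # verify before trusting claims
        return None, "bad signature"
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not issued to this client"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:        # nonce ties the token to this login attempt
        return None, "nonce mismatch"
    return claims, "ok"
```

Each refusal reason corresponds to a distinct attack the check defeats: a forged or tampered token, a token minted by another issuer, a token issued to a different client and replayed here, an old token, and a token replayed into a login session it was not requested for.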
The Question of Authentication
Depending upon the nature of the resource under consideration, it is recommended that multi-factor authentication be performed before granting access. Some of the commonly used credential types are:
Credentials Representing the Knowledge Factor
These are the most basic type of authentication credentials and should never be used alone for sensitive or financial applications. Typical credentials falling in this category are passwords, PINs, patterns, etc. Unfortunately, the use of these credentials alone is still widespread across financial institutions and is primarily responsible for bank and credit card fraud.
Credentials owned by a User
This represents the class of credentials that a user needs to possess to provide proof of identity. ID cards, mobile phones, hardware tokens, digital certificates, smartcards, etc. belong to this category of credentials. The latest trend is to use mobile-phone-based credentials. Some of the common schemes in this category are SMS-based OTPs, TOTPs, QR codes and also digital-certificate-based authentication where the private key is stored on the device.
There have been many proposals advocating the use of the mobile phone as a means of establishing digital identity. One proposal goes to the extent of using the mobile number itself as the digital identity. However, this is fraught with risk, as the onus for identity verification would then shift to the mobile network operators (MNOs).
In late 2014, social networking company Twitter introduced Digits, a tool that allows users to sign up for mobile apps and authenticate their identities without the need to create new login credentials. Users can log in using their cell phone numbers in place of user IDs. When an individual tries to sign in using his or her phone number, a code is sent to the number by SMS. The user then enters the code into the verification field for authentication.
Credentials inherent to a User
This class of credentials is inherent to the identity and is usually a biometric characteristic of the identity being verified. A wide variety of biometric-based authentication techniques have been developed, including fingerprint, retinal pattern, DNA sequence, voice and face.
iPhone 5S introduced Touch ID, which allows users to unlock their smartphones and tablets using a fingerprint and also grants access to certain operating system applications. iPhone 6 introduced Apple Pay, a mobile payment system. The combination of Touch ID, Apple Pay, and Apple's native Passbook app represents a digital identity and wallet that enables users to authenticate their digital identity at a PoS terminal using biometrics and NFC and to pay using their mobile wallet.
The next trend in authentication of digital identities will be context-aware authentication, where the authentication method is chosen based upon the identity and the resource being requested. For example, a further factor such as biometrics can be demanded when the sensitivity of the resource requires it.