Digital identity schemes promise not only to provide a secure, convenient digital alternative for individuals to assert their identity but also open essential pathways for the unbanked and disenfranchised to access financial and welfare services. They have many benefits including reduced administrative burden and economic growth for governments and can help facilitate Know Your Customer (KYC) processes for financial institutions as well as enable access to the unbanked.
Critical to their success is privacy of user data. An example of how this can be accomplished is the EU Digital Identity Wallet (EUDIW) a large-scale initiative already in pilot that aims to provide all 447.7 million EU citizens with decentralized, interoperable digital tools to store and exchange identity documents and credentials, securely and conveniently, while having full control over their data. Organizations, such as government agencies, banks, universities, travel companies, and more will be expected to accept the EUDIW as official identification.
Failure to educate key audiences that adequate measures have been taken to secure user privacy could see low uptake of the scheme and jeopardize the success of the project. Similarly, without resilient identity verification at enrolment and throughout the user lifecycle, digital IDs present risks in addition to the opportunities – they could be misused for fraud, money laundering, and other illicit activities.
Now in its second iteration, eIDAS is the trusted framework for implementation of the EUIDW. One new element of eIDAS 2.0 mandates identities should be created to Level of Assurance High – the highest identity assurance regulation standard – while several current national schemes are built to Level of Assurance Substantial, the next level down and would require considerable work to ensure it meets the highest standard. An example of this is the hugely successful Italian SPID system, with nearly 35m active users who would all need to be onboarded again to qualify for eIDAS 2.0 identities.
Building the necessary technical standards is also not straightforward, work is now underway to review and revise existing standards around requirements for delivering the high level of assurance proposed. The underlying standards themselves (W3C Verifiable Credentials) are evolving which present further challenges.
The EUDIW is the first international scheme to be based on Verifiable Credential technology which until now has been a utopian aspiration for technologists. Verifiable Credentials maximize the prospects of a level playing field and technological advances in the delivery of wallet services and adoption by the EU will lead to the broader take-up of this technology elsewhere.
Some jurisdictions are already so far ahead they will likely continue their own path. For example, Singapore and Estonia have incredibly successful, universally adopted digital identity schemes that work so well that there is no reason for change. Others like the US have not yet decided on a way forward yet.
The digitalization of identity credentials can bring huge security and accessibility benefits for both consumers and businesses alike. Yet with benefits there are also several risks to be considered. There are worries regarding big tech companies having too much control and influence in this area with the likes of Apple, Google, and perhaps other large platforms competing with EU wallets for consumer attention. The recent Apple Vision Pro announcement integrating driver’s licenses raises fresh concerns over the monetization and protection of personal data.
Control of digital identity data has high commercial value to platform operators whose revenues depend on advertising or the monetization of access to their platform. Those bigger vendors who can more easily add identity data to their suite of revenue-generating services could create barriers to those seeking to develop alternative, competitive wallets and identity initiatives.
The UK’s Online Safety Bill contains proposed powers for Ofcom, the UK’s communications regulator, to take a more active stance in the development of guidelines for platforms that adopt digital identity or age verification services. The Information Commissioner’s Office (ICO) has also recently established a new function dedicated to ensuring that biometric technologies are developed and rolled out with respect for privacy, security, and data protection at their core.
From a security perspective, traditional identity assurance technologies rely on either possession, like a device, or knowledge, such as a password. Passwords can be stolen or shared, and devices can be compromised or lost, meaning they don’t provide the necessary defense against today’s threat landscape, or meet user demands for convenient, low-friction digital experiences. Biometric face verification resolves the security and usability issues of traditional authentication methods and can enable convenient identity verification for remote onboarding. To be successful, biometric face verification solutions must incorporate resilient liveness detection for digital identity programs to provide high accessibility and assurance that remote users are who they claim to be and that they are authenticating at that time.
Risks of generative AI technology bring a sense of urgency to the adoption of digital identity solutions. The ability to create deepfake images and voices, is available to almost everyone and creates at least two challenges. Firstly, bad actors will make it even more challenging for consumers and organizations, to identify attempted fraud. A 2022 study by Idiap Research Institute found that only one in 24 people could detect a deepfake demonstrating that it’s virtually impossible to identify fake images online without sophisticated analysis and detection tools.
The second challenge is that law enforcement will find it increasingly difficult to identify and target resources against genuinely malicious actors. For efficiency and security, organizations must adopt automated systems which include advanced liveness detection solutions. Solutions which rely on human review will rapidly either become too slow to be attractive to consumers seeking rapid verification of their identity or too vulnerable and easy target for malicious actors compared to more sophisticated automated services.
While the benefits a digital identity scheme could bring to any society are plentiful, a scheme that’s successful on all levels must deliver widespread accessibility as well as respect for privacy, trusted security and ease of use. This is crucial for it to benefit all citizens and be inclusive for all in society to confidently participate.