How individuals identify themselves in the digital space must be secure. However, with a rise in identity theft and technologies such as deepfakes, how we secure digital identities is being challenged. In a post-COVID business landscape, how can enterprises and citizens alike maintain a comprehensive, integrated and robust digital identity?
As businesses and consumers alike expand their use of digital services, what does this mean for identity? From online banking to e-commerce, proving you are who you say you are has always been paramount. However, with cyberattacks seeing a considerable rise during the pandemic, are digital identities under attack?
According to IBM, $112 billion has been stolen through identity fraud in the past six years, equating to $35,600 lost every minute. What is clear is that the humble username and password that has served for decades must evolve into a more comprehensive security method.
Security and convenience have not been great bedfellows. The two are often diametrically opposed, yet today businesses and consumers are demanding that these aspects of digital identity be brought together to deliver the levels of security needed in today’s hosted digital environments. IBM concluded: “Where do users most appreciate the criticality of security, and where do they make trade-offs for convenience? It turns out that users place more value on certain types of data, and as a result, will prioritise security and privacy in some cases, while prioritising speed and convenience in others.”
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, told Silicon UK: “Security and data privacy are closely linked, but nothing implies that security, by definition, must come at the expense of usability. Where security becomes an encumbrance, it’s most likely the result of placing functionality ahead of security requirements and then ‘bolting on’ security after the fact. By taking a privacy by design approach to the Digital ID Trust Framework, the UK Government is designing security in from the outset.”
The use of biometrics for identification has been expanding for the past decade. The fingerprint has become commonplace, with facial recognition familiar to smartphone users. Voice is also evolving, as is retinal scanning in specific environments. Ultimately, protecting digital identities and proving personal identification will use several identifying factors. Current online banking services are an excellent example, with three-factor authentication now widespread.
Businesses have a remit to protect both their staff and their customers when using digital services. COVID-19 has shifted consumer behaviour with a massive expansion of e-commerce. Consequently, the threat landscape in this space has become a significant issue, as businesses have often struggled to adjust to the huge expansion of commercial traffic across their networks. And this behaviour looks set to become permanent. According to GBG, 47% of consumers opened a new online shopping account this year, with a third also opening a new online bank account.
Speaking to Silicon UK, Gus Tomlinson, General Manager, Identity Fraud Europe at digital identity specialists, GBG, explains: “Today, digital identity isn’t equal for everyone. For example, credit history and physical documents, like passports and driving licenses, are currently used to verify an individual. But in the UK, many people don’t have these documents – more than 11 million Brits do not have a passport, for example. And this leads to people, often the most vulnerable people in society, being excluded.
“As we begin to rely more on online services, it is fundamental that digital identity is made equal and accessible for all. To do that, the government needs to open up access to the data it holds – school records, National Insurance Number, medical records – so that we can more easily identify everybody in society. When it comes to digital identity, we need to consider how we use data and technology to make society better and more inclusive, rather than worse.”
In addition, “COVID-19 has made proper management of your customers’ digital identities even more important,” states Deloitte. “The decisions of organisations and their senior leaders concerning digital identity strategies and operations will help define your customers’ digital experience. This digital experience, in turn, will determine their willingness to become customers in the first place, their loyalty level and their inclination to recommend you to others.”
How we secure our digital identity is continuing to evolve. Mastercard, in its report, states: “We are still in the early days of the human digital transformation and almost certainly do not yet have a grasp of how truly fundamental an understanding of digital identities will be to the future human experience. Digital ID, today understood as how we can prove that we are who we say we are, will likely become the primary mechanism through which we construct our digital selves and engage with and inhabit tomorrow’s digital spaces.”
News of the UK government’s intention to create a trusted digital identity system has drawn support and criticism in equal measure. Digital Infrastructure Minister Matt Warman said: “Whether someone wants to prove who they are when starting a job, moving house or shopping online, they ought to have the tools to do so quickly and securely. We are developing a new digital identity framework so people can confidently verify themselves using modern technology and organisations have the clarity they need to provide these services. This will make life easier and safer for people right across the country and lay the building blocks of our future digital economy.”
The ICO (Information Commissioner’s Office) response states: “The ICO supports the introduction of a UK digital identity and attribute framework. Such an overarching framework can bring many economic as well as privacy benefits over reliance on paper identity records. Government’s proposed framework and accompanying governance regime also has the potential to bring individual protections and trust to the existing digital identity ecosystem. However, development of the framework must proceed carefully and in accordance with data protection law.”
However, speaking to Silicon UK, Professor David Chadwick, product director at Crossword Cybersecurity Plc and co-author of the W3C Verifiable Credentials standard, says: “I was very disappointed with it. It read as if they wanted to enhance Verify, their failed digital identity system, rather than saying ‘we need to move to a situation where people can start to carry their digital identities with them in wallet apps on their smartphones, conforming to the W3C Verifiable Credentials Data Model Recommendation’. This model does not differentiate between digital identity and attribute providers, as the UK government does.”
Chadwick concluded: “Your digital identities are different combinations of your digital attributes, and these are provided by many different identity providers – called issuers in the W3C recommendation. Each digital identity you assert is bound to a cryptographic key when you present it, so that you can prove that you own this digital identity. However, users do not need to be aware of this, as the keys can be ephemeral and thrown away after the presentation. Separating, as it does, a digital identity from attributes is a major failing of the UK government’s framework in my opinion.”
GBG also state: “There is a clear aversion to the ‘new’, but technology is beginning to show signs of catching up: almost half of consumers now consider their mobile phone number (47%) and email address (46%) as core parts of their personal identity – with newer aspects like biometrics (27%) also entering the identity mix. This creates a conundrum for businesses looking to prosper online, as our identities are increasingly composed of a fragmented set of digital characteristics – there is still work to be done on educating and building trust in new technologies.”
Across Europe, digital identity protection is gaining prominence. Indeed, the European Digital Identity and Wallet framework unveiled in June 2021 looks to create an integrated digital wallet to connect multiple aspects of a citizen’s digital footprint to secure these assets from malicious attack.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “The European digital identity will enable us to do in any Member State as we do at home without any extra cost and fewer hurdles. Be that renting a flat or opening a bank account outside of our home country. And do this in a way that is secure and transparent. So that we will decide how much information we wish to share about ourselves, with whom and for what purpose. This is a unique opportunity to take us all further into experiencing what it means to live in Europe, and to be European.”
New normal ID
The use of AI within digital security applications and services will continue to mature. Machine authentication is a growing sector within digital security as a whole. As other areas of business and customer-facing services become increasingly automated, the use of these systems within new security applications is almost inevitable.
Are technologies like the blockchain and distributed ledger how digital identity will be managed? “It’s too early to say, but I think it looks like a good possibility,” says Gil Kirkpatrick, Chief Architect, Semperis. “Blockchain-based distributed identities have some interesting characteristics that could make it possible for people to take over the management of their identity information in a way that is secure, privacy-preserving, and cost-effective. On the other hand, I’m unconvinced that people are ready, or even interested, in the responsibility of managing their own identity information. How many times have you clicked through the GDPR cookie warnings on a website? Did you even bother to read it? Or think about it? We’ll see.”
Professor David Chadwick concludes: “The problem today is that no agreed set of standards exists. We have widely disparate views of what these should be. Everybody has their own favourites. In one camp, we have people who believe the future is a completely new set of digital identity technologies: blockchains, DIDs, new cryptographic algorithms, and the DIDComm protocol stack (which is really little more than S/MIME with onion routing), and those like myself who believe we should build the verifiable credential digital identity eco-system on today’s existing ubiquitous standardised protocols and cryptography, such as X.509, OpenID Connect, W3C Web Authentication (FIDO2) and JWTs.”
The state of digital identification continues to react to changes in consumer behaviour and the broader commercial landscape they inhabit. As citizens and businesses alike expand their digital services, identification and authentication must remain a central and supporting pillar for secure communications.
Silicon in Focus
Matt Cox, Managing Director, EMEA, Fraud, Cyber and Compliance at FICO.
Matt Cox is managing director, EMEA, Fraud, Cyber and Compliance. Matt is a well-rounded business leader and professional with 20 years of global experience within the Financial Services industry, specialising in Fraud and Financial Crime across all products and services. Matt has successfully led significant transformation programs across various products and geographies, ensuring the right people, processes and technology are built up for the future. One of Matt’s many achievements includes best in class recognition within several European countries. Matt joined FICO from Barclays, where he was global director of Fraud. Before Barclays, he led the fraud team at EnterCard in the Nordics, worked in a second line role at ABSA and also worked at Santander, where he played a critical role in transforming the fraud operating model following the acquisition of Abbey National.
From cookies to multi-factor logins, how has digital identity fundamentally changed over the last few years?
“Digital identity has changed quite rapidly in the last few years. This is due to a much higher focus on the importance of strong identity management and the need for a much wider understanding from users of the importance of layered controls in combatting the increasing identity and fraud threats. In areas such as financial services, for example, in the online banking and retail channels, user demands for seamless authentication and growing data privacy and cybersecurity considerations have led to the gradual adoption of more sophisticated systems for digital identity management.
“However, basic controls such as cookies and knowledge-based elements are not fit for purpose in isolation when building a strategy on digital identity. Fraudsters and malicious actors are now compromising account data and passwords so quickly and on such a scale that the security to mitigate this has had to adapt. Improving the layered approach to identity and authentication is critical – having practical barriers and adaptive measures in place to remove the predictability and easily compromised elements of authentication.”
Will COVID have a lasting impact on digital identity?
“Worldwide, COVID-19 accentuated a major and sudden need for individuals to take up or increase their use of digital services. COVID will undoubtedly have a long-lasting impact on the way consumers and businesses interact with each other across a wide range of digital services but particularly when it comes to digital identity, where we have seen a real shift to digital-first servicing. The ongoing investment in digital-first and digital transformation to meet the growth in the number of consumers expecting to be able to process and complete applications and transactions online means providers must have in place adequate identity controls that are robust and stringent enough to ensure they remain safe from developing fraud threats, whilst balancing compliance requirements and consumer experience. Those that invest in scalable technologies and resilient frameworks around identity will be able to shift with expectations and mitigate the challenges and impacts that COVID has brought.
“There will be a new focus on prioritising the benefits of digital identity schemes and identity landscapes across many regions as access to key services such as banking, healthcare and education become increasingly required through online channels. The lead on this discussion will undoubtedly be led through governments and existing identity providers, resulting in new innovations coming to market in this space.”
What is your view of the UK government’s policy paper for a digital ID and attributes framework?
“The UK’s digital identity debate is not a new one. We have seen in the past previous false starts and unsuccessful policy papers on creating framework guidance and pilots on digital identifiers led by government departments and research teams. However, in the UK, these have all fallen at early stages. In the UK, one of the main challenges in identity management is that identity data sets remain largely disparate. The services, accounts, and systems we as individuals use for identity remain unconnected, and online profiles that connect all our activities across our digital footprint do not currently exist. The reason for this is simple – we lack a unique digital identifier, something that could be used to connect our online activities to us as verified individuals in a way that other regions such as Sweden, Denmark and Estonia do.
“The opportunities are clear when it comes to investing in digital identifiers and have been demonstrated in these regions. Enabling an easy, convenient, and most importantly, trusted single identifier would offer consumers and businesses a quicker, more transparent, and less complex method to onboard and maintain trusted relationships with each other whilst minimising the risks of account takeover, identity theft and fraud that come with existing physical documentation and manual processing.
“The UK government so far, though, has come up against barriers in public opinion as they have an inherent mistrust in the government and allowing further access to data than is strictly necessary, something that is not likely to change in the short to medium term for this consultation. Having said that, and whilst any early adoption of such a scheme is still a long way off, with many hurdles to navigate, as the shift to digital activities and services intensifies, governments and policymakers who have taken the opportunity to review and re-position the goals and benefits of such a programme have possibly the best opportunity to find traction across the ecosystems in creating a centralised framework and embedding a foundation that will enable growth in coming years.
“The message of enabling greater flexibility on service providers and centralised access to data is a positive narrative when it comes to creating and maintaining the trust of that identity and registration. These new policies could allow digital identities to be built on a greater range of trusted datasets – such as those managed by the DVLA, or the GRO for birth certificates. This would enable businesses to ask government authorities to confirm whether a piece of information, such as someone’s age or address, is valid and matches their records.
“The balancing act for identity going forward will be an interesting one. The government notes that it is committed to not making digital identities compulsory in the UK, something that will absolutely encourage the organic growth of such a scheme, but just as importantly, it also wants to ensure that people in the future are not forced to use traditional identity documents if these are not strictly required and ensure that any digital identifiers have a similar status to the existing physical documents in trust levels. This will provide a level playing field for providers and businesses when managing their compliance, KYC and AML strategies across accounts and users.
“Most crucial of all will be the transparency in design and inclusion. One of the key elements from the debate on National Identity Cards and the process of qualifying for one was that it exacerbated pre-existing inequalities and discrimination of people’s rights and access to public and private services. Data privacy must be included as a fundamental principle; the protection of the integrity of an individual’s data and accessibility of that data will be of the highest priority. All these challenges again must be addressed sufficiently to see more progress made this time.”
Is biometrics the future of digital identity and authentication? Will the password become a thing of the past?
“Biometrics, of all kinds, have become very important in the identity and authentication landscape across all verticals and industries – particularly for mobile channels where the consumer uptake and trust in utilising biometrics such as fingerprint and facial biometrics are high. Biometrics can be extremely effective across all digital channels and give a level of trust and insight. If used correctly, they can provide a multi-layered approach to identity verification and trust for service providers and customers whilst maintaining the ability to balance security and convenience in a competitive space.
“There is a shift happening across many global regions to move from outdated models of identity and authentication that are modular and functional towards a more continuous and adaptive approach to establishing and maintaining trust with and of a user’s identity throughout the consumer lifecycle. Passwords are inherently weak for several reasons, all of which are well known. The goal in any digital space should be to move away from sole reliance on static based knowledge credentials and focus on authenticating users rather than passwords.
“The distinct mixture of biometric capabilities available across physiological elements such as fingerprints alongside the growing importance of behavioural biometrics that identify a user’s unique characteristics such as keystroke analysis and neural profiles offer a passive route to confirming a user’s identity in which even if a credential or password is compromised, the likelihood of a malicious actor replicating the legitimate user’s behaviour is incredibly low. The combination of these biometric technologies enables a way for both consumers and businesses to increase security whilst requiring no hardware or remembering of multiple passwords and will no doubt play a major part in the next generation of identity and authentication.”