Rethinking Digital Identity Part 2: Hot takes

Continuing my rethink of digital identity, here are some realisations that help form a fresh vision.

It’s often said that “the Internet is missing an identity layer” but it’s really missing an authenticity layer.

It’s rare that we need to know who someone really is. Instead we usually need to verify some specific fact about them, disclosing as little identity as possible. We need facts and proofs—that is, contextualised authenticity signals—not more identity.

Today, authenticity is a far bigger issue than identity, and is in urgent need across all digital resources and actions.

There is no such thing as identity theft; there is only data abuse.

Data breaches do not represent an “identity” problem but a data problem. Twenty-plus years of experience has proven how hard it is to standardise identity, simply because different groups of parties need to know different things about each other. On the other hand, we know very well how to protect data against tampering and counterfeiting.

KYC processes remain reasonably robust in physical account opening.

Criminals no longer buy counterfeit passports and driver licence cards to open fake bank accounts in branches; instead, they use stolen data to fool online KYC procedures. KYC would be equally robust online if the ID document data were more dependable.

Digital identity is nothing but data; it can’t be anything else but data!

When we deal with someone digitally, data is all we have. Our “digital identity” problems are really data quality challenges.

If we generalised digital identity as a matter of verifiable data, then we could apply our proven identity technologies to the bigger and more urgent problem of cyber fraud.

All fraud and scams probably boil down to bad data.

That is, erroneous data, including misappropriated identifiers, stolen and co-opted biographical details, synthetic identities, Deep Fakes and so on.

Authenticity lies in metadata.

The signals that convey authenticity (such as origin, provenance, authorship, endorsement and so on) can be codified as metadata. And metadata is the essence of verifiable credentials. A VC is a data structure containing information about a Subject and an Issuer. Usually that information centres on the Subject’s name or other designation and a qualification of some sort, plus administrative data. But a VC can assert any attribute about the Subject. And the Subject need not be a human; VCs are being issued to other sorts of agents, such as IoT devices and AI agents.

We could extend verifiable credential technology even further, for verifying any interesting attribute of any thing or any data.
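As an added illustration of this point (not code from the original post), here is a minimal Go sketch of an issuer signing only metadata about a Subject, so that the holder can later prove one attribute such as `over18` while withholding everything else in the credential. The salted hash-commitment layout, the issuer name `example-issuer` and the claims are constructed for the example and are not a standard VC profile; the guarantee rests on the verifier trusting the issuer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)
// Envelope is all the issuer signs: issuer metadata plus one salted hash
// commitment per claim. Claim values themselves never enter the signed bytes.
type Envelope struct {
	Issuer      string   `json:"issuer"`
	Commitments []string `json:"commitments"` // sorted hex(sha256(name|salt|value))
}
// commit binds one (name, value) pair to a random salt so the holder can reveal exactly that claim.
func commit(name string, salt []byte, value string) string {
	sum := sha256.Sum256([]byte(name + "\x00" + hex.EncodeToString(salt) + "\x00" + value))
	return hex.EncodeToString(sum[:])
}
// Issue signs the envelope and returns the per-claim salts the holder must keep.
func Issue(priv ed25519.PrivateKey, issuer string, claims map[string]string) (body, sig []byte, salts map[string][]byte) {
	env, salts := Envelope{Issuer: issuer}, map[string][]byte{}
	for name, value := range claims {
		salts[name] = make([]byte, 16)
		rand.Read(salts[name]) // crypto/rand never returns an error on Go 1.24+
		env.Commitments = append(env.Commitments, commit(name, salts[name], value))
	}
	sort.Strings(env.Commitments) // canonical order, independent of map iteration
	body, _ = json.Marshal(env)   // strings and []string cannot fail to marshal
	return body, ed25519.Sign(priv, body), salts
}
// VerifyClaim checks the issuer's signature, then that the one disclosed claim matches a signed commitment.
func VerifyClaim(pub ed25519.PublicKey, body, sig []byte, name string, salt []byte, value string) bool {
	var env Envelope
	if !ed25519.Verify(pub, body, sig) || json.Unmarshal(body, &env) != nil {
		return false
	}
	want := commit(name, salt, value)
	i := sort.SearchStrings(env.Commitments, want) // commitments were signed in sorted order
	return i < len(env.Commitments) && env.Commitments[i] == want
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed issuer key for the demo
	body, sig, salts := Issue(priv, "example-issuer", map[string]string{"name": "Alice Example", "over18": "true"})
	fmt.Println(VerifyClaim(pub, body, sig, "over18", salts["over18"], "true")) // true: age proven, name withheld
}
```

The verifier is handed the signed envelope plus a single (name, salt, value) triple; any other claim stays undisclosed, and changing the value, the salt, the envelope bytes or the issuer key makes verification fail.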

Diversity of identification—sometimes described as “fragmentation”—is not all bad.

AML-CTF regulations and the National Identity Proofing Guidelines provide direction to organisations but leave them free to maintain identification procedures suited to their local conditions and risk appetites—as they should. For instance, when a customer does not hold a photo ID, variations can be designed into onboarding procedures to suit them. In security practice, we call such variations compensatory controls. There is a wealth of experience with the many IDs in use today, as to their veracity, particular vulnerabilities, regional differences and so on, which can be applied to fine-tune compensatory controls. All that diversity and risk management experience would be nullified by switching to a brand-new general-purpose Digital ID.