We should be able to “Tap and Prove” any important facts and figures about ourselves — as easily as we “Tap and Pay” with a smartphone at any one of hundreds of millions of terminals globally.
More’s the point, we should aim for an all-digital experience of presenting facts and figures in-app; we could “Click to Prove” our age, our qualifications, professional licences, travel permits, health certificates or whatever — as easily as we “Click to Pay”.
And I mean exactly as easily. With the same security, privacy and speed. With the very same gadgets.
We should be able to move verified copies of our personal data around the digital economy as safely as we move our money.
Look at the innovation in mobile credentials. With our phones now we can carry and present secure copies (tokens) of payment accounts, boarding passes and even virtual hotel room keys.
In digital life and work, on a daily basis, we need to show things about ourselves — usually discrete pieces of official data, each with its own context. These details often come with special metadata that proves the origin of the data, the validity dates, jurisdiction, and so on. More subtly, there can be additional signals about how the data was carried, plus signature codes to prove how the data was presented.
Smart credit cards are surely the exemplary way to digitally present critical facts and figures.
The primary account number (PAN) in a smart credit card is held in a certificate signed by the issuing bank. That certificate also specifies a key pair of the customer, where the private key is held in the smartcard chip. Every time the smartcard is used for a purchase and presented in a terminal, the chip creates a fresh signature on the transaction data, which among other things serves to prove that the legitimate card holder was in control of the purchase.
This works because the signature is provably unique to the private key in the chip, the chip can only be activated by presenting the correct PIN, and the signature proves that the cardholder was in control at the time of the transaction.
Exactly the same cryptographic techniques are used inside a smartphone wallet holding virtal credit cards. Smartphone chips have a “card emulation mode” which enables them to mimic smart credit cards. In fact most smartphones can also emulate smartcard readers, which makes it possible, through a software app, for phones to act as digital payment terminals.
Credit cards have steadily evolved since the 1950s, from cardboard through magnetic stripe to chip and now smartphones and watches. Personally, I have had a credit card account with the same bank since the 1990s, and have seen this evolution first-hand.
My user experience of the very same account number has got better and better, while my customer agreement has stayed the same throughout.
We should now extend this powerful data protection infostructure from credit cards to other forms of personal data.
Consider the fact that the global credit card networks only exist in order to prove the truth of a certain piece of data, a 16-digit number, presented by customers to merchants anywhere in the world.
We could leverage the processing schemes, terminals, smart devices, standardised contracts, and fee arrangements for verifying any facts and figures we routinely need to prove about ourselves: licences, qualifications, memberships, school grades, age, official government IDs, health identifiers, medical results, vaccination records. and so on.
State governments in Australia are well advanced in digitising all manner of citizen credentials so they can be conveyed peer-to-peer from mobile phones. The user experience is evolving from QR codes through to instantaneous radiofrequency interfaces — of exactly the same type used in mobile phone payment wallets.
This digitisation is taking place without changing any of the meaning or the rules around the credentials. There’s no fuss, and there’s little or no complication around “identity”.
The mission is simple: progressively digitise all the facts we need to know and show.
Simple data wallets are leaving federated identity for dead. While digital services have developed ever more rapidly, digital identity — which was supposed to be the essential underpinning — has stagnated.
We made digital identity too hard by solving for the wrong problem. Personal human identity is always going to be rich, relative, subjective and analogue. On the other hand, the things we really need to know about people in the digital domain are really quite simple. And they boil down to quality data.
We know how to solve for data reliability: by blending cryptography with established governance.
That’s the guts of the credit card evolution! We’ve gone from watermarked pieces of cardboard in leather wallets to digitally-signed verifiable credentials in smartphone wallets. Each generation of data carriers carry exactly the same core data, but over time they come with ever more sophisticated metadata, built in to prove that the core facts and figures are true.
The digital identity industry has arrived at cryptographically verifiable credentials. This technology can be married to existing rules frameworks to create infostructure to verify any data anywhere across cyberspace and the digital economy. We’ve done it for credit cards. Now let’s do it for data.
This blog is an update to my Identiverse 2021 conference speech Why Isn’t Identity Easy? Post updated April 2023 to add the all-digital “Click to Prove”.