Digital identity predictions for 2020
What does 2020 have in store for digital identity? Here are some of our predictions.
More countries will begin to adopt national ID schemes
A national identity scheme tells us much about the state that creates it. Schemes come in many forms, with the government taking many roles from identity issuer to regulator. Gemalto has visually explained the ecosystem.
Here’s an example of the UK system:
The case is slightly different in Estonia where identity is given a more citizen-centric point of view with the government taking the role of identity issuer. Each citizen receives a national identity card (so far 98% of the country is covered) and this card allows them to access online services.
In countries like Sweden and Finland, the banking industry has taken on a key role as the issuer of digital identities. While no country has the perfect ecosystem, newer countries, like Kenya, that adopt these systems have lessons to learn and ideas to build upon.
2020 will see more national identity schemes launched and more projects to be announced. The world is realizing the benefit of giving citizens a national ID that can help them access the banking sector and public sector.
The digital identity landscape will get less complex
One World Identity has been helpful in segmenting companies in the Identity and Access Management space. Their document mapping the identity landscape looks a little heavy right now, and there are no signs of slowing down. Companies are starting each day to solve new challenges in the industry or gain a piece of a growing market share.
Companies solely dedicated to Identity Verification, Know Your Customer, Identity Proofing and Compliance are mapped with trade organizations and password managers.
We don’t think we’ll see a slowdown in companies popping up in this space anytime soon but we do think that companies will start to build partnerships and collaborate more with API-driven approaches. This will lead to one-size fit solutions that will become the norm. Identity verification, issuance, federation, and brokerage are areas where we can see good opportunities for joint ventures and API-driven workflows. For a business that doesn’t want to deal with complex identity data, this partnered one-size fits all solution will be useful.
Phishing attacks will increase – This time, with a thirst for identity data
As security gets more complex, so does a cybercriminal’s strategy. Password complexity hasn’t changed much, and people still tend to use the same passwords for most accounts, but there has been the adoption of multi-factor authentication that hackers are now trying to bypass with a new type of authentication attack.
By tricking users into pretending to be a company they trust, hackers can ask users to identify themselves with a fingerprint or a picture of their faces. This biometric recognition is then stolen and used to gain access to their accounts.
There has already been a couple of attacks that have sought to get access to a user’s biometric data. These types of attacks don’t show any signs of slowing down.
The ownership and control of identity will be a major topic of discussion
There is consensus in the industry that identity attributes should belong to and be controlled by the people who own them. Citizens.
Organizations shouldn’t have to issue digital identities. Instead, each person should bring their own identity, choose which information they share with the company and an independent authority would verify this data before a digital information exchange takes place.
When it comes to the advantages of using blockchain to store identities, the list is endless. The control of data is with the person who owns it, they can revoke access to data by third-party companies, update the data themselves and delete information they don’t want. Everything that GDPR regulators would die for.
Since Satoshi Nakamoto released his white paper on Bitcoin in 2008, we still haven’t seen widespread adoption of digital identity. Why?
There are a few answers to this question. The first is that there is still a lot of debate about what we would use to authenticate ourselves online. Right now, we typically use a password and username, and in higher-level situations, we have to identify ourselves with a bank account, address, passport, or driver’s license. Some experts say that we could use identity attributes like proof of bank account ownership, library memberships, government accounts online, etc. Some argue that we should use biometrics like facial recognition or fingerprints, but both have already been successfully hacked. Others say we could move towards a model using identity attributes based on our behavior, but most consumers find this terrifyingly dystopian. And many experts say the answer is a mix of all the above.
“Whenever things as sensitive as biometric templates are written to an immutable ledger, you don’t know what will happen with that data years into the future.” Says Ed Eykholt, VP of Engineering for non-profit biometric service provider iRespond, in an interview for Biometric Update.
But what counts as an identity attribute? How do you regulate this and stop sensitive data from being accessible to hackers? These questions are still up for grabs, and W3 org has a working group that has been making a good start.
The industry has already put to bed ideas of using blockchain for identity because running sensitive identity data in the blockchain would be tricky to do securely. A centralized identity service on a decentralized data exchange platform appears to be the way forward, but who becomes responsible for this data? Would you trust the government with it? Or your bank?
We’ve already seen what security issues a nationwide identity database can create, thanks to India’s Aadhar hacking incidents. The fact is, there are still a lot of questions to be answered and a lot of collaboration between private and public companies all over the world to make this work.
The banking industry will be focused on trust
2020 will be a busy year for banks. Banks were traditionally trusted with safeguarding the gold bullion, but today, banks have a much larger responsibility to safeguard our data. There have been significant challenges in doing so, especially as Open Banking encourages the sharing of data via APIs with third-party providers and FinTech.
The move will bring about significant benefits for consumers and allow greater market competition, but it does create more layers for data to leak or be exploited. One that banks and financial technology companies alike will have to work hard to close.
Banks are also having to think about Know Your Customer (KYC) checks and what they can do to improve a system that is already being exploited. According to UK Finance:
“Unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £844.8 million in 2018, an increase of 16 per cent compared to 2017.”
AnticMoney Laundering (AML) and KYC checks are not sufficient enough. While Legal Entity Identifiers have the potential to greatly reduce fraud, improve KYC and shorten onboarding times on the side of B2B, there’s still a gap when it comes to B2C transactions. Could LEIs also be the answer to B2C? We’ll have to wait to find out the answer!