Digital identities are the foundation for how we interact with the online world, making it vital to have a sustainable digital identity platform. To create such a platform, we must develop a user-centered solution that enhances safety, provides control and benefits, and ensures no one is left behind.
Not all use cases for digital identities require the same strength of identity proofing or the same types of credentials for authentication during an online transaction.
This article will discuss what makes a good 'digital identity' and examine the different identity assurance levels that organizations can use to render digital services to individuals.
The increasing digitalization of services: A strong case for digital identities
The number of digitalized everyday services has multiplied. With the widespread availability of the internet and mobile devices, these services are much more accessible. But there is a caveat: To access the digital world and its plethora of services, like music streaming, online banking, telehealth check-ups, etc., we need to have one thing in place: our DIGITAL IDENTITY!
Digital identity: Overview and elements for creating a good identity
Digital identity helps identify an individual in the digital ecosystem; it is a unique representation of a user within that ecosystem. A good 'digital identity' can be verified/validated/authenticated to a high degree of assurance across all digital channels. The assurance level reflects how identity information risks are managed. The process used to verify a subject's association with their real-world identity is called 'identity proofing'.
According to a World Economic Forum report, a good digital identity helps an individual in the following aspects:
1) Fit for purpose:
Each service provider may need to verify different parameters to assess an individual's eligibility to use a service. Hence a good identity must fit the required purpose and help build trust between the consumer and the service provider. For example, a music streaming app requires only the consumer's mobile number to use the service. In contrast, online banking services require many more identity verification parameters than just a mobile number.
2) Inclusive: (for types of identity)
The identity does not discriminate based on identity-related data and has an identification process that includes all sections of society. It enables anyone and everyone to establish and use their digital identity.
3) Useful:
A good digital identity is easy to use and helps individuals unlock a wide range of valuable services.
4) Offers choice:
The identity data is under the user's control, as they can choose what type of data to share for a particular interaction with the service provider.
5) Secure:
Checks and balances are built into the identity platform to ensure that only authorized information is shared and to protect individuals, organizations, devices, and infrastructure from identity theft.
As we embark upon the Fourth Industrial Revolution (powered by the cloud, social, mobile, internet of things (IoT), and artificial intelligence (AI)), the opportunity to create value through verifiable digital IDs is ever-increasing due to:
- Improvements in technology
- Cheaper cost of implementation
- Increased access to smartphones and the internet
As per McKinsey's digital identification report:
- Close to a billion people in the world have no form of legal identification available.
- The others (about 6.6 billion people) have some form of identification available, but its usage in the digital landscape is limited.
- There is potential to unlock economic value equivalent to 3-13% of GDP in 2030 for seven diverse economies with high adoption rates: Brazil, China, Ethiopia, India, Nigeria, United Kingdom, and the United States.
- Digital identity platforms can help save around 110 billion hours using streamlined e-government services, social protection, and direct benefit transfers. Institutions can gain from customer registration, onboarding costs lower by up to 90%, and reduced payroll fraud, saving up to $1.6 trillion globally.
Transitioning from a purely physical ID to a digital one will help consumers and service providers benefit from a digital infrastructure's efficiency and inclusion benefits. This will result in higher customer acquisition and a lower servicing cost.
Digital identity: Assurance levels
A digital identity must always be unique to an individual for consuming a digital service. However, a digital ID does not need to identify the individual distinctively in each case. Hence, for some services, it may not be necessary to know the underlying real-life identity. For example, to access an online music streaming service, the app needs a unique mobile number to register the user but does not care about the user's identity. In such cases, identity authentication will ensure that the same person uses the service with reasonable risk-based assurance. In other words, it may not be necessary for each service provider or for each digital service to identify the subject at the same level of assurance.
This leads to the concept of varying levels of identity assurance or different identity assurance levels associated with each digital identity. Different assurance levels mean that the services corresponding to an assurance level can be made available to the individual as soon as their digital profile reaches that level. As per NIST (National Institute of Standards and Technology), assurance levels are of the following types:
Source: NIST digital identities Guidelines (Version 3)
Creating digital identities of varying assurance levels: Underlying technology
In the physical world, customers must validate identity to establish trust using factors like the person's physical presence/appearance and/or the person's ID proof (a photo identity card). Similarly, in a digital world, authentication challenges can be broken into what we know, what we have, and what we are. Let us look at each of the factors individually:
a. What we know: This authentication challenge is based on the user's knowledge. For example, the person's PIN, password, secret question, passphrase, etc.
b. What we have: This authentication proves that the information about the registered medium is the same as in the service provider’s system, such as the person’s mobile number, email, etc.
c. What we are: This authentication challenge irrefutably proves that the person at the other end is indeed the same person by authenticating through details that are unique to that person, like a matching biometric scan.
As the value at risk increases, one can use a step-up authentication mechanism by combining all three identification factors: what I know, what I have, and what I am. Some factors can easily be faked; this is why more online service providers look for a combination of all these factors, along with other contextual aspects, like the device used for a particular transaction, geolocation, time of day, etc. A combination of all these factors helps service providers uniquely identify each individual and can be used during the sign-up process for an online service offering.
Similarly, for identity verification, one can connect with multiple trust providers, such as government institutions, financial/telecom institutions, based on the use case. A well-connected platform enables multiple identity verifier choices so that no strata of the population are missed and then helps multi-modal (PIN, password, biometrics, tokens, etc.) assertion factors to be enrolled and authenticated (based on the value at risk). This can be the perfect catalyst to trigger all the operational efficiencies that a digital intervention can bring.
Assurance levels: The need
Assurance is, "How sure am I that you are who you claim to be?" In other words: How confident is the service provider that the presented credentials are with the consumer whose identity is being asserted?
The level of assurance needed is based on the consequence of authentication errors and misuse of credentials.
- As the consequence of an authentication error increases, the level of assurance should increase.
- Similarly, informal or low-value requests would require less stringent verification.
- Higher value or legally significant requests will require more stringent assurance.
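The step-up idea and the rule that assurance should rise with the consequence of an authentication error can be written as a small policy check. The following is an added example, not code from the article or from NIST; the impact labels, the factor counts per level, the context bump and the challenge order are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Factor categories named in the article: what we know / have / are.
KNOW, HAVE, ARE = "know", "have", "are"

# Assumed policy (not from NIST or the article): consequence of an
# authentication error -> number of distinct factor categories required.
LEVELS = ["low", "moderate", "high"]
REQUIRED_FACTORS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Request:
    impact: str                  # consequence of an authentication error
    verified: frozenset          # factor categories already proven this session
    known_device: bool = True    # contextual signals mentioned in the article
    usual_location: bool = True


def effective_impact(req: Request) -> str:
    """Raise the impact one step per anomalous context signal, capped at 'high'."""
    bump = (not req.known_device) + (not req.usual_location)
    return LEVELS[min(LEVELS.index(req.impact) + bump, len(LEVELS) - 1)]


def step_up(req: Request) -> list:
    """Return the factor categories still to be challenged (empty list = allow)."""
    if req.impact not in REQUIRED_FACTORS:
        raise ValueError(f"unknown impact level: {req.impact!r}")
    unknown = set(req.verified) - {KNOW, HAVE, ARE}
    if unknown:
        raise ValueError(f"unknown factor categories: {sorted(unknown)}")
    missing = REQUIRED_FACTORS[effective_impact(req)] - len(req.verified)
    if missing <= 0:
        return []
    # Assumed challenge order: possession, then knowledge, then biometric.
    candidates = [f for f in (HAVE, KNOW, ARE) if f not in req.verified]
    return candidates[:missing]


if __name__ == "__main__":
    # Constructed sample requests: streaming sign-in vs. a high-value transfer.
    print(step_up(Request("low", frozenset({HAVE}))))
    print(step_up(Request("high", frozenset({KNOW}))))
```

A low-impact request from an unrecognised device is treated as moderate here, so the same policy both steps up and steps down as the context changes.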
TABLE: Maximum potential impacts for each assurance level
Conclusion
In a nutshell, different contexts may result in different risks. The identity assurance levels help manage the risk of a service provider by ensuring that the organization is dealing with the right individual consistently and coherently, regardless of the context.
Nagarro, with its technical expertise, can help clients deliver a seamless digital platform that enables onboarding of digital identities authenticated via multiple ID providers. This platform can subsequently marry that digital identity with various assertion mechanisms like PIN, passwords, biometrics, etc. It can further be enriched to automatically step up or step down the authentication challenges, based on the use case or transaction that is being performed.