Sunday, March 12, 2017

SXSW Day 2, session 2: The Future of You: Identity Tomorrow

Panel discussion by Steve Larson from SureID, Lindsey Edwards from LinkedIn and Tom Gonser, founder of DocuSign, moderated by James Varga.

SureID provides a service whereby people can enroll to get a verified digital identity.  It's a commercial service, so you can go to a UPS store, provide proper documentation proving who you are, and get a digital identity (which includes biometrics) that you could use online in a few places to validate you are who you say you are.
LinkedIn, which has focused on professional identity, is now looking to help people establish their Enterprise identity: all the things you would like to identify about yourself in the context of your Enterprise, but not externally (teams you worked with, projects you worked on, etc).
DocuSign is a system allowing for secure online digital signing of documents, replacing the traditional pen signature with certificate-based signing.

The main discussion of the panel is how you can achieve online trust in identity: proving you are who you say you are.  This requires a source of trust which can verify you, and provide you with a digital identity that cannot be forged.

Currently, businesses are struggling to know who is coming to use their digital services.  An example cited was dating sites, where many identities are fake or embellished, and there's no real way to get trusted information about the person you're connecting with.

Another interesting point raised is that there are multiple levels of verifications to consider.  First, there is the basic verification that you are who you claim to be.  However, then comes the question of the information you attribute to yourself - is it also verified?  The system can identify you are John Doe, but how does it know you are 21 as you claim to be?  That you are 6' tall?  That you have an engineering degree?  Conversely, if the digital identity has all this information, you don't always want to expose all of it, or sometimes you only want to expose categories of it.  For example, if a site needs to know you are at least 21 years old, you don't want it to be able to access your age from the digital identity - only to confirm that it's 21 or more.  This is a level of sophistication not currently available, but which will need to be considered.
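One way the "21 or more, but not the age itself" disclosure could be structured, as an added example that is not from the panel or from any of the vendors named: the issuer signs only salted digests of each attribute, and the holder reveals just the attribute a site needs. The claim names and functions are hypothetical, and the HMAC tag is a stand-in for an asymmetric issuer signature so the sketch runs on the standard library alone.

```python
import hashlib, hmac, json, secrets
from datetime import date

# Constructed key. Assumption: a real issuer signs with a private key and
# verifiers hold only the public key; HMAC stands in for that signature here.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # The salt stops a verifier from guessing hidden values by hashing candidates.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(payload):
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue(name, birthdate, today):
    """Issuer checks documents once, derives the predicate, signs digests only."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    age = today.year - birthdate.year - (0 if had_birthday else 1)
    claims = {"name": name, "birthdate": birthdate.isoformat(),
              "age_over_21": age >= 21}
    disclosures = {k: (secrets.token_hex(16), v) for k, v in claims.items()}
    digests = sorted(_digest(s, k, v) for k, (s, v) in disclosures.items())
    payload = json.dumps({"digests": digests})
    return {"payload": payload, "tag": _sign(payload)}, disclosures

def present(credential, disclosures, reveal):
    """Holder hands over the signed digests plus only the chosen attributes."""
    return {"credential": credential,
            "revealed": {k: disclosures[k] for k in reveal}}

def verify(presentation):
    """Return the revealed, issuer-backed claims, or None if anything fails."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["payload"]), cred["tag"]):
        return None
    signed = set(json.loads(cred["payload"])["digests"])
    checked = {}
    for name, (salt, value) in presentation["revealed"].items():
        if _digest(salt, name, value) not in signed:
            return None  # value was altered or never issued
        checked[name] = value
    return checked

if __name__ == "__main__":
    cred, disc = issue("John Doe", date(1990, 5, 1), date(2017, 3, 12))
    print(verify(present(cred, disc, ["age_over_21"])))
```

The verifier learns a single issuer-backed boolean; the name and birthdate stay with the holder as undisclosed salted digests.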

Currently, we have dozens or more digital identities – most web sites we register with manage their own ID, which forces the user to remember multiple passwords, one for each identity.  The risk with this is that forgetting a password to one of your identities is frustrating and may cause a user to drop out of a service.
What can be used as the single digital identity?  On the one hand you have social network identities, which are well established: Facebook connect, for example, is the biggest identity network in the world.  Unfortunately, though, it is not at all reliable - cats and dogs have Facebook accounts.
Alternatively, more secure identification methods are not as available, require more effort to sign up for, and may be costly as well.  Businesses do not want to force them because they have not reached mass adoption, and people won’t go to the effort of adopting them until they are usable in a lot of places.  The process of adoption will have to be enforced by strong entities like governments or banks.  Right now they lose the most, and can force the issue to reduce their liability.  An example given was fake tax returns, submitted by people impersonating others, which cost the US government billions of dollars annually.
In Europe the governments are more active in trying to formalize digital identification.  Estonia, for example, has a digital identity platform which they are opening up to other countries.  But it still requires you going to an Estonian embassy to get it.
In the Nordic countries, banks and government have collaborated to create a Bank ID which has reduced bank fraud substantially.  However there is no universal solution – each country does its own thing (e.g. Israel, with the biometric database).

A driver’s license is a good example of a locally verified document, but very few people know how to identify a fake one, so the enforcement mechanism is limited.  Also, it’s only as up to date as the date it was issued.
A passport is an example of a globally accepted identification document, which is accepted for a wide variety of applications.  However it suffers the same limitations as a driver’s license in terms of authentication and being up to date.

Notaries are a traditional form of identity verification, which has lost its usefulness; a notary will usually validate you presented a document to them that identifies you, but the document itself may suffer the same weaknesses described above.

What is the future of digital identity?

  • Social networks like Facebook and LinkedIn have hundreds of millions of identities, and may have an interest in making them more reliable as a digital identity
  • Individuals need to be more motivated to use strong digital identity, which would require digital identities to be more convenient.  Also, the unification of digital identity is a must, one digital identity that can be used multiple times.


What is the future of digital identity theft?

  • More than half of US fraud is online fraud
  • Personal information is already out in the open now, so if we keep relying on personal information we will never get ahead of identity theft
  • We overshare to compensate for our inability to trust digital identity – identification processes force us to give more and more information about ourselves, which feeds into the fraud problem. 

