www.folioltd.com
The Identity Revolution Whitepaper
Part 1: The basic human right of identity and defining the digital identity domain
THE IDENTITY REVOLUTION WHITEPAPER | WWW.FOLIOLTD.COM 2
The basic human right of identity

Maria was aged 59 but her face, wrinkled from a long life of farming beneath the unrelenting sun, made her appear to be in her 80s. With both hands, she held her first freshly issued national ID: a small piece of plastic the size of a credit card, with a picture of her face, name and other data. She raised it towards the sky, her gaze fixated, and cried. Slow tears flowed as she smiled and said triumphantly: “I exist! I finally exist!”
This account is real; I witnessed it myself a few years ago in South America. Citizens who do not have an identity card cannot transact. They can’t buy or sell property, they can’t vote, they can’t enrol in college or have access to proper healthcare. In legal parlance this is known as “Legal Invisibility”. There are between 1B and 1.5B people in the world in this state, without an official identity. That’s a staggering 21% of the global population. As Maria herself expressed, it is almost as if they don’t exist.
Stemming from the Universal Declaration of Human Rights, the right to identity is now considered among the most basic human needs. It is a key that unlocks all other individual rights and is crucial to society at large. The United Nations’ own Sustainable Development Goals lay out a target to address this:

“Target 16.9: By 2030, provide legal identity for all, including birth registration”
UNITED NATIONS DEVELOPMENT GOALS *1
Being recognized is a simple thing to expect, and it’s a huge deal. The challenges here aren’t limited to remote parts of the developing world or the 1 billion plus people without any credible proof of identity. According to McKinsey*3, 3.5 billion people that actually do have IDs cannot use them online. Regardless of our location, we are all emerging citizens of the ‘global village’, the internet. We transact and live much of our lives through digital channels, particularly on our smartphones, and yet half of us cannot access high-value or high-sensitivity services through digital channels because we are unable to prove we are who we say we are.

It is hard to imagine how an inclusive, global society can properly develop without the cornerstone of good, trusted digital identity. Digital identity can supercharge global inclusivity and stimulate economic growth. It enables the billion-plus individuals who are currently financially excluded to participate in the financial ecosystem, expanding developing economies by up to 13% of GDP. These same forecasts*4 suggest a 3% average GDP uplift for even the most developed economies; that would mean around a $600 billion increase to GDP in the USA alone.
Identity fraud in the UK is reaching “epidemic levels” with people in their 30s most vulnerable.
CIFAS *5
These are exciting predictions, but unfortunately for Maria, that little plastic card that made her so happy is already obsolete.

Global economic costs relating to the prevention of fraud are mind-boggling, with McKinsey estimating that the reduction in payroll fraud alone could save up to $1.6 trillion globally.

To take advantage of these economic drivers, organizations are trying to reinvent the old world of in-person identity validation across industries, departments and channels, and early attempts at providing genuinely convenient forms of digital identity have accomplished only mixed results. We have all experienced cumbersome systems designed for the government department, corporate or bank process; the user is often a victim of self-serving, paranoid service design.

Proving you are who you say you are is one challenge; nefarious actors masquerading as you are another. The balance of convenience, security and trust has rarely been found, and in a recent Experian study of business leaders, “84% said that if they were certain about a customer’s identity, the need for fraud risk mitigation would be reduced.”*4

A digital identity solution should make life much harder for fraudsters by raising the level of assurance for key processes, and operate more conveniently, almost invisibly, for the mobile, digital user.
With 20 years of practical expertise from real-world, complex, identity-centric solutions, we aim to set out in this paper a definition of identity and explore the existing paradigms in a framework to guide sensible, strategic choices.
“From the moment we are born, we each have the human right to an identity. It’s Article 8 of the Convention on the Rights of the Child, but it lasts for life. As an enabler for our other rights to function, it’s the bedrock of a healthy and diverse society. With a legally recorded identity we become citizens of society, able to enjoy essential social services such as health care, education and judicial protection. Without an identity we are invisible to the state and cannot flourish.”
AMNESTY INTERNATIONAL *2

3.5 billion people that have IDs cannot use them online
Defining the Digital Identity Domain
One of the challenges of moving identity into the digital, mobile-first age is the natural trust model that has evolved in face-to-face interactions between human beings over thousands of years. This is why the most complex and sensitive transactions have always been undertaken face-to-face, and why, in some industries and cultures, the resistance to adopting new approaches is greater. The power of the handshake, the bow, the embrace all contribute to the intimacy, privacy and trust made possible by the physical meeting. But there is a widening body of research showing that these interactions are more complex than most of us understand, and more open to unconscious bias and manipulation.

Digital identity will replace all legacy forms of proof of identity, not overnight but in the near future. It will give the individual more convenience and control than traditional plastic and face-to-face meetings, scale more efficiently and vastly lower the risks for all parties. But while all roads may lead to Rome, many competing paradigms and models are emerging for identity.

Governments are central to the success of all future paradigms; they have always been the primary authorities of identity and will continue to be the pivotal trusted source. Why? To unlock the sort of benefits described in the previous chapter, identity must be recognized in a court of law, and it is for this reason that identities that are not government sanctioned have little chance of making a meaningful impact. Self-sovereign identity systems, for example, tend not to consider legal validity and government recognition. It is hard to predict success for such a model in the near term.

This paper will focus on their relevance to two foundational needs, which on initial inspection may appear to pose an unresolvable tension:

1. Creating unfaltering confidence that a human being’s actual, physical identity is represented correctly as a precise, tamper-proof, digital equivalent.
2. Enabling convenient, low friction experiences for users to access critical services and exclusive content from a high value ecosystem, offline and online.

Balancing these two is fundamental; both are essential to deliver the full potential of digital identity. They are the core of any shift from a legacy physical world to an online, digital, mobile-first economy.
Digital identity must be trusted to support critical services like:
• Healthcare access
• High value payments
• Know-your-customer
• Right to work
Identity needs to be thought of as a critical lineage of phases, a lifecycle rather than a set of infrequent, isolated tasks. Unfaltering confidence and low friction experiences need to be delivered in context across this identity lifecycle.

1. Registration: The process of initiating the application for an identity, verifying and proofing the claim of identity, and creation of requisite records.
2. Issuance: Creation and activation of a new token for the registered identity. Credentials bound to the user are stored and sent securely for use by the individual, with renewal and replacement processes.
3. Authentication: Use of credentials to confirm the appropriate level of assurance of the user’s identity to a relying party.

(Lifecycle diagram labels: Government, Digital Services, In person services)

These categories should be considered linear phases. It is NOT possible to authenticate somebody if they have not been registered and issued a form of proof of ID. Issuance cannot occur before a successful registration.
1. Registration
The process of initiating the application for an identity, verifying and proofing the claim of identity, and creation of requisite records (some commercial industries refer to this as ‘onboarding’).

The first challenge is establishing that it’s really you, right at the very beginning! Unless you’ve got that truth wholly accepted to start with, it is very difficult to build trust from there. The outcome of a human identity ‘registration’ process is the origin of an identity, a binding ‘certificate’ that opens up the door of trust that the registrant inherits from the authority. Due to the potential subsequent value this process delivers and the burden of proof on any individual, this process can be far from trivial.

Consider these scenarios:
a. The individual has a valid physical form of identity from a trusted authority, such as a government issued passport.
b. They have some form of identity, but it is either partial or not from entirely trusted providers, such as a birth certificate with no photo or address details.
c. They have no form of identity. This is more common than you might think, as outlined in the previous chapter.

These contexts need to be equally considered in any paradigm of digital identity, because if any solution cannot cope with people in these circumstances, it fails.

In some developing countries where there are no citizen databases, the only way to create an ‘original identity’ is to have the ‘town elders’ and local witnesses vouch for someone’s identity. That then becomes the official legal identity of the person.
2. Issuance
Creation and activation of a new token for the registered identity. Credentials bound to the user are stored and sent securely for use by the individual, with renewal and replacement processes.

This can vary from the simplest actions, like assigning a username/password pair, to the most complex, such as producing a passport, appending a national database with a digital record, or printing a plastic card with a hologram or chip that complies with international standards. Of course, login/password pairs, membership cards, national ID cards, digital membership tokens, driving licences, loyalty cards and passports are all forms of identity tokens today, and they are all issued by some “authority”, either private or public. But the level of confidence any relying party applies to these is understandably not uniform, and various ‘combinations’ are then required to be collected and kept up to date.
3. Authentication
Use of credentials to confirm the appropriate level of assurance of the user’s identity to a relying party.

Authentication is the process of determining whether someone is, in fact, who they declare themselves to be. Depending on the sensitivity of the service or access being granted, different levels of assurance (LOA) may be required. Different industries and use cases determine requirements for LOA, as do political, social and regulatory contexts. Many standards exist to give structure, consistency and guidelines for the appropriate LOA given certain scenarios, most notably:
• NIST 800-63 (USA)
• ISO/IEC 29115
• ICO eIDAS (EU)
• Gov.UK GPG45 (UK)
• Trusted Digital Identity Framework (AUS)

They are not all strictly equivalent, but they have much in common in purpose and implementation. The table below is a consolidated, normalised view of LOA to illustrate the spectrum and bring in some data points for context.
LOA 1 (Confidence: Low; Friction: Low)
When advised to use this level: The relying party needs to know that the same user is returning, but does not need to know who that user is.
Example use cases: parcel collection; social media; gaming; gambling.
Proofs required, processes and technology: a smart device or computer; access to the internet.
Typical factor level deployed: Single factor (something you know).
Issues: Username and password-based fraud means this is a high risk LOA. Datapoint: 33% of adults in the U.S. admit to sharing their account names and passwords with others.

LOA 2 (Confidence: Medium; Friction: Medium)
When advised to use this level: Know, on the balance of probabilities, who the user is.
Example use cases: provision of utility; access to select government services (Gov.UK Verify is still currently at this level and provides access to services such as tax returns and land registry).
Proofs required, processes and technology: existing photo ID; digital records held by trusted parties; government issued physical documents.
Typical factor level deployed: Two factor (something you know and something you have).
Issues: This LOA is often the default for more critical verification and may involve an easily interceptable one-time passcode. Datapoint: Verify has a success rate of less than 35% even at LOA 2 and only 3 million active users.

LOA 3 (Confidence: High; Friction: High)
When advised to use this level: Know, beyond reasonable doubt, who the user is.
Example use cases: protecting vulnerable people from physical or financial harm; confirming material payments across borders.
Proofs required, processes and technology: government issued photo ID; 3 documents from different sources and data stores; facial matching is required.
Typical factor level deployed: Three factor (something you know, something you have and something you are).
Issues: The expense and user friction is very high and risks user frustration. Datapoint: 25% of bank applications are abandoned due to KYC friction.

LOA 4 (Confidence: Very High; Friction: Very High)
When advised to use this level: Where any compromise could represent a significant danger to life.
Example use cases: border control; employment in a critical industry; control of infrastructure such as an airport.
Proofs required, processes and technology: many checks on identity documents; multi-spectrum scan; electronic chips; a range of other data sources; biometric checks.
Typical factor level deployed: Three factor (something you know, something you have and something you are).
Issues: Extremely expensive and almost always involves an in-person phase using a range of expert human judgement, varied data and experience-based checks.
One takeaway from this? As the LOA increases, the cost and effort, both for the relying party and the user, step up dramatically. One goal of shifting to a digital identity paradigm is to bring these into mutual alignment: the unfaltering confidence delivered, but not at the expense of low friction experiences.

Imagine if LOA 3 was streamlined to be as simple and convenient to authenticate as the procedures of LOA 1. More organizations would reduce their risk by enforcing such a level of assurance. Why wouldn’t every consumer, every citizen, prefer to engage with the highest levels of confidence if their reputation, their financial risk, their identity could be protected with seamless, low friction experiences?

The next chapter outlines some of the most prominent categories that digital identity solutions fall into.
The Identity Revolution Whitepaper
hello@folioltd.com | www.folioltd.com/tryfolio | @tryfolio

UK: 88 Baker Street, London W1U 6TQ, United Kingdom
USA: 2450 Colorado Avenue, Suite 500, Santa Monica, CA 90404
Singapore: PH Level Suite 32, Suntec Tower Three, 8 Temasek Blvd, Singapore 038988
In Part 2, “The lost battle of the old identity paradigms”, we examine five competing models for identity that are being deployed in some global contexts today: how they are performing, risks that need to be managed and their respective impacts on the user.

In Part 3, “The super identity”, we lay out 5 of the key design axioms that are required to support the most seamless, open, secure model for digital identity and reset the direction of travel toward a more interoperable future.

If you would like to read Parts 2 and 3, please register at www.folioltd.com/TheIdentityRevolution