
www.folioltd.com

The Identity Revolution Whitepaper

Part 1: The basic human right of identity and defining the digital identity domain


THE IDENTITY REVOLUTION WHITEPAPER | WWW.FOLIOLTD.COM 2

Maria was aged 59, but her face, wrinkled from a long life of farming beneath the unrelenting sun, made her appear to be in her 80s. With both hands, she held her first freshly issued national ID: a small piece of plastic the size of a credit card, with a picture of her face, name and other data. She raised it towards the sky, her gaze fixated, and cried. Slow tears flowed as she smiled and said triumphantly: “I exist! I finally exist!”


The basic human right of identity

This account is real; I witnessed it myself a few years ago in South America. Citizens who do not have an identity card cannot transact. They can’t buy or sell property, they can’t vote, they can’t enrol in college or have access to proper healthcare. In legal parlance this is known as “Legal Invisibility”. There are between 1B and 1.5B people in the world in this state, without an official identity. That’s a staggering 21% of the global population. As Maria herself expressed, it is almost as if they don’t exist.

Stemming from the Universal Declaration of Human Rights, the right to identity is now considered among the most basic human needs. It is a key that unlocks all other individual rights and is crucial to society at large. The United Nations’ own Sustainable Development Goals lay out a target to address this:

“Target 16.9: By 2030, provide legal identity for all, including birth registration”

UNITED NATIONS DEVELOPMENT GOALS *1

Being recognized is a simple thing to expect, and it’s a huge deal. The challenges here aren’t limited to remote parts of the developing world or the 1 billion plus people without any credible proof of identity. According to McKinsey*3, 3.5 billion people that actually do have IDs cannot use them online. Regardless of our location, we are all emerging citizens of the ‘global village’, the internet. We transact and live much of our lives through digital channels, particularly on our smartphones, and yet half of us cannot access high-value or high-sensitivity services through digital channels because we are unable to prove we are who we say we are.

It is hard to imagine how an inclusive, global society can properly develop without the cornerstone of good, trusted digital identity. Digital identity can supercharge global inclusivity and stimulate economic growth. It enables the billion-plus individuals who are currently financially excluded to participate in the financial ecosystem, expanding developing economies by up to 13% of GDP. These same forecasts*4 suggest a 3% average GDP uplift for even the most developed economies; that would mean around $600 billion increase to GDP in the USA alone.

Identity fraud in the UK is reaching “epidemic levels” with people in their 30s most vulnerable.

CIFAS *5


These are exciting predictions, but unfortunately for Maria, that little plastic card that made her so happy is already obsolete.

Global economic costs relating to the prevention of fraud are mind-boggling, with McKinsey estimating that the reduction in payroll fraud alone could save up to $1.6 trillion globally.

To take advantage of these economic drivers, organizations are trying to reinvent the old world of in-person identity validation across industries, departments and channels, and early attempts at providing genuinely convenient forms of digital identity have accomplished only mixed results. We have all experienced cumbersome systems, designed for the government department, corporate or bank process; the user is often a victim of self-serving, paranoid service design.

Proving you are who you say you are is one challenge; nefarious actors masquerading as you are another. The balance of convenience, security and trust has rarely been found, and in a recent Experian study of business leaders, “84% said that if they were certain about a customer’s identity, the need for fraud risk mitigation would be reduced.”*4

A digital identity solution should make life much harder for fraudsters by raising the level of assurance for key processes, and operate more conveniently, almost invisibly, for the mobile, digital user.

With 20 years of practical expertise from real world, complex, identity-centric solutions we aim to set out in this paper a definition of identity and explore the existing paradigms in a framework to guide sensible, strategic choices.


“From the moment we are born, we each have the human right to an identity. It’s Article 8 of the Convention on the Rights of the Child, but it lasts for life. As an enabler for our other rights to function, it’s the bedrock of a healthy and diverse society. With a legally recorded identity we become citizens of society, able to enjoy essential social services such as health care, education and judicial protection. Without an identity we are invisible to the state and cannot flourish.”

AMNESTY INTERNATIONAL *2

3.5 billion people that have IDs cannot use them online


Defining the Digital Identity Domain


One of the challenges of moving identity into the digital, mobile-first age is the natural trust model that has evolved in face-to-face interactions between human beings over thousands of years. This is why the most complex and sensitive transactions have always been undertaken face-to-face, and why, in some industries and cultures, resistance to adopting new approaches is greater.

The power of the handshake, the bow, the embrace all contribute to the intimacy, privacy and trust made possible by the physical meeting. But there is a widening body of research showing that these interactions are more complex than most of us understand, and more open to unconscious bias and manipulation.

Digital identity will replace all legacy forms of proof of identity, not overnight but in the near future. It will give the individual more convenience and control than traditional plastic and face-to-face meetings, scale more efficiently and vastly lower the risks for all parties. But while all roads may lead to Rome, many competing paradigms and models are emerging for identity.

Governments are central to the success of all future paradigms; they have always been the primary authorities of identity and will continue to be the pivotal trusted source. Why? To unlock the sort of benefits described in the previous chapter, identity must be recognized in a court of law, and it is for this reason that identities that are not government sanctioned have little chance of making a meaningful impact. Self-sovereign identity systems, for example, tend not to consider legal validity and government recognition. It is hard to predict success for such a model in the near term.

This paper will focus on their relevance to two foundational needs, which on initial inspection may appear to pose an unresolvable tension:

1. Creating unfaltering confidence that a human being’s actual, physical identity is represented correctly as a precise, tamper-proof, digital equivalent.

2. Enabling convenient, low friction experiences for users to access critical services and exclusive content from a high value ecosystem offline and online.

Balancing these two is fundamental; both are essential to deliver the full potential of digital identity. They are the core to any shift from a legacy physical world to an online, digital, mobile-first economy.


Digital Identity must be trusted to support critical services like:

• Healthcare access
• High value payments
• Know-your-customer
• Right to work

Identity needs to be thought of as a critical lineage of phases, a lifecycle rather than a set of infrequent, isolated tasks. Unfaltering confidence and low friction experiences need to be delivered in context across this identity lifecycle.

1. Registration: The process of initiating the application for an identity, verifying and proofing the claim of identity, creation of requisite records.

2. Issuance: Creation and activation of a new token for the registered identity. Credentials bound to the user, stored and sent securely for use by the individual, with renewal and replacement processes.

3. Authentication: Use of credentials to confirm the appropriate level of assurance of the user’s identity to a relying party.

Contexts shown in the lifecycle diagram: Government, Digital Services, In person services.

These categories should be considered linear phases. It is NOT possible to authenticate somebody if they have not been registered and issued a form of proof of ID. Issuance cannot occur before a successful registration.

1. Registration

The process of initiating the application for an identity, verifying and proofing the claim of identity, creation of requisite records (some commercial industries refer to this as ‘onboarding’).

The first challenge is establishing that it’s really you, right at the very beginning! Unless you’ve got that truth wholly accepted to start with, it is very difficult to build trust from there. The outcome of a human identity ‘registration’ process is the origin of an identity, a binding ‘certificate’ that opens up the door of trust that the registree inherits from the authority. Due to the potential subsequent value this process delivers and the burden of proof on any individual, this process can be far from trivial.

Consider these scenarios:

a. The individual has a valid physical form of identity from a trusted authority, such as a government issued passport.

b. They have some form of identity, but it is either partial or not from entirely trusted providers, such as a birth certificate with no photo or address details.

c. They have no form of identity. This is more common than you might think, as outlined in the previous chapter.

These contexts need to be equally considered in any paradigm of digital identity, because if any solution cannot cope with people in these circumstances, it fails.

In some developing countries where there are no citizen databases, the only way to create an ‘original identity’ is to have the ‘town elders’ and local witnesses to vouch for someone’s identity. That then becomes the official legal identity of the person.

2. Issuance

Creation and activation of a new token for the registered identity. Credentials bound to the user, stored and sent securely for use by the individual, with renewal and replacement processes.

This can vary from the simplest actions, like assigning a username / password pair, to the most complex, such as producing a passport, appending a national database with a digital record, or printing a plastic card with a hologram or chip that complies with international standards. Of course, login/password pairs, membership cards, national ID cards, digital membership tokens, driving licenses, loyalty cards, and passports are all forms of identity tokens today, and they are all issued by some “authority”, either private or public. But the level of confidence any relying party applies to these is understandably not uniform, and various ‘combinations’ are then required to be collected and kept up-to-date.

3. Authentication

Use of credentials to confirm the appropriate level of assurance of the user’s identity to a relying party.

Authentication is the process of determining whether someone is, in fact, who they declare themselves to be. Depending on the sensitivity of the service or access being granted, different levels of assurance (or LOA) may be required. Different industries and use cases determine requirements for LOA, as well as political, social and regulatory contexts.

Many standards exist to give structure, consistency and guidelines for the appropriate LOA given certain scenarios, most notably:

• NIST 800-63 (USA)

• ISO/IEC 29115

• ICO eIDAS (EU)

• Gov.UK GPG45 (UK)

• Trusted Digital Identity Framework (AUS)

They are not all strictly equivalent, but they have much in common in purpose and implementation. The table below is a consolidated, normalised view of LOA to illustrate the spectrum and bring in some data points for context.

LOA 1 (Confidence: Low, Friction: Low)
When advised to use this level: The relying party needs to know the same user is returning, but does not need to know who that user is.
Example use cases: parcel collection; social media; gaming; gambling.
Proofs required, processes and technology: a smart device or computer; access to the internet.
Typical factor level deployed: Single factor (something you know).
Issues: Username and password-based fraud means this is a high risk LOA.
Datapoint: 33% of adults in the U.S. admit to sharing their account names and passwords with others.

LOA 2 (Confidence: Medium, Friction: Medium)
When advised to use this level: Know, on the balance of probabilities, who the user is.
Example use cases: provision of utility; access to select government services (Gov.UK Verify is still currently at this level and provides access to services such as tax returns and land registry).
Proofs required, processes and technology: existing photo ID; digital records held by trusted parties; government issued physical documents.
Typical factor level deployed: Two factor (something you know and something you have).
Issues: This LOA is often the default for more critical verification, and may involve an easily interceptable one-time passcode.
Datapoint: Verify has a success rate of less than 35% even at LOA 2, and only 3 million active users.

LOA 3 (Confidence: High, Friction: High)
When advised to use this level: Know, beyond reasonable doubt, who the user is.
Example use cases: protecting vulnerable people from physical or financial harm; confirming material payments across borders.
Proofs required, processes and technology: government issued photo ID; 3 documents from different sources and data stores; facial matching is required.
Typical factor level deployed: Three factor (something you know, something you have and something you are).
Issues: The expense and user friction are very high and risk user frustration.
Datapoint: 25% of bank applications are abandoned due to KYC friction.

LOA 4 (Confidence: Very High, Friction: Very High)
When advised to use this level: Where any compromise could represent a significant danger to life.
Example use cases: border control; employment in a critical industry; control of infrastructure such as an airport.
Proofs required, processes and technology: many checks on identity documents; multi-spectrum scan; electronic chips; range of other data sources; biometric checks.
Typical factor level deployed: Three factor (something you know, something you have and something you are).
Issues: Extremely expensive and almost always involves an in-person phase using a range of expert human judgement, varied data and experience-based checks.
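The lifecycle rule stated earlier (registration before issuance, issuance before authentication) and the factor-to-LOA mapping in the table above can be made concrete in a small model. The Python below is an added illustration, not code from Folio or from this whitepaper. It assumes a single issuing authority that both registers identities and verifies the credentials it issued, binds each credential to its holder with an HMAC over an issuer-held key, and uses a hypothetical EVIDENCE_LOA mapping (constructed here, not taken from the paper) to express the idea that proofing at registration caps the assurance any later authentication can reach. Factors are passed in as a set of "know" / "have" / "are" labels supplied by the relying party's own checks.

```python
import hashlib
import hmac
import secrets
from enum import IntEnum


class LOA(IntEnum):
    """Normalised levels of assurance, as in the consolidated table."""
    LOA1 = 1
    LOA2 = 2
    LOA3 = 3
    LOA4 = 4


# Minimum authentication factors per level, from the "Typical factor level
# deployed" row: something you know / have / are.  LOA 3 and LOA 4 share the
# same factor set; what separates them is the registration-time proofing.
MIN_FACTORS = {
    LOA.LOA1: {"know"},
    LOA.LOA2: {"know", "have"},
    LOA.LOA3: {"know", "have", "are"},
    LOA.LOA4: {"know", "have", "are"},
}

# Hypothetical mapping (an assumption for this example, not from the paper):
# the evidence accepted at registration sets the ceiling LOA for the identity.
EVIDENCE_LOA = {
    "self_asserted": LOA.LOA1,
    "photo_id": LOA.LOA2,
    "photo_id+facial_match+3_sources": LOA.LOA3,
    "in_person_expert_review": LOA.LOA4,
}


class LifecycleError(Exception):
    """Raised when a lifecycle phase is attempted out of order."""


class IdentityAuthority:
    """Issuing authority: holds the registry and the key that binds credentials."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # issuer's credential-binding key
        self._registry = {}                   # identity_id -> record

    def register(self, identity_id, evidence):
        """Phase 1: proof the claim; the evidence decides the ceiling LOA."""
        if evidence not in EVIDENCE_LOA:
            raise ValueError(f"unrecognised evidence: {evidence}")
        self._registry[identity_id] = {"max_loa": EVIDENCE_LOA[evidence],
                                       "credential": None}
        return self._registry[identity_id]["max_loa"]

    def issue(self, identity_id):
        """Phase 2: mint a credential bound to the registered identity.
        Re-issuing replaces the previous credential (renewal / replacement)."""
        rec = self._registry.get(identity_id)
        if rec is None:
            raise LifecycleError("issuance before registration")
        token = f"{identity_id}:{secrets.token_hex(8)}"
        mac = hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()
        rec["credential"] = {"token": token, "mac": mac}
        return dict(rec["credential"])

    def authenticate(self, credential, factors, required_loa):
        """Phase 3: check the credential and decide whether the factors
        presented reach the LOA the relying party requires.
        Returns (accepted, achieved_loa); achieved_loa is None on a bad credential."""
        identity_id = credential["token"].split(":")[0]
        rec = self._registry.get(identity_id)
        if rec is None or rec["credential"] is None:
            raise LifecycleError("authentication before registration and issuance")
        expected = hmac.new(self._key, credential["token"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential["mac"]):
            return False, None                       # forged or tampered
        if credential["token"] != rec["credential"]["token"]:
            return False, None                       # superseded by a re-issue
        presented = set(factors)
        reachable = [loa for loa, need in MIN_FACTORS.items() if need <= presented]
        if not reachable:
            return False, None                       # not even "something you know"
        achieved = min(max(reachable), rec["max_loa"])   # capped by registration
        return achieved >= required_loa, achieved


if __name__ == "__main__":
    authority = IdentityAuthority()
    authority.register("maria", "photo_id")          # constructed sample identity
    cred = authority.issue("maria")
    print(authority.authenticate(cred, {"know", "have"}, LOA.LOA2))        # (True, LOA2)
    print(authority.authenticate(cred, {"know", "have", "are"}, LOA.LOA3)) # (False, LOA2)
```

The second call in the demo is the point worth noticing: presenting three factors does not lift an identity that was registered on photo ID alone to LOA 3, because assurance is bounded by the weakest phase of the lifecycle, not by the strength of the login alone.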


One takeaway from this? As the LOA increases, the cost and effort, both for the relying party and the user, step up dramatically. One goal of shifting to a digital identity paradigm is to bring these into mutual alignment: the unfaltering confidence delivered, not at the expense of low friction experiences.

Imagine if LOA 3 were streamlined to be as simple and convenient to authenticate as the procedures of LOA 1. More organizations would reduce their risk by enforcing such a level of assurance. Why wouldn’t every consumer, every citizen, prefer to engage with the highest levels of confidence if their reputation, their financial risk, their identity, could be protected with seamless, low friction experiences?

The next chapter outlines some of the most prominent categories that digital identity solutions fall into.


The Identity Revolution Whitepaper

hello@folioltd.com | www.folioltd.com/tryfolio | @tryfolio

UK: 88 Baker Street, London W1U 6TQ, United Kingdom

USA: 2450 Colorado Avenue, Suite 500, Santa Monica, CA 90404

Singapore: PH Level Suite 32, Suntec Tower Three, 8 Temasek Blvd, Singapore 038988

In Part 2, “The lost battle of the old identity paradigms”, we examine five competing models for identity that are being deployed in some global contexts today: how they are performing, risks that need to be managed and their respective impacts on the user.

In Part 3, “The super identity”, we lay out 5 of the key design axioms that are required to support the most seamless, open, secure model for digital identity and reset the direction of travel toward a more interoperable future.

If you would like to read Parts 2 and 3, please register at www.folioltd.com/TheIdentityRevolution