In this article, we will cover the bigger picture of Digital Identity. We will not be getting into the depth of any of the topics, but we attempt to provide an overall picture of the digital identity landscape.
In simple terms, digital identity is electronically captured information (attributes) of a real entity (subject), such as a person, device, thing, or business, which can be verified by digital systems to authenticate that entity. A simple example of this could be an email/password, and a more complex example may be e-passports with embedded NFC, which hold more details like your name, aliases, date of birth, nationality, place of birth, etc.
The last few years have seen much innovation around digital identity, to the point where it is crystallizing as a highly important market. It is estimated to be an $80 billion start-up market. There are many factors responsible for the growth of digital identities:
The explosion of digital services due to digital transformation
The effort by the United Nations, the World Economic Forum, and the World Bank in stressing the need for legal identities and digital identities for sustainable development by 2030.
The demand for contactless digital services in e-Governance, Banking, Insurance, Travel and Mobility, and more, accelerated by the COVID pandemic.
Most of us can prove our identities using physical IDs like driving licenses within a regional boundary, or using passports if we travel to another country. However, proving yourself in a digital world is not that simple. From a technology standpoint, it is possible to capture all your physical ID details electronically; however, there are a few key issues that need to be addressed in the digital world:
How does a digital system (a Relying Party) request such information? What standards exist for the interoperability of digital identities? We will cover these topics in detail in a future article.
What information is necessary for each context? For example, do we provide a date of birth or an adult (18+) attribute to a relying party requesting the information? What is the current understanding of data privacy and data governance?
What is a trust framework? How can two parties trust each other?
So, what does a good digital identity look like?
Identity systems today can be categorized into three archetypes: centralized, federated, and decentralized.
Centralized: This is a traditional model in which an organization owns and manages the system. The system owner could be a government (such as Estonia’s e-ID or India’s Aadhaar) or a private-sector organization, such as a social media company, bank, or large corporation (in the context of their employees).
Federated: Two or more central systems establish a trust mechanism and agree on standards or protocols to accept each other’s digital identity systems, such as eIDAS provides for in the European Union, or as ICAO standards do for international cross-border travel. Protocols like OpenID Connect allow user verification based on credentials issued by various social media companies, e.g., Google, Facebook, LinkedIn, Twitter, etc.
Decentralized: This is a trust scheme that gives the user much control over their data without a need to reach out to a centralized organization for authenticating the credentials. However, this scheme also can’t do away with central issuers who are the holders of the user information, e.g., government, educational institutes, healthcare organizations, banks, etc.
The digital ecosystem comprises various actors:
Entity: An individual, business, thing, or device that wants to transact in the digital world.
Relying Party: An organization that relies on digital identities to allow access to goods, services, and data.
Trust Anchors: Entities who are the custodians of authoritative attributes of an entity.
Identity Providers (IdP): Third-party services that provide identity assurance using Trust Anchors and various other available resources. Identity providers may use a trust framework, e.g., eIDAS.
IAM/CIAM: Third-party software/SaaS providers which act as a gateway for authenticating a digital identity and providing it access to resources as per its eligibility. IAM/CIAM may use IdP services for onboarding an entity in the system and have their own eligibility rules for onboarding.
Regulators: Those who mandate and/or guide how to manage and use identities.
So, we hope it is now clear what a digital identity is and what a good identity looks like. We tried to provide a bigger picture with some thought-provoking questions that we will answer in subsequent articles.