Solving the UK's digital identity dilemma
Earlier this year, a report was published in the UK with the aim of tackling the UK’s productivity and innovation crisis. Tony Blair and Lord William Hague are fronting the recommendations made, with a particular view to encouraging the widespread adoption of digital ID cards. This has driven a discussion around the general public’s distrust of government-controlled data schemes.
What’s interesting is that much of the UK population probably doesn’t realize just how many government IDs they already have; think tax returns, benefits, council payments and, of course, driving licenses. But even so, does this mean the UK is ready for a formal digital identity card? Many are more than happy to keep these various forms of ID in a disjointed manner, despite the inconvenience and inefficiency. Yet the key issue here is trust, and the public needs to believe there is no overreach when they log in to a service.
Building trust starts with enhancing security by putting a long-term strategy in place that would remove the need for passwords altogether. One of the easiest routes a hacker can take to gain control of an account is to steal credentials through phishing campaigns. In fact, this type of attack now represents one of the most significant security threats for UK businesses and consumers. To eliminate passwords is to eliminate the threat of phishing.
Therefore, removing this attack vector would represent a critical step in building the trust of previously skeptical UK citizens in digital identification. Looking ahead, the government could then work in the back-end to connect services so that a singular digital ID is never needed.
How big is the gap in trust between the public and the government?
As briefly mentioned, the public is more familiar with the government indiscriminately tracking and using their data than they assume. According to a survey by the UK government, 81 percent of UK citizens admitted to being comfortable with the NHS using their data for a 'particular purpose'. This allows the NHS to make data-led decisions regarding national health, such as identifying macro disease trends, like with Covid-19. That’s not to say the public isn’t worried about the security of their data and potential uses of it by various third parties.
This returns us to the question of trust. The digital ID movement can only progress if it is underpinned by a transparent, reliable, and unbreakable framework backed by safeguards. Released earlier this year, the government's digital identity and trust framework begins to address this issue but still lacks a standards-based approach. Such an approach would ensure consumers remain in control of their data.
A step in the right direction has been made by the Australian government, which introduced a Digital Identity document earlier this year following the successful roll-out of its digital infrastructure. The scheme helps to protect the public's privacy and security, while allowing users to prove who they are online and access a range of government services. Users have the reassurance that safeguards have been put in place to protect their personal information from being collected, profiled, sold, or used for other purposes, such as advertising. The Australian system also promises a high level of security that constantly undergoes rigorous assessment and testing, serving as an example for other nations to follow.
Digital identity best practices
Consumers of online services want simple, seamless and secure access without the burden of having to remember or manage countless passwords. To encourage adoption from businesses and consumers, any future ID system should follow fundamental best practices, including:
- Improved control and privacy: Providing citizens the ability to manage their own data so they can decide what gets shared with whom.
- More robust data security: Eliminating passwords would lessen the risk of account takeover and compromise.
- Enhanced digital experiences: Making it easier for people to access online services safely, from anywhere. Whether that’s proving your identity when picking up a parcel or opening a new bank account, the removal of unnecessary friction would transform the user experience.
- Increasingly efficient business operations: If processes become less complex, UK organizations have the opportunity to become more agile.
Tackling the problem at the source
The more pressing security problem facing operational digital infrastructure in the UK is, quite simply, that passwords are not secure. A staggering 83 percent of UK businesses that suffered a cyberattack last year reported the attack type as phishing, according to the Government’s Cyber Security Breaches Survey 2022.
To compound the issue, generative AI is now empowering threat actors with malicious intent to produce compelling and convincing emails in the voice and tone of corporate executives. We need stronger defenses against people being tricked into letting their guard down and having their passwords stolen. The only genuine way to level the playing field against hyper-efficient phishing campaigns is to eradicate passwords completely.
Organizations that adopt a passwordless system effectively remove one of the most commonly used avenues through which phishing campaigns are conducted, ensuring no unauthorized access is made. Consumers and employees alike can feel empowered with an online experience permitting authorized access to required information without the need to remember and input a password. This, in turn, reduces the risk of human error and compromise and improves overall trust across the organization.
Encouraging adoption of digital IDs
We may be a way off from fully convincing the nation to accept a digital identification system, but the government can begin to improve sentiment by empowering better and more secure digital experiences. This will help UK citizens to become better accustomed to, and appreciate, a seamless login process. Then, once this is fully established and any digital divide has been addressed, the government could connect systems and offer self-driving digital citizen services without the need for a singular digital ID number.
Paul Inglis is SVP EMEA at ForgeRock.