The future of identity is self-sovereignty
It’s no secret that Americans are becoming increasingly concerned about their digital identities.
Take the recent case in Louisiana, where a whopping 6 million public records were exposed as part of a global attack on third-party file transfer app MOVEit. The attack made users more wary of trusting their data to often-obscure third parties. A recent survey of 1,000 U.S. consumers, conducted by Thales, found that 44 percent are afraid their identity will be stolen in a cyberattack, and a quarter have no confidence in the protection of their personal data.
The potential repercussions of identity theft go far beyond the monetary. At stake are the biometric data from driver’s licenses and passports; bank account details; and demographic information, ultimately threatening the victim’s livelihood, financial capacity, and more. With less confidence in how their personal data is being protected by service providers, many users are seeking greater control over their digital identities, a trend known as self-sovereign identity (SSI).
The Self-Sovereign Era
So, what exactly is a self-sovereign identity (SSI)?
At its core, SSI is about giving individuals more direct control over their digital identity, who they share that information with, and for what purpose. The challenge with adopting SSI is that the legacy technology underpinning the digital identity ecosystem was designed for centralized control of identities. As such, a new technology architecture and new standards are required to make SSI a reality.
Unlike with centralized identity management, self-sovereign identities allow individuals ownership of their digital identities. They can store their data on their devices in 'digital wallets,' and selectively share and revoke access with third parties they want to interact with. With SSI, there is no central data repository nor intermediary tracking the information exchange. As we look to the future of digital identity and privacy in the U.S., self-sovereign identities can put individuals right at the center of the identity ecosystem.
In a world where data is everything, offering SSI-centric interactions to customers should be top-of-mind for organizations to ensure loyalty, security, and trust. But this won’t come for free. Organizations will need to rethink many different aspects of the overall digital journey that they provide for their users. This means relying on four key capabilities.
Onboarding & Credential Issuance
Every digital interaction begins with identity. In the physical world, personal ID cards, driver’s licenses, or other forms of identification are only as trustworthy as their issuance process. The same goes for digital identities. But what do you do when you can’t fall back on physical interactions or face-to-face interviews to validate someone’s identity? It is still important that proper verifications are performed during the initial onboarding experience for users. This becomes the root of trust for all credentials that are issued and ultimately shared in the SSI ecosystem.
Fortunately, there are technologies available today that allow you to prove your real-world identity in the digital world and so protect against identity theft or fraud. Thales’ survey found that 41 percent of consumers feel their digital identity is less secure today than it was five years ago. Relying on, say, biometrics and encryption can significantly decrease the chances of identity fraud, duplication, or falsification.
Access Control & Authorization
Organizations usually control access to digital resources through a combination of authentication, typically usernames and passwords, and static permissions. These mechanisms are cumbersome to maintain and provide a false sense of security, or in many cases, require an extra level of friction for identity assurance. By contrast, with SSI, credentials that are issued by one organization and stored in the end user’s digital wallet are cryptographically signed to prove their authenticity. Users no longer need to remember long random passwords to access services. Instead, a digital service may request evidence about a particular attribute of its user -- Are you over 21? Are you a citizen of New York? Is your account balance paid? -- and end users need simply present the appropriate credential in their digital wallet and consent to its use.
With SSI, instead of having to re-authenticate themselves for every action, the end user can control all stages of their digital journey without unnecessarily handing over sensitive data, a concept known as "zero-knowledge proof." As this develops, it will grow more complex, granting a range of options for accessibility by region, industry, company, etc., and how they are each allowed to leverage user data. The explicit granting of consent is a cornerstone of the SSI ecosystem.
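The attribute check described in this section, as an added example that is not from the original article: an issuer signs salted digests of each claim with Ed25519, the wallet reveals only the claim the user consents to, and the verifier checks that claim against the signed digests. This is salted-hash selective disclosure rather than a zero-knowledge proof, and the function names and claim names (`over_21`, `state`, `balance_paid`) are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Salted SHA-256 digest of one claim; the random salt stops a verifier
// from guessing the values of claims that were not revealed.
function claimDigest(salt, name, value) {
  return crypto.createHash('sha256').update(JSON.stringify([salt, name, value])).digest('hex');
}

// Issuer: sign only the sorted digests. Salts and values stay in the wallet.
function issueCredential(issuerPrivateKey, claims) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(claims)) {
    const salt = crypto.randomBytes(16).toString('hex');
    disclosures[name] = { salt, value };
    digests.push(claimDigest(salt, name, value));
  }
  digests.sort(); // sorted so digest order does not leak claim order
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { digests, signature: sig.toString('base64'), disclosures };
}

// Holder (wallet): reveal only the claims the user consented to share.
function present(credential, consentedNames) {
  const revealed = consentedNames.map((name) => ({ name, ...credential.disclosures[name] }));
  return { digests: credential.digests, signature: credential.signature, revealed };
}

// Verifier: check the issuer signature, then check that every revealed
// claim hashes to one of the signed digests. Returns the claims or null.
function verifyPresentation(issuerPublicKey, presentation) {
  const signed = Buffer.from(JSON.stringify(presentation.digests));
  const sig = Buffer.from(presentation.signature, 'base64');
  if (!crypto.verify(null, signed, issuerPublicKey, sig)) return null;
  const claims = {};
  for (const { name, salt, value } of presentation.revealed) {
    if (!presentation.digests.includes(claimDigest(salt, name, value))) return null;
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: a fresh issuer key pair and three example claims.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const credential = issueCredential(privateKey,
  { over_21: true, state: 'New York', balance_paid: true });
const presentation = present(credential, ['over_21']);
console.log(verifyPresentation(publicKey, presentation));
```

The presentation in this sketch is not bound to the holder's key or to a verifier-supplied nonce, so anyone who captures it could replay it; a deployed wallet protocol adds that binding.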
User Experience & Interactions
When it comes to identity management solutions, enterprises traditionally had to choose between having data privacy, high levels of security, or an optimal user experience (UX). With SSI, there is no need to choose; it balances privacy and security with user-friendly interfaces. A strong UX and compatibility are essential for SSI users to take full advantage of an organization’s services.
SSI also improves customer/organization interaction. Easy accessibility and selective data-sharing help users personalize and enhance their experience with an organization. Organizations, in turn, can guarantee personalization with full consent and awareness, which ultimately elevates consumer trust.
Compliance & Data Governance
Organizations are struggling to manage cyber risks due to siloed, inefficient processes and costly unproductive systems, which result in poor visibility and high compliance costs. In addition, the rapid deployment of advanced technologies means enterprise operating systems have become more complex and interconnected than ever before.
To combat this, newer cyber regulations like the General Data Protection Regulation (GDPR), the Network & Information Systems (NIS) Directive, and the California Consumer Privacy Act (CCPA) are taking an objective approach over a compliance approach. It is no longer sufficient to adopt a checkbox-style approach; instead, organizations are encouraged to take a more mature risk-based approach. With more people demanding transparency, accessibility, and ownership of their personal data, organizations need to align their operating systems and technologies with the new regulations for compliance.
SSI can help them achieve it. We’re already seeing this successfully implemented in the UK: The Bank of England is working with payments and identity firm Nuggets to build a Central Bank Digital Currency (CBDC) identity and privacy layer, which will use zero-knowledge proofs to protect user privacy and ensure regulatory compliance.
Let SSI be your Guide
As digital identities become the norm -- such as U.S. Homeland Security’s efforts to digitize credentials like green cards and increase data privacy in digital wallets -- and as demands for greater data privacy convert into policy, the self-sovereign identity will become more of a reality in North America. But to support its rise, organizations need to take a proactive stance and begin adapting their internal processes and identity technologies to smoothly enable the transition.
Organizations that move ahead with the key capabilities will successfully optimize operations to increase end-user trust and make the self-sovereign identity a reality in the U.S.
Jason Keenaghan is the Director of Product Management, IAM, at Thales. He leads strategy and roadmap execution for unifying market leading workforce access management, strong user authentication, and recently acquired customer identity and access management (CIAM) capabilities into a highly optimized and differentiated identity platform. Prior to Thales, Jason served as the Director of Offering Management for IBM’s IAM and Fraud portfolio, and as a product manager for DataPower Gateways. With 25 years of experience in the software industry and 10 years focusing on cybersecurity, he has leveraged his expertise to rejuvenate struggling organizations and drive client success.