There has been a lot of discussion recently on how to improve digital online safety, ensuring that personal information is secure and only used for legitimate purposes. The publication of the General Data Protection Regulation (GDPR) looked to raise the bar in terms of the protections available to EU citizens, with similar discussions and protections being applied around the world. All of this is helping to move the discussion on fraud from scare stories towards real world, actionable and positive steps. Included in this discussion is talk about how citizens should be able to own their data and have the right to be forgotten, at least in terms of their digital footprints.
Three domain identity model
The right to be forgotten digitally presents many technical challenges that need to be considered when defining a secure identity model. One model highlighted is the Three Domain Identity model (3DID). This model establishes a separation between the physical and virtual, with the context being that a person should be able to have multiple digital personas or attributes and for the owner to be able to control the connection between the physical and these virtual identities.
With this model, the real person brokers his/her virtual identity through an authorisation domain. The characteristics and attributes that form the detail of the real person can be accessed in the virtual space, through this authentication domain. The real person has control over who and what is shared. This approach enables the real person to authorise trusted custodians of identity attributes to verify and attest on his/her behalf. An implementation based on this model would also provide services to support a ‘forget me’ option.
How does this model work for organisations that have a legal requirement with Know Your Customer (KYC) challenges? Financial organisations are legally required to address KYC, but in a world where they’re verifying identity attributes through a trusted third-party, where does liability rest?
Attribute (persona) based identity
Identity models have historically been designed around a federated concept and therefore major software providers have focused on delivering large scale federated IAM platforms. The issue here is simple, the data the IAM platform collects provides a single source of identity. If compromised, the implications are vast and far reaching. We have seen a number of high-profile examples of breaches of federated identity platforms in recent times to understand this.
Looking to the conceptual future of digital identity, we are likely to see individuals taking ownership of their identity – the so-called self-sovereign option. A sovereign solution supports attribute-based identity, where the owner governs access to the attributes, but the attributes are held by third parties, such as a bank the owner does business with.
As an example, you need to prove to an organisation that you are you, that you can be trusted and you are an age over a required boundary. You share this information with the organisation, which then attributes keys to check this information with a third party that can attest to its veracity. The organisation can decide if they trust the holding company and can also validate the response with the attribute key.
With a key being required for each attribute held by the owner within their own mobile device, the owner is then able to orchestrate who can access and receive attested details from their trusted identity custodians. Such a solution also opens up the possibility for group attestation, with multiple organisations attesting to the same value of an attribute, such as home address.
With such solutions, the owner need only delete the attribute key they hold and the link to the value is broken and can no longer be retrieved. The value by itself is of limited use as the real person cannot be directly identified. Additional possibilities can also be presented, such as when moving home, I simply inform my bank that the value for my Home Address attribute has changed. They valid this in the usual way. Other organisations that also hold my Home Address attribute token can now be informed of my change of address, without me needing to do anything further.
For such a conceptual sovereign identity solution to be successful, third party adoption plays a large part. For adoption to take place, acceptance of the model is required and parties engaging in the brokering of identity attributes need to be trusted. This means organisations that hold a level of trust have to be involved, ideally early in a process. But then this raises the challenge of including such organisations in a fintech driven initiative that is typically fast moving.
Bureaucracy and the need to account for multiple parties’ desires often is a killer of innovation.
Therefore, fintech partners that offer a strong basis in identity and patented solutions that deliver strong customer authentication will be well-positioned to help realise this vision. Banks can use these secure platforms to establish the identity framework required to deliver attribute-based identity services and be the facilitators of identity services designed for the modern world.
To build these relationships with customers, banks will need not only accurate and useful information, but will also need to ensure that the way in which they interact with customers is convenient for the customer, relevant and occurs in real time. This will allow banks to dynamically fill this gap and become the trusted partner in the identity process that is sorely needed and allows individuals to take greater control of their digital identities.
Simon Rodway, software solutions architect, Entersekt
Image Credit: IT Pro Portal