In 2019, the identity sector began to open its eyes, rubbing the sleep out of them, as the world awoke to the purpose and power of identity.
Digital identity has risen from the ashes of traditional identity and access management (IAM) to become a central tenet of cybersecurity. Identity is all in a world increasingly digital. Across every device, identity sits, like a central pin, with the potential to control not only access to resources but the data they consume.
The human in the machine is key to security as well as actual identity. Data breaches increased by 54% in the first half of 2019. Our data is our identity. To empower the human, we must empower the identity. Will the 2020s bring identity to a new age of maturity to digital identity?
Where are we now?
The current identity landscape is a messy place made up of a mix of identity providers, data attribution services, social accounts and associated logins, and app-based IDs. Here is an overview of some of the highlights of these players in the identity ecosystem.
Identity and the API
In 2019, traditional identity platforms re-emerged as APIs as many older identity companies rebadged themselves and recoded to create API versions of core products. This makes sense. Digital identity is really just a fancy way of saying personal data.
The identity we use online is often used to prove a transaction or lay claim to a resource. This proof is part of a wider chain of events and data shares. Claims within the identity account are a portal to access resources; they can drive tasks and deliver services.
Getting on the API bandwagon is a natural progression that reflects the fluid nature of modern, data-rich digital identity. Using an API-approach to digital identity provides the flexibility to connect across our increasingly wide matrix of consumer apps and services. One such service, driven by the European Union’s Payment Services Directive (PSD2) regulation, is the requirement of banks to offer open APIs to third-party providers (TPPs) for integration. This connecting of the dots across user accounts, driven by user authentication and identity claims, is a crucial part of the maturity of online identity.
Citizen identity
In 2019, citizen identity schemes waxed and waned. In the UK, the government’s Verify identity initiative lost many of its branded identity providers -- losing a core feature of user choice. In India, after the massive Aadhar identity data breach that affected 1.2 billion citizens, the government attempted to redraw the identity scheme, although the initiative has had vocal concerns aired. Citizen identity continues to be explored across many world governments including Canada, with the Pan-Canadian Trust Framework via Digital ID & Authentication Council of Canada (DIACC). New schemes came on-board in countries such as Cameroon, Belgium, Japan and Italy.
Self-sovereign identity
One area of identity provisioning that had a “shock of the new” feel was the decentralized (self-sovereign) identity movement. In 2019, self-sovereign identity (SSI) or decentralized ID, felt, in many ways, like it represented the extreme end of a spectrum of identity. Whereas identity data, to date, has been centralized, with data sovereignty being in the hands of the issuing authority, typically a government, self-sovereign was all about putting the user in charge of their data.
In 2019, industry experts either loved it or hated it. Indeed, many of those in the latter camp kept quiet, fearing rebuttal. In 2019, I asked three questions of the SSI community around the commercial application of decentralized ID. Phil Windley, chair of the Sovrin Foundation, attempted to answer those questions in a personal follow-up blog. Phil concluded, “While it may not be the only way to skin a cat, it's the only way that is universal. Other identity systems and protocols will continue to exist and interface to the identity metasystem.”
The heady mix of the ID community
Digital identity is a messy business. It is a crowded and often fuzzy landscape filled with services and apps that provide a piece of a much larger puzzle. This puzzle, or the “identity metasystem” that Windley refers to, is made up of a mix of self-sovereign, citizen, consumer and app-based IDs or partial IDs. It draws in data from other services, including identity proofing, fraud checking, attribute providers, and login services, including social platforms like Facebook. The identity metasystem is nothing if not wide in scope and complex in nature.
“Sign in with Apple” entered this heady mix of identity players across the metasystem in 2019. Apple’s offering is a privacy-enhanced rival to sign-in using social providers such as Facebook and Google. AppleID is largely based on the identity protocol, OpenID Connect (OIDC). The OpenID Connect Foundation published an open letter to Apple in 2019, asking them to look at a number of areas including interoperability and testing. Apple responded, fixing issues to become fully compliant with OIDC.
Facilitating identity through orchestration
One key idea that has matured over 2019 is that identity is truly (and finally) a fully fledged ecosystem. The API-approach bedded down, exposing the full capability of identity and data. Bringing all the players of the identity ecosystem together is the silver bullet, one that I believe will empower the individual and the enterprise. Orchestration services will give new life to an expanded identity ecosystem that can be applied to everything from access management to know your customer (KYC). Bringing the API pieces of the puzzle together using orchestration engines, offers a new era in identity management that can cross the boundaries of consumer needs and enterprise wants.
What next for digital identity?
The United Nations and the World Bank have a goal. Using the ID4D initiative, they want to ensure that everyone on the planet has a legal identity by 2030. In 2020, I hope we can begin to work toward this goal. Here is my take on what may happen in the next year or so:
- Self-sovereign ID coming to an identity service near you? There have been a few pilots exploring the possibilities of SSI. A few governments are looking at self-sovereign identities as a possible option in servicing citizen ID. It is early days for decentralized ID, but it has many forceful and knowledgeable people in the sector pushing it, so it will likely raise its head even more in 2020.
- More choice through orchestration? The use of digital identity is about sharing personal data or supplying information in some manner to drive a transaction or access a resource. Data sharing is not binary. 2020 will be the year that “data-fluid” hits home. Organizations and individuals, alike, need to have highly flexible data services to make the most of the online experience. They also need to make use of the billions of existing accounts out there.
Reinventing the wheel can take time and a lot of money. Orchestration and the API-approach to data and identity will allow identity ecosystems to finally flourish. - More data breaches? I’d be surprised if there weren’t more data breaches because data is valuable. I mentioned in a previous article that I fully expect that deepfakes will enable crimes such as sextortion and business email compromise (BEC). The deepfakes need to be fed, however, and identity data is the food of choice. Data breaches will include more behavioral data and images, including those captured using facial recognition. We need to harden our identity systems and any accounts that hold identity data against deepfake data harvesting attacks.
What I want for digital identity in 2020
I’d like to come back this time next year and say that all the problems of digital identity had been solved in 2020. Things like making identity accessible for all and ensuring that disabled users, those with little or no digital footprint--refugees, for example--have the right to an online identity that is secure and usable. Others cannot obtain a digital identity because of complications in system design, such as the case of the Kenyan government’s digital identity scheme as discussed by Grace Mutung’u.
System design is the key area in identity where I would like to see progress made in 2020. Identity is something that we all, increasingly, need to partake in. It is the cornerstone of online transactions; we use it in our personal life and at work.
The design of identity systems, however, is one of the most complex areas in technology. Digital identity ecosystems cover everything from security to privacy to accessibility to usability. On a consumer level, they must be extremely scalable, responsive and highly connected. They need smart rules to allow them to change as circumstances decide. They should have users keeping tabs and taking control over their own data and the transactions it drives. I hope great, well-designed identity systems await us in 2020.
They say it takes a village to raise a child, I say it takes a world to create great digital identity for all.