



Is the digital identity layer missing or just misplaced?

Jun 28, 2019 | 6 mins
Authentication, Identity Management Solutions, Security

The orchestration of existing services and data could provide a digital identity layer that gives the internet a common way to handle identity for all consumers.


I recently presented on a panel alongside a UK government identity specialist and an anti-fraud vendor. The conference focused on citizen ID and how the complex world of citizen identity is handled by the current status quo. The general view was that we need to find structures that can drag digital identity into the 21st century, and fast.

At the same time, I hear murmurings in the world of digital identity that all is not well. When I look at the vendor landscape, I see a complicated web of “identities.” For the consumer, this must be both annoying and confusing. We need to remind ourselves: Digital identity, especially for consumers, is a very personal and highly contentious area that we need to get right.

Many in the identity industry talk about the internet having a missing layer that would handle identity correctly for consumers. I say this layer is here; it is just not being used correctly.

The state of the identity nation

To see a problem, you sometimes have to stand back from it. The trees in this forest are a buoyant identity landscape. It is filled with all sorts of “identities.” I’ll stop there. Identity is possibly a misnomer. When a consumer or employee or citizen uses identifying data to do a job online, they aren’t necessarily linking that act to their actual identity (and all the philosophical baggage associated with that). They are, in fact, presenting information as requested to carry out a transaction. That information is usually made up of a number of attributes, depending on the value of the transaction.

High-value transactions like certain government services, banking or large online purchases will likely require personal, financial and even metadata and behavioral data. For lower-value transactions, a verified email address might suffice. Certainly, Sign In with Apple seems to think so.

So, that landscape is a heady mix of identities, or rather identifying data conduits, including:

  1. Federated logins (lower assurance): FacebookID, GoogleID
  2. Federated logins (more assurance): Amazon, PayPal, AppleID
  3. Consumer identity access management (CIAM) services
  4. Citizen identity schemes: the EU eIDAS, UK Verify, India Aadhaar
  5. Mobile app-based IDs: Yoti,
  6. Decentralized IDs or self-sovereign identity (SSI)

This is what we have at our disposal when carrying out our online business. This is fine; choice is good. But can those IDs hack the 21st-century need for an identity that fits all purposes, is accessible for all, and offers security and privacy, too? Is that too much to ask?

Can we instead find the right ID for the right transactions, at the right time, under the right conditions? That’s a tall order, but it can be done with the right orchestration.

Call off the dogs, the missing identity layer has been found

The idea of a missing identity layer across the internet has been talked about for many years. Possibly, Microsoft’s Kim Cameron first proposed this idea when he wrote about his Laws of Identity. However, this layer has been less missing and more misplaced.

Instead of trying to fix this, we have been shoe-horning the data needed to perform online tasks into services. The result has been a messy, disjointed, confusing mix of disparate data sources. This has, in turn, helped to create multitudes of data silos across the internet for cybercriminals to dip into whenever they wish.

Synthetic identities are awash. Stolen identity is a massive issue. We need to tie this down by controlling the transaction, not the identity. An orchestration layer with anti-fraud checks and other behavior-based checks could do this – but it has to work in unison with the other pieces. It has to be orchestrated to form a coalition of services.

The Babel fish lives and its name is orchestration

Recently, I spoke to a well-known identity practitioner who described the orchestration layer that will pull the identity ecosystem together as a “Babel fish”. In the Hitchhiker’s Guide to the Galaxy, there was no problem communicating with entities from another planet. You just placed a Babel fish in your ear and presto! Any language from any galaxy was instantly translated to your own.

This concept of the Babel fish can be applied to online identity. The digital equivalent of that Babel fish will transform our identity structures. It will become the orchestration layer by bringing already existing services, identity providers, federated logins, verification checks, authentication, and anti-fraud checks together. By doing so, it will become the missing internet identity layer. 

Is self-sovereign identity an identity layer?

Some are saying that SSI is this missing internet layer; I would beg to differ. Whilst there is a place at the table for SSI, it is not the only player in the town called ID. How consumers interact with their data is, and should be, a matter of diverse choice. Let’s keep the digital accounts we already have and add them to the digital Babel fish to reuse them as needed. Rules of engagement can help to establish ongoing relationships, building them up over time.

The coalition of identity services

This layer is a coalition of existing services. Like SSL/TLS, it will pull the parties together. It works in harmony to provide a dynamic engine (dynamic being the operative word) that brings the players together.

Together the diverse needs of this dynamic identity layer orchestration can be met using:

  • Identity data shared under granular user consent
  • Identity verification checks that fit the use case
  • Anti-fraud checks
  • Rules that modify the behavior for all the myriad ways the consumer interacts with the services and their data
  • Adding data, under consent, where, and only where, it is needed
  • Translation of the protocols across diverse services and even more diverse identity providers — the digital Babel fish

Am I a dreamer? No, I am not; I am a pragmatist. We need to stop playing with identity data and build structures to give it power. Digital identity, or rather the data that represents us, is critical to online business and interactions. These data are the lifeblood of digital identity. We need the structures to reach out and pull it in where and when it is necessary.

Give consumers a choice; let them choose where to draw data from, and when. The identity layer that we need to build our identity ecosystem is alive and kicking and called dynamic orchestration.


Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She has worked in the field of cybersecurity and digital identity since then and helped to create award-winning security solutions used by enterprises across the world.

Susan currently works on large-scale citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government-based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
