Making sense of ‘Digital Identity’

Julio Sanjines
Mar 24, 2017

By Julio Sanjines and Prasant Chunduru

The term ‘Digital Identity’ is very much in vogue these days. It is meant to denote a radical new approach to identity, promising to end friction and to enhance security in transactions and interactions.

Identity is extremely critical in enabling a truly frictionless world because it is the fundamental basis for trust. Trust is essential for people to interact and collaborate with each other. In the recent best seller ‘Sapiens’, author Yuval Harari suggests that the reason why homo sapiens have come to dominate planet Earth is the ability of humans to cooperate in large numbers, achieved through shared fiction and trust. According to the book, this ability explains our success even more than our superior intelligence does.

The sections that follow provide a deeper dive into what constitutes ‘Identity’, how it is validated today, and a brief analysis of the innovations in the space. We wish to make the case that while the current innovation in the space is exciting, it is highly incremental and inherits the limitations of existing approaches. In a follow-up post, we will outline what the ‘Digital Identity’ of the future should look like and also propose a few foundational principles for this identity of the future.

What is ‘Identity’

Identity is defined as the qualities, beliefs, personality, looks and/or expressions that make a person or group. In its essence, identity is an amalgamation of attributes such as fingerprints, driver’s license numbers, hair color etc. Although there could be countless attributes associated with an individual, they can be broadly classified into two categories:

  1. Inherent attributes: These are the attributes that are created and shaped by nature. Examples include DNA, fingerprints, iris/retina, height, weight, hair/eye color etc. Note that some of these are immutable and static, while others could change over time.
  2. Assigned attributes: These are usually acquired through man-made sources, including Governments. Examples include legal name, passport details, driver’s license, tax ID, credit scores, address, security clearance level, Facebook profile, citizenship etc. There are hundreds, if not thousands of assigned attributes per individual.

As mentioned above, it is important to note that these attributes can also be further classified into two categories based on their changeability:

  1. Static: These are fixed and do not change over time. An example is DNA.
  2. Variable: These can change based on events or with time. An example is citizenship.

The 2x2 matrix below attempts to apply the above classification to some of the common attributes:

How is identity validated?

An often underappreciated and overly simplified aspect, especially on the digital front, is the underlying process in validating identity. Every identity validation process can be broken down into three sequential and distinct steps:

  1. Identification: Acquire the identity information of the individual
  2. Authentication: Validate the information presented and certify the individual matches the identity that was presented
  3. Authorization: Permit access to the authenticated individual based on rules

An example of this in the physical world is getting past airport security. The flow is:

  1. Identification: John, who has booked a flight ticket, arrives at the airport and presents his passport (assigned attribute) to the airline staff.
  2. Authentication: The airline staff verifies that the photo on the passport matches the person presenting it, and in the process, validates that it is indeed John seeking to board the flight.
  3. Authorization: The airline staff then checks whether John is booked on the flight before issuing a boarding pass and thus authorizing John to board the flight. There could be other authorization steps in the middle, for example, verifying John has the required Visa to visit the destination.

A similar transaction in the digital space is a debit card payment and would flow like the following:

  1. Identification: John shops for groceries and presents his debit card (assigned attribute) at the self-checkout terminal. The debit card identifies him as John.
  2. Authentication: The terminal prompts John to enter the PIN number associated with the card to validate that it is indeed John who has presented the card. John enters the correct PIN.
  3. Authorization: The terminal requests John’s bank (via card scheme APIs) to confirm that John has the required funds in his account before processing the transaction. If the bank confirms in the affirmative, the goods are sold and the funds are transferred, concluding the transaction.
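
The debit card flow above, written out as an added example (it is not the authors' code). The account record, the three-try lockout, the PBKDF2 PIN hash and all names are assumptions chosen for illustration; real card schemes verify PINs differently.

```python
import hashlib, hmac, os
from dataclasses import dataclass

MAX_PIN_TRIES = 3  # assumed lockout policy, not taken from the article

@dataclass
class Account:  # constructed sample record, not a real card-scheme format
    holder: str
    salt: bytes
    pin_hash: bytes
    balance_cents: int
    failed_pins: int = 0

def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_account(holder: str, pin: str, balance_cents: int) -> Account:
    salt = os.urandom(16)
    return Account(holder, salt, _hash_pin(pin, salt), balance_cents)

def identify(card_id: str, accounts: dict):
    """Step 1: the card is only a claim; look up whom it claims to be."""
    return accounts.get(card_id)

def authenticate(account: Account, pin: str) -> bool:
    """Step 2: check the presenter knows the PIN; lock after repeated failures."""
    if account.failed_pins >= MAX_PIN_TRIES:
        return False
    ok = hmac.compare_digest(_hash_pin(pin, account.salt), account.pin_hash)
    account.failed_pins = 0 if ok else account.failed_pins + 1
    return ok

def authorize(account: Account, amount_cents: int) -> bool:
    """Step 3: apply the rule to the authenticated account (sufficient funds)."""
    return 0 < amount_cents <= account.balance_cents

def pay(card_id: str, pin: str, amount_cents: int, accounts: dict) -> str:
    account = identify(card_id, accounts)
    if account is None:
        return "unidentified"
    if not authenticate(account, pin):
        locked = account.failed_pins >= MAX_PIN_TRIES
        return "locked" if locked else "authentication failed"
    if not authorize(account, amount_cents):
        return "not authorized"
    account.balance_cents -= amount_cents
    return "approved"

if __name__ == "__main__":
    accounts = {"CARD-0001": make_account("John", "4821", 5_000)}  # constructed
    print(pay("CARD-0001", "4821", 1_200, accounts))
```

Each step fails independently: an unknown card never reaches the PIN check, and a correct PIN on a locked card or an underfunded account is still refused.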

As we are painfully aware, the current approaches to identity are riddled with security concerns and many points of friction. Some of them include:

  • Carrying physical identities (ID card, phones etc) at all times is friction.
  • Authentication is predominantly carried out by humans, using their judgment to confirm whether an identity (photo, signature, PIN etc) matches an individual. This is highly unreliable.
  • A lot of private information on physical and digital IDs, most of which is irrelevant to the transaction, is shared in the process. For example, the driver’s license presented to enter a bar also has the full name and address. This creates major privacy issues that we have come to accept as a necessary evil.

Current innovation in identity

There are numerous startups in the Digital Identity landscape aiming to improve the cumbersome, unreliable and unfriendly processes. Here is a helpful snapshot of this very crowded landscape compiled by One World Identity.

At a high level, the following are commonalities in approaches followed by the innovators in the space:

  • Tie a paper ID to a biometric (predominantly fingerprint). This aims to increase security (fingerprints are harder to fake) and reduce the need to carry a paper around.
  • Create entirely new identity schemes built on top of and by aggregating IDs currently in use. This is the equivalent of creating a mobile wallet that aggregates credit cards.
  • Aggregate multiple logins/credentials into a single ‘ID’ framework. This is the equivalent of a single-sign-on (SSO) that is prevalent in the corporate space and Government initiatives.
  • Use advanced image recognition, machine learning and behavioral analysis to ascertain that paper/physical IDs are legitimate.

However, we regard these as incremental innovations that do not holistically address the issues and pain points in the current experience. The primary shortfalls of many of the current approaches are:

  • No significant reduction in friction: Usernames and passwords are not eliminated, just aggregated. Current forms of ID may be replaced by other physical forms (biometrics etc) that require a similar level of effort by the individuals. Presenting your phone at a bar for identification is not much of an upgrade over presenting a license, and hardly revolutionary.
  • Creating honey pots of valuable identity data ripe for attacks: Databases that aggregate identity attributes are major targets for hackers. Adding core attributes like fingerprints to the mix increases the risks and the impact of these attacks.
  • Failing to adequately engage the individual in the process: Smartphones and other tools have made connectivity ubiquitous and allow the user to be very actively engaged in the identity process. Although there are companies focusing on continuously authenticating users through various data points (mostly through mobile devices), this does not extend to identification.
  • Failing to realize the full potential of biometrics: The current application of biometrics in digital identity and security leaves a lot to be desired. As an example, when you touch your finger to unlock your phone, your fingerprint is being used to authenticate you as the owner of your phone (your actual identity is still your mobile device). It is not used to recognize and identify you. Try to use a friend’s phone to log in to your bank app using your fingerprint — you can’t. On the other hand, if you add your fingerprint to unlock your friend’s phone, it will let you log in to any app on the phone that uses Touch ID. Phones even allow for 5 thumbs to be added!

In the next post, we will seek to outline what the ‘Digital Identity’ of the future should look like and also propose some foundational principles for this identity of the future. Stay tuned …

Julio Sanjines

Experience across microfinance, corporate banking and strategy. Now passionate about the promise of Tech and scuba diving. More at www.afinz.com