Digital Identity for Consumers.
We are born without a Digital Identity, and we do quite well without one for the first 20 years of our lives. But then we need to get a Digital Identity and to use it carefully, day by day, everywhere we go. Indeed, there are bad actors preying on our Digital Identity for the rest of our lives. Multiply this by 3 billion people and you get the scope of the problem.
Two trivial conclusions: Digital Identities are created. Digital Identities must be protected.
Many scholars are debating what Digital Identity is. At this point it is sufficient to say that we may not know exactly what Digital Identity is, but we know it when we see it.
Digital Identities must be stored somewhere. But this contradicts our common-sense knowledge that neither centralized systems nor endpoints are protected well enough. Many attributes of our Digital Identities are already in the public domain. We are not worried about their protection, because they cannot harm us in any way. Many people know your name and your phone number (just by looking in a phone book), but it does not worry you, since this data does not authorize anyone to do anything. (If it does — you should immediately close that relationship or business account.)
So let’s decide that the minimal set of Digital Identity attributes, our Digital Persona, will comprise a set of harmless, public-domain parameters.
But a Digital Identity is created, by definition. Therefore, we must be sure that the Digital Persona is verified, online, by third parties. Third parties such as a Social Network (Facebook), a Payment Network (PayPal), an Enterprise, a Government, a Bank, a Mobile Operator, a Healthcare Provider, etc. It is clear that these third parties are legally free to share, upon consent, non-sensitive Digital Persona attributes such as: First Name, Last Name, Gender, Photo URL, Email, Confirmed Address, Enterprise ID#, IBAN#, National ID#, Mobile Phone #. Third parties have already verified this information, and a centralized service for Digital Persona aggregation can leverage it without any danger to the consumer.
In practice, one would need a Digital Persona to open a new account at some service provider, due to Know Your Customer (KYC) or Anti-Money Laundering (AML) regulation. This may be a good starting point to establish a relationship, and perhaps to provide some additional information at a later stage.
Another important use case is P2P apps, such as dating, where a Digital Persona may be required until a reputation is established.
But once we have created a new account — we do not carry our Digital Persona with us. We could store all of this on our smartphone, but what if the smartphone is stolen, lost or destroyed? We need to verify our Digital Persona wherever it is stored. The data proves nothing; its verification proves everything. This process is commonly called authentication. It is clear that the Digital Persona and its authentication must be bound together, somewhat like a Public and Private Key pair.
If this Digital Persona is online, then one must assign it parameters of Knowledge (for example a PIN), Ownership (for example a smartphone) or Inherence (for example behavioral biometrics).
We can safely say, now, that no “silver bullet” has emerged as the best of breed for authentication. Our rule of thumb: get as many parameters as possible, in as short a time as possible, to reduce consumer friction.
But our real goal, as consumers, is to get some online service (financial, healthcare, government, etc.). For example — a money transfer. Are we authorizing it correctly? This is where things get even more complicated. Our endpoints (PCs, smartphones) are unsafe and can be infected with malware. The process of authentication is generally out of context with the user’s intent (the request for authorization), and malware can modify that request. “What You See is not What You Get”.
Therefore it is imperative that authentication be in-context, binding it to the authorization.
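The binding of authentication to the user's intent described above, as an added example that is not from the original post: a context-free one-time code proves possession of the device but says nothing about the transfer, so a man-in-the-browser rewrite of the payee still passes; an in-context code computed over the transaction the user actually saw fails verification when the submitted transaction differs. The device key, nonce and IBAN values are constructed placeholders, and an HMAC stands in for whatever device-side signing a real product would use.

```python
import hashlib
import hmac
import json

# Constructed example: a secret provisioned to the user's trusted device
# (the Possession factor). Placeholder value, not from any real system.
DEVICE_KEY = b"device-secret-provisioned-at-enrolment"


def canonical(tx: dict) -> bytes:
    """Canonical encoding so device and server hash exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def context_free_otp(key: bytes, challenge: bytes) -> str:
    """Classic OTP: bound to the login challenge only, not to any transaction."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:8]


def sign_intent(key: bytes, challenge: bytes, tx_shown: dict) -> str:
    """In-context authentication: the code covers the transaction the user saw."""
    return hmac.new(key, challenge + canonical(tx_shown), hashlib.sha256).hexdigest()[:8]


def server_accepts_otp(key: bytes, challenge: bytes, tx_submitted: dict, code: str) -> bool:
    # The server cannot tell what the user saw; any transaction passes with a valid OTP.
    return hmac.compare_digest(code, context_free_otp(key, challenge))


def server_accepts_intent(key: bytes, challenge: bytes, tx_submitted: dict, code: str) -> bool:
    # The server recomputes the code over the transaction it is about to execute.
    return hmac.compare_digest(code, sign_intent(key, challenge, tx_submitted))


def simulate(tamper: bool):
    """Returns (otp_accepted, intent_accepted) for an honest or a tampered submission."""
    challenge = b"nonce-0001"  # constructed; a real server would draw a fresh random nonce
    tx_shown = {"amount": "100.00", "currency": "EUR", "to_iban": "DE00 PLACEHOLDER IBAN"}
    otp = context_free_otp(DEVICE_KEY, challenge)
    intent = sign_intent(DEVICE_KEY, challenge, tx_shown)
    tx_submitted = dict(tx_shown)
    if tamper:
        # Man-in-the-browser scenario from the text: the payee is changed after approval.
        tx_submitted["to_iban"] = "XX00 PLACEHOLDER IBAN"
    return (server_accepts_otp(DEVICE_KEY, challenge, tx_submitted, otp),
            server_accepts_intent(DEVICE_KEY, challenge, tx_submitted, intent))
```

With an untampered submission both checks pass; with the payee rewritten, only the context-free OTP still passes, which is exactly the gap that in-context authentication closes.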
What we finally get is the following Triangle:
Why can’t we have three best-of-breed vendors, for each of the three sides of this Triangle?
Securing Digital Identity is a formidable task. Experience shows that the weakest link in the “security dress” is its stitches.
Suppose we have good authentication and good endpoint protection. Do they work together to protect against a “man-in-the-browser” attack that results in a stolen money-transfer transaction?
Suppose we have a good “Verified Digital Persona” solution. Does it provide a secure and scalable assignment of authentication parameters of Knowledge, Possession and Inherence?
To summarize: Digital Identity for Consumers can be achieved by binding together a Verified Digital Persona, Optimized Multi-Factor Authentication and Secured Intent for Authorization.