Machine Economy Deep Dives: Digital Identity Part III

What on earth is identity management?

Carolina Soto
Future Energy Ventures
Mar 12, 2018


written and researched by Moritz Julian and Carolina Soto

Welcome to the third edition of our Machine Economy Deep Dive Series. In our previous articles (Part I and Part II), we focused on the importance of digital identities for interacting in an increasingly digital world, and explored self-sovereign identities drawing on their potential to improve the lives of millions of people in both developing and developed countries.

This new article is all about Identity Management. We will delve into the basic flow for identity enrolment and proofing, illustrate use-cases from the user/company/government perspective, and show some examples of companies working on identity management.

So, let’s get this show on the road.


Identity management (IdM), also known as identity and access management (IAM), enables:

“the right individuals to access the right resources at the right times for the right reasons” (Gartner IT Glossary).

Take, for example, a car rental situation where a 21-year-old woman in Germany, with a type B license, wants to rent a car for a day. In this case, she needs to prove her identity to the rental company by showing a valid personal identification card, and show her driver’s license to prove that she is allowed to drive a vehicle. By doing this, the company knows she is the right individual (she is who she claims to be) and can have access to this type of car (and not a motorbike or a truck under the type B license) at this certain time.

Sounds easy, right? Well, identity management is not as simple as it looks. There is a collective of companies behind the curtains working to ensure that each user and service provider can make a transaction and prove their identity.

There are four steps, and one underlying network, necessary for creating and using an identity:

  1. User identification is the process of identifying a person and issuing an identity credential to reflect that identity. Identities are the collection of personal attributes like name, age, address, credit card number, etc. — ergo the more attributes a user claims, the stronger the identity gets.
  2. User authentication ensures that the user trying to access her identity is who she claims to be. To authenticate herself, a user can provide a password, biometrics, an access badge, use one-time tokens, etc. depending on the context within which this information is captured.
  3. User verification helps service providers ensure that the user is who she claims to be. Verification services check various attributes against other sources like databases, social media, or official records.
  4. User authorization determines what rights and privileges are accorded to the user depending on her attributes, once an individual’s identity is successfully authenticated and verified. Coming back to the car rental example: once the user has had her identity and driver’s license verified, the authorization process allows her to rent a car — it’s her right to do so based on her attributes.
  • Attribute sharing: To collect attributes, a user needs to approach a claim/attribute vendor who knows something about her and is willing to vouch for it. Users often additionally provide a list of self-claimed attributes such as their name or birth date. Claims can’t be forged and provide service providers with verified and trusted information about a user.

But why is this whole process necessary? Couldn’t the woman have gone to the rental company and said she’s old enough to drive and that she’s been driving for ages, and therefore should have the right to rent a car? The answer is no. With the current setup, individuals need a third party certifying that claims are true, and thus enabling transactions. The analog approach to identity and its digital twin are wide open for malicious actors who want to operate outside the legal framework, creating mistrust and obstructing the whole system.
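The difference between a self-claimed attribute and one a third party vouches for, and how verification and authorization build on it, can be shown in a short sketch. This is an added example, not code from the article or from any company it mentions; the issuer name, demo key, minimum rental age and license-to-vehicle table are assumptions, and an HMAC with a shared key stands in for the asymmetric signatures a real claim issuer would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key shared by issuer and verifier (assumption). Real systems
# use asymmetric signatures so a verifier cannot mint claims itself.
ISSUER_KEYS = {"licensing-office": b"demo-key-not-for-production"}

# Hypothetical policy table: license class -> vehicle types it covers.
LICENSE_COVERS = {"B": {"car"}, "A": {"motorbike"}, "C": {"truck"}}


def _mac(key: bytes, attributes: dict) -> str:
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    payload = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_claim(issuer: str, attributes: dict) -> dict:
    """Attribute sharing: a vendor vouches for a set of attributes."""
    return {"issuer": issuer, "attributes": attributes,
            "sig": _mac(ISSUER_KEYS[issuer], attributes)}


def verify_claim(claim: dict) -> bool:
    """Step 3: the service provider checks the claim against a trusted issuer."""
    key = ISSUER_KEYS.get(claim.get("issuer"))
    if key is None:
        return False  # unknown issuer: self-claimed, not verified
    expected = _mac(key, claim.get("attributes", {}))
    return hmac.compare_digest(expected.encode(), str(claim.get("sig", "")).encode())


def authorize_rental(claim: dict, vehicle: str, today: date, min_age: int = 21) -> bool:
    """Step 4: decide from verified attributes only (min_age is hypothetical)."""
    if not verify_claim(claim):
        return False
    attrs = claim["attributes"]
    born = date.fromisoformat(attrs["birth_date"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age >= min_age and vehicle in LICENSE_COVERS.get(attrs["license_class"], set())
```

A claim whose attributes are edited after issuance, or one that names an issuer the rental company does not trust, fails `verify_claim` and is never evaluated by the authorization policy.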

Besides this simple car rental situation that takes place every once in a while, there are many other cases where identity management plays an important role. The following chart originally appeared in the Australia Post’s white paper “A frictionless future for identity management”, explaining how identity is used in many moments throughout the year. We have expanded it to cover additional use-cases from the perspective of businesses (e.g. KYC) and governments (e.g. issue identities):

When looking at the table, there are three main findings we have identified:

  • Identity management is independent from usage frequency. It is necessary at all times.
  • Identity management is use-case agnostic. It is not exclusive to one area (e.g. professional, legal, leisure) but has at least one use case per area.
  • Most infrequent use cases happen in the user identification space (bottom layer). These cases include address registration, name change, identity issuance, passport, driving license, and visas.

In the background, there is a large number of companies around the world working to sustain the identity management ecosystem.


These companies either specialize in one of the steps (e.g. identity issuance), in many (e.g. authentication and attribute verification), or take a holistic approach covering all five steps. In this article, we have selected a handful of startups with innovative identity management products.

The first one on the list is Procivis, a Swiss startup providing government-trusted electronic ID solutions. Its product tackles step 1 — User identification — in the IAM roadmap. To date, Procivis is working closely with the Estonian government to provide an ‘e-government as a service’ solution that facilitates citizens’ interaction with the government through i-voting, e-tax board, e-business, e-banking, e-school and e-residency.

Taking over step 2 — User authentication — is Auth0, a US-American company providing an ‘authentication as a service’ solution. It helps website and mobile app developers to easily manage identity and authentication for a secure user login. Auth0’s platform allows for single sign-on, breached password detection, multi-factor authentication, user management and passwordless access. Its solution works within a federated identity approach where credentials of one service, e.g. Google or Facebook accounts, can be used to log into other services.

When it comes to step 3 — User verification —, BlockScore API is one of a kind. It verifies both people (ID verification) and businesses (due diligence) for anti-fraud and regulatory compliance. To verify people, when a user signs in, he is asked for basic personal information that BlockScore verifies against watchlists, and then, using knowledge-based authentication, the user must answer hard-to-guess questions such as ‘what type of car did you own in 2005’. To verify companies, BlockScore verifies basic incorporation information and federal tax ID (for US-based companies only), thus reducing compliance burdens for KYC and AML regulations.

The last company on the list is Yoti, which lets users create their own digital ID (step 1), authenticate it (step 2), and verify it (step 3) to eventually be authorized to access a particular service (step 4). Its holistic view of identity, where the user owns his personal information and is able to verify it, represents a radical shift in the identity ecosystem. With Yoti, people can create a digital ID by scanning their biometric ID/passport and uploading a selfie to the Yoti app, and then use it to connect and verify their details with a range of organizations using Yoti (the attribute/claim sharing network).

Wrapping up, this article was intended to shed some light on Identity Management and take a critical view of its current approach.

Among the things we’ve learned:

  • Identity management systems are always triggered by a governmental institution building the base layer (identity issuance).
  • Private institutions have built digital solutions that provide authentication, verification and authorization services on top, which are mainly set in centralised silos.
  • This leaves the identity space, as the core of private data, in the hands of private players, who are incentivised to make profits.

With this, we are shifting our view within the next deep dive towards the impact of decentralized ledger technology on identity management and private data ownership.

Find out more about how the identity + blockchain ecosystem is taking shape in Part IV of our Digital Identity Deep Dive series soon!

📖 Last but not least, thanks for great thoughts, inspiration, content and data go to… (aka sources — check these out for further reading, too)


🤖 We are the machine economy team of the innogy Innovation Hub and believe in a future that is decentralized and enabled by machine-to-machine transactions.

💌 This is only the beginning! There will be more “deep dives” in future, so make sure to follow our Medium channel to stay updated. See you soon!

💡If you are a startup working in the field of digital self-sovereign identities or are just curious about the topic, feel free to contact us!

moritz.jungmann@innogy.com & andreacarolina.soto@innogy.com
