The Challenge of Online Identity: First things First!

Over the last 15 years, Governments around the world including the UK, along with many private sector firms, have poured huge amounts of time and money into attempts to solve the problem of online identity assurance (that is, making sure that people are who they claim to be when doing a transaction where they are not physically present).

So far, very little has come of this investment. A workable, scalable solution still seems a long, long way away. The UK Government’s latest change in policy on its identity project Verify is the latest case in point.

Why is this? There is a simple but very important answer. When it comes to identity, we’ve been asking the wrong question — which has led us to pursue the wrong solutions.

The situation today

Assuring online identity is important because, without it, organisations struggle to serve different individuals efficiently and effectively and fraudsters have a field day, creating endless problems for everyone else. Historically, solutions to this problem grew like topsy with each organisation attempting to find its own answers, build its own processes and so on.

Result? A dysfunctional mess with massive levels of duplicated effort. Individuals have to go through some sort of identity check every time they want to do business online with an organisation (our ongoing username and password nightmare). Organisations offer clunky and inconsistent user experiences that are expensive to operate and still result in persistently high levels of fraud.

Multiple solutions have been sought but they have all failed for various reasons. Attempts to create national ID cards and schemes have struggled with excessive costs, burgeoning security risks and system complexities. That’s on top of widespread fears about the civil liberties and privacy implications of the State collecting so much data about its citizens. Partial solutions like signing in with Facebook or Google have emerged. But they don’t reach the levels of assurance many organisations need to do business and they come at a price: individuals leaking huge amounts of data to data profiteers.

The Verify scheme seemed a good idea at the time. If the Government could create an identity for individuals that works, say, for the Department of Work and Pensions which pays out billions in benefits, it should also work for all other Government departments and the private sector. By creating one identity that can be used in multiple places and situations — embracing the principle of ‘collect data once and use it many times’ — we could save huge amounts of time, money and hassle for both citizens and ‘relying parties’ (organisations seeking to assure identities).

But it proved difficult and expensive to create these identities. We (Mydex) should know. We were one of the five organisations chosen by the UK Government to lead the charge with Phase 1 of its Verify Programme. As it turned out, too many citizens struggled to obtain the proofs that were needed by the system. And most organisations were reluctant to pay for those identities that were created.

The common factor behind all these issues? The lack of easily, freely available ‘Verified Attributes’ — the core bits of information that go into creating an assured identity.

Verified Attributes

A verified attribute is any piece of information about a person that has been checked by a responsible trustworthy body and made available to another party. For example, a driving licence provides multiple verified attributes including the holder’s age / date of birth, address and other aspects of their identity including a picture of their face and their signature. The issuing body, the DVLA, is widely acknowledged as having robust processes to check these details.

As well as being used to verify that an individual is entitled to drive, a driving license’s verified attributes are widely used for other purposes. For example: by young people wanting to prove they are old enough to buy alcohol or enter a club and by citizens wanting to collect a parcel from a post office. And so on. In fact, most citizens probably use driving licenses far more for things other than actually proving entitlement to drive.

Our last blog examines Verified Attributes in much more detail, but for now the key point is that the difference between ‘a Verified Attribute’ and ‘an Assured Identity’ highlight the multiple misconceptions that dog the identity ‘industry’.

Misconceptions about identity

The first and most important misconception is this: identity is not a separate ‘thing’. It is just one of many use cases made possible by the availability of one particularly important form of personal data — Verified Attributes — and it is a by-product of this availability. For over a decade the identity ‘industry’ has been asking the wrong question. It has asked “how can we deliver safe, efficient assured identities at scale?”. But this question begs a prior one: “how to ensure mass, low-cost, safe sharing of the Verified Attributes that are needed to create these identities in the first place?”

Another misapprehension is that an identity has to be a ‘product’ that a specialist manufacturer that ‘makes’ and ‘sells’ it. In reality, online identities are made up of collections of many different Verified Attributes, and the nature of these Verified Attributes differ according to the needs of the relying party, including the degree of the assurance they require. Recognising a customer who wants to buy something from you is a different kettle of fish to knowing that someone is disabled in a particular way, and is therefore entitled to certain benefits and particular, targeted services. So there never will be a single, one-size-fits-all ‘identity product’ or ‘identity solution’ that meets all relying parties’ needs in the same way. Instead, the best way to meet these varying needs is to be able to easily access and use the unique sets of Verified Attributes that they each one requires.

This helps explain another misapprehension: that identity is a potential ‘market’ for firms to make lots of money in. In fact, most of the costs incurred in identity today — and therefore most of the potential revenue streams for ‘identity solutions’ — arise because it’s not possible (currently) for relying parties to access the Verified Attributes they need easily, quickly and at low cost. Indeed, many of these Verified Attributes are not available at all, because the organisations with the data are not prepared to share it.

If and when Verified Attributes become widely available and shareable at low cost, the costs of identity assurance will drop rapidly towards zero as access to the data becomes an automated part of online processing, thereby removing today’s unnecessary ‘border checks’ and barriers that dog most people’s online experience most of time.

The historical approach to identity was to accept existing infrastructure and restricted availability of data inputs as a given, and to provide a work-around service on top: a ‘cost plus’ approach to ‘a market’ in order to make money out of it. In reality, identity should be a universally available utility where the goal is to remove as much cost, effort, friction and risk out of transactions and services as possible. It’s not ‘making money out of’. It’s ‘taking cost out of’.

The way forward

If you ask the wrong questions, you are almost certain to get the wrong answers — and for the last decade (and more) a massive identity bandwagon has been asking the wrong questions. Here’s an analogy. It’s been asking ‘how can we create a market for Porsches and Ferraris?’ in a world where the roads are still made out of mud and cobblestone and petrol is made in different grades in small batches by craftsmen.

The ‘petrol’ of identity assurance is Verified Attributes. They need to be made available on a mass scale, free, in interoperable forms, as part of implementation of new citizen rights under GDPR. The ‘roads’ are the infrastructure needed for safe, efficient data sharing. The only such infrastructure that can work at scale without creating nightmarish privacy and data protection problems is for each individual to have their own personal data store, where their Verified Attributes can be accumulated, stored and maintained safely and securely and automatically and shared under the individual’s control.

Only when these two things have happened — availability of key inputs (Verified Attributes) and an enabling data sharing infrastructure of Personal Data Stores (the petrol and the roads) — will the dream of online identity be realised.

Cracking the challenge of identity remains a huge opportunity to reduce cost, risk, effort, friction and hassle for both citizens and organisations. But to succeed we need to recognise this really is a case of ‘first things first’.