In my last post I painted four scenarios for the future of identity. The worst case was identity Armageddon and in the other three there would still have been problems.
So what would be needed to get us to a world where being confident in the identity of our customers, staff, counterparties and their personal information is non-Invasive and easy to manage for both organisations and individuals?
Could there be three steps to identity heaven?
Step 1: Solutions working in harmony
To date, many of the solutions employed to assert identity are “point solutions”: they deal with a specific issue, often at a specific point in time and in a specific way. There are many different ways to verify identity: data-based solutions, biometrics, cryptopgraphy and device based intelligence to name a few. Often these are seen as competitors fighting for the same marketplace.
When one or a few types of solution are chosen to provide identity verification, the dual threats of fraud and false negatives prevails and Identity Armageddon remains on the cards. The first step to identity heaven is to acknowledge that a multi-layered approach is required. The solutions implemented are seen as components that work together. Solutions providers can take the lead in bringing to market systems that are easy to integrate and deliver a robust solution that is stronger than the sum of its parts.
Step 2: A well-understood framework
Identity checking is carried out for many reasons including; protection from fraud, providing appropriate services, or meeting legislative requirements, the threshold for assurance varies across these requirements. This situation is made more complex when considered over the public and private sectors, the type of identification a government-only identity scheme produces may not meet the needs of the private sector, while an identity established in the private sector may not be trusted by government.
To present a solution that works robustly across all sectors the drivers for identity checking need to be scrutinised and agreed identity thresholds determined for the different scenarios. This will lead to a standardised identity service provision and a single scheme which can be cost-effectively deployed for all sectors. The use of strong ‘federated identity’ is on the horizon and the framework is developing. The challenge will be translating this into a service that is also attractive to the commercial sector as well as individuals and where the burden of development is not left with the tax payer.
Step 3: Individuals own their identity
At present, consumers are forced to establish their identity and the key information about themselves with each and every business or service they use – often multiple times. This doesn’t work for everyone; individuals dislike the inconvenience and mulitiplicity of passwords and organisations are engaged in a tricky balancing act, trying to provide a great customer experience while still meeting their identity checking obligations and avoiding fraud. Flipping control of identity on its head by giving individuals the power and responsibility to manage their own identities gives us the 3rd step.
GOV.UK Verify is giving us a taste of a future, where individuals hold a trusted identity with an approved supplier. When they need to prove who they are or information about them to a relying party they simply refer to their identity provider in a seamless and simple process that takes little time or effort.
So are we on the path to Identity heaven?
The development of GOV.UK Verify certainly brings a new dynamic to the market, one where the management of identity sits with the individual and the various credentials can be integrated within the framework it provides. The question of how this is translated into the private sector has not been answered yet. Are UK citizens happy to take on the management and control of their own identities?