Digital Identity: Market Trends

Key Trends in Biometrics 

While the underlying capture and recognition technologies continue to evolve for fingerprint, face, and iris recognition, no major technology disruptions are anticipated. For instance, sensors have become more accurate and can read data from longer distances through contactless fingerprinting and iris-at-a-distance scanners. Fingerprint matching technology has advanced to the point where some matching algorithms can perform more than 1 billion matches per second. High-resolution (1000+ dpi) scanners are being piloted for infant biometrics, and facial biometrics algorithms are advancing to better accommodate off-axis, lower resolution, and poorly illuminated faces. Across all of these modalities, sensors are evolving in ways that make it more difficult to trick a biometric-recognition system.

 

Experts expect to see as many as 600 million devices with biometric authentication by 2021. By 2020, 50 billion Internet of Things (IoT) devices are forecasted to be in use, and 500 million biometric sensors will be deployed for IoT by 2018. Indeed, IoT will be a major enabler for combining analytics and continuous assessment to generate an adequate level of assurance, in real time, that an individual is who he or she claims to be.

 

Meanwhile, multimodal biometric systems using a combination of iris, fingerprint, and face modalities will likely be the most promising for identifying and authenticating an individual. Face-authentication technology is now almost as accurate as fingerprinting for authentication, provided photo quality follows the associated standards and best practices from ISO and the International Civil Aviation Organisation (ICAO). However, this is not always the case in developing countries, where legacy data is of very poor quality and enrollment guidelines are poorly enforced.

 

For some applications, governments or organisations will use behavioural recognition as a means for continuous authentication to ensure that an individual who was authenticated at the start of the session remains the same throughout the session. Some of the earliest deployments of continuous authentication to date have been in the European banking industry. To achieve continuous authentication, system operators could use multimodal biometrics as well as behavioural parameters like geolocation, commuting and work patterns, and passive voice and face recognition.

 

Key Trends in Cards  

Digital ID cards in global circulation are expected to increase from 1.75 billion in 2013 to 3.3 billion in 2021. Of this, a total of 3.2 billion national ID smart cards will be issued by 103 countries.

 

As of early 2017, 82% of all countries issuing official ID cards have implemented programs that depend on smart cards or plastic cards and biometrics.

 

Other innovations in cards include NFC—wireless communication that permits the exchange of data between devices that are just a few centimetres apart. NFC-enabled devices, together with mobile eID applications, enable mobile authentication in Germany’s ID card system. Bluetooth low-energy beacon technology is an innovation in the optional card characteristics domain. The beacon can find the location of a smart device and use transmitters to push pertinent information to Bluetooth-enabled devices.

 

Many countries are now implementing cards with built-in biometric security for their respective national ID programs. The government of Maldives has recently launched a biometric smart card-based national ID called “Passport Card” for its citizens in collaboration with Mastercard. It contains a unique combination of dual-interface chips for contactless and contact card reading. This card functions as the cardholder's passport, driving licence, and national ID, can be used by the government to provide health and e-services, and also functions as a payment card. The card contains 10 fingerprints for secure verification.

 

Contactless smart cards are increasingly being adopted by many national identity programs, such as the German identity card and MyKad, the identity card issued by the Government of Malaysia to its citizens. MyKad is a multipurpose contactless smart card that functions as an identification card, driving licence, passport, transit card, and health document. The card stores the cardholder’s fingerprint information, which a reader can access to verify the individual.

 

The German identity card is a contactless smart card issued to the citizens of Germany. It is based on RFID technology and can be read from a distance of only 4 centimetres. Moreover, the chip is PIN-protected: it releases its data only after the correct PIN is entered, and communication between the card and reader is encrypted. This identity card can also be used as a valid travel document between European Union countries.

 

In the future, biometric cards will likely have a built-in biometric sensor instead of just storing a biometric template. A card with an integrated sensor removes the need for PINs and passwords and works only after the cardholder activates it with his or her biometric. While fingerprint remains the primary biometric used on such cards, there is potential to use other measures such as electrocardiography (ECG).

 

Key Trends in Mobile Solutions 

Biometric smartphones have proliferated, with more than 500 models introduced since early 2013 and 1 billion of these devices in use today. Projections show that by 2020, there will be 4.8 billion biometrically enabled smart mobile devices. As the technology gets more portable and less expensive, portable registration of remote populations in developing countries may increase. Voter registration in several African countries and population registration in Tanzania are examples of how mobile technologies can help governments bring registration to the people, rather than the other way around.

 

Mobile ID is also increasingly emerging as a preferred choice for implementing digital ID systems. Consider these examples:

  • Estonia’s Mobile ID, launched in 2007, lets individuals access personal data and information on their mobile devices and authenticate online transactions using secure public key infrastructure (PKI) technology. SIM-based mobile ID can be used exactly like a regular physical credential with 300-plus organisations in Estonia’s private and public sectors. The electronic signature function of mobile devices enables all of this and holds legal equivalence to a “wet” signature.

  • Mobile ID is also available in Austria, Azerbaijan, Belgium, Finland, Germany, Iceland, Japan, Lithuania,  Moldova, Norway, and Sweden. 

  • In 2014, Oman became the first country in the Middle East to complement its electronic ID card with a mobile-ID scheme. Qatar and UAE later followed suit.  

 

Mobile registration, where a registration authority uses mobile technology in the enrollment process, is becoming easier, more accurate, and more cost-effective as specialised mobile devices are integrated with existing smartphones. For example, the BioID facial-recognition mobile app lets people pre-enrol in BioID with just a few clicks and capture facial images. Tascent’s M6 is a mobile accessory that integrates with the iPhone and adds dual-iris capture along with dual-fingerprint-capture capability; together with the mobile app, it also provides capabilities for enrolling, de-duplicating, and authenticating subjects. Other emerging technologies are using software-only solutions for mobile registration. For example, Element Inc. uses the existing cameras on mobile devices for biometric data capture powered by deep-learning algorithms. Element’s software can enrol multiple modalities (face, palm) without requiring connectivity or specialised hardware. The software is also accessible through software development kits (SDKs) or stand-alone applications, allowing common smartphones and tablets to become biometrically enabled.

 

Other advancements (such as SIM-based mobile ID, derived mobile ID, and NFC-based mobile ID) will enable users to identify themselves seamlessly to gain access to government services. Mobile apps are also adopting dynamic authentication techniques based on geolocation and users’ transaction histories. Innovative applications are enabling multimodal biometric data capture, and some governments are combining such capture with deep-learning algorithms to create maternal and child health registries.

 

Meanwhile, the Mobile ID SIM applet now allows individuals to confirm their identity and sign documents directly from their mobile phone by entering a unique user-selectable PIN. Unified, personalised, multi-channel and multi-platform solutions are expected to emerge, using existing technologies like AI, voice recognition, and geolocation. These technologies will be easy to use, making tasks like authentication seamless and efficient.

 

Governments are also increasingly exploring a variety of public-private partnerships (PPPs) and revenue-sharing models to generate funds for the additional hardware and network strength investments that mobile authentication systems require. In some of these models, mobile operators charge end users a fee for using mobile signatures and pass on part of the income to the government, as was done in Moldova.

 

Geopolitical Trend

Various governments around the world have launched identity initiatives including:

 

  • Austria. Austria’s Citizen Card is designed to provide a secure and privacy-friendly form of identity management. The critical technological feature of the Citizen Card that makes it a good model for emulation is the use of unlinkable sector-specific identifiers (and associated cryptographic keys and digital certificates). Positive aspects of the approach include 1) Comprehensive data protection law; 2) Independent data protection authority; 3) Limited data kept on the card; 4) Separation of identities by sector, and 5) Integration with 12 government services. Drawbacks, however, include concerns about the security of card readers.

  • Estonia. The Estonian e-ID card includes an embedded PKI application that enables online authentication and digital signature with electronic certificates. More than 600 online government services are available through the use of the online authentication system; companies have access to more than 2,400 services. In the past decade, no security breaches have been reported. Positive aspects of the system include 1) Comprehensive data protection law, 2) Independent data protection authority, 3) Logging that enables auditing, and 4) Minimal data provided to service providers. The drawback is that excessive data is held on the card.

  • The United Kingdom. GOV.UK Verify is an identity scheme that establishes a private sector marketplace for digital identity, with private sector organisations creating and managing digital identities on behalf of citizens. Positive aspects of this approach include 1) Comprehensive data protection law; 2) Independent data protection authority; 3) Decoupling of identity providers and service providers; 4) Minimization of data sharing, and 5) Focus on end-user experience. Drawbacks include the potential for tracking and surveillance to occur as a result of a “matching data set” in all identity transactions. 
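The sector-specific identifier design in the Austria entry above is the one item in this list that is directly implementable, and the property worth checking is the one the entry names: services in different sectors must not be able to join their records on a common key. The block below is an added illustration written for this page, not Austrian government code. It models the scheme as a keyed secret base identifier that is then hashed with a sector code; Austria's real derivation, key handling and hash choice are not reproduced, and the authority key, register numbers and sector names are constructed placeholders. It also shows the anti-pattern of hashing a guessable public number directly, and the caveat that whoever holds the derivation key can link sectors, so that role has to be isolated from the sector services.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed illustration of unlinkable sector-specific identifiers. This is
# not Austria's real derivation scheme (assumption: a secret base identifier,
# which Austria calls the sourcePIN, is derived under an authority key and then
# hashed with a sector code; key, hash and encoding choices here are ours).
AUTHORITY_KEY = b"constructed-authority-key-held-only-by-the-issuer"  # placeholder
SECTORS = ("tax", "health", "social-insurance")


def source_pin(register_number: str, authority_key: bytes = AUTHORITY_KEY) -> bytes:
    """Secret base identifier: keyed, so nobody can recompute it from the
    register number without the issuing authority's key."""
    return hmac.new(authority_key, register_number.encode(), hashlib.sha256).digest()


def sector_id(base: bytes, sector: str) -> str:
    """Sector-specific identifier: one-way, so a service that stores it learns
    neither the base identifier nor the identifiers used in other sectors."""
    return hashlib.sha256(base + b"|" + sector.encode()).hexdigest()


def weak_sector_id(register_number: str, sector: str) -> str:
    """Anti-pattern kept for comparison: hashing a guessable public number directly.
    It looks pseudonymous, but anyone who can enumerate register numbers can link it."""
    return hashlib.sha256(register_number.encode() + b"|" + sector.encode()).hexdigest()


def issue_card(register_number: str) -> dict:
    """Identifiers provisioned to one citizen's card: one per sector, base kept secret."""
    base = source_pin(register_number)
    return {s: sector_id(base, s) for s in SECTORS}


def try_link(observed_id: str, sector: str, candidates: Iterable[str],
             derive: Callable[[str, str], str]) -> Optional[str]:
    """Linking attempt by a party holding one sector identifier and a list of
    candidate register numbers. Returns the matched number or None."""
    for number in candidates:
        if derive(number, sector) == observed_id:
            return number
    return None


def demo():
    citizen = "0001234567"
    card = issue_card(citizen)
    # A small candidate range keeps the demo fast; a real register is larger but
    # still cheap to enumerate, which is exactly why the weak scheme fails.
    candidates = [f"{n:010d}" for n in range(1_230_000, 1_240_000)]

    # 1. Weak scheme: the tax-sector id alone reveals the register number, and
    #    therefore links to every other sector that uses the same hashing.
    weak_hit = try_link(weak_sector_id(citizen, "tax"), "tax", candidates, weak_sector_id)

    # 2. Keyed scheme, observer without the authority key: same enumeration, no match.
    wrong_key = b"observer-guess"
    strong_hit = try_link(card["tax"], "tax", candidates,
                          lambda n, s: sector_id(source_pin(n, wrong_key), s))

    # 3. Caveat: the key holder CAN link sectors, so that role must be kept
    #    separate from the sector services that store the identifiers.
    authority_hit = try_link(card["health"], "health", candidates,
                             lambda n, s: sector_id(source_pin(n), s))
    return weak_hit, strong_hit, authority_hit


if __name__ == "__main__":
    print(demo())  # ('0001234567', None, '0001234567')
```

Within a sector the identifier is stable (the same citizen always maps to the same value), across sectors the values share nothing, and the only party able to bridge them is the key holder; the design question for any scheme of this kind is therefore who holds that key and whether the sector services can ever obtain it.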

 

As a result, the United States is destined to play catch-up with—and be impacted by—the rest of the world. European developments like GDPR impact U.S. banks and, in some cases, conflict with U.S.-based law—for example, the requirement to notify the government of a data breach within 72 hours of its discovery. According to Andy Roth, a partner at the law firm Cooley LLP:

 

“A European data subject can make requests on what data the bank has on it and can make changes and request deletion of the data. These require business practices that banks don’t have in the U.S.”

While the United States fiddles around with what to call the Consumer Financial Protection Bureau (the current director claims the legal name is Bureau of Consumer Financial Protection, and there’s a bill in the House to change the name to the Financial Product Safety Commission), Rome is burning—the U.S. banking system, that is. Meanwhile, digital identity issues go unaddressed. 

 

Market Trends Affecting Digital Identity

 

The current needs of the digital identity market arise broadly from the condition of the online environment. These will be discussed in this section, detailing how each is shaping the future of digital identity.

 

The COVID-19 Pandemic, Remote Working, and Access Control

No report on digital identity management in 2020 would be complete without reference to the impact of the COVID-19 pandemic. Companies all over the world have been forced to turn to home working to stay productive. This has created challenges for enterprise IT teams, particularly in cybersecurity. Cybercriminals have taken advantage of networks that are not just extended but fuzzy-edged, where Shadow IT is common. Shadow IT refers to systems deployed by departments other than the central IT department to work around the limitations of centralised systems. This is compounded by the now massive variety of devices and networks that users work on, driven by an explosion in remote working. The advent of the malicious ‘remote insider’ only adds complexity to the needs of traditional enterprise Identity & Access Management (IAM) systems.

 

Providing robust and effective access control in an environment outside the enterprise's direct control requires a change in approach. The August 2020 NIST Special Publication 800-207 on implementing a Zero Trust Architecture (ZTA) defines a process to create an effective ZTA with an emphasis on monitoring. NIST states: ‘When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and best practices, a ZTA can protect against common threats and improve an organisation’s security posture by using a managed risk approach.’

 

On the subject of remote employees, NIST says:

‘Remote enterprise subjects and assets cannot fully trust their local network connection. Remote subjects should assume that the local (i.e., non-enterprise-owned) network is hostile. Assets should assume that all traffic is being monitored and potentially modified.’

 

The situation in regard to online consumer accounts has reached a tipping point. Credential management has gone beyond onerous. Dashlane estimates that, on average, a US adult has around 150 online accounts, and managing that many credentials is becoming extremely difficult. Usually, a password is required to access these accounts, and many people reuse credentials to avoid remembering multiple passwords. The result is an onslaught of credential stuffing attacks, where fraudsters replay stolen credentials against other online accounts; 88 billion such attacks were recorded in 2019.

 

This issue is not just a consumer problem. The phenomenon of working from home, coupled with Shadow IT and bring your own device (BYOD), means that credential stuffing could potentially leak over into enterprise access, as users reuse cloud login credentials for personal accounts for convenience.
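The distinguishing shape of credential stuffing described above is many different accounts being tried from one source in a short time, with a low success rate, rather than one account being retried. The following is an added detection example written for this page, not code from the report or from any vendor it names. The authentication log lines are constructed, the line format is an assumption, and the thresholds (five distinct accounts within five minutes, at most half of the attempts succeeding) are illustrative defaults a deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events (not from any real system). 203.0.113.7
# walks through many accounts with mostly failures; 198.51.100.4 is one user
# retrying her own password and should not be flagged.
SAMPLE_LOG = """\
2020-09-14T10:00:01Z ip=203.0.113.7 user=alice result=fail
2020-09-14T10:00:02Z ip=203.0.113.7 user=bob result=fail
2020-09-14T10:00:02Z ip=198.51.100.4 user=carol result=fail
2020-09-14T10:00:03Z ip=203.0.113.7 user=carol result=fail
2020-09-14T10:00:04Z ip=203.0.113.7 user=dave result=fail
2020-09-14T10:00:05Z ip=198.51.100.4 user=carol result=fail
2020-09-14T10:00:05Z ip=203.0.113.7 user=erin result=success
2020-09-14T10:00:06Z ip=203.0.113.7 user=frank result=fail
2020-09-14T10:00:09Z ip=198.51.100.4 user=carol result=success
2020-09-14T10:30:00Z ip=203.0.113.7 user=grace result=fail
"""

# Assumed log format: "<ISO timestamp> ip=<src> user=<account> result=success|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line: str):
    """One event dict per well-formed line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5, max_success_rate: float = 0.5) -> dict:
    """Flag sources that try at least `min_accounts` distinct accounts within
    `window` with mostly failures. A legitimate user who mistypes hits one
    account, so the distinct-account count is the discriminating signal, not
    the failure count alone."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-source sliding window of events
    alerts = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:  # drop events older than the window
            q.popleft()
        accounts = {x["user"] for x in q}
        successes = [x["user"] for x in q if x["ok"]]
        if len(accounts) >= min_accounts and len(successes) / len(q) <= max_success_rate:
            alerts[e["ip"]] = {
                "accounts": len(accounts),
                "attempts": len(q),
                "successes": len(successes),
                # Accounts the burst actually logged into: reset and notify these first.
                "compromised": sorted(set(successes)),
                "first_seen": q[0]["ts"].isoformat(),
                "last_seen": e["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The per-source window catches the noisy case; a distributed campaign that spreads the same list over many addresses keeps each source under the threshold, so the same sliding-window logic is usually run a second time keyed on the account (failures from many sources against one user) or on a device fingerprint rather than the IP.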

 

Federated identity provision, in its simplest form, lets a user reuse a social provider login or an enterprise Software-as-a-Service (SaaS) login across services. This is a useful device for improving usability. Single Sign On (SSO) is sometimes combined with federated login for even easier resource access. Tokens are exchanged via the standard identity protocols: Security Assertion Markup Language (SAML), OpenID Connect (OIDC) and Open Authorisation (OAuth).
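The token the paragraph above refers to is only as trustworthy as the checks the relying party performs on it, and in OIDC those checks are well defined: signature, issuer, audience, expiry and the nonce that binds the token to the login attempt. The block below is an added example written for this page, not code from any identity provider or library the report mentions. The issuer URL, client id and shared secret are constructed placeholders, and HS256 is used so the example runs on the standard library alone; real providers normally sign with RS256 or ES256 and publish their keys through a JWKS endpoint, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed relying-party validation of an OpenID Connect ID token.
# Assumptions: placeholder issuer, client id and shared secret; HS256 instead
# of the RS256/ES256 that production IdPs normally use.
CLIENT_SECRET = b"constructed-shared-client-secret"
ISSUER = "https://idp.example"
CLIENT_ID = "rp-demo"


class TokenError(ValueError):
    """Raised for any token the relying party must reject."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """IdP side, for the demo only: HS256-signed JWT carrying `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, key: bytes = CLIENT_SECRET,
                      issuer: str = ISSUER, audience: str = CLIENT_ID,
                      now: Optional[int] = None, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable, else raise TokenError.
    Order matters: verify the signature before trusting any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token choose it (defeats 'alg: none' tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        raise TokenError("malformed payload")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise TokenError("wrong audience")
    if "azp" in claims and claims["azp"] != audience:
        raise TokenError("azp does not match client")
    if len(aud) > 1 and "azp" not in claims:
        raise TokenError("multiple audiences without azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] + leeway < now:
        raise TokenError("expired or missing exp")
    if isinstance(claims.get("iat"), int) and claims["iat"] - leeway > now:
        raise TokenError("issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")  # binds the token to this login attempt
    if not claims.get("sub"):
        raise TokenError("missing sub")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: int) -> Optional[str]:
    """Convenience wrapper: None if the token is accepted, else the reason."""
    try:
        validate_id_token(token, expected_nonce, now=now)
    except TokenError as err:
        return str(err)
    return None
```

The nonce is generated by the relying party when it redirects the user to the provider and stored in the session; checking it on the way back is what stops a captured token from being replayed into a different login.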

 

Federation of identity, or ‘identity reuse’, can provide a mechanism to reduce the burden of credential management and recall. However, federation has some implicit problems, chiefly which existing identity providers to support. The use of standard protocols such as OIDC allows easier onboarding of federated ID support. However, some existing ID systems, such as decentralised wallets (see later), may use proprietary standards.

 

The W3C project ‘Decentralised Identifiers (DIDs) v1.0’ is addressing this by developing the DID standard so that:

 

‘DID methods can also be developed for identifiers registered in federated or centralised identity management systems. Indeed, almost all types of identifier systems can add support for DIDs. This creates an interoperability bridge between the worlds of centralised, federated, and decentralised identifiers.’ 

 

The development of ‘hubs’, or an orchestration layer to handle protocol translation, onboarding and offboarding of relying parties and services, and federated identity providers (IDPs), offers a more versatile and manageable way to create federated identity networks.

 

However, federation in and of itself is not the answer to securing access. The whole system requires other components to verify and check access events. For example, verification of additional attributes may be required. Other checks, such as machine-learning-based User and Entity Behaviour Analytics (UEBA) and anti-money laundering (AML) checks, can also be used to augment identity networks that utilise federation.

 

API-sation of Identity

Cloud-based identity was hailed as the next big leap into more accessible identity systems. This is not untrue. However, a movement towards a more connected network of identity components is crystallising, driven by services and functionality made widely available through Application Programming Interfaces (APIs). Opening up functionality via an API provides the mechanism needed to easily connect important building blocks in identity services. The result is the development of several hubs and ‘identity (data) orchestration engines’ that sit at the heart of identity services. These hubs and engines bring disparate components together to facilitate use cases.

Some of the more mature orchestration engines offer a mechanism to connect disparate APIs to create ecosystems or ID networks based on industry needs and use cases. Identity (data) orchestration is typically controlled using rules that modify behaviour based on the relying party's needs. The data orchestration engines can fit a number of use cases in retail, banking, healthcare, and government, as they can draw on existing functions, including federation, open banking, verification services, behavioural monitoring, anti-fraud checking services, etc. The identity (data) orchestration engines are typically capable of protocol translation, so they can handle many types of existing identity providers to facilitate identity reuse.

ID networks have the potential to draw proprietary solutions, such as ID wallets, into a wider system. ‘Bridges’ or ‘hubs’ are being offered by a number of vendors as a method to orchestrate both traditional identity providers and DID-based self-sovereign wallets. This ability to offer user choice and federation of ID regardless of source is likely to be a unifying authority in a complicated ecosystem that requires an emphasis on user choice.

 

 

‘The API economy has driven advancement in this space in simplifying the transmission of data. And while there are still technological hurdles to integrating new fraud detection and authentication solutions, the challenge becomes more about how to leverage those solutions in a coherent manner. Aligning risk scores from a diverse set of niche solution providers can cause significant confusion for the business that is attempting to efficiently serve an increasingly demanding customer base with low friction and low risk. Having APIs to help with the transmission of data still doesn’t solve the need to ensure that the data is valid and authentic or that the person requesting that the data be shared is authorised to make that request. These become the new concerns in an ecosystem approach to data sharing and transmission.’ - David Britton, VP of Industry Solutions, Identity & Fraud Management at Experian

 

Governments Leading?

A wide variety of countries have tried, failed, or are planning to bring digital identity to citizens. 

 

The move to a digital government is largely dependent on a mechanism of identifying yourself in an assured manner. The government also has control over a number of identity documents, such as passports. The two should be symbiotic. However, the devil is always in the details.

 

Online government services are often the main touchpoint for consumers wishing to connect to local and national governments. These services can be crucial in delivering benefits and tax options. The level of assurance required to transact online with government services is a key requirement of these systems.

 

In the UK, this same requirement became a blocker to the smooth running of digital government identity. The UK Verify service was a vanguard service that shaped the ideology of digital government. The identities were provisioned by a number of UK brands, including the Post Office, Royal Mail, Experian, and Barclays Bank. The system was based on a SAML 2.0 ‘hub’ acting as a conduit to the citizens, allowing them to pick a brand to provide their government ID. The level of assurance started off as low (LOA1), allowing a small number of these brands to quickly onboard for the scheme. A second procurement was put out to market, but these new IDPs were required to start at an increased level (LOA2), eventually retrofitting to LOA1 as the project progressed. Issues with match rates plagued the project. To achieve LOA2, users had to be taken through fairly onerous steps to prove their identity, providing identity documents and being asked questions from a number of credit file agencies and aggregators at the back end of each IDP. Match rates were low, typically below 50%. Most IDPs left the scheme due to government funding issues, leaving only the Post Office and Digidentity to run the IDPs (note: the Post Office IDP technology is provided by Digidentity). Match rates for 2020 are around 45% of users successfully being issued an identity. Of the expected 25 million UK citizen signups, by February 2019 only 3.6 million people had successfully signed up for Verify.

 

A number of different approaches to digital identity for Government-to-Citizen (G2C) transactions are shaking out. Australia has launched MyGovID, a smartphone-based ID based on a granular point system (you can gather up to 100 points to prove your identity).

 

Card or wallet-based IDs remain popular in a number of EU countries, including Estonia, an innovator in the space. The Canadian government is also active and innovative in digital identity. The Digital ID & Authentication Council of Canada (DIACC), headed by Joni Brennan, formerly of the Kantara Initiative, is working toward an interoperable relationship between the public and private sectors to build a Canadian digital identification and authentication framework.

 


 

The US continues to battle with citizen acceptance of a federal identity scheme. This will play out in the coming years.

 

Citizen identity has the potential to create bridges between consumer and citizen identity. Schemes around borders and airports, such as WorldReach’s ‘Know Your Traveller’ app, have allowed the successful processing of most of the 3.1 million applications to the UK Home Office EU Settlement Scheme (EUSS).

 

Government use cases continue to drive certain aspects of the identity market and test the waters around high assurance IDs and consumer usability.

 

Anti-fraud and Seamless Online Transactions

By 2024, Juniper Research forecasts that fraud detection and prevention software spending will reach $10 billion, showing the importance of leveraging identity for fraud management.

 

Transaction decoupling from identity can offer an alternative way of delivering identity-driven services without the identity component. Consumers want to perform online tasks (e.g., buy goods, send money, and so on). They do not necessarily want or need a full-blown digital identity to do this. API-based orchestration of data could provide an answer. By removing the identity piece and replacing it with an on-the-fly presentation of specific required data, transactions could be made more secure from both ends of the transaction:

 

  • An existing identity account such as a bank can be reused

  • The service gets the data needed to perform the transaction (for example, by calling an Open Banking API)

  • The user may need to supply some additional attributes depending on the transaction and service needs, for example, an address, driver’s licence

  • These data have gone through a Know Your Customer (KYC)/Customer Due Diligence (CDD) process at the bank

  • These data can be checked using a third-party verification service (e.g., government checks, CRA, etc.)

  • AML checks can be performed on-the-fly

  • Nothing needs to be stored

  • Data can be tokenized

 

The driver of online fraud is pushing the market towards fewer online accounts and more data orchestration with checks facilitated by API-enablement of services. This should help improve security and usability.

 

Consumer Expectations: Ease of Use and Omnichannel Identity

 

As always, consumer uptake drives any scheme in the world of technology. Usability is a hot topic, especially in relation to diversity challenges in mass-adopted identity systems. All approaches to identity have an underlying need to build a great Customer Experience (CX). Diversity-in-identity groups such as Women in Identity (WID) are pushing for more consideration of diverse groups' coverage by ID schemes; WID pushes for ethnic minorities, women, disabled users, etc., to be considered during the design stage. This makes sense when you consider that bias often adversely affects technologies such as facial recognition. Additionally, issues for disabled users in complex verification journeys can lose that customer base. Having an omnichannel approach is a key driver for ID system uptake.

 

Trends driving the need for decentralised digital identity systems

User behaviour 

  • Need for seamless and ubiquitous authentication 

  • Preference for one single digital identity

  • Dissatisfaction with passwords and codes

  • Lowering rates of online transactions due to lack of trust 

  

Need for trust 

  • More complex and private transactions are taking place

  • Lack of trust in online businesses 

 

Privacy concerns 

  • If consumers feel their data is not protected, they will not transact online

  • In what way, where, and by whom is the information used?

  • Increasing privacy awareness in the digital-native population

 

Rise in technology 

  • Emerging technologies are improving ID management very effectively and quickly

  • Blockchain, Big data, Biometrics, Machine learning 

 

Cost reduction 

  • Digital identity systems are cheaper to run than physical ones

  • The use of a digital identity is already validated by a trusted third party