Last year was a complicated one for digital enterprise, with highlights and more bracing moments – and at the centre of that developing picture has been digital identity. On one hand, eCommerce is now forecast to reach a total value of $2 trillion by the end of 2019, a growth rate of 20% on the previous year. This has unfortunately come, however, with increased levels of cybercrime: there are now around 3 billion data breaches per year, bringing the total losses through digital services to $600 billion. What this does mean, though, is that as the headlines fill with the details of the latest hack, consumers are becoming more aware of the need to fight back and protect their data.
And, as public perception grows increasingly wary of social media networks with respect to privacy, there has been a growing recognition that more secure means of logging into online services are needed as standard. The shape of that future in digital identity was the focus of discussion at our seminar in Barcelona last month, The Future of Digital Identity: From Revolutionary Technologies to Social Acceptance. As the GSMA’s Global Head of Programme Delivery Richard Cockle pointed out, Facebook recently acknowledged that around 200 million Facebook accounts – over 10% of the global total – are not who they purport to be. And when 1 million of the 17 million identities stolen over a year in the US are children, the urgency of the matter is plain.
Operators have a range of assets to bring to the table in this fight, and the business case for doing so is increasingly clear. “No longer is this something operators have to convince their boards to take part in just for the sake of staying relevant,” Richard observed – “the actual commercial opportunities here are now widely understood.” User attributes – where they are, their account type and usual activity, and so on – are established tools to this end, but there are ever more ingenious and sophisticated options on offer. Increasingly important, for instance, is checking user attributes for consistency – one firm in the UK can now detect when the habitual keystrokes on a device are out of step with the approved user.
It’s innovations like that which allow digital identity to offer ways of working which don’t add complexity and disturbance to the process, but which protect it all the more effectively nonetheless. “If we’d been having this conversation five years ago, we’d be talking to users who wanted nothing ‘in the way’ of their digital services – they wanted these to be completely frictionless. But there’s now increasing desire to see these safeguards put in place: recent research shows 67% of people concerned about their online shopping, and 89% of them were happy to see a little more friction in place to help – now it’s up to us to establish how much friction they’ll tolerate.”
And the success of forums like ours in helping those conversations yield fruit is perhaps more important now than it’s ever been. Andy Tobin, European Managing Director at Evernym, went so far as to suggest that IoT should stand for ‘Identity of Things’, so crucial is reliable and efficient digital identity to the IoT’s ability to thrive and grow. Mr Tobin predicted that this will be achieved through increasingly decentralised means, as identity is verified between organisations on the go. “If every smart thing, every connected device, needed to phone home to some central server or database to verify users before it could be used, the IoT simply wouldn’t scale. But if those devices can know seamlessly that a user is allowed to control them, that’s a different matter.”
That means methods currently mysterious to many, though they may have heard of them – distributed ledger technologies (DLT) like blockchain, for instance – may soon become far more commonplace as demand grows not only for that efficiency, but for ownership, too. “There’s often misunderstanding here – self-sovereign identity doesn’t mean self-attesting identity. It doesn’t mean I can claim I’m the King of Spain – it means I have ownership of the credentials that verify who I really am, where today, like everyone else, I carry credentials issued to me by third parties. Digital credentials like that are what digital identity has been building towards all this time.”
Principal Program Manager at Microsoft Ankur Patel was clear that operators are the natural enablers of that decentralisation. “The world is already made up of multiple trust frameworks – but the way the world works now, with usernames and passwords, means that you only need to know one or two things and you get access to everything.”
What changes with decentralised solutions like DLT is that no-one can walk around with that digital skeleton key, regardless of how legitimately they came by it: users can instead be required to confirm any number of facts or attributes, on the spot, to prove their identities. “So it doesn’t have to go through everyone – it just has to work between two parties. Operators are the brokers of that in just about every scenario on the planet; you’re the gateway bringing end users and businesses together in the digital world, so if we can have you guys saying how the specifications can work and still be open, then these methods can really begin to scale.”
And what that means in practice, among other things, is that users will gain the control over their identities needed to parcel out aspects of them as they see fit. As CEO of Summit Tech Alido di Giovanni pointed out, this could include fractional identities whereby users can share aspects of their identity such as particular habits with connected devices, which can then act on their behalf, while retaining ownership of the whole. This could mean authorising a chatbot to control automated functions of a smart home by instructing it in a specific range of behaviours that allow it to fulfil that function, without enabling it to go beyond what is required.
“But it has to be frictionless,” warned Mr di Giovanni. “If we achieve that, we’re on the edge of this becoming reality at scale.” Evernym’s European Managing Director agreed: “2019 is the year decentralised identity comes to life – from pilots into production. Banks, governments, credit unions – we’re seeing millions of such credentials being realised as we speak.” If the demands made on users are not too great – if these innovations can be brought to them in such a way as to avoid distraction from or delay to the task at hand – those numbers are likely to grow rapidly in the years ahead.