Digital ID: A new approach

This article is a free excerpt from inCOMPLIANCE, ICA's bi-monthly, member exclusive magazine. To gain access to more articles like this, sign in to the Learning Hub or become a member of ICA.

Richard Elliot-Cooke examines the opportunities and challenges around implementing Digital IDs in the UK.

To repurpose a famous adage, identity “…is everywhere. It is all around us…You can see it when you look out your window or when you turn on your television. You can feel it when you go to work, when you go to church, when you pay your taxes.”

Many of us use dozens of bank accounts. As an individual, a parent and a co-founder of a small business, using multiple accounts is a necessity of day-to-day life. Some of the accounts I use were easy to open – probably because some financial institutions continue to rely on name, date of birth, and address data provided by credit bureaus to verify individuals. Others were exceedingly complicated to open, requiring me to submit multiple government-issued proofs of identity, extensive details about my business and undertake virtual biometric checks. One high street bank even asked me to send my passport in the mail – not a copy – which is where I drew the line.

That is just banking. I must also share varying details about my identity to book a flight, cross a border, drive a car, apply for a job, manage multiple gov.uk accounts, prove my right to work, rent a property, or vote. The list goes on.

So, having the ability to easily share verified data about myself – or my business – without having to fill out endless forms and continuously share copies of documents should be a game-changer. This is what the UK government’s digital ID promises to enable, but perhaps not in the way you’d expect. It will be federated, democratised, proportionate and voluntary.

Federated

Any universal form of ID in the UK, digital or otherwise, is a sensitive political issue. Therefore, a digital ID managed exclusively by the government is unlikely to gain much traction. Instead, the UK government has positioned itself as an orchestrator, setting out a ‘trust framework’ comprising a set of principles which must be met by public or private organisations that participate in verifying, storing or sharing identities.

Whilst government bodies will play a key role in digital ID (e.g. the DVLA issuing digital driving licences) there will not be a single centralised holder of identity data. The government will certify a multitude of public and private providers against its trust framework in order to verify, store and share data relating to digital IDs. The IDs will be stored principally on the devices of users, who will have to consent to share relevant aspects of their data according to the intended purpose.

Accordingly, a digital identity profile will not be established by a single provider, but instead built over time by a number of providers, depending on how and why it is used by the individual.

Democratised

Approximately 5% of the UK adult population do not have photo ID, which means approximately 2.4 million people do not have the typical ID documents required to prove their identity. To help address this, the UK government has set out to ensure that digital ID is accessible and inclusive for everyone. This includes enabling service providers to accept alternative forms of ID to help build a digital ID, such as through a ‘vouch’. A vouch can be provided by a person in a position of authority within a community, for example a nurse can vouch for a patient applying for a repeat prescription, or a schoolteacher can vouch for the age of a student.

This should enable individuals who would otherwise be excluded from digital ID to participate in the initiative. However, it also introduces complexity for organisations in understanding the origin of the data they are relying upon, and is at risk of abuse by individuals intent on circumventing more stringent controls.

Proportionate

The data that is shared by identity service providers must be proportionate to the intended purpose of the service they are providing to the individual. For instance, verifying someone’s age requires sharing a much narrower set of data attributes than verifying someone’s right to work. Service providers must only share data that is relevant and necessary to each particular use case.

This sounds straightforward in principle but will be technically difficult to implement. If all ID attributes are held securely on the individual’s device, then it may be down to the individual’s discretion as to which attributes they share with each provider. However, offering such discretion is likely to lead to prompt fatigue – akin to the impact of cookie banners when accessing a website – which could be taken advantage of by nefarious providers. Therefore, it may be necessary when vetting providers to carefully qualify which attributes are truly proportionate for the intended service, in order to better protect users.

Voluntary

Digital ID, as it is currently proposed, is entirely voluntary. It is also hard to perceive a time when it will become mandatory given the UK’s long history of rejecting any form of universal ID. However, if it eases friction in customer journeys, and individuals’ lives more generally, it is conceivable that adoption could become widespread.

Still, it is likely there will always be proportions of the population who do not want to adopt a digital ID, which means organisations will need to maintain alternative journeys that do not rely on such an ID. Similarly to the ongoing use of cash, continuing to have non-digital journeys in place for those who do not participate in the new approach could also leave the door open for criminals to exploit any potentially weaker controls.

Implementation and limitations

Whilst the trust framework has been developed, and a register of certified identity providers has been established, timelines for broader roll out and implementation of the digital ID are less clear. There are already some digital ID services being used widely (e.g. the Yoti app for proof of age) but enabling data to be shared readily and securely between identity providers is a more substantial hurdle to overcome. It is likely to be some time before I can digitally verify myself with a bank once, and then all other banks I want to utilise can also place reliance on this verification.

However, from a financial crime perspective this is certainly a goal worth working towards. Current identity checks are duplicative, inconsistent and sometimes insecure.

Whilst many banks have now adopted biometric identity checks – comprising provision of a photo ID combined with a selfie or liveness check – the accuracy of these checks is dependent on the software provider they have selected. Most organisations lack the capability to truly test the effectiveness of such services. This is because they rely primarily on ‘positive’ test cases, which give confidence a genuine individual’s identity can be verified successfully, rather than ‘negative’ test cases, which demonstrate more conclusively that a fraudulent individual’s identity cannot. This means that they have to trust that the software vendors have tuned their verification models effectively, which is difficult to demonstrate given that these models are typically based on machine learning algorithms. Sometimes these algorithms are developed by other third parties that the vendors have chosen to rely upon, which can make evidencing their soundness even harder.

Use of a standardised trust framework and the ability to share data between providers will help to ensure greater consistency of controls across the industry, as well as reducing friction. However, the same security challenges will exist and indeed become even more pertinent if providers place reliance on checks carried out by others. To give financial institutions confidence, identity verification providers will need to develop more transparent mechanisms for demonstrating that their verification models are accurate.

When financial institutions do start to adopt a more universal form of digital ID, they will need to demonstrate how they are meeting the inclusivity requirements alongside their digital journeys. This is likely to be difficult to navigate, as the requirements provide for mechanisms, such as vouching, which go beyond the current forms of non-standard documentation recommended by the Joint Money Laundering Steering Group (JMLSG). It has yet to be established which forms of verification financial institutions will be recommended, or required, to accept.

Looking ahead

Digital ID is likely to offer significant opportunities in the near future to reduce friction in identity verification as well as making it more robust and accessible. Time will tell how rapidly this goal can be achieved and what obstacles there might be along the way. With Australia and the EU already making progress in similar federated approaches, UK organisations may have some latitude to learn from their experience.

About the author

Richard Elliot-Cooke

Richard Elliot-Cooke is a Co-Founder of Malverde, specialists in technology for preventing fraud and financial crime: malverde.co.uk. He is also a Fellow of the ICA.