In the future, a digital ID may replace all your current forms of identification. At the same time, as we become more and more digital, trust issues are increasing. Is the future of ID centralized and managed by governments/financial institutions, or distributed and trust-less like blockchain? Which practical (technological) measures can be taken to increase digital trust between a company and its clients? How should security departments — which are expected to be the guardians or digital personas — adapt to these developments?
No one can accurately predict the future of digital ID, but some governments are moving towards digital forms of verification. The Estonian government, for example, supports e-identity where people can provide digital signatures with their ID-card, Mobile-ID or Smart-ID. This way, they can safely identify themselves and use e-services. The chip on the digital ID-card carries embedded files, and in combination with 2048-bit public key encryption, can be used as definitive proof of ID.
I-voting, e-prescription, and ePassports
Proof of identification is also included when logging into some bank accounts, voting online or getting digital prescriptions. Other personal admin tasks like checking medical records and submitting tax claims. Thanks to the ID-card, Estonia has one of the world’s most advanced digital signature systems which saves the average Estonian five days a year.
ePassports have also been issued to 30 countries according to Gemalto, the Dutch tech company behind the development biometric passports. ePassports contain a secure microprocessor that stores the user’s personal data together with a digital photograph, enabling digital facial recognition.
With 1,000 million ePassports in circulation since mid-2017, smart borders and airports are able to offer self-service airport facilities for passengers from check-in to immigration control and boarding. Schiphol airport, for example, offers an eGate facility enabling anyone over 16 with an ePassport to cross the border faster via automatic self-service checkout.
Financial services have also followed suit with digital ID, with many banks issuing mobile applications with Apple’s Touch ID as a form of verification.
Your digital self on the blockchain
However, a secure, blockchain-enabled decentralized identity for everyone on the internet may also become possible and this is what IBM hopes to achieve. The idea behind it is that identity owners have more control over their personal information and businesses can worry less about managing it.
Unfortunately, blockchain technology is still in its early stages and the biggest barrier to mass adoption may be its inability to scale, even though various new blockchains are trying to solve this problem.
Nevertheless, many businesses find blockchain technology appealing enough to explore.
Johan Koole, Product Owner Digital identity & access at ABN AMRO believes that “secure and flawless management of digital identities is key for banks working in the digital era. Therefore, ABN AMRO is continuously looking at options to further develop its identity provider capabilities for its clients, as well as the options to utilize blockchain as identity provider.”
As we wait for the future to reveal itself, there are some practical things that businesses can do to increase digital trust:
#1 Implementing two-factor authentication
Making sure that customers are who they say they are is a key part of digital trust. Otherwise, your products or services may be vulnerable to fraud. A popular solution that’s easy enough to implement is two-factor authentication (2FA). 2FA is a process that requires something that the user knows (first factor) and something that the user has (second factor) before successfully authenticating the user’s identity.
For instance, when withdrawing cash from an ATM, the user needs to have their PIN (first factor) but they also need to have their bank card (second factor). Therefore, if a hacker only gains access to one factor, it will not be enough for them to access the system, which makes it more secure.
The difficulty with the second factor, being something the user has, is that people basically need to carry it with them at all times. Mobile phones provided the solution, with the development of mobile phone 2FA. This works by sending a one-time password (OTP) to the phone, verifying that the user is indeed in possession of the phone (something in the user’s possession). Consequently, the user then has to input that password (something the user knows) into the system.
Phone number verification can be implemented when confirming user identity upon login, resetting passwords, and authenticating important changes to someone’s account.
#2 Educating your customers
Businesses should also take the responsibility to inform customers about how to prevent fraud from their account. Just as parents tell their kids not to just give out their home address to anyone so as not to invite burglars, businesses need to share how customers can keep their accounts safe. For example, as Touch ID is a common verification method to access mobile banking, users should be reminded to ensure that no one else’s fingerprint is registered on their device. Clear instructions on how to do this are helpful as well.
#3 Provide notification or alert options
Consumers need to be sure that no one else has access to their service. Companies can build this trust by sending notifications for important account activity. Emails confirming purchase and delivery, texts confirming a recent order has been fulfilled and notifications that a transaction has successfully gone through are all indicators of account activity. For example, every time you sign in to your email from a new device, Gmail gives a notification to your alternate email address. This gives the user the ability to monitor and act immediately when their account has been compromised, increasing trust in Google.
#4 Implementing common security measures
The last one may seem quite obvious, but security departments should keep up to date on implementing the latest patches to various security loopholes. They should also push for implementing an SSL certificate to make sure the connection between the user’s browser and the website is encrypted. Additionally, they can protect their site from spam and abuse by implementing reCAPTCHA, a free service offered by Google.