Europe’s big four telcos have formed a joint venture to create a digital identity solution, signaling that digital identities will be a key focus for many organizations in the months to come. It’s likely the finance industry, which has always evolved and grown in alignment with the demands and preferences of the consumer, will be a leader in this space. From the advent of the credit card, to the incorporation of payment methods into our watches and mobile phones, the way we bank and spend our money has always been at the forefront of innovation.
We’ve seen a huge rise in mobile and online services offered by the financial sector. But accessing funds and transacting through digital methods, whilst oftentimes more convenient, brings a whole new layer of security concerns. This has sparked a need for a seamless, end-to-end digital identity verification process. The mission to securely verify online identities has been on the agenda for years now, with lots of different methods tried and tested along the way. But one method likely to enter the mix and be a key theme throughout 2023 is the concept of decentralized identities.
What is a decentralized identity and why does it matter?
Digital identities – digital representations of one’s real self or of an organization online – have become an essential part of existing in the online world. In banking, digital identities allow financial institutions to verify identities without relying on face-to-face meetings or physical documentation, adding a layer of security that is essential for consumers. Digital identities so far have mainly been “centralized” – they’re generally managed by singular identity providers such as tech companies (Google, Facebook, Twitter, etc.) or by financial institutions like banks. In addition, digital identities are often not built with privacy in mind: when accessing online services and creating a digital identity, a user may not always be able to control how much of their personal information needs to be shared.
But there is another option, one that would re-envision the concept of a digital identity completely and give customers more control over the privacy of their personal data. Decentralized identity is a model of digital identity whereby a user can create, self-verify, and own a digital identity that is portable between relying parties. For example, after a customer verifies their identity with a bank, they would be provided with a verifiable credential from that bank, which would be stored in a digital wallet on the customer’s mobile device. When the customer onboards with a new bank, they would provide that credential along with a decentralized identifier (DID) that they use, and prove their ownership of both. The receiving bank would then check the validity of the credential on a shared ledger, i.e. a blockchain. The customer’s identity would thus need to be verified by only one bank, removing the need to disclose personal information to a number of different parties and reducing the risk of their data ending up in the wrong hands.
Frederik Mennes is Director of Product Management & Business Strategy at OneSpan.
It's still an emerging concept, but it’s one that’s already seeing some adoption from players in the fintech space, particularly those in crypto. Ethereum, for example, a blockchain-based platform best known for its cryptocurrency ether, offers decentralized identity accounts, meaning consumers can create as many accounts as they want without permission from anyone and without the need to store them in a central registry. There are some elements that need to be researched further, but decentralized identities would completely transform how we verify ourselves online going forward. The most important step to its adoption is underpinning it with robust and highly secure authentication methods.
Securing decentralized identities for mainstream use
Like any digital identification method, if decentralized identities are to be picked up by mainstream financial institutions then they will require stringent security protocols. When designing a shared log for identity verification, there may be an inclination to start with a minimum viable product that simply pools the personal information of customers together. The issue with this is that pooling the personally identifiable information (PII) of customers creates an attractive honeypot for attackers, and a point in the system design where information can be accidentally leaked. For a shared log to be suitable for use in identity verification, it’s imperative that it is designed using technical and organizational measures that ensure a level of security for customer data.
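The onboarding flow described earlier (issuing bank signs a credential, customer proves ownership of the DID, receiving bank checks a shared ledger) and the point above about keeping PII off the shared log can be sketched as follows. This is an added example, not code from the article or from any bank or vendor; the `did:example:` derivation, the in-memory `ledger` Map and all function names are assumptions made for illustration.

```javascript
// Added illustration: DIDs, names and the in-memory "ledger" are constructed.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const newKey = () => crypto.generateKeyPairSync("ed25519");
const pubPem = (k) => k.publicKey.export({ type: "spki", format: "pem" });
// Hypothetical DID scheme for this sketch: did:example:<hash of public key>
const didOf = (pem) => "did:example:" + sha256(pem).slice(0, 32);

// Shared log: credential hash -> { issuer, revoked }. No claim data or PII is stored.
const ledger = new Map();

// Issuing bank signs the credential and records only its hash on the ledger.
function issue(issuerKey, issuerDid, subjectDid, claim) {
  const body = JSON.stringify({ issuer: issuerDid, subject: subjectDid, claim });
  const sig = crypto.sign(null, Buffer.from(body), issuerKey.privateKey).toString("base64");
  ledger.set(sha256(body), { issuer: issuerDid, revoked: false });
  return { body, sig };
}

// Customer's wallet proves control of the DID by signing the verifier's fresh nonce.
function present(holderKey, credential, nonce) {
  const msg = Buffer.from(nonce + sha256(credential.body));
  const proof = crypto.sign(null, msg, holderKey.privateKey).toString("base64");
  return { credential, holderPub: pubPem(holderKey), proof };
}

// Receiving bank: issuer signature, DID ownership, then ledger status.
function verify(p, nonce, trustedIssuers) {
  const { body, sig } = p.credential;
  const { issuer, subject } = JSON.parse(body);
  const issuerPub = trustedIssuers[issuer];
  if (!issuerPub) return "untrusted issuer";
  if (!crypto.verify(null, Buffer.from(body), issuerPub, Buffer.from(sig, "base64")))
    return "bad issuer signature";
  if (didOf(p.holderPub) !== subject) return "holder key does not match subject DID";
  const msg = Buffer.from(nonce + sha256(body));
  if (!crypto.verify(null, msg, p.holderPub, Buffer.from(p.proof, "base64")))
    return "bad holder proof";
  const entry = ledger.get(sha256(body));
  if (!entry || entry.issuer !== issuer || entry.revoked) return "revoked or unknown on ledger";
  return "ok";
}

// Constructed demo: bank A issues to a customer, bank B verifies with a fresh nonce.
const demoIssuer = newKey(), demoHolder = newKey();
const demoCred = issue(demoIssuer, "did:example:bank-a", didOf(pubPem(demoHolder)), { kycVerified: true });
console.log(verify(present(demoHolder, demoCred, "nonce-1"), "nonce-1", { "did:example:bank-a": pubPem(demoIssuer) }));
```

Binding the holder's proof to a nonce chosen by the receiving bank is what stops a captured presentation from being replayed, and the ledger entry lets the issuing bank revoke a credential without publishing anything about the customer.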
In addition, banks have their own privacy concerns. Clearly, we shouldn’t design a system where banks can conduct surveillance on each other. In the design stage of a technology, we must consider how the benefits of transparency can solve new problems, while at the same time, finding acceptable levels of data confidentiality and privacy.
Ensuring that the privacy and security of customer information remain a priority is important, and this will likely require a mix of intelligent adaptive authentication methods, such as mobile apps, multifactor authentication, biometrics, PIN codes, etc. Leveraging these authentication tools and incorporating them into a decentralized identity setup can ensure that customers get the benefits of increased control over their data whilst still feeling confident that their information is safe from attackers. Decentralized identities likely represent the next step in how consumers manage their digital identities and transact with each other and organizations – making them secure is the foundation of mainstream acceptance.