Evolution of digital identity and mobile identity wallets: what’s next?
IN Groupe is a founder member of the Secure Identity Alliance (SIA), and a contributor to the Digital Identity Working Group that has released a whitepaper outlining future possibilities for trusted mobile identity authentication services. This paper shows how digital wallet technologies are already arriving in the world of remote and mobile identity management, breaking new ground, and doing the things that physical identity technologies cannot.
Now, the coming generation of digital wallet technologies promises more tools to accelerate growth towards a richer use of identity information, offering more trusted credentials, and all in a more user-protective way.
What do the next steps look like?
We live in a largely physical, and occasionally offline, world. This opens the question of whether wallets might also have a visible face: can the same credentials be used or represented in both the digital and the physical worlds? The rising use of QR codes is a good example. It shows how digital credential data might also be represented physically to bring physical and digital worlds together with a ‘phygital’ bridge, as was seen during the COVID-19 pandemic.
Digital identities and wallets – current landscape
As the SIA paper shows, services have adapted to growing digitization by offering users ways to apply for and access services online using mobile identity authentication. A good example is the case of the Faroe Islands’ national digitization program where conversion to digital is high and most use a dedicated mobile identity application. Social inclusion is ensured by the same functionality in a desktop option.
The success of digital use goes beyond online authentication tools. In India, for example, the national biometric digital ID system is used to make legally binding e-signatures available to 1.4 billion people. The change is also global: in the EU, the drive to a standardized set of eWallet functions is well underway, with a deadline of 2025 for the implementation of wallets at private citizen level.
The correct positioning of wallets at the center of use cases is important to the Extended Monaco program which aims to simplify the way that citizens, businesses, and administrations work together. This program includes multiple identity technologies – e-ID cards, PKI, biometrics, digital identity wallets, self-service kiosks – to build an eco-system that is secure, frictionless, and attractive to people and businesses. Here, the wallet’s mobile user interface provides an important user consent tool to bring home the idea of a user-centric identity.
The need for interoperable and scalable solutions
If single-use wallet applications have led to open wallets and interoperable wallet eco-systems, then we can expect an increase in identity data and trusted credentials to raise the bar for the different technical bricks in a wallet eco-system. Users may hold mobile phones, but there are issuers and verifiers to consider, and there is still a need for a trust layer, even if this is decentralized.
Some known technologies become more important for scale and capacity building because the road ahead is not only revolution, but evolution too. Proven technologies such as public key infrastructure (PKI) have been issuing identities and signing trusted credentials for a long time; they are here to play an eco-system role.
Identity solutions based on PKI are easy to scale to meet growing demands across use-cases. This can be seen in one of our service installations that issues 40 million digital identities in a week; that’s 2 billion in a year. Smart cards, too, continue to play a major role. They remain the most common source of trusted private PKI keys for users, so connecting these by mobile middleware to wallet eco-systems is a natural and scalable approach in the evolving technology roadmap.
Trusted identity verification
Getting users started with their wallets is a new issuance challenge. This can begin with a Foundational ID program such as that in India, where a biometric check can retrieve the identity information needed to create a digital identity. Or, in the Extended Monaco program, a powerful entry point to a digital wallet can be the possession of a trusted eID card credential, which may also act as the bearer of the wallet’s private key, or as a means to authenticate the core identity before creating a new wallet key. The PKI embedded in the eID card makes possible the identification and authentication of trust linked to a unique legal identity established by governments.
Where there is no pre-existing verification method, a traditional face-to-face check based on an ID document inspection and a visual biometric check using a document such as a passport is still the strongest method of assurance. Many countries require this to be done face-to-face to achieve sufficient status for the creation of a wallet identity.
Use-cases where this can be applied range from verifying document authenticity to grant citizenship to verifying professional identities and credentials that let individuals execute their daily tasks with ease. This not only prevents fraud but ensures that all individuals are able to exercise their rights with confidence.
Meeting privacy and compliance requirements
More identities, more data, more credentials, all mean more need for privacy and compliance. One path is that of Self-Sovereign Identity (SSI), which puts users in complete charge of their identity data by decentralizing this to the user’s local (usually mobile phone-based) wallet. This may work for some, but much more likely is a hybrid world that rests on a wallet architecture more complex than a user’s mobile device.
At the very least, this world would include the necessary back-up for users’ mobile wallets. After all, most users today already back up their mobile devices, so why not their identities?
Keep your wallet close, but your eco-system closer
From the issuer to the user, to the verifier, the chain of wallet components will need to explain and justify itself as private and compliant. Again, using known and proven bricks such as PKI, eSign solutions, and private key management from existing methods such as smart cards, is both practical and a reflection of what we already trust. Our objective is not to replace, but to grow.
The technology world is always on the look-out for unicorns, but when it comes to user-centric identity the more interesting mythical animal is the minotaur. Half human and half beast, the minotaur was adept at navigating the great maze in the palace of Knossos. The minotaur is half old, half new, and the best of both worlds.