Shauli Zacks
Published on: June 5, 2024
In today’s rapidly advancing digital landscape, the evolution of digital identities is transforming how we manage and protect our personal information. Nick Mothershaw, Chief Identity Strategist for the Open Identity Exchange (OIX), offers valuable insights into this dynamic field in an interview with SafetyDetectives. From the shift towards secure digital wallets to the standardization of credentials, these innovations promise enhanced security, user control, and efficiency. Mothershaw addresses common myths surrounding digital IDs, explains how user consent is managed, and shares exciting developments we can expect in the near future. His expertise sheds light on the promising future of digital identity and its impact on our everyday lives.
Can you introduce yourself and Open Identity Exchange (OIX), what is the focus of the company?
My name is Nick Mothershaw and I am the Chief Identity Strategist for the Open Identity Exchange (OIX), an influential not-for-profit membership organization that has a global focus. Our mission is to enable a universally trusted, reusable digital identity that works anywhere in the world for anyone that wants one.
Digital ID ‘wallets’ have emerged as the preferred method of storing, securing and managing these digital IDs. We are involved in moving the world to a place where a digital ID wallet works just like a regular wallet that holds a person’s payment cards. When they travel abroad, that wallet goes with them and the payment cards held inside that wallet work wherever they choose to use them. The same would happen with a digital ID wallet containing a person’s digital ID and credentials.
We recognise that digital ID is complex and can be confusing for members of the public, and the myths surrounding digital ID continue to increase their concerns about it. Our work also involves ensuring digital ID is accessible and inclusive, helping people understand what it is, how it will work, and why it will benefit them. That’s why we have created a series of short and simple videos to both provide better understanding in a clear and concise way, as well as help alleviate each concern around digital ID.
They help explain why digital IDs are safe and secure, what trust frameworks are and the valuable role they will play, how privacy will be protected, and why biometrics should not be a concern. We’re committed to providing more educational resources to combat these myths and inform the public.
What are the main benefits of having a digital ID?
Moving away from traditional paper or plastic forms of identity to a digital identity has numerous advantages.
Let’s begin with more security and control. Most people conduct much of their lives on their smartphone; take payments, for example. Placing identity information in the same way onto a phone means it is more secure and the user has more control over where their data is shared, as well as what data is shared. This is called data minimization. It means that people can systematically and legally ensure that no more data than is required for a transaction is actually shared.
For example, if a person wants to prove their age to buy alcohol from a store, they would show their driver’s license, which has a date of birth, address, and other information that is not necessary for that transaction. Digitally, that data can be ‘minimized’ so that only the data needed is displayed, in this case the age. And it will be trusted, because it comes from a reliable source.
Another benefit is the ability to more easily bring together various pieces of information that have been requested for a specific purpose. For example, for a job application where the applicant needs to prove they have the right education, the right employment skills, up to date background checks and they are who they say they are.
The idea with a digital ID wallet is that it would contain a person’s digitized credentials and should be able to bring all the required elements together digitally on behalf of the user then, with the user’s agreement, present it to the prospective employer or vetting agency. The whole process simplifies things significantly.
Reusability is a key benefit. At present, when individuals open a new bank account, engage with the government, or seek employment, they have to repeatedly prove who they are by scanning a driver’s license or a passport and provide various other documents that must be up to date. Various background and database checks are then carried out by those organisations to verify their existence in the real world.
Instead, a person would choose a digital ID provider through which they create a digital ID, and a digital wallet that holds all the required credentials. Whether it’s a passport to board a plane, a driver’s license to rent a car, or education and employment history to start a new job, it can be presented instantly to multiple organisations requesting the information, and it will be trusted immediately.
Can users control their personal information in digital ID systems, and how is their consent managed?
The user is always in control of their data. This is a crucial element of the rules within which digital ID providers must operate. These rules are set out by digital ID trust frameworks and digital ID providers must go through a rigorous process before they are certified through these frameworks. Digital ID providers are also required to ensure that users can manage their data through some form of digital ID wallet or holder service.
Organizations must be clear about the specific information they are requesting from a user, detailing the credentials it will come from. The user can then decide whether to share this information. With their agreement, the information would be shared with the requesting organization and a record of this transaction is kept for the user, showing them where their information has been shared. Users can review their sharing history and if they decide that they no longer want their information shared with a specific organization, they can withdraw their information from that organization. Any changes and updates to a user’s information, such as a change of address, can be made easily and verified, then pushed out only to those organisations they want to share their data with.
It is important to note that the user’s agreement to share data is always sought before information is shared.
What are some of the biggest myths that you’ve come across in the digital ID field and do you dispel them?
There are a number of myths surrounding digital ID among consumers that we have been working hard to dispel. One of the key myths is around privacy. There’s a belief that the organisations accessing all this information will be able to monitor what people are doing and then monetize that information. This myth is often exacerbated by the idea that governments delivering digital identities will be monitoring everything their citizens do, because every transaction goes through their digital identity system.
However, with a robust trust framework in place, this simply cannot happen. There are stringent rules and processes that mean that only the users can see and control their data. Providers cannot legally monetize or manage that data without the user’s agreement.
Another myth involves the use of biometrics. There is a belief that using biometrics, like facial recognition, for a transaction will enable ongoing and constant monitoring wherever that person then goes. That is not how biometrics in digital identity will be used.
A person’s biometric data is recorded to prove who they are and used on a ‘one-on-one’ match basis. The biometric relationship is strictly between a user and their identity provider, implemented in a secure way that adheres strictly to the trust framework that has been put in place. It cannot be used on a ‘one-to-many’ match basis, where a crowd is scanned for a face.
Fraud is another significant worry. People fear that if a fraudster gets hold of their digital ID wallet, they’ll have access to everything. Fraud will never be eliminated entirely as fraudsters will continue to find new ways in. However, digital ID can help reduce levels of fraud through the use of biometric authenticators, which are hard to spoof. For example, deepfakes have received significant attention in the media and have become a key concern among consumers. The reality, however, is that their ability to get through biometric engines designed to verify one-to-one matches is extremely low. An algorithm can spot flaws in a deepfake that the human eye might miss.
It is important that people understand the vital role that trust frameworks will play in protecting them. These have been put in place around digital identity across the globe. In the UK, this framework will be established by law. Trust frameworks will ensure that digital identities are managed properly and safely.
What innovations in digital ID should we expect to see in the near future?
Digital wallets are already the world’s leading payment method for e-commerce and point of sale retail, but will also become critical for digital ID and secure access. However, they will have to deliver many different types of credentials in a consistent format, so that they can work easily across both sectors and borders. For example, an educational credential should be recognizable whether it’s from a university or a high school, maintaining a standard that is readable and reliable at the other end. As such, there is significant work underway in the area of standardization.
The trust frameworks, that ensure all the key rules to protect each party involved are in place and strictly adhered to, are also expanding. They are moving from focusing solely on digital identity trust to broader frameworks that also encompass credential trust.
At the same time, we are seeing a need for and an emergence of what we are calling ‘smart agents’. Whoever is requesting information – employers, airlines, governments, or financial services – users will need help to understand which credentials, or parts of a credential, are needed, what’s missing and how to obtain them. These can be complex requests and users will need guidance through the process. Smart agents will assist users in fulfilling these requests seamlessly and efficiently by gathering the required credentials from the user’s wallet and handling the complex presentation of these credentials back to the organizations that have requested them.
Final words
There are already many countries where digital ID is a proven approach and used by businesses and the public – Denmark, the Nordics, Estonia, Singapore and India. But there are still many others where myths and concerns about digital ID persist. The good news is that they are being addressed in detail through various global initiatives that OIX is involved in to ensure that digital IDs are secure, trusted and work well for everyone across the globe.