The Identity Evolution: Human Beings, Being Human and the Identity Conundrum
When Descartes declared “I think, therefore I am” nearly four centuries ago, I don’t suppose he could have ever conceived that future scholars would be debating whether computers and AI could be classed as sentient, and what role they play in identity theft, credential stuffing and the synthesis of fake identities.
Yet when we debate the identity evolution over the past 10 years of digital transformation, it’s an inescapable question to pose. How do we define identity? Who owns and manages digital identities? How do we ensure that a person’s identity is both protected and preserved, while remaining dynamic and heterogeneous in the face of identity breaches, synthetic identity creation and evolutions in digital technology, and able to encompass diverse and non-static input signals?
Who Owns Identity?
There seems an obvious answer to this question. Of course, the owner of an identity is the person that it belongs to. But in a digital world that is evolving faster than the identities of the people it serves, the question becomes more complex.
A person’s digital identity is generally made up of the pieces of information that can be used to identify them. These can be pieces of Personally Identifiable Information (PII) such as name, address, telephone number and email address. It can also include physical identity documents such as passports, identity cards and driving licenses. But digital identities can also include many other groups of identity information such as:
- Physical biometrics data: face, voice, fingerprint and even gait analysis.
- Behavioral biometrics data: relating to how a person interacts with a device, what keys they press, and how they press, hold and swipe their phone, etc.
- Generic behavioral data: typical transaction patterns, payment thresholds, etc.
- Location data: general locations where a person transacts, work, home and foreign travel patterns.
In this context, do individuals entrust ownership of these pieces of identity data to the businesses they interact with? Are these pieces of information shareable across groups of trusted businesses? Should they be federated as one, easily transferrable digital identity that the consumer owns and manages? And when an identity is breached or stolen, can parts of an identity be preserved without tainting the reliability of the whole?
What’s clear is that in the context of digital identities, the concept of a single, uniform identity is neither realistic nor helpful. While digital identities need to be reliable, they must also be dynamic, with the ability to incorporate new and up-to-date attributes, behavioral patterns and markers that can support identity recovery in the case of breach or theft. From an awareness and education perspective, democratizing this information more widely across your customer base will also help users understand how, and why, their digital identity data is so important.
These questions are ones that many government agencies are currently grappling with as federated digital identity schemes gain traction globally. How can governments leverage the full spectrum of digital technologies (blockchain, QR codes, biometrics and digital apps, for example) to help their citizens better control how and when their identity data is shared?
Take the case of India, for example. Its national identity database, Aadhaar, was breached in 2018, exposing some of the names, address details, email addresses and phone numbers of almost every Indian citizen. Synthetic identities could therefore be assembled, Frankenstein’s-monster style, from pieces of multiple digital identities for use across the digital ecosystem, destabilizing the integrity of the national scheme. Making digital identities static and irrefutable is neither possible nor desirable.
Who Defines Identity?
On the face of it, perhaps a more philosophical question, but an interesting one to consider in the context of digital identity verification and identity and access management (IAM).
If we take the pieces of information that we identified earlier in this article as our blueprint, it would be a good starting point. But look again. So many of these pieces of information are now being used every day by fraudsters and automated machines to create near-perfect replicas of humans at scale.
Consider the case of deep fakes: realistic enough to fool the canniest of observers, and likely to form an ever-increasing segment of account takeovers, business email compromise and insider fraud. Skeleton keys of a person’s fingerprint have successfully fooled biometric verification, as have 3D prints of people’s faces and computer-generated voice replicas. Physical biometric tokens are neither fool-proof nor unique to a user.
From just a couple of use cases, we’ve shown that individual identity attributes are not wholly reliable definitions of their owners.
Who, then, defines identity? Should it be the individual business that the user is transacting with, controlling identity verification dynamically in the context of every unique digital journey the user makes? Certainly, any business that owns a know your customer (KYC) process must adhere to strict criteria around what satisfies the validation of a customer identity. But beyond mandated regulations, how can the owner of the identity be an active participant in this dynamic exchange, and can they decide what level of information they share, even if it means creating a digital interaction that has more friction, in the form of an additional authentication check?
What’s interesting is that, again, we return to the theme that user identity is neither static nor necessarily the same for each user. It must be dynamic, adaptable, tailored and real time, to accommodate both the many different digital scenarios and the very many different users who perform those transactions.
Who Manages Identity?
Whenever we part with elements of our identity data in a digital context, we are entrusting the business or service we interact with to manage that data safely, securely and with integrity. This doesn’t always happen, as we know from the very many data breaches that have occurred as the result of lax security, insider fraud or defenses that are not fit for purpose.
Privacy and security concerns are being forced to the top of the agenda, however, with the evolution of global regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Businesses are under the spotlight to ensure that the way they store and process consumer data is secure, private, transparent and better controlled by the consumer themselves.
GDPR, for example, grants the right to be forgotten, essentially the removal of a person’s data from an online database. How could, and should, this affect any federated identity schemes? How do businesses make this simple for consumers to control and execute in scenarios where they wish to terminate a relationship with a particular provider? And how does this also help fraudsters who are submitting the same right to be forgotten requests?
Meanwhile, in what contexts should it be acceptable to share information relating to a user? And how can this be done in a private and secure way? New Privacy Enhancing Technologies (PETs) such as Homomorphic and Polymorphic Encryption are game changers when it comes to sharing intelligence relating to a user.
Homomorphic Encryption facilitates a scenario in which the data controller does not need to trust the party receiving the encrypted data. That party can process or analyse the data without ever decrypting it, which removes the risk of exposing the underlying PII when sharing data intelligence.
Polymorphic Encryption allows different parts of a dataset to be shared with different parties, i.e., the encryption and decryption pair can change every time they are used.
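To make the homomorphic encryption scenario concrete, here is an added, self-contained example (not code from the original article) using a toy Paillier scheme: a data controller encrypts per-customer fraud signals, an analytics partner holding only the public key computes a weighted risk total on the ciphertexts, and the controller decrypts the result. The primes, the partners, the signals and the weights are all constructed for illustration.

```python
"""Toy Paillier (additively homomorphic) demo. The analytics partner never
holds the private key, yet can aggregate encrypted fraud signals.
Constructed example: the primes are far too small for real-world use."""
import math
import secrets

# Constructed key material; real deployments use primes of ~1024 bits each.
P, Q = 1_000_000_007, 1_000_000_009

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # lam^-1 mod n
    return (n, n + 1), (n, lam, mu)                      # (public, private)

def encrypt(pub, m):
    n, g = pub
    n2 = n * n
    while True:                                          # random r coprime to n
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(priv, c):
    n, lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n                       # L(u) * mu mod n

def add_encrypted(pub, c1, c2):
    n, _ = pub
    return (c1 * c2) % (n * n)       # ciphertext product == plaintext sum

def scale_encrypted(pub, c, k):
    n, _ = pub
    return pow(c, k, n * n)          # ciphertext power == plaintext times k

def shared_risk_score(signals, weights):
    """Controller encrypts; partner aggregates blindly; controller decrypts."""
    pub, priv = keygen()
    cts = [encrypt(pub, s) for s in signals]             # controller side
    acc = encrypt(pub, 0)                                # partner side: public key only
    for c, w in zip(cts, weights):
        acc = add_encrypted(pub, acc, scale_encrypted(pub, c, w))
    return decrypt(priv, acc)                            # controller side

if __name__ == "__main__":
    # Constructed sample: four 0/1 fraud signals, each weighted by confidence.
    print(shared_risk_score([1, 0, 1, 1], [3, 5, 2, 4]))  # 3 + 0 + 2 + 4 = 9
```

Note that the partner sees only ciphertexts that change on every encryption, so it learns neither the individual signals nor the final score.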
Identity as Code?
How, then, can businesses navigate this complex maelstrom of digital identity verification and access management without risking the privacy, satisfaction or integrity of their customers and their data?
How can businesses better automate and dynamically control identity verification in the context of live digital journeys? What opportunities exist to create identity as code, sharing identity standards across both internal business departments and potentially to external parties? In many ways, this presents the most robust opportunity for digital businesses to continually update, tailor, verify and authenticate user interactions in the context of the information they know about them.
How then should businesses build customer-first identity strategies that are future proofed to prioritize private, secure and holistic management of customer identities?
Here are some key principles to consider in the context of digital identity creation and management.
Key Identity Principles
- Use machine learning to create typical user patterns and profiles relating to digital identity. Ensure these can filter out outliers and update dynamically in real time.
- Leverage AI to better differentiate real and fake identity markers.
- Prioritize a single view of your customers across every digital journey they take, and across every business unit that they interact with.
- Ensure that data relating to a user’s identity is collected holistically across an online journey rather than during point-in-time interactions, to build a more complete picture of their digital identity.
- Ensure that sharing intelligence relating to fraud, trust and risk does not come at the expense of user privacy. Deploy PETs to protect the integrity of PII data.
- Create the ability to dynamically tailor online journeys according to the trust or risk of the identity of the connecting user. This helps to streamline access for good users, while serving risky users, or those displaying an anomalous digital identity, with additional verification or authentication protocols.
Future-gazing to the next five years is an exciting prospect for the evolution of identity. It feels inevitable that users will have more control over how and when they share elements of their identity data. Will we control identity tokens that we can share privately at a time of our choosing? Perhaps we will be able to dynamically update biometric, physical or digital identity data ourselves. What is also clear, however, is that the businesses we entrust with identity data must use it privately, securely and passively, without unnecessary intrusion and across all digital touch points, so that as consumers we have the best possible online experiences.