Overcoming industry obstacles for decentralized digital identities
In this Help Net Security interview, Eve Maler, CTO at ForgeRock, talks about how digital identities continue to play a critical role in how we access online services securely. Maler also highlights the challenges encountered by various industries in implementing decentralized digital identities.
What challenges do decentralized digital identity systems face, and how can they be overcome?
Decentralized identity is a nascent area, and we’re at an exciting moment in time where decentralized digital identities are gaining traction across various industries. The biggest challenge decentralized digital identity systems face is adoption, as it introduces system complexity and requires changes to the inner workings of both service providers and specialized identity providers as well as changing user experiences.
It also requires rethinking an organization’s relationship with personal data and ability to mine that data. We can expect to see greater adoption when both organizations and end users realign on new ways to create insightful and personalized services that nonetheless offer meaningful personal control of data.
Can you provide examples of successful implementation of decentralized digital identity systems in real-world scenarios?
We’re starting to see a few use cases in the real world. One of the strongest examples of implementation of decentralized digital identity systems is the mobile driver’s license (mDL) movement in the US. For context, an mDL is a driver license (or ID card) stored in secure digital form on a mobile device with the capability to be queried in real time in a privacy-sensitive fashion.
It is composed of the same data elements that are used to produce a physical driver license and can be read by an electronic reader. One of the reasons the mDL movement is gaining steam is that its interactions are defined by a purpose-built set of standards, which promotes interoperability between systems even in different US states.
In the EU, we’re seeing progress in comprehensive planning for digital identity wallets for initiatives like the cross-border movement of people. There are also more targeted use cases – such as in a healthcare or retail organization – where people can use mobile applications that have been enabled to function as digital wallets, so that they can supply personal information relevant to those contexts.
The deployments to date are not sizable, but they’re helping to drive speed and accuracy in key verticals. We’ll see more of these use cases emerge over the coming years.
How do emerging technologies like AI, machine learning, and blockchain enable decentralized digital identities?
Let’s start with blockchain. The original name for the research that led to decentralized identity was known as “blockchain identity.” A blockchain or distributed ledger is a key technology, though not a strictly required one, in helping services use “verifiable credentials” that a user chooses to share out of their digital wallet. These credentials are secured packages of data that were each placed in the wallet – issued – by some authoritative source.
For instance, the Department of Motor Vehicles (DMV) may be the issuer of a credential saying you have a license to drive. The credential is not stored on a blockchain, but the verifying service can refer to a “verifiable data registry” typically stored on a blockchain to authenticate its issuer. So what does go onto a blockchain is only information about who issued it. The blockchain serves as a public record of who is issuing what types of credentials.
As wallet technologies continue to emerge, artificial intelligence (AI) and machine learning (ML) will play a critical role in smart authentication. The digital wallet knows who users are and users can unlock a digital wallet with on-device biometrics such as Face ID. This can support amazing passwordless experiences by improving on magic links.
However, security of that wallet technology and ensuring that the right person is using it – the wallet-to-user binding – then becomes really important. After all, once a phone is unlocked, it can be used by others, and it’s possible to register multiple people’s fingerprints when that is the unlock method. AI can be useful in detecting, silently, that the “wrong user” is using a wallet because they behave differently. Any passwordless method of authentication benefits from additional layers of AI checking in this fashion. AI will play a pivotal role the more digitized we get. It provides finer-grained authentication in a way that isn’t onerous for the user.
In what ways do you think decentralized digital identities will transform traditional identity verification and authentication systems?
If an end user can offer services data that’s been pre-checked by an authoritative issuer and then stored in their wallet securely, the entire process of identity verification that they usually go through when trying to register for a service can be decoupled from that experience.
People will be able to get a credential one day – and then, the next day or week or year, be able to convincingly tell a service provider that they’ve already been proven to be old enough, or that they have a license to drive, or what have you. And as mentioned, users may be able to authenticate in an entirely passwordless fashion by unlocking their wallet and sharing what needs to be known about them.
In this way, the decentralized approach can strengthen the quality and improve the experience of passwordless authentication even beyond what’s already possible today, ensuring we don’t have to compromise. Relying on biometric device unlocking is particularly powerful for improving privacy as well. Traditional passwords are too weak, outdated, and ineffective; wallet-based credentials can help users get one step closer to a world where they never have to log in again, or even register for an account again.
What are the key factors to consider when designing a decentralized digital identity system that is both secure and user-friendly?
A secure and user-friendly experience is critical for making decentralized identity a success. My first piece of advice is to ensure that the experience is seamless and is respectful when asking for information.
Once organizations have a larger quantity of verifiably true data at their disposal through credentials, they need to ensure it’s being infused correctly into their IT infrastructure. My second recommendation is to use mature identity and access management (IAM) systems for ensuring a unified approach to using and securing this data, and orchestration to ensure correct data flows and user journeys.
Third, ensure that the parts of the decentralized identity systems that have to do with security and privacy are robustly implemented, so that the promises made by decentralized identity today can be realized. The standards for decentralized identity and wallets define a way to let the holder of the wallet revoke their permissions for data use. It’s important for organizations in this case to do the right thing and be prepared if revocation happens.
Finally, the digital wallet landscape is very noisy and complex right now, so it’s important to be flexible about interacting with identity wallets. Standards come into play here to ensure that major digital wallet players, as well as more niche speciality providers, interoperate with services in the issuer and verifier roles as seamlessly as possible.
With the rise of data privacy regulations like GDPR and CCPA, how do decentralized digital identity systems ensure compliance with these laws?
It’s important to note that being compliant doesn’t necessarily guarantee security or privacy. That said, a key idea behind decentralized digital identity systems is to take away the possibility of being non-compliant by minimizing service exposure to personal data. We don’t yet know if that is true; experience from large-scale production deployments will be needed to see how it all plays out.
What are some of the potential risks associated with the widespread adoption of decentralized digital identities, and how can they be mitigated?
Incorrect – or bad-faith – implementation of the standards and flows is a risk. What if some of these services are asking for personal data in the form of credentials, holding it for a long time, and not respecting revocation instructions? This could create many more copies of high-quality data in many more repositories than before.
If things go right, the idea is to minimize the footprint of people’s personal data. If things go wrong, we could maximize it. Digital identity wallets attempt to decentralize identity information, that is, literally to put that data “on the edge” in the form of individuals’ wallets. At some point, that data has to make its way into the center of enterprises so they can do their job. What happens to the data at that point is the real risk.