Margo Stephen, Head of Digital ID, Australia Post | Wednesday, April 27, 2022
Trusted interactions are key to well-functioning digital economies. Across the globe, we’ve seen the emergence of national digital identity programs, aiming to establish this trust. Such schemes are generally created with the intention of facilitating trusted interactions between individuals and relying parties (for goods and services); however, these trusted digital identities can also be used within organizations to improve both security and user experience.
A digital identity is a digital representation of verified attributes and credentials that can be used to transact online. Generally housed on a smartphone and based on a range of evidence types checked against authoritative sources that may include biometric matches and liveness tests, digital identities increase assurance that someone is who they claim to be.
When combined with organizations’ identity and access management (IAM) systems, a trusted digital identity can increase security and reduce risks associated with usernames and passwords and at the same time offer a consistent and frictionless user interaction.
This interaction of digital identities with IAM is illustrated in the diagram below. My digital identity confirms who I am. When used with IAM, it specifies my persona within an organization-specific context. The IAM system manages what I can do within the organization.
As an individual, I can have multiple personas when dealing with different organizations or even within the same organization, but my “identity” always remains the same. For example, I access my bank account online as a customer (persona), but as an employee (persona) of the same bank, I need access to different systems to perform my job. In both cases, who I am (my identity) does not change, but in the context of the bank, each persona has different permissions.
For individuals, the real power of a digital identity is a simple, trusted, and consistent interaction to prove identity regardless of which organization they are dealing with. In the bank example, my digital identity can be used to interact with the bank, removing the need for a separate customer identifier and employee identifier. Likewise, my digital identity can be used to interact with my university as a student or with my local government as a resident.
Only information relevant to a specific interaction needs to be requested and shared with express consent, putting the individual in control of their identity information. This not only enhances trust but also reduces organizations’ storage and management of personally identifiable information (PII). As a customer purchasing alcohol online, I can share an “18+” attribute to prove my age, rather than my exact date of birth, protecting my sensitive personal information.
For organizations, once the relationship has been established between digital identity and permissions, the digital identity can subsequently be used as a high-assurance, password-less authentication factor. It can also be used as part of organizational workflows to verify that the person with relevant authority is, in fact, the individual performing specific tasks like approving spend or electronically signing a contract.
Used as part of employee onboarding, a digital identity can confirm identity, but also qualifications or entitlements, like a police check or a forklift license. A digital employee credential linked to the digital identity could replace physical ID cards and be scanned to access buildings. These could also be combined with real-time biometric checks for higher risk interactions like entering high-security areas. All provisioning and lifecycle management becomes completely online, removing the need to manage plastic cards.
As digital identity programs continue to evolve and grow in popularity, there is an opportunity for IAM providers and organizations to consider how they can leverage trusted digital identities to improve both security and experience. This requires thinking about identity interactions more broadly than today. Rather than optimizing for and within a single organizational context, organizations must consider unifying the identity experience across ecosystems with the individual at the core, enabling multiple personas to interact seamlessly with multiple services, all using a single, trusted digital identity.