The ever-evolving shift to digital means that most of our day-to-day activities are carried out online. We’re now accustomed to simply toggling through a few apps to book a ride, order dinner and scroll through content from friends and public figures alike. Each of these actions requires a basic premise of trust and safety online which starts with identities needing to be verified and authenticated.
But creating an identity layer wasn’t imperative for the creators of the internet as they didn’t predict the emergence of online platforms that facilitate people-to-people interaction.
The digital presences most of us have are based on browsing or consumer habits and are siloed within various accounts and social networks. Indeed, they don’t present an accurate picture of our unique identifiers and who we are.
Building an identity layer is complex
Establishing a verified digital identity is a complex process. Authenticating that a person performing an action online is who they say they are, and then validating that they exist is tedious for two major reasons.
Firstly, digital identification procedures require checking in with conventional and alternative data sources and identity tools that are scattered across many different channels and providers. Secondly, identification verification procedures are not uniform across the globe – identity infrastructure, technological capabilities, data normalization and privacy policies vary from country to country and sometimes even state by state.
Additionally, individuals around the world have unique attributes that are dependent upon things like jurisdiction, use cases and other factors. This further illustrates why building an identity layer that comprises a robust network of tools and data points is extremely difficult.
Sophisticated threats and shifting perceptions on digital identity
Mass reliance on mobile devices has opened the possibility of tapping into non-traditional data that can be examined and parsed through with machine learning and artificial intelligence. Without even realizing it, things like typing speed, location data and other behavioral biometric factors can help verify and authenticate a person digitally.
If entities are taking a privacy-centric approach in handling this data, they can detect fraud signals to identify a malicious actor and prevent them from inflicting harm.
While biometric attributes are difficult to replicate, there are identifiers that can be easily stolen and exploited by bad actors. Synthetic identity fraud is an insidious practice in which fraudsters combine real and fake information, like inventing a first and last name but combining it with a real social insurance number to apply for a loan. With poor or no identity verification procedures in place, a bad actor can perpetrate financial crimes or launder money without detection.
Sophisticated security threats like synthetic identity fraud and data breaches have made individuals understand the need for reliably and securely establishing a digital identity. In a recent survey conducted in April 2021 by polling 3,000 people living in the U.S., U.K. and China, 80% of respondents indicated that companies need to help reduce cybercrime by introducing effective identity verification. What’s more, three-quarters of the participants said they felt at greater risk from online fraud than a year ago, pointing to the indelible effects the COVID-19 pandemic has had on how people feel about their digital presence and safety online.
Merging security and digital identity
The pandemic has generated almost daily headlines about new scams and fraud perpetrated by bad actors and criminals. From people impersonating government officials asking for banking information to deposit alleged government grants to the creation of fake vaccine cards, there has been a flurry of new threat vectors exploited by fraudsters.
With heightened awareness around frauds and scams, data privacy rights are top of mind, emboldening individuals to be better informed regarding the data collected about them and take more ownership of their digital identity.
Governments have been introducing a variety of privacy protection regulations, such as the GDPR in Europe. Not only are there huge potential fines for non-compliance, breaches or lapses in protecting personally identifiable information (PII) erode trust and confidence in online services.
A uniform digital identity network would support data minimization, that is, ensuring only the sensitive information needed for a specific interaction would be accessed securely by a third party with our authorization. And importantly, it would free the siloed identities we have across online services by making our digital identity portable and applicable to every interaction and transaction.
Without an identity layer on the internet, we exist online as mere account holders that are bound to the terms and conditions of the social media services and platforms we belong to. Most importantly, this would help to preserve the trust and safety that is so vital to the digital interactions we participate in every day.
This article first appeared in Help Net Security.