The Digital Identity Dilemma

On the one hand, the problem seems obvious. We all need some kind of consistent digital identity (think virtual ID “card”) that can identify and authenticate us not only to all our devices, but to all our online services, commerce and banking accounts, and essentially anywhere where we need to digitally, or even physically, verify who we are.

Actually solving that problem, it turns out, is pretty hard. For one, any kind of digital identity solution needs to be platform and device independent. Sure, it’s fine to be able to swipe into your phone with a fingerprint reader, but most people own more than just a smartphone, for example and, in many cases, they run different on different platforms.

Plus, merely logging into the device doesn’t transfer your credentials to all the password-protected websites you use, services you log into, etc. Sure, there’s been some useful improvement in this area over the last few years, but we’re still a long way from the nirvana of a what I like to call a portable digital identity.

Think of a portable digital identity as something akin to a digital passport that could not only identify you to known locations, but unknown situations as well. Want to be able to get immediate access to your Spotify account while using grandma’s PC? As long as she has internet access, no problem.

One of the most obvious benefits of this type of digital ID would be the eventual abolition (at least, in theory!) of passwords. We all know how horrendously broken the concept is and the amount of money, time and effort wasted—not to mention the incredible amount of frustration they regularly generate—is now measured in extraordinarily large numbers, both for individuals and companies.

Recently, there have been a number of important steps made toward achieving more universal digital identities. Key among them is the work done by industry organization the FIDO Alliance, whose members include Microsoft, Google, Intel, Qualcomm and Samsung, among many others, but noticeably lacks Apple. Last fall, the organization submitted their FIDO 2.0 Web APIs to the W3C internet standards body as part of an effort to allow digital identity and authentication credentials to be passed from device to device and device to website.

Essentially, this will enable people to leverage technologies like biometrics—using fingerprints, face recognition, iris scanning (like on Samsung’s new Galaxy Note 7), and more—to not only identify you to the local device, but to other devices as well. Even better, it will enable apps, websites and other services to seamlessly recognize you via that same identity verification. Once it’s widely adopted, this could be the ultimate “friction-removing” technology. These Web APIs should be able to dramatically change how quickly and easily we use web services, make online transactions, and much more, all while dramatically decreasing the potential for fraud and identity theft.[pullquote]The Fido 2.0 Web APIs should be able to dramatically change how quickly and easily we use web services, make online transactions, and much more, all while dramatically decreasing the potential for fraud and identity theft.[/pullquote]

Microsoft provided an early version of support for these standards in the enhanced version of Windows Hello that’s built into the new Anniversary Update of Windows 10. In fact, Microsoft is supporting what they call the Windows Hello Companion Device Framework to allow external devices, such as wearables or other Bluetooth-equipped devices with biometric sensors, to enable biometric security not only to devices that don’t have it, but to extend that level of verification to any sites or services which support FIDO 2.0.

Of course, the security questions about how this all works and how effective it will really be in the real world have been debated quite a bit. While it’s impossible to say that it’s hack-proof, the good news is that the entire effort has been built with worst-case scenarios in mind.

The technology used to enable the security can be very complex, but there are a few basic concepts worth mentioning. To start, all these efforts begin with a hardware root of trust on any end user device, such as a TPM (Trusted Platform Module), or some other kind of digital security chip, that is physically isolated from the main processor and OS. Leveraging virtualization or similar software isolation technologies, the information used to identify and verify you is encrypted and kept separate from main memory, making it extremely difficult to get access to. In fact, in most situations, it would require physically tapping into the device, which greatly reduces the risk threat in most situations. Plus, that identifying information isn’t directly passed along, but instead is only used to start the process of verification.

The net result is that highly personal biometric information is not only extremely hard to acquire, but can’t be used to directly tap into an account in the same way that a stolen password potentially can.

Even with all these efforts, we’re several steps away from a truly standardized, universal digital identity, but it’s clear that we’re much closer to the goal than even just a year ago. By later 2016 or early 2017, the W3C is likely to approve the FIDO 2.0 Web APIs and that’s bound to create some strong momentum around these extremely important standards. Your portable digital identity is nearly here….

Published by

Bob O'Donnell

Bob O’Donnell is the president and chief analyst of TECHnalysis Research, LLC a technology consulting and market research firm that provides strategic consulting and market research services to the technology industry and professional financial community. You can follow him on Twitter @bobodtech.

8 thoughts on “The Digital Identity Dilemma”

  1. I’m wondering if there aren’t 2 sides to the issue:

    1- a technical side. ID/authentification is evolving fast: biometrics, SSO right around the corner (has it has been for the last 10+ years), encryption and security…

    2- a regulatory side. As you say, this is about digital ID. The government is in charge of analog IDs, shouldn’t it be in charge of digital IDs and maybe linked services (payment info, etc..). The current situation of tens if not hundreds private companies holding our data with total disregard (or incompetent regard) for its safety isn’t satisfactory. Can rules and regulations (and penalties) be enough (assuming they are feasible), or does the government need to provide ID services as a public service ?

  2. Take a look at Sweden’s Bank-ID system.
    The biggest banks teamed up to create an universal electronic-ID, available on both computers and mobile. Even the government trusts this ID, and with the one Bank-ID token in my phone I can authenticate to all the banks I use, do the taxes, read my hospital records, check my childrens progress in school, etc

  3. Great points in a great article but I’m wondering what happens when someone hacks our biometrics? If someone gets their hands on another person’s fingerprints, they can’t exactly change all their fingers to get up and running again. Maybe the answer is a continual verification system that recognizes our unique signatures, like vocal tones and patterns and keystrokes and will log someone out if they are inactive but the program immediately opens again once they resume activity?

Leave a Reply

Your email address will not be published. Required fields are marked *