News

Prof. Fridgen on the Impact of Decentralised Digital Identities

  • Interdisciplinary Centre for Security, Reliability and Trust (SnT)
    26 January 2023
  • Category
    Research

In the future, digital identities will fundamentally change how we interact with online services. Doing a shopping tour in the city and visiting various stores is something we know well from the ‘analogue’ world. However, when the same scenario transfers online it suddenly becomes a cumbersome task. You need accounts for each and every shop that contain your personal information, such as delivery address or credit card. With a digital identity, entering different online shops through one single account will be possible, replicating that analogue shopping experience. 

Author: Prof. Gilbert Fridgen, PayPal-FNR PEARL Chair in Digital Financial Services, head of the FINATRAX (Digital Financial Services and Cross-Organisational Digital Transformations) research group.

Decentralised digital identities are the only solution to digital identity management that promotes democracy and freedom. With this approach, users are the only ones who have full access to their identity information and can choose what to disclose. Recent innovations can enable high security and high privacy standards at the same time. The European Commission is on the right path to adopt decentralised digital identities in their eIDAS 2.0 regulation.

We are not there yet though. Today, the way of doing things is called fragmented identity management. Fragmented identity management means having your own account for each separate online service, and we all experience how inconvenient this is. People choose between remembering each password or using a password manager. Too often this results in choosing to reuse passwords, which is a security nightmare. The challenge is to unify all these accounts in a secure way. Ultimately, you want to have a single credential to access all services – a digital identity.

How that unified digital identity comes to be is now the question we must address. With federated identity management, digital identities are centralised by a private company or a government that offers one single account. For example, Facebook or Google offer “log-in with” features to access other services. In Sweden, there is a digital bank ID, run by the banking industry and acknowledged by the government. China and India are managing the digital identities of their residents in centralised governmental systems. However, in all these centralised approaches users allow private or public institutions to gather information about the services they use and how often they use them. This is obviously a privacy issue.

Decentralised identity management eliminates the privacy issue of federated identity management. In the decentralised approach, users receive so-called “verifiable credentials” from authorities. They can then prove their identity or further attributes by holding this information in a digital wallet stored on their smartphone. Credentials can also verify, for example, the existence of drivers’ licenses and university diplomas, as well as any other private information such as age or bank details. Additionally, users only need to reveal the information that is actually required. This is called selective disclosure. For example, a car sharing service does not need to know the full details of an ID card. They only need to know if the user has a valid driver’s license.

It is unavoidable that some form of digital identities will shape our online experience in the future. In contrast to federated approaches, privacy is the main objective of decentralised digital identities. With a decentralised approach users can prove that they are eligible for a service without disclosing their internet activities to another party, be it a private company or government. Having the right to act anonymously on the Internet is just as important as it is in the ‘analogue’ world: When someone goes to a bar and is carded, no one else is informed that they showed their ID there. This should also apply to the digital world.

Decentralised digital identities prevent both private and public institutions from collecting large amounts of data on citizens. Too much data in the hands of private actors can lead to manipulation, for example when it comes to elections. Too much data in the hands of public actors can even lead to the persecution of political opponents. Decentralised digital identities are thus essential to democracy and freedom.

The decentralised approach has thus been recognised as the way forward by the EU: The European Commission adopted digital wallets in the current draft eIDAS 2.0 regulation. The goal is to establish European digital identities for all residents. The digital identities will be stored in a digital wallet found in an app on their smartphone. The digital wallet uses the safety features of the smartphone itself to ensure that digital identity is not stolen. 

The potential impact of a well implemented digital identity is infinite. For small e-commerce businesses it will be game changing as users will be able to provide all the required information to a small shop without creating an account. This could give SMEs new opportunities compared to e-commerce giants such as Amazon. For the financial services industry, this could be interesting when they are onboarding new customers. Know Your Customer (KYC) checks that are required by regulation are very costly and digital identities will make KYC processes easier, cheaper, and more efficient.

Yet, decentralised digital identities still face three main challenges: standardisation, security, and usability. Standardisation is important because today many different standards are being developed. In addition, a solution must be secure to be trusted and to prevent hacking. Finally, digital identities must be easy to use. 

Opponents of decentralised digital identities criticise the risk of identity theft and fear easier data collection. However, this should not deter us; instead, it should fuel investment in the needed cybersecurity and privacy advancements.

In my research group at the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability, and Trust (SnT) we are working on the many sociotechnical questions concerning decentralised digital identities. We are considering: how much decentralisation do we need? How can high usability be guaranteed while having a secure solution? What effects will digital identities have in industry? And what developments will we see in society? For example, the digital divide is a problem. What happens when people do not own a smartphone and cannot participate?

Digital identities will appear all around the world. We will see centralised solutions run by private companies or governments. However, decentralised approaches to digital identities will be a cornerstone of democracy and freedom.

Prof. Gilbert Fridgen is PayPal-FNR PEARL Chair in Digital Financial Services and head of the FINATRAX (Digital Financial Services and Cross-Organisational Digital Transformations) research group at the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT). He was a keynote speaker on “Digital identities in the financial services industry – A European perspective” at the FinTech Taipei 2022 conference.

Read Prof. Fridgen’s original LinkedIn post, and connect with him here.