Digital identity systems will fail if they do not take humans into account, warns identity innovator, suggesting that a ‘digital guardian’ could help overcome most of these challenges
Most people would like to have a single, verified and validated digital identity that can be used to access all services, according to John Erik Setsaas, vice-president of identity and innovation at Signicat.
“But in trying to achieve this, technology systems designers need to take human nature into account. Otherwise, these systems will not work because it is people who are going to use them,” he told the European Identity & Cloud Conference 2019 in Munich.
The human element, said Setsaas, presents various challenges that technology innovators need to take into consideration and overcome, ensuring that anything they design places minimal or no responsibility on users, who are inherently prone to error.
“First, any system in which a user accesses their identity via a specific smartphone or other mobile device that holds their credentials will fail when the device is lost or the secret key is forgotten, for example,” he said.
Other important considerations Setsaas raised were what happens if the device is compromised and who is liable if something goes wrong.
“Distributed ledgers have security risks. They are made by people. They will be hacked. Systems designers need to consider what would happen if a bad actor exploits a vulnerability to access someone’s digital identity or digital double. Designers need to think about liability,” he said.
Anonymity, said Setsaas, is another challenge in the context of a zero knowledge proof approach where a user is seeking to prove they are over 18, for example, without revealing anything else.
“The problem arises if this approach is used to access a discussion forum, but once access is granted, a user starts spreading illegal information. Most people would expect there to be a way of holding that user legally accountable, but that is not possible where access is truly anonymous,” he said.
The fact that most people do not understand how to manage passwords and do not follow best practices is yet another human-related factor that indicates that most people are unlikely to be able to manage their own identities, he said.
“Technology systems designers need to take human nature into account. Otherwise, these systems will not work because it is people who are going to use them”
John Erik Setaas, Signicat
“When thinking about the future of identity management, we can’t think about giving people more responsibility,” said Setsaas.
In the light of these and other human-related challenges, he suggested a potential solution lies in the concept of an “identity custodian”, because while people want to be in control of their information, they do not really want to operate all on their own, particularly when things go wrong.
“An identity custodian is a trusted entity that will take care of managing people’s identities, providing a link to their digital doubles, taking care of liability, providing someone to call if there is a problem, monitoring for risk or fraud, and account recovery,” said Setsaas.
Digital custodian services could also include the facility to create a set of personas or roles, he suggested. “So for banking purposes, I would show my full profile, but I could have other personas for specific uses so that only the relevant or qualifying attributes are shared, such as age, gender and nationality.”
And in the case of any suspected wrongdoing or illegal activity, Setsaas said identity custodians could either help to prove there was no liability or provide a “high-friction” way to enable authorities to link a particular person to the individual behind it.
The role of digital custodian could be taken on by banks, insurance companies and other trusted entities, with individuals able to choose their trusted digital custodian based on their requirements or have different custodians for different purposes, he said.
“The GDPR [EU General Data Protection Regulation] will also help in switching between providers of digital guardian services because of its requirement for data portability and the right to be forgotten, in much the same way you would switch between telcos, energy providers or banks,” he said.
In summary, Setsaas said an identity custodian would provide a potential solution for a range of human-related obstacles and failings. “Identity custodians could take liability and responsibility from individuals, providing someone to call when things go wrong to ensure accounts are recovered and that access to digital assets can be passed on to their heirs.”
In response to a question from the audience about potential business models for identity providers, Setsaas said providing such services would strengthen the direct relationship between banks and customers, for example, which could help with customer retention.
“And then generally, in the context of distributed identity, providing validated information to service providers has a value. Instead of the service provider having to do the work themselves, the identity custodian provides it, and that is worth something,” he said.
Enterprises need to step up protections around identity-related compromises and look to decentralised identity in the longer term to improve security, says computer scientist.
