Identity plays a major role in everyday life. It’s the key that determines the particular transactions in which we can rightfully participate as well as the information we’re entitled to access. But, in a world that’s increasingly governed by digital transactions and data, our existing methods for verifying someone’s identity based on a physical credential are far from adequate.
I recently read Better Identity in America, a report by the Better Identity Coalition, an organization launched earlier this year to focus on promoting the development and adoption of solutions for identity verification and authentication. The report outlines a policy agenda for improving the privacy and security of digital systems and helping to combat identity fraud.
How bad is the problem? Data breaches, large-scale fraud, and identity theft are becoming more common. In 2017, there were 16.7 million victims of identity fraud in the U.S., causing a loss of $16.8 billion. The U.S. in 2017 saw a 44.7% increase in data breaches over 2016 and a 30% rise in online shopping fraud. About 179 million personal information records were exposed in data breaches, 69% of which were identity theft incidents.
The report notes that “the ability to offer high-value transactions and services online is being tested more than ever, due in large part to the challenges of proving identity online.” The lack of an easy, secure way to verify identities, according to the report, is leading to “increased fraud and theft, degrades privacy, and hinders the availability of many services online.”
As the report reminds us, the extent of this challenge was famously captured back in 1993 by Peter Steiner’s New Yorker cartoon with the caption, “On the Internet, nobody knows you’re a dog.” Twenty-five years later, the cartoon still perfectly describes the identity challenge. If anything, the challenge is even more serious in 2018, given that the volume and variety of online transaction services are greater than ever before.
Some countries have a mandatory national ID, but not the U.S. Americans still need to get some sort of government-issued identity documents and credentials for activities like getting a job, paying taxes, receiving government benefits, driving a car, boarding a plane, and so on. But if someone doesn’t need to do any of these things, there are no laws requiring them to get an ID.
“Instead, a patchwork system has emerged of identifiers and credentials issued by a variety of different Federal, state and local entities,” says the report. “This patchwork has worked relatively well for in-person transactions… However, the model has fallen apart online… Americans remain dependent on paper and plastic-based identity credentials, none of which were designed to be easily used – or validated – online.”
“Moreover, in hindsight, they look like attempts to ignore the elephant in the room: that government alone confers identity authoritatively, and that government is thus in the single best position to address the challenges we have today and make identity better… Not by issuing a national ID – but by allowing consumers to ask government that it stand behind the paper and plastic credentials it already issues in the physical world.”
The report outlines five key recommendations for addressing the identity challenge.
Prioritize the development of next-generation remote identity proofing and verification systems. In recent years, Knowledge-Based Verification has been widely used by the private and public sector to validate online identities. KBV relies on an individual’s ability to answer secret questions based on information that, presumably, only the individual would know. But, as a result of all the recent data breaches, adversaries have stolen enough data to defeat many KBV systems. Answers that were once secret no longer are.
To address this problem the report recommends that “Governments should offer new digital services to validate attributes – modernizing legacy paper-based identity systems around a privacy-protecting, consumer-centric digital model that allows consumers to ask the agency that issued a credential to stand behind it in the online world.”
Change the way America uses the Social Security Number. The SSN was first created as a 9-digit number, an identifier that uniquely associates an individual with wage and tax data as well as Social Security benefits. Government and business also use the SSN as an authenticator, that is, a way to verify that someone is who they claim to be. Needless to say, our SSNs are now in databases all over the Internet, and even if they were once secret, after massive data breaches they no longer are.
“Stop using the SSN as an authenticator,” says the report. It’s OK to use it as an identifier, as the risks are much smaller, but its use should be reduced whenever feasible.
Promote and prioritize the use of strong authentication. There’s no such thing as a strong password or shared secret, since they’re easily compromised by data breaches and other common attacks. Strong authentication methods like multi-factor authentication are much less vulnerable to attacks by adversaries. The report cites a few multi-stakeholder initiatives – the Fast Identity Online (FIDO) Alliance, the GSMA’s Mobile Connect, and the World Wide Web Consortium’s WebAuthn – whose strong authentication technologies are being embedded in devices, operating systems and browsers.
Research efforts are underway around the world, such as the open identity and data sharing framework being developed by MIT’s Trust::Data Consortium. As explained in this recent paper, since identity is fundamentally a data-sharing problem, what’s required is the ability to share information in a privacy-preserving manner. The paper describes a new paradigm it calls Open Algorithms (OPAL), based on the collective exchange of vetted algorithms among participants in a trust network ecosystem.
International coordination and harmonization. “Consumers and businesses operate in environments beyond American borders, and other countries are also contemplating new approaches to making identity better.” The U.S. should thus coordinate with other countries to harmonize requirements, standards and frameworks where feasible.
Educate consumers and businesses about better identity. Finally, “As part of improving the identity ecosystem, Americans must be aware of new identity solutions and how to best use them. Government should partner with industry to educate both consumers and businesses, with an eye toward promoting modern approaches and best practices.”
Irving Wladawsky-Berger worked at IBM for 37 years and has been a strategic advisor to Citigroup, HBO and Mastercard. He is affiliated with MIT and Imperial College, and is a regular contributor to CIO Journal.