Claire de Longeaux - Director of TRUSTECH (incorporating CARTES)
The development of the web, mobile apps and devices has one thing in common with the needs expressed by businesses and governments: they are slowly but surely consigning physical identities to the graveyard while promoting digital identities.
In an increasingly digital world, what does our identity actually consist of? At first glance, the subject may seem simple enough, but it raises a number of vital questions about security, personal information and information sharing. Although the principle of physical identities resides in paper documents (passports, driving licences, etc.), the very definition of digital identities is not a clear-cut concept or an exact science, because it encompasses a range of political and geopolitical issues, as well as philosophical, sociological and ethnological aspects. Points of view also differ depending on which side of the Atlantic you are standing on. The US and UK tend to go for a global and big data approach that uses all the digital data published about a person in order to build up an image of them. As such, it aims to offer a combination of facial and behavioural recognition and analysis. The strategy adopted by Europe, however, is more concise and pragmatic, where digital identities are a minimal data set used to distinguish one person from another in a given context. This approach is closer to the one used by the authorities and is based on what are known as pivot data.
A crucial need for standardisation
Digital identities, by their very nature, may take on many different forms, meaning that there is a strong requirement for interoperability to ensure authentication. In this respect, social networks are increasingly used as a master database. Facebook is a prime example: by using the OAuth protocol, this social network acts as a true identity management system. Although it could be described as a low-level system, it is already a mandatory or optional feature when users want to sign into a third-party service on the web. Google+ and LinkedIn tend to be following suit, and the principle is similar: when users sign into a service with their social network account, they are actually indicating that the social network is vouching for their identity. This example shows the need to set up different levels of authentication, as well as the necessity for standardisation. On another level, the French government has launched France Connect, a system that "guarantees a user's identity based on existing accounts for which his or her identity has already been verified."
Setting up "levels of trust"
The example of social networks is especially symbolic, since digital technologies are much more intricately woven into the lives of the young generations. This phenomenon is destined to grow until such time as only digital identification systems exist. Which of these digital natives will be offended when physical ID cards disappear? In all probability, hardly anyone or even nobody. With physical identification on the wane, there has never been such an urgent need for standardisation. Several efforts have already been made with this aim in mind, but unfortunately no standard philosophy has yet to emerge between such different initiatives as the FIDO Alliance, Liberty Alliance and OpenID. The result is that everyone works with their own systems. For example, France uses a general security standard, while nearly two thirds of the world's countries have already spearheaded their own digital identity schemes.
One idea in particular is currently gaining ground, namely creating levels of trust for authentication. The level of trust required varies depending on whether users are downloading an unimportant document or sending personal and/or confidential information! This highlights the major change that has occurred over the last few years: we have moved from an Internet that was designed for communication to a digital world in which we manage practically our entire lives, such as transactions, contracts and undertakings. Consequently, the need to build greater trust is essential, especially traceability for legal purposes. For example, European companies need to be sure that a contracting party has consented to sign an agreement; this is the principle of non-repudiation. Presently, this is consistently taking the form of several services with the creation of three "levels of trust". When hiring a car, you need a level two identity, while a mortgage will require level three trust.
The inevitable rise of digital identities
Many governments may have already focused on the issue of digital identities, but the business world began the process many years ago. The need to tighten up IT security was partly the reason that spawned this phenomenon as electronic processes began cropping up. The growing number of entry points into information systems has prompted strong authentication methods, with SSO (Single Sign On) and more generally tokens and certificates. For the time being, it can be seen that physical and digital identities are converging, with proof mechanisms based on physical identification, such as sending a text message to a device that belongs to the person requiring authentication. At the same time, digital identities also enable companies to collect ever more information and knowledge about their customers. Their relationship with customers is therefore destined to undergo drastic changes as digital identities and interoperability develop.
The issue of digital identities is already a complex area as we have seen, and we should not forget another phenomenon, namely the emergence of smart devices. Personal information and information security are becoming extremely important, especially since a device can be associated with your life and even your bank account. In tomorrow's world, smart devices will also generate data, and connected cars are a case in point. Therefore, the real challenge is knowing who will have access to which data and how! All of these subjects have been the focus of discussions in governments and companies for several months. The digital security and identification markets are undergoing high levels of growth. Everything is converging towards the same destination: digital identities will definitely become a major issue that all stakeholders will need to start preparing for today.
All the topics covered in this article will be addressed during TRUSTECH (incorporating CARTES) , the global event dedicated to trust-based technologies, which is being held in Cannes, French Riviera, from 29 November to 1 December 2016.
White Paper titled "Digital ID and physical ID on a convergence path", written by Smart Insights, to bring its readers a synthesis on the ongoing convergence between who forms of identity coming from different backgrounds.