First Principles of Digital ID vs. AI

Digital Identity was supposed to be simple:

• Something you are
• Something you know
• Something you have

3 Changes

AI has changed everything. Catchy aphorisms are rendered irrelevant.

"Something you are" — With the advent deepfakes this doesn't work anymore.

Yes, a biometric test done in person and supervised by employees or officers that can't be bribed still works. Border Officers, Police, and Bankers are examples of people that can run these services. But what happens over the open Internet?

"Something you know" — What you know is probably for sale on the dark web. Your mother's maiden name, the type of car you first owned, your favorite type of music. That information is all out there to be bought.

"Something you have" — We'd like to trust our phones, but we can't. Even Apple iPhones are susceptible to trojan horse attacks that steel all biometric information.

Group-IB 's Andrey Polovinkin and Sharmine L. recently described how their firm uncovered "the first iOS Trojan" designed for harvesting "is capable of collecting facial recognition data, identity documents, and intercepting SMS." Their CEO, Singapore based Dmitry Volkov posted details on LinkedIn.

We Need a New Solution to Digital Identity

The Internet is not safe because it does not have an identity layer. Businesses do not have an easy way to verify the identity of their end users. This leads to a raft of problems:

• Fraud — Estimates are in excess of $500B a year in losses
• Extortion Through Ransomware — Hit a Record $1.1 Billion in 2023
• Damage and Loss of Data — The average cost of a data breach in the United States amounted to 9.48 million U.S. dollars in 2023
• Theft of Data and IP — $1.12 billion. Growing at 36%." See Cyberhaven
• Harassment
• Invasion of Privacy
• Manipulation Through Misinformation
• Exploitation
• Cyber Terrorism

The statistics are daunting.

Trust is infrastructure. It requires investment and effort to build a high-trust society.

4 Questions

Businesses need to answer four questions about each random new end-user connecting to their site over the open Internet.

1. What can we know about this person?
2. How can we recognize this person?
3. What is the risk associated with doing business with them?
4. If there is risk, how can we transfer the risk?

Let's go through these one-by-one, understand what each question means and how best to answer it.

1 - What can we know about this person?

Is this person a real human? What's their name? Do they really represent that organization, with that specific role, and those rights, those responsibilities and that authority? For example, is that person really the CEO and can they really sign legal agreements on behalf of the company?

In the "real world" these facts are often presented in the form of credentials, such as a birth certificate. For example, "A person Jane Doe who was more on March 1, 2023 in San Francisco." A Birth Certificate is weird because it includes no direct way of authenticating the person. You have to assume the person holding the birth certificate is the rightful owner. We rely on parents and members of the community to confirm that Jane Doe is who she claims to be when she eventually applies for a Driver's License or a Passport.

Physical credentials and identity documents include stamps and holograms and other ways of confirming who created them. Similarly, a digital verifiable credential uses a unique encrypted signature that, when checked with its corresponding public key, can be used to confirm which organization created and signed the document.

Tim S. has a great article listing 101 Use Cases for Verifiable Credentials

Examples include business cards, digital diplomas, electronic passports, smart driver's licenses, marriage certificates, and verifiable professional credentials.

When a use comes to a site and presents credentials that can be verified, the business can use the information in those credentials to answer the question "What can we know about this person?"

If you want to learn more about Verifiable Credentials, check out the OpenWallet Foundation and companies like MATTR and Trinsic . These Verifiable Credentials are going to become more prevalent. Jamie Smith?? has an excellent article asking if James Mirfin 's team at Visa have just changed the identity game by turning cards into a pointer to an Identity Wallet.

2 - How can we recognize this person?

In the "real world," people have ID documents that combine a credential, like "The State of California has given Jane Doe a license to drive," with a tool to recognize the person: that's why ID cards have pictures. Newer versions ID cards also have chips that include both the picture and a digital version of the credential, which uses a unique encrypted signature for extra confirmation about which organization issued the credential. That is not the case on the Internet.

On the Internet, Card issuers think about this as "Card Not Present." But that only describes half the problem.

The second half of the problem is "Human Not Present."

Over the open Internet, recognizing someone is almost impossible.

Continuous Authentication is the only way to recognize someone

If everything can be faked on the Internet, how does any organization accurately authenticate their end users?

A first pass at the solution was described in Lex Fridman 's PhD thesis.

Active authentication is the process of continuously verifying a person’s identity based on the cognitive, behavioral, and physical aspects of their interaction with the device.

Fridman described the goal of authentication system this way:

The challenge of identity verification for the purpose of access control in distributed communication systems is the tradeoff between maximizing the probability of intruder detection, and minimizing the cost for the legitimate user in time, distractions, and extra hardware and computer requirements.

(As an aside, I wonder if Lex Fridman realizes his work has inspired so many?)

The best bank authentication systems use Continuous Active Authentication. These are risk engines that are fed data about every aspect of your behavior. The list includes behavioral the angle you are holding the phone, your input patterns, your geographical movements, movements across wifi and wireless networks. It also includes both device and server side biometrics. And it includes passive and active push notification response time. Finally, it includes a long list of things like camera response time - which are used to judge whether the phone is likely compromised. All of this creates the most accurate assessment of whether or not it is really you on this session.

You've Experienced Continuous Active Authentication

Have you ever received a notification from your bank asking "was this transaction you?" Perhaps you were out late and bought a 2am snack. Or, you had to travel at short notice. Behind the scenes there is an entire suite of tools being used to try and determine whether it is really you. The strongest way for the bank to confirm that you initiated the transaction is to push a request your device, have you log into the bank app, run the full suite of continuous authentication systems and verify that it is really you.

Continuous Active Authentication is Privacy Invasive

The problem is that this is very invasive of your privacy. Your bank is basically watching you always. Normally, no one would agree to this kind of surveillance.

However, because it is in service of protecting our money and because banks are well regulated to respect our privacy and because banks have a business interest aligned with protecting our privacy, people agree to let banks run the most powerful continuous active authentication systems in the world.

Authentication must be combined with KYC

One of the most knowledgable people in the world on the topic of authentication and verifiable credentials is FaceTec, Inc. 's Andrew Hughes . A member of the Standards Council of Canada working with ISO/IEC, Andrew has described the challenge very succinctly:

Every single digital credentials group I intersect with has a Gordian knot around "holder-credential binding" or "authorization to present" - tying the living human to the digital credential and its presentation.

Bank-based ID rails can be used for ID verification everywhere

Banks are perfectly positioned to solve the problem and untie the Gordian knot.

• Banks have gone through a rigorous Know Your Customer (KYC) process to tie the individual opening the to government issued Identity credentials. The system is governed by strict laws enforced by armies of bank regulators. The same pattern is repeated the world over because governments want to get paid their taxes, and because governments want to limit money laundering from criminal activity.
• Banks have the Continuous Active Authentication systems needed to verify end users.

All we need is a way to leverage this capability where people need to prove they are who they claim to be.

3 - What is the risk associated with doing business with them?

Once a business has determine who someone is, their next question is simple: What is the risk of doing business with this person?

• Will they fail to pay?
• Will they be unable to pay even if they want to pay?
• Will they return the product? (Do they return products at a very high rate?)
• Will they exact a huge amount of support?
• Will they berate and belittle people working for the business?
• Will they leave an unnecessarily cruel and harsh review?

Some of the answers to these questions are available through typical credit services, like Experian , Equifax and TransUnion can provide some of these answers. But none are complete.

More importantly, there is no general way for the end-user to prove they will be a great customer. Specific services like Uber have a customer rating but it is not portable.

If you have a great customer rating, wouldn't it be nice to be able to show new businesses that you have a great reputation and that they should treat you we care.

User controlled Identity solutions with user supplied verifiable credentials and next generation customer affinity solutions will help businesses know what to expect while keep consumers in control of their privacy.

4 - If there is risk, how can we transfer the risk?

This is the most important question for businesses trying to work with a new customer over the Internet. It is also the only question that has no solution in most markets today.

According to Visa Verifi, e-commrce businesses lose 3% of revenue and 30% of profit to fraud. Bank-based ID verification systems can reduce that. But, where they can't, we need an insurance solution.

Insurance transfers the risk of fraud. It is best priced on a transaction by transaction basis.

A global bank-based Identity solution can deliver the platform needed to offer transaction level fraud insurance because it automatically gathers the data needed to price both the insurance and the re-insurance.

Conclusion: The Future of Digital Identity

The old ways of managing Digital Identity no longer work. AI and hacker have combined forces to wreck the old model. What you are can be deepfaked. What you know has been hacked and sold on the dark web. And what you have is easily compromised.

Instead, in a digital setting, when the "human is not present", we need to leverage Continuous Active Authentication system to prove that a person is who they claim to be. These systems are very privacy invasive, so it makes sense to flip the problem and give the end user the ability to prove they are who they claim to be with the aid of a trusted 3rd party KYC and Authentication provider. Examples of these include banks or specialist companies like CLEAR .

Finally, all of these Digital Identity problems need to be reframed to answer the critical questions that businesses have about a random new user:

1. What can we know about this person?
2. How can we recognize this person?
3. What is the risk associated with doing business with them?
4. If there is risk, how can we transfer the risk?