The Platforms move into identity
Introduction
The ability to prove identity is what we can consider a utility. A utility is defined as:
- a service that is used by the public, such as an electricity or gas supply or a train service.
- the usefulness of something, especially in a practical way
- ability to satisfy a particular need; usefulness.
So it is not very useful by itself, but essential to be able to do what you would really like to do. In many ways this is not a new thing; we are already using this every day based on the platform-provided methods.
These are useful but come with clear limitations on what they actually prove and what they will be accepted for. This, together with ever-increasing requirements for identity proofing, sets the scene for the next mile to be conquered.
Sometimes a picture says more than 1000 words
Read together with current patent applications, this should paint a clear picture.
The subject system provides for authenticating a user's physical ID with an identity provider (e.g., an issuer of the ID) to create an electronic ID for a given service or domain of services. During an enrollment phase, the user's device captures image(s) of the ID (e.g., a driver's license, passport, or the like) and sends the image(s) to an issuer of the ID (e.g., an agency that issued the ID, such as an agency that issues driver's licenses), and/or a third party verification service that is capable of verifying the authenticity of the ID.
Rationale
There is no such thing as a free lunch, and deeply capitalistic commercial actors will never embark on this unless they have a rationale.
Support for other value proposals
The most obvious motivation is stickiness and engagement, where you tie users deeper into the ecosystem you control. Today it can be considered inconvenient not to live a phone-only lifestyle and to have to keep your leather wallet with driver's license and other means of identification available.
In use cases like payments or access to private and public services, proof of identity clearly related to an accepted root of trust is required. This goes beyond what is possible by logging in with Apple/Google/Facebook today. Again, to tie you deeper into an ecosystem, having this ability would be seen as a great advantage.
By playing on privacy users can be motivated further. One play here would be, as with payments, to tie this deeper into biometric validation for the release of identity credentials. Today this is attempted by plastic which can be easily copied or unintentionally exposed.
Fruit ripe for picking
Real ID
As we know, most of these actors are US based and tend to be motivated close to home. One great motivator would be the Real ID requirements coming into enforcement in the US.
This creates a need for a different level of identification, or even a requirement for identification at all. Just as the introduction of chip technology in the US was probably instrumental in enabling the pay-by-phone schemes, this is a vacuum that can be filled.
It is already there
We are in a situation where the technology is almost in place, as most phones these days have a secure storage and execution environment. So there is no requirement to add a new cost-driving feature to the current designs, merely to get appropriate certification of the devices.
This has already happened with several initiatives for deploying such credentials on a phone.
These are limited local initiatives, but they clearly set the stage for deploying similar solutions at scale and across borders. By the same token, it is hard to see that implementations surpassing the requirements such solutions are subject to would not have to be accepted by the regulators.
The ones having full control over the hardware and the software would be in a unique position, which would especially play into the hands of Apple.
The death of the payment card
A payment card is merely a proxy to an account of some kind. Historically it made sense to have this proxy, with dedicated card networks, in the days of very limited inter-connectivity. Today it does not make much rational sense anymore, but just as horses did not disappear overnight with the introduction of cars, neither will the card.
But in a longer perspective there are limited objective reasons not to connect directly to the account, thereby cutting out a lot of middlemen, which translates into saving money.
A key component for such solutions would be reliable proof of the presence of the account holder. Arguably this will be achieved in a much more reliable way than what is provided by the current card and PIN combinations by having strong identity provisioned on the phone.
User Acceptance
Finally, the user base is getting ready to accept such solutions based on a clear mobile-only preference, which is still demographically tied to younger people. Needless to say, they become older and will over time dominate the user base, with the rest of us being grand-parented to our plastic usage.
Entrenchment
By having this at the platform you can have one level of trust to relate to. Today every app constitutes its own trust level. The equivalent is visible with Apple Pay, where payment is authenticated and executed by the platform and not by an individual app, giving just one trust point in the payment value chain.
For end users this translates into having ID proofing behind convenient biometric protection which arguably could offer a greater security for both the end user and the acceptor.
More than this
More than this, tell me one thing
We live in a world of a hierarchy of needs, as coined by Maslow.
The implication for this domain is that after secure identification you always need to know just one more thing, and you really need to be able to rely on that information too.
One such thing could be the current or historical addresses of a person, certainty on current employment etc.
This is the new frontier of digital validation which builds on secure identification.
Being the provider of such services would be a dream come true for a platform, and they are obviously very well positioned to capture this position. Being able to do this is really what a platform is all about, and this would be a chargeable market, whereas identification, like payments, is a commodity that nobody is prepared to pay much for, if anything at all.
To really scale this aspect a unified capture of identity in all use cases is really a precursor. If you leave the strong validation of identity to somebody else you will have problematic gaps when trying to fill this role.
Execution
Onboarding
There are a myriad of options for onboarding. Some would be:
- Based on NFC capture and face/liveness match.
- Optical capture and face/liveness match.
- Based on preexisting electronic identity.
- Based on logical ID documents.
All of these and many more are possible, and each carries an implicit level of reliability based on tamper-proof capture.
One method does require special focus, since it both has the potential of reaching the highest level of reliability and is very much native to the current devices. This would be the usage of NFC and the built-in liveness-ensuring biometric capture.
Usage
Cloned document
A very simple usage would be a playback of the data captured from the identity documents, or document emulation. The data would be signed artifacts certified by the root of trust and would at minimum consist of:
- Personal information like name and unique personal identifier (if applicable in the home country).
- Nationality and issuing country.
- Date of birth.
- Unique document number of the issued document.
- Validity period of the document.
- Picture of the document holder.
All of this is digitally signed and as such forge proof. There may be a lot more information available depending on the policy of the issuing state.
There are only a few pieces missing from being a full-fledged document.
- Clone detection. Most documents contain a unique private key which works in a challenge-response mode to detect a cloned document.
- Chip detection. This is basically the same mechanism but intended to certify that the chip used is bona fide and has not been replaced.
Arguably none of these changes the fact of the identification of the user by the signed data and the signed image of the holder.
It is conceivable that the cloning features could be replaced by device attestation, effectively ensuring that this is a good clone residing on an approved platform.
While not the most elegant solution, this enables a drop-in solution for replacing traditional documents with limited or no upgrades required in places like police terminals or automated border gates.
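The clone-detection idea above, as an added example that is not part of the original article: the verifier checks the issuer's signature over the holder data and then sends a fresh challenge that only the chip-held private key can answer. All names are hypothetical, and the signatures use textbook RSA over publicly known Mersenne primes purely so the sketch runs with the standard library; it is not a secure scheme or the actual document protocol.

```python
import hashlib, json, secrets

E = 65537  # public exponent shared by all toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known Mersenne primes: illustration only, not secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

ISSUER = toy_keypair(2**607 - 1, 2**1279 - 1)  # issuing state's signing key
CHIP = toy_keypair(2**127 - 1, 2**521 - 1)     # private key that never leaves the chip
OTHER = toy_keypair(2**89 - 1, 2**107 - 1)     # any key that is not the chip's

def issue_document(holder):
    """The issuer signs the holder data together with the chip's public key."""
    body = json.dumps({**holder, "chip_n": CHIP["n"]}, sort_keys=True).encode()
    return {"body": body, "sig": sign(ISSUER, body)}

class Presenter:
    """Holds the signed data; answers challenges with whatever key it has."""
    def __init__(self, doc, key):
        self.doc, self.key = doc, key
    def read(self):
        return self.doc
    def respond(self, challenge):
        return sign(self.key, challenge)

def inspect(presenter, issuer_n):
    """Verifier side: check the signed data, then the challenge response."""
    doc = presenter.read()
    data_ok = verify(issuer_n, doc["body"], doc["sig"])
    challenge = secrets.token_bytes(16)  # fresh per inspection, so replay fails
    chip_n = json.loads(doc["body"])["chip_n"]
    clone_ok = data_ok and verify(chip_n, challenge, presenter.respond(challenge))
    return {"data_signature_ok": data_ok, "clone_check_ok": clone_ok}

doc = issue_document({"name": "Constructed Holder", "document_number": "X0000000"})
genuine = inspect(Presenter(doc, CHIP), ISSUER["n"])   # both checks pass
copied = inspect(Presenter(doc, OTHER), ISSUER["n"])   # data valid, clone check fails
```

With device attestation as the article suggests, the platform's attested key would take the place of `CHIP` in the challenge response.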
Deployment of full-fledged digital ID
Please notice that there is no exclusivity involved as this can be done in addition to document clone or instead of document clone.
This would be the provisioning of a credential into the secure execution environment of the device, with biometric protection of usage being likely.
This can be done by the platform company or more likely it will be partnered out to avoid regulatory scrutiny, which is a pattern we recognize from banking.
Renewal
The most basic method would be to revert to the root of trust by capture of a new document.
However, one should not disregard the business opportunity for document issuers here: dropping the issuance of new physical documents and instead making renewal a process that goes directly and only to the device.
This would be a substantial cost saver and would in reality improve the security of the issuance process compared to what is the case today.
So dropping the issuance of physical documents makes sense for everybody and is thus likely to happen given time.
Summary
This article describes what is likely to happen based on the merits such a development has and the logical rationale for it happening.
Not everything that is likely to happen will happen, but I am pretty sure this will happen, perhaps in a different way and perhaps by different actors than Apple or Google, who are the best positioned actors.
For the rest of us, being able to look into the crystal ball gives us an opportunity to prepare our position.
Private sector
Most are very unlikely to go in with guns blazing and try to beat the platforms directly; many have tried that and all have lost.
However, this will be an ecosystem with several lucrative positions available, where the platforms will not deliver and where currently nobody else is positioned.
Regulators
Really, really need to get ahead of the curve here. This especially applies to regulating the area of digital verification in a way that ensures it becomes a productive and useful reality by itself.
It is especially important to ensure this works cross-border; if not, you are setting up for a divide and conquer to be executed.
For entities like the EU this should be a call to action unless one would like to have no digital single market thus not having a single market down the road and thus having no rationale for having a construct like the EU even further down the road.
This should obviously enter into the current revision of the eIDAS regulations, but one should understand that more is needed to make things happen.
- Execution at speed. Things need to happen fast and fail fast and be pivoted into a new approach immediately.
- Building and ensuring a broad ecosystem. Just making adjustments and going back to sleep will not be sufficient. There is only one success criterion, which is when it happens and has a deep, profound impact in the real world.
Public Sector
Should consider the inherent opportunities this will have for producing services to the population in a better and more efficient way.
The potential risks and dangers should also be considered, but one should avoid the temptation to approach this by burying one's head in the sand, believing this will go away or that we can make it go away.
Obviously the risk of creating yet another taxation loophole should be carefully considered.
BIO
Ronny Khan is an IT and business development specialist within the Norwegian financial sector, who is involved in standardization efforts on remote natural person identification targeting trust level high as part of a shared effort by the Banking association with public sector stakeholders, as well as a member of the EU expert group on eID and KYC.
He is currently working full time seconded to the banking association as liaison with key players in the public sector to ensure deployment at scale of remote onboarding for electronic identities.
He is also participating in ISO standardization and national standardization with a focus on biometrics, security and identification in retail banking. He is a keen follower of the area of identity, identity proofing and KYC, and is always looking for new interesting domains. Currently he is focused on digital validation as a natural evolution of digital identities.
Previously he has been working within a broad field covering digital identities, internet bank authentication/authorization, card security and telecommunications.
More information on Ronny's homepage
Specialist in trustworthy identity, security and data sharing
4 years ago: We need a lot better identity including identity that can adapt to context. But this is NOT DONE through some "trusted party" man-in-the-middle identity controller as described here. We need structures that ensure control is with citizens, not with some platforms either optimized for commercial abuse or authoritarian control (which are essentially two sides of the same problem and will merge into Digital Feudalism). An identity model that does not ensure that new identity is contextually isolated and adapted to context will be our next nightmare, not the solution. Platforms have ZERO interest in solving the problem as they ARE the problem and their interest in identity is to own people as a resource and way to control all value chains. So - politely - this analysis is shallow and therefore wrong. It is not even beginning to deal with the hard issues as it stops with assuming trust in platforms and does nothing to re-empower citizens. The fact that EU eID (creating state platforms integrated into one big EU surveillance system and transferring control to BigTech cloud through blockchain and smartphones) is in 100% conflict with "Trustworthy Environment" initiative is very concerning as it means that the bureaucrats and lobbyists are working successfully against the democratic regulators and society interests. Surveillance is not the answer - it is the problem
“To really scale this aspect a unified capture of identity in all use cases is really a precursor. If you leave the strong validation of identity to somebody else you will have problematic gaps when trying to fill this role.” This looks to me as a very good push for the forthcoming European Digital Identity (EUid) initiative (https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12528-European-Digital-Identity-EUid-). Well done Ronny! Of interest to Norbert Sagstetter, Carlos Gomez Muñoz, Grazyna Piesiewicz, Michal Hrbaty and Bogdan Stefan
Product Design and Development | Emerging Tech | A.I., NLP and Machine Learning | Researcher | Startups
4 years ago: I think if someone can invent disposable storage, one use only, the government can step in and handle identity. Your identity would be your machine (computer or phone). As long as you use this machine, you can vote, pay taxes, make purchases, etc. We no longer need to depend on Amazon or Apple, etc. as a trusted intermediary. The government validates each identity. Identity would no longer be a human process. Instead it would be machine-based. You attach your identity to a phone and/or computer. It's that machine that handshakes with other machines for peer-to-peer transactions, etc. If you lose your machine or upgrade it to a new version, you just go get it authenticated. If the machine is too big, a government entity gives you a one-use USB key that you can use to authenticate a laptop or desktop. Guard it with your life. Go straight home and plug it in. Do not lose it between here and your machine!