Are you ready for your digital identity?
https://www.cdsec.co.uk/


Digital identity is set to become a major topic in the coming years. In Europe, the eIDAS regulation envisages 80% of EU citizens using a digital ID by 2030 (1), leveraging a European digital ID wallet. The United Nations (UN) and World Bank ID4D initiative aims to provide a legal identity by 2030 (2) to less privileged countries and, by extension, to the entire world (3). In the meantime, digital driver’s license projects leveraging digital identity are gathering momentum in many countries (4). For example, in the USA the mDL (mobile driver license) provides a framework for US jurisdictions (5). Other working groups are working on digital identity for passports, such as the International Civil Aviation Organization (ICAO), which recently published the LDS2 standards (6). These are just some examples of the current market boom.

Expectations for digital identity are high: a better user experience (more convenient, especially with a wallet), improved user privacy (sharing only the relevant identity asset rather than all user information), improved security (leveraging standards such as the verifiable credential mechanism) and more interoperability, allowing cross-border interaction (such as the eIDAS project in the EU).

Digital identity technology relies on 3 main pillars: the digitization of identity assets, the technical architecture used (centralized vs decentralized) and the authentication method.

For digital identity assets, we observe an overall acceleration in the digitization of every related individual asset, such as passport, driving license, diploma, card data, banking account… This makes it possible for an end user to select which asset to share with a service provider (e.g. EU digital wallet). The underlying technical mechanisms need to allow partial sharing with strong authentication while gathering user consent. Depending on the topology used, the mechanism may differ. In the industry, some standards have emerged, such as Decentralized Identifiers (DIDs) with the related Verifiable Credentials Data Model provided by W3C.

Authentication is mainly based on biometrics. For instance, the UN goal is to provide biometrics-based national digital identity by 2030 (7), and eIDAS is leveraging FIDO to provide digital identity in the EU. Biometrics allow a strong linkage between the digital identity and the individual behind it.

Payment landscape

Are you ready for biometrics in your payment habits?

In June 2023, W3C announced that the SPC standard had been published as a Candidate Recommendation (9). It is an important milestone in the digital identity shift. SPC allows the use of biometric authentication during an electronic transaction. One of the major differences from WebAuthn lies in the relying party context (in addition to the payment-specific UI and data elements). Thanks to SPC, a bank can now perform biometric authentication during a payment through the merchant environment without any redirection or iframe. This important feature has been adopted by EMVCo in the latest version of the EMV 3DS protocol, version 2.3.1.1 (10). It surely helps to improve the user experience and therefore to reduce the abandonment rate, which was still high in 2022 (11). The initial Stripe pilot with SPC (12) showed an 8% improvement in conversion rate and authentication 3 times faster than regular EMV 3DS. This new technology enables digital identity verification by a relying party operating in a third-party context.
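The relying party context described above has a practical consequence for the bank: the client data it receives was produced on the merchant's page, so it must check the payment fields rather than its own origin. The sketch below is an added example, not code from the article or from any SPC implementation. It assumes the merchant invoked SPC from its top-level page and that the assertion signature has already been verified by the bank's WebAuthn library; the function names, origins and amounts are constructed.

```javascript
// Constructed expectations the bank stored when it issued the challenge.
const EXPECTED = {
  challenge: "c2FtcGxlLWNoYWxsZW5nZQ", // base64url, constructed
  rpId: "bank.example",
  merchantOrigin: "https://merchant.example",
  total: { currency: "EUR", value: "42.00" },
};

// Returns the list of failed checks; an empty list means the client data
// matches the transaction the bank agreed to authenticate.
function checkSpcClientData(clientDataJSON, expected) {
  const c = JSON.parse(clientDataJSON);
  const failed = [];
  // SPC assertions are typed "payment.get", not WebAuthn's "webauthn.get".
  if (c.type !== "payment.get") failed.push("type");
  if (c.challenge !== expected.challenge) failed.push("challenge");
  // The ceremony ran on the merchant's page, so the origin is the merchant's.
  if (c.origin !== expected.merchantOrigin) failed.push("origin");
  const p = c.payment || {};
  if (p.rpId !== expected.rpId) failed.push("payment.rpId");
  if (p.topOrigin !== expected.merchantOrigin) failed.push("payment.topOrigin");
  if (p.payeeOrigin !== expected.merchantOrigin) failed.push("payment.payeeOrigin");
  const t = p.total || {};
  if (t.currency !== expected.total.currency || t.value !== expected.total.value) {
    failed.push("payment.total");
  }
  return failed;
}

// Constructed sample of the client data the browser serializes for a payment.
function sampleClientData(overrides = {}) {
  return JSON.stringify({
    type: "payment.get",
    challenge: EXPECTED.challenge,
    origin: "https://merchant.example",
    payment: {
      rpId: "bank.example",
      topOrigin: "https://merchant.example",
      payeeOrigin: "https://merchant.example",
      total: { currency: "EUR", value: "42.00" },
      instrument: { displayName: "Card ending 0000", icon: "https://bank.example/card.png" },
      ...overrides,
    },
  });
}

console.log(checkSpcClientData(sampleClientData(), EXPECTED));
console.log(checkSpcClientData(sampleClientData({ total: { currency: "EUR", value: "420.00" } }), EXPECTED));
```
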

But it still requires the end user to have a credential enrolled on a specific device, you might say… well, does it really?

Passkey advent

Passkey technology allows the cryptographic credential (unlocked by biometrics) to be stored in the cloud rather than being available only within a specific device. One’s identity is linked to a cryptographic credential unlocked by biometrics. This credential provides the link to the individual. For instance, this mechanism is used within eIDAS for self-sovereign identity (13). Before passkeys, the end user had to perform enrolment for each relying party (such as merchant, bank…) on each device. If the device is stolen or lost, the credential becomes useless. With passkeys, all end-user devices synchronized to the cloud can use all credentials, whatever the device on which the enrolment took place. This improves the user experience but also brings new challenges, such as fraud management and regulatory compliance (such as PSD2 device binding). The industry is very keen to use passkeys. Recently, TikTok announced that it would migrate to passkeys for user authentication (14). To ensure a unified experience, FIDO recently published guidelines for implementing passkey use cases (15).
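The device-binding concern above comes down to whether a credential can leave the device it was enrolled on, which a relying party can read from the backup flags in the WebAuthn authenticator data. The following is an added example, not code from the article: the category names are a hypothetical policy vocabulary and the sample bytes are constructed.

```javascript
// Flag bits in byte 32 of WebAuthn authenticator data
// (after the 32-byte rpIdHash, before the 4-byte signature counter).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const f = authData[32];
  return {
    userPresent: (f & FLAG.UP) !== 0,
    userVerified: (f & FLAG.UV) !== 0,    // biometric or PIN check happened
    backupEligible: (f & FLAG.BE) !== 0,  // credential may be synced
    backedUp: (f & FLAG.BS) !== 0,        // credential is currently synced
  };
}

// Hypothetical policy labels a fraud or compliance engine could act on.
function classifyCredential(authData) {
  const f = parseAuthenticatorFlags(authData);
  // "Backed up" without "backup eligible" is an inconsistent combination.
  if (f.backedUp && !f.backupEligible) return "invalid";
  if (!f.userVerified) return "no-user-verification";
  if (!f.backupEligible) return "device-bound";
  return f.backedUp ? "synced" : "sync-eligible";
}

// Constructed sample: zeroed rpIdHash and counter, only the flags byte set.
function sampleAuthData(flags) {
  const a = new Uint8Array(37);
  a[32] = flags;
  return a;
}

for (const flags of [0x05, 0x0d, 0x1d, 0x15, 0x01]) {
  console.log("0x" + flags.toString(16), classifyCredential(sampleAuthData(flags)));
}
```

A relying party with a device-binding requirement could treat "synced" and "sync-eligible" credentials as a signal for additional risk checks rather than rejecting them outright.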



Get ready to see this passkey prompt more and more in future transactions.









A digital world with serious concerns

Despite market appetite, many challenges need to be tackled. User readiness and education, countries’ infrastructure capacity, regulation (e.g. PSD2/3), parallel technology evolution (such as quantum computing and the related threat to current cryptographic algorithms) and industry inertia are serious concerns delaying the overall progress of the digital shift.

Want to know more about digital identity industry trends?

· Passkey, FIDO2 and SPC

· OpenWallet initiative

· Decentralized identifiers and verifiable credentials

· eIDAS and European digital wallet

· Technical standards and regulation


>> Reach out to Fime consulting


References

1. https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/699491/EPRS_BRI(2022)699491_EN.pdf

2. https://www.worldbank.org/content/dam/Worldbank/Governance/GGP%20ID4D%20flyer.pdf

3. https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/driving-licence/digital-driver-license

4. https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/passport/lds2

5. https://www.aamva.org/topics/mobile-driver-license

6. https://www.icao.int/Meetings/mrtd-symposium-2015/Documents/14_pm_7_Kefauver.pdf

7. https://www.biometricupdate.com/digital-id-biometrics-developing-nations

8. https://fidoalliance.org/fido-recognition-for-european-digital-identity-systems-and-eidas-grows/

9. https://www.w3.org/press-releases/2023/spc-cr/

10. https://www.emvco.com/knowledge-hub/what-is-new-with-emv-3ds-v2-3/

11. https://www.statista.com/statistics/546885/cart-abandonment-rate-region/

12. https://www.w3.org/2021/Talks/spc-pilot-202103.pdf

13. https://ec.europa.eu/futurium/en/system/files/ged/eidas_supported_ssi_may_2019_0.pdf

14. https://newsroom.tiktok.com/en-us/passkeys-fido-alliance

15. https://fidoalliance.org/ux-guidelines/

James Daniels

Passionate about leading successful IT businesses across the Asia Pacific region, empowering teams and delivering exceptional and sustainable shareholders value.

1 yr

Exciting times for digital identity! The eIDAS regulation and UN's ID4D initiative are paving the way for a global digital ID ecosystem. As we embrace biometric authentication for payments with the SPC standard, it's clear that user experience is improving, but are we prepared for the cloud-based 'Passkey' era? This shift unlocks convenience but brings a whole set of new challenges like fraud management and compliance. Anyway, thanks for the post Jean-Luc, it is very insightful!


More articles by Jean Luc DI MANNO
