Defuzzifying Citizen to Consumer Identity – A Layered Approach

The first of a two-part guest blog from Susan Morrow, Head of R&D at Avoco Secure and one of our speakers at Think Digital Identity for Government on June 7th.

Posted 12 March 2019 by Lucy Brown

Since I started working in the field of digital identity there has been a debate about just what it is. When identity was purely an enterprise endeavour it was much simpler. You had a directory where new employees were added, and this gave them access rights. As ‘identity’ moved outside into the ‘real-world’ things became fuzzy: What is identity when it is used by everyone? Is it an actual identity in the philosophical sense? Is it a way to ‘identify’ someone and does it contain certain types of identifying data but not others? Does it have an ‘assurance level’ associated with it? Just what is a digital identity?

Enter the government…

Citizen identity is not a new concept. Human beings have always had ways of identifying members of their ‘tribe’. Our surnames, for example, place us in a particular geolocation – my surname describes my Irish roots; our first names can even place us as being born in a particular time. But our digital lives demand a digital identity, or so it seems. Governments, looking to save money and ‘digitally engage’ with their citizens, looked to create online identities that could be used to access government services.

This created a bit of a conundrum. We were used to enterprise IDs which could be assigned to employees who had been checked by HR – their personal and work data then entered into a directory, and hey ho, an identity was created. Passwords updateable every 30 days.

But out in the wider world, how do you do the same thing? How do you check the individual? How do you make sure the whole thing is secure? In the UK, the Verify scheme was born. Verify attempted to replicate the assurance needed for secure, fraud-free, online identity to access government services.

Verify wasn’t the first citizen identity, but it is the one I will use as a comparison to discuss commercial digital identities in this article.

Crossing the fuzzy line between citizen and commercial IDs

Digital identity, whether for citizens or commerce, needs certain fundamental things to be of use. These things are the foundation stone of the identity and will determine its value, not only for the service consuming it but for the person it represents. But before we start, let’s look at the ideology of a digital identity.

I remember many years ago, I was in continuous debate with an industry elder who already had many years of experience before I became involved. He taught me that ‘identity’ in both the online and offline context was a construct. Our personal identity isn’t static. Digital identity even less so. We change our identity as we go through life as events occur. Our name may change, our address may often change. Our age changes all of the time. All of the tangible things that make ‘you’, ‘you’, are transient. The intangible won’t be discussed here. Maybe one day we can find the essence of our ‘identity’ but the pragmatist in me will not consider that here.

If we want to make use of a digital identity, we need to be pragmatic. What do digital identities do? They help us to perform tasks. These tasks we will call transactions, but this is a loose term for making a decision and putting that decision to work.

A digital identity then needs:

  • A way of tying a transaction to an individual
  • Some mechanism to consume identity data
  • Some mechanism of reward for consuming these data

Citizen IDs like Verify do all of the above:

  • The service requires data to be asserted by the individual and checked by other ‘trusted’ services.
  • The result of the checks, an assurance level, is then associated with the individual.
  • The whole is tied together with two factors of authentication.
  • The mechanism to consume the data is the SAML 2.0 protocol.
  • The mechanism for reward is being allowed access to government services.
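The relying-party side of the flow just described, as an added example that is not part of the original post and not Verify's own code: a service consumes a SAML 2.0 assertion, reads the assurance level the identity provider asserted, and decides whether that level is good enough for the transaction at hand. The assertion, the issuer and audience URLs and the `urn:example:assurance:*` context URIs are all constructed placeholders, and the example assumes that the XML signature has already been verified by a SAML library before this step; the only stdlib-level checks shown are issuer, audience, validity window and assurance level.

```python
"""Relying-party checks on a SAML 2.0 assertion that carries an assurance level.

Added illustration; not code from the post, from Verify or from Avoco Secure.
Signature verification is assumed to have been done by a SAML library already;
this step only applies the policy checks a consuming service still needs.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (placeholder URLs, IDs and context URIs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2019-03-12T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">pid-4711</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-03-12T09:59:00Z" NotOnOrAfter="2019-03-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://service.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2019-03-12T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:assurance:level2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Hypothetical mapping from the provider's authn-context URI to a numeric level.
# Unknown URIs map to 0 so they can never satisfy a requirement.
LEVEL_OF = {
    "urn:example:assurance:level1": 1,
    "urn:example:assurance:level2": 2,
    "urn:example:assurance:level3": 3,
}

# Two clock values used by the demo: inside and outside the validity window.
SAMPLE_NOW = datetime(2019, 3, 12, 10, 1, tzinfo=timezone.utc)
LATE_NOW = datetime(2019, 3, 12, 10, 30, tzinfo=timezone.utc)


def _parse_time(value):
    """SAML timestamps are UTC with a trailing 'Z'; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_assertion(xml_text, expected_issuer, expected_audience, required_level, now):
    """Apply the consuming service's policy to an already signature-checked assertion.

    Returns (accepted, reason, subject_id, asserted_level). The same assertion
    can be accepted by one service and rejected by another, because the level
    each transaction requires is the service's decision, not the provider's.
    """
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return (False, "unexpected issuer", None, None)

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return (False, "missing conditions", None, None)
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return (False, "outside validity window", None, None)

    audiences = [
        a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if expected_audience not in audiences:
        return (False, "audience mismatch", None, None)

    context = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    level = LEVEL_OF.get(context, 0)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if level < required_level:
        return (False, "insufficient assurance", subject, level)

    return (True, "ok", subject, level)


def check_sample(required_level, audience="https://service.example.test", now=SAMPLE_NOW):
    """Run the constructed assertion through the checks with the demo's defaults."""
    return evaluate_assertion(
        SAMPLE_ASSERTION, "https://idp.example.test", audience, required_level, now)


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"service requiring level {level}:", check_sample(level))
    print("wrong audience:", check_sample(2, audience="https://other.example.test"))
    print("expired:", check_sample(2, now=LATE_NOW))
```

The point the post makes about assurance being contextual shows up directly: the same level-2 assertion is accepted by a service that needs level 1 or 2 and refused by one that needs level 3, and the audience check is what stops an assertion issued for one service being replayed to another.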

The problem, as always, was that the devil is in the detail. The goal of assurance is a hard one to achieve. Assurance is also something that is contextual and means different things to different services. Of course, at this juncture, you will be saying that is why the Good Practice Guides 44 and 45 were created. Even so, assurance and credential requirements in a commercial context are open to various needs – regulatory frameworks being the final say in many industries.

And, in the commercial world, it is not just about assurance and security; it is also very much about usability and customer engagement. There is only one government. If you need a citizen identity to use a government service, you have to hunker down and get one, even if it takes 20 minutes of searching for a loan reference you took out 20 years ago to prove you are who you say you are. In the world of commerce, competition is a strong driver of innovation and demands sweet, neat, easy user journeys.

Commerce needs assured identity but not at the cost of usability. There are ways of having your cake and eating it. And, there are ways of using your citizen identity (that has taken you half an hour to get) commercially too.

But just like it takes a village to raise a child it takes an ecosystem to create a cross-purpose identity service.

Commercial identities need a number of balanced requirements:

  • Friction-reduced journeys, to get customers in and keep them in
  • Flexibility in how people can be checked and in the credentials used with the ID. Flexibility in how IDs can be used (omni-channel support and accessibility)
  • Commercial applications – a reason to have a valuable identity. This is both from the commercial service and the customer viewpoint

In my next article I’ll delve into how we make the transition from citizen to commercial.

Susan has worked for over 20 years in the cybersecurity and digital identity space. She currently holds the position of Head of R&D at identity data specialists, Avoco Secure, based in the UK. Susan’s focus is on strategic development and solution architecture. Core areas of her domain knowledge include the use of technology layer linking, usability, accessibility, and data privacy. Her mantra is to make sure that human beings control technology not the other way around. Susan regularly writes on identity and security at CSOOnline: https://www.csoonline.com/blog/future-identity/