How can we make the transition from citizen to commercial identity?

The second of a two-part guest blog from Susan Morrow, Head of R&D at Avoco Secure and one of our speakers at Think Digital Identity for Government on June 7th.

Posted 13 March 2019 by Lucy Brown

The work done by governments to make digital identity a reality is not a lost cause. We just need to use technology in a smarter way to find common ground so that commercial identities can either utilize existing citizen IDs or use the lessons learned.

The idea of a commercial and a citizen ID being different is somewhat artificial. Both need the same basic things:

  • To know who you are
  • To get some information to do business with you
  • To make sure it is done in a secure way (and in a privacy respectful manner)

The challenges lie in how you get the three tenets above to marry up.

In a citizen ID service like Verify, getting assured to a high level, or in fact even a lower level, can be fairly onerous. You have to present certain data, have that data checked, perhaps present further data, and so on. This has been one of the criticisms of Verify by users.

In a commercial system, if you put barriers in the way of a customer using a service, they simply will not use it. But you do still need the same assurance that citizen ID has – how do we square that circle?

There are ways of doing this. But you need to be flexible, not just in the technology you use, but in the way that you approach the digital identity debate. You need to enter the frame with an approach based on layers. Layers of technology, layers of relationships, layers of assurance.

I said earlier that it takes an ecosystem to create a cross-purpose identity service. There are a number of moving parts in an identity system that can offer an assured, yet usable, identity service that is based on layers of technology – above and beyond the identity provider:

A hub – this can let you piggyback off existing accounts. A hub that offers protocol translation will let customers choose an existing account as a starting point for their new account. This has a number of beneficial factors, including pre-population of forms. But it doesn’t stop there. Your commercial ID could accept existing IDs that are already verified to some degree – using this as a basis for your own assurance. It is also technically possible to use existing citizen IDs in a hub-centric ecosystem.

Uplift broker – These brokers, usually under user control, can draw in attributes from external sources to enrich existing identities or during registration to add data to the customer’s profile.

Rules engine – rules that can be dynamically applied and updated are very powerful in modifying the behaviour of an identity ecosystem. They offer ways of tailoring user journeys and relationships between customer and service that are otherwise hard-coded, making user journeys clunky and onerous.

Event-driven transactions (see later) – having the flexibility in the ecosystem to drive transactions based on events opens up new avenues in the use of an identity. This can be applied across the entire platform from authentication to applying to use a new financial product.

Consent-driven transactions – having a centralised consent engine to manage relationships once an identity is created.

Customer relationships – When you register for a digital identity you need to prove you are worthy of a relationship with the service. By the same token, the service needs to prove it is worthy of your data. But this does not have to happen all at once. Online data checks can be onerous, as many citizen ID schemes have shown. Building a profile, over time, has benefits. Bringing customers in at a low assurance level (using the levels as applied to a citizen scheme) might be the best way, commercially, to engage with a customer. Encouraging the customer to build a relationship with your organization, over time, is beneficial to both parties. Using gamification to build up a profile gets your customer to a higher assurance level without the pain.

Are we just asking the wrong questions?

If we want to truly get that mythical middle ground of usability vs. high assurance, perhaps we are asking the wrong question?

I believe that the question is more fundamental than what is an identity. We need to ask, does a user want an actual digital identity or do they simply want to perform a task? Identify the task and the solution should hopefully fall out of that exercise.

In other words, is this a question about identity or about data?

The issue with the GPGs is that they do not address the task in hand, they just address the assurance level. The building of platforms that allow users to carry out transactions is much more than an assurance level.

On the earlier-mentioned event-driven transactions: Alistair Campbell of HSBC recently presented at an OIX event. At the event, he highlighted a more commercial mindset and approach to the conundrum of using a person’s identity data to perform a task. He proposed the use of an ‘event-driven’ and flexible approach to performing digital actions. If we want to make our notions of digital identity workable in a commercial sense, then this sort of dynamic and flexible way of viewing identity data is a way forward.


A digital identity is, in my view, a misnomer. What we are really talking about is using personal data to create relationships.

In our real-world lives, our ‘identity’ changes over time: we act differently depending on who we are dealing with, events cause changes, and our relationships grow over time; we add layers of trust between ourselves and others, as we go.

We can mimic this and apply the same type of relationship-building ideologies in the digital world too. As in life, what makes you, you, changes over time. Digital identity can be built up and broken down. It can be enriched, and new relationships (services) can be added or removed under your consent. A citizen identity should be part of the wider ecosystem that commercial entities can use if they so wish. What is needed to bring both together, to defuzzify the divide, is flexibility and the use of many types of technology to build a bridge between customer expectations and service needs.

Susan has worked for over 20 years in the cybersecurity and digital identity space. She currently holds the position of Head of R&D at identity data specialists, Avoco Secure, based in the UK. Susan’s focus is on strategic development and solution architecture. Core areas of her domain knowledge include the use of technology layer linking, usability, accessibility, and data privacy. Her mantra is to make sure that human beings control technology, not the other way around. Susan regularly writes on identity and security at CSO Online: https://www.csoonline.com/blog/future-identity/

Image on index page courtesy of Larm Rmah via Unsplash