A Proposed New Trust Framework for Physical and Digital Identity Interactions

March 13, 2020 | co-authored by Dan Gisolfi | 6 min read

Identity is a difficult term to define in the cybersecurity world. The range of personal information that can be associated with an identity interaction is highly dependent on the situational context of the interaction. The definition of identity also depends on the context of the medium within which it is exchanged.

In the physical world, when we talk about identity, it’s usually rooted in government, healthcare, finance and other issued credentials, such as driver’s licenses, passports, national ID cards, health insurance cards, car registration documents and more. In the digital world, however, identity is usually rooted in what we have access to — applications, usernames and passwords, accounts and federated accounts.

Why do we consider identity differently in the physical and digital worlds? At the end of the day, isn’t identity any trusted instrument that is used for the exchange of personal information between entities?


Some guiding observations to keep in mind as we look to address this identity dilemma:

  • There is no single identity approach that spans physical and digital interactions.
  • Digital processes and interactions should evolve on top of the frameworks and standards already ingrained within industries, rather than replacing them.
  • A standards-based approach is the underpinning needed to deliver digital trust at scale.

The Need for Identity Across Physical and Digital Realms

As we think about the different mediums within which we exchange identity — e.g. physical and digital — we have yet to truly develop a robust, scalable and portable way to establish trust that adheres to privacy-by-design principles.

In the digital world, this simply does not exist and we’ve defaulted to usernames and passwords. Sure, we’ve made things easier with federation and other approaches, but the fundamental piece of it remains: You need an existing account to establish trust. Having an existing account should not be the default to establish a line of trusted communication.

In the physical world, we are held back by a lack of business process modernization and by the need to move to digital-first interactions. Online banking, e-commerce and other digital services that still depend on physical credentials for enrollment have produced poor onboarding experiences and a higher potential for fraud.

Why not bridge how we exchange identity in the physical and digital worlds? Identity interactions and data representations should work in harmony across both worlds. The context of the relationship will dictate what personal data attributes (or collection of personal data attributes) will be needed. In different cases, these can be self-asserted, peer-asserted or asserted by a vetting institution.

In simpler terms: Anything that we store in our wallets or purses, that we use to access applications through online interactions or that is given to us by a third party for us to use downstream — such as a loyalty card, membership card, education transcript or tax form — can be considered personal data attributes that describe who we are and what we can do. These personal data attributes may also be referred to as identity traits.

A Proposed New Framework to Establish Trust

In response to the above challenges, we have been developing a new framework for handling interactions across the physical and digital worlds that is built on principles of privacy-by-design. We call this approach IdentityNext. Please note that IdentityNext is a term used to describe a proposed approach to identity. It is not intended to be used as a product name or community initiative, but rather our own term to represent identity concepts.

We believe IdentityNext is evolutionary because it can enable us to bridge our physical and digital identity interactions. We already have the mental model and framework for identity at scale through user control and privacy: we exercise it every single day when we use the various credentials stored in our physical wallets and purses. Each of those is based on established standards from ISO, WEDI, ACORD and others. The technologies used to create and print those physical credentials are industry- and standard-agnostic; that is to say, the technology used to print a driver’s license should be the same technology that can print an insurance card, because at the end of the day these two physical credential renderings are collections of personal data attributes. All the standards do is define the common data structure needed for each of those credentials.

This same mental model and framework can be used in our digital experience — it’s not revolutionary. We are not fundamentally changing how we exchange identity, but simply using the frameworks and standards that exist in our daily physical interactions to evolve our digital interactions. Just as we need technology to print a physical credential, we need technologies to help create digital credentials with the fundamental premise of being agnostic to any industry standard and building on open protocols through a community-based approach.


What Is IdentityNext?

IdentityNext is a concept we’ve developed to refer to an evolution in how we think about and view identity across all the interactions we have. Security, privacy, user control, transparency, portability and more are all components of IdentityNext. It is a new framework for establishing trust.

Why IdentityNext?

IdentityNext is a trust model that treats user privacy, security, control and transparency as priorities. For organizations, it can help create trusted relationships with end users through interactions that value and respect their privacy. This creates the ability to grow trust and equity with users while also providing better end-user experiences.

Who Does IdentityNext Affect?

IdentityNext would touch every single entity that wants to perform a trusted transaction with another party. Any entity that needs to exchange trusted data, issue an identity instrument, hold or manage identity, or verify identity would be affected by IdentityNext.

What About Systems of Records?

One thing remains the same and will continue to remain the same: Systems of record (SORs) will never go away.

SORs will remain, but the duplication of what is in those SORs will decrease as we move to IdentityNext. Governance, privileged access, administration, and reporting and auditing for those SORs are still required. The backend components that originate the issuance of a credential will remain the same. The components used to store the data retained after verifying credentials for auditing and compliance purposes will also remain unchanged.

What really changes with IdentityNext is the interaction layer. In the physical world, the interaction layers allow users to store credentials in wallets or purses and present them to verifying (or relying) parties without the verifying party ever needing to “phone home” to the issuer of the credentials. The same experience will manifest in the digital world with the issuance of credentials to the digital wallets of users, enabling them to share and exchange attributes under their control and explicit permission.
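The issue, hold, present and verify flow described above, as an added example written for this page and not code from IBM or from any IdentityNext product: a Go sketch in which the issuer signs only salted digests of the claims, the holder's wallet keeps the salts and values and reveals a chosen subset, and the relying party verifies the issuer's Ed25519 signature against a locally cached key without ever contacting the issuer. The `did:example:` identifiers, the claim names and values, and the `Issue`, `Present` and `Verify` functions are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one claim as kept in the holder's wallet. The random salt
// means the digest of an undisclosed claim cannot be reversed by guessing.
type Disclosure struct{ Salt, Name, Value string }

func (d Disclosure) Digest() string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// Credential is the object the issuer signs: identifiers plus claim digests
// only, so the signed payload itself reveals no claim values.
type Credential struct {
	Issuer, Subject string
	Digests         []string // sorted, one per claim
	Signature       []byte
}

func (c Credential) payload() []byte {
	return []byte(c.Issuer + "\n" + c.Subject + "\n" + strings.Join(c.Digests, "\n"))
}

// Issue takes claims from the issuer's system of record and returns the signed
// credential plus the disclosures the holder stores in their wallet.
func Issue(priv ed25519.PrivateKey, issuer, subject string, claims map[string]string) (Credential, []Disclosure, error) {
	var wallet []Disclosure
	cred := Credential{Issuer: issuer, Subject: subject}
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{hex.EncodeToString(salt), name, value}
		wallet = append(wallet, d)
		cred.Digests = append(cred.Digests, d.Digest())
	}
	sort.Strings(cred.Digests) // canonical order, independent of map iteration
	cred.Signature = ed25519.Sign(priv, cred.payload())
	return cred, wallet, nil
}

// Present selects only the claims the holder chooses to reveal.
func Present(wallet []Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, d := range wallet {
		for _, name := range reveal {
			if d.Name == name {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify runs entirely at the relying party against a locally cached issuer
// key (for example from a DID document resolved earlier). It never contacts
// the issuer and accepts a claim only if its digest is under the signature.
func Verify(trusted map[string]ed25519.PublicKey, cred Credential, disclosed []Disclosure) (map[string]string, error) {
	pub, ok := trusted[cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not trusted", cred.Issuer)
	}
	if !ed25519.Verify(pub, cred.payload(), cred.Signature) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	signed := make(map[string]bool, len(cred.Digests))
	for _, dg := range cred.Digests {
		signed[dg] = true
	}
	claims := map[string]string{}
	for _, d := range disclosed {
		if !signed[d.Digest()] {
			return nil, fmt.Errorf("claim %q is not covered by the signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample data: hypothetical DIDs and driver's-license-style claims.
	cred, wallet, _ := Issue(priv, "did:example:dmv", "did:example:alice",
		map[string]string{"name": "Alice Example", "over21": "true", "address": "1 Main St"})
	trusted := map[string]ed25519.PublicKey{"did:example:dmv": pub}
	claims, err := Verify(trusted, cred, Present(wallet, "over21")) // reveals only over21
	fmt.Println(claims, err)
}
```

The salted-digest trick is the same idea that standardized selective-disclosure formats use, not a spec-compliant encoding. Note the caveat that follows from not phoning home: the verifier's `trusted` map is also the only place revocation can be handled, so a relying party needs a separately refreshed issuer key list or revocation registry rather than a live check with the issuer.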


IdentityNext Is Based on Community Interoperability

As with other evolutions of identity — from centralized to federated and now decentralized — everything we do needs to be built for community interoperability. With federation, we introduced Security Assertion Markup Language (SAML) to provide better experiences with applications within enterprises. For consumer-oriented web and mobile interactions, we created OAuth for delegated authorization and OpenID Connect (OIDC) to layer identity on top of it, still in the context of applications.

As we broaden our scope of identity and consider what is required to exchange trusted personal data across multiple mediums, interoperability becomes even more important. The decentralized identity ecosystem represents a community focused on interoperability standards and open-source code through decentralized identifiers (DIDs) and verifiable credentials, both being standardized at the W3C and both new arrivals in the evolving identity landscape.


When we think about the IdentityNext concept, it is not a rip-and-replace of existing identity infrastructure. It’s not a revolutionary approach to how identity is exchanged. IdentityNext could be the next wave of how all of us will interact, putting each of us at the center of all relationships that span physical and digital interactions. It’s evolving how we transact, simplifying our experiences and building for a world that practices proper data stewardship.


Milan S. Patel
Product Manager, IBM Security
Milan S. Patel is a contributor for SecurityIntelligence.