January 22, 2016 By Dan Gisolfi

Personal Identity Instruments

Today our personal identity is collected, captured and rendered by identity-issuing institutions. The plastic card is the common format used to convey that a trusted institution has certified your identity. However, we all know that this trust model is plagued with fraud issues.

The most common personal identity instrument, the plastic driver’s license, is easily counterfeited — so much so that 39 U.S. states recognized the issue as a pervasive problem. The Center for Immigration Studies also recognized that fraudulent licenses are an easy way for illegal aliens to break the law.

Technology vendors and identity-issuing institutions continue to explore new approaches to make identity fraud more difficult and keep personal identification documents safe, secure and authentic. As history has proven, sometimes the simplest policy change is difficult to execute given our existing paper/plastic identity document model. Recently, several state agencies have decided to go mobile by declaring their intentions to move driver’s licenses to a digital format on your smartphone, according to Move Magazine.

As the shift from paper and plastic to digital identity instruments evolves and matures, there will be pilot projects that are still haunted by security concerns in our current model. Yet these approaches only claim to carry the same level of trust and security as our current physical instruments, the driver’s license and ID card.

It’s time to rethink the construction and issuing of personal identity documents by leveraging mobile devices to make digital identification documents the center of your identity.

Digital Identification Documents

Academic institutions, government agencies and even retail companies rely on card data element standards such as ISO 18013 to provide guidelines for the content and formatting of data stored on machine-readable personal identification instruments. These identity-issuing institutions will expect the same level of industry consistency when they move to mobile devices. But individuals have their own set of requirements around digital identification documents — namely instant access, availability and reliability.

To meet these expectations, we must rethink the entire life cycle of personal identification documents. This new era of digital identification must address transitions across the personal identity ecosystem:

  • Issuing institutions need to manage the life cycle of identification documents in a cost-effective manner while also considering governance processes, user convenience, fraud protection and privacy.
  • Identity documents need to be safe, authentic, secure and accurate.
  • Owners need a convenient mobile offering for their identity documents that safeguards privacy, is secure and provides control over releasing identity information to others.
  • Verifiers need an efficient and secure manner to verify the authenticity of the identity document and obtain information from that document.

This shift requires new technologies to address the issuing, managing and challenging of digital identification documents. This includes offering:

  • Protection against fraud, tampering and counterfeiting;
  • Prevention of fake IDs;
  • Reductions in human errors during validation and governance tasks;
  • Prevention of privacy threats and theft; and
  • Face-to-face identity validation, which reduces broadband dependencies.

Business processes and workflows will be impacted by a move to digital identification documents. There are a number of steps in the typical life cycle that can benefit from the switch:

  • The layout and design of digital identification documents can be created, reviewed and modified quickly and easily.
  • The appearance of existing digital identification documents can be modified and distributed. You can update digital identification documents systemwide all at once.
  • New digital identification documents are generated and pushed out to the owner’s device immediately. There’s no need to create, print and mail a plastic card.
  • Multiple copies of the same digital identification document can be used. An identity owner can have a copy on all registered devices.
  • Digital identification documents can be quickly and easily replaced if a mobile device is lost or stolen.
  • Digital identification documents can be revoked and purged from a device.

An Aberrant Approach

Organizations are attempting to rethink solutions for the personal identity ecosystem. To get started on a mobile identity strategy, IBM recommends that identity-issuing institutions:

  • Perform a cost analysis of the design, production and delivery of cards today. This should include assessing the ecosystem of providers and dependencies.
  • Identify the operational assumptions for the tactical period where both paper/plastic and mobile identity options are available.
  • Spend time examining verifier procedures for the handling of physical cards and mobile IDs.
  • Speak with ecosystem members (e.g., insurance providers, vehicle registration bodies, etc.) to understand how they are proceeding since the pace of adoption will also impact them.
  • Consider a tactical business model for a digital identification document solution. For example, analogous to vanity plates, mobile convenience could be handled as an uplift to offset initial adoption risks and budgetary shortfalls.
  • Approach this technology shift in phases with focused pilots.
