A hitchhiker’s guide to the identiverse

Will identity-as-a-service be the next banking business model? Will self-sovereign identity solve the paradigm of security versus ease of use? These and other questions will be explored on the Innotribe stage at Sibos. Alex King probes the outer reaches of verification technology for an ethical solution to who owns our digital selves

How many times have you read an article that opens with the tired old maxim that ‘our identities are increasingly formed online’?

It’s reached the point of linguistic exhaustion as our digital identities have flourished across the boundless space of the internet. Sometimes we’re offered a poignant reminder of the almost absurd nature of the networked lives we now lead. Summing up our fully-fledged digital selves, philosopher Srećko Horvat wrote: “If you want to have a job, you have to be connected. If you want to maintain friendships, you have to be connected. If you want to go on a date, you have to be connected.”

The username-password model was built into the fabric of our digital experience with the launch of the first email accounts, but the compulsion to sign up, log in and upload our identity has reached fever pitch in the last decade, as websites and apps demand we create additional siloed representations of ourselves in exchange for access.

Most use personally identifiable information (PII) to share and monetise consumer data through their back end. PII cuts to the core of who we are, which is precisely why it’s so valuable for marketing purposes. But by onboarding with scores of sites, services and tools, the average person now juggles dozens of disparate identities and maintains a dizzying array of verifiers to fire over the internet, simply to prove who we are.

This, then, is the present-day ‘identiverse’ across which we map our lives. It’s a system and structure powered by the commercial value of data and guarded by initiatives such as the General Date Protection Regulation (GDPR) which, for the first time in history, established privacy as a human right.

But data privacy is only one of the pressing contemporary debates. Identity is also about inclusion and exclusion – about ethics, human rights and bias-conscious technology. Importantly, it’s about who owns and trades our data – and who we can trust to store that sensitive personal information securely.

That’s where financial institutions enter the picture. If data is the ‘new oil’, then who better to trust with our share of this valuable commodity than banks, which are already the custodians of our physical wealth? As trusted brokers in identity, banks may be the best initial experimenters in the developing identity-as-a-service (IaaS) space.

An IBM report into the future of identity, published in 2018, suggests that banks are well-positioned to do just that. IBM’s survey of thousands of adults around the world found that nearly half would trust a major financial institution (FI) with their biometric data – a key emerging technology in the identity authentication space. By interesting contrast, only 15 per cent of respondents said they would trust a major social media site with such data.

If such findings indicate FIs ought to wake up and smell the identity-infused coffee, there’s no better place to brew up the beans than the Sibos Conference. Its famously future-facing Innotribe Stage will this year be plunging the press on identity, percolating answers to the most pressing questions of our time.

Debating under the gaze of a giant model jellyfish, Innotribe speakers will be gathering up the many tentacular strands that connect to the bulbous body of the identity industry: privacy, payments, know your customer (KYC), authentication and issues surrounding usability and trust.

With identity a crucial element in verifying payments, risk-assessing new banking customers, authenticating online banking logins, and enabling consumers’ financial data to be shared across banks and fintechs, banks are already deep in the identiverse. The question for the 2020 is simple: will IaaS be the next banking business model?

One speaker attempting to answer this question at Innotribe will be Ghela Boskovich, founder of FemTechGlobal and a global fintech influencer. As she explains, the concept of identity is currently entangled with crucial issues regarding data ownership in the digital age.

“Data is the fuel of the digital age, and the owners of that data literally have the keys to the future,” she says. “Right now, the crux of the identity debate is centring around ownership and control. And we now recognise that individuals own and should be able to control the access to, and distribution of, their personal data.”

That’s been a big step in recent years, driven, in part, by the sea-change brought about by GDPR and open banking. Consumers are also more enlightened than ever about how their data is monetised, and increasingly suspicious of the tech firms that have proven, in the Cambridge Analytica scandal and elsewhere, to be careless custodians of their data.

But privacy comes at a cost. The choice, at present, appears binary: convenience and ease, or privacy and security – but (for now at least) rarely both. Little has changed since Edward Snowden remarked at a SXSW (South by Southwest) event back in 2014 that consumers “have to choose between a service that is easy to use and reliable and polished, and a tool that is highly secure and impossible for the average person to use.”

Reconciling security and user experience is therefore a huge priority for the future of identity – in the banking space and beyond. That’s certainly the view of Eric Sachs, another Innotribe speaker, who has 25 years’ experience in the identity industry, including a leading position in Google’s security team.

“Friction has been a major market force driving innovation in consumer login systems but, unfortunately, reducing that friction has generally had the side effect of reducing security,” explains Sachs.

“Enterprises are increasingly concerned about the public relations or regulatory risk of security incidents that leak consumer data. However, that has led many to deploy login security approaches that are unnecessarily heavy-handed and have very poor usability,” he says.

Into the void between companies’ binary options fall considerable profits, as customers high-tail towards providers that offer login systems they prefer.

Many outside observers might, at this juncture, point to emerging biometric technologies as the arriving cavalry, galloping opportunely into the centre of our attention as traditional verification systems stall and flounder.

Heralded by some as the ‘death of the password’, biometrics comprise those technologies that use our unique biological features to confirm that we are who we say we are. Users of the iPhone will, for instance, already be familiar with fingerprint and facial recognition technologies that allow them to access their devices and there is increasing interest in voice recognition in financial services.

In 2017, the US Department of Commerce released a set of Digital Identity Guidelines that praised the use of biometrics in phones. Crucially, though, the paper recommended this be the only place they’re used. At present, biometrics are less a solution to the impasse in the identity verification space, and more a novelty way to unlock our devices. There is a notable exception – in China, facial recognition technology is being increasingly adopted by high street retailers for customers to ‘pay with a smile’ through Ant Financial-owned Alipay. It’s even announced it will be filtering the face that smiles back at you following feedback from consumers that the ID checker made them look ugly.

Recent use cases only serve to justify the position taken by the Department of Commerce. Facial recognition software – already notorious for racial identification flaws – was used at last year’s Champions League final to spot known troublemakers. After the event, it transpired that 92 per cent of those detained were false positives.

The state of Illinois also recently passed the Biometric Information Protection Act (BIPA) – currently the only law that specifically requires companies to acquire explicit consent to collect biometric information. A Six Flags amusement park was subsequently successfully sued for using fingerprint technology to issue tickets without giving visitors an opt-out.

Sachs also explains why biometrics cannot, presently, kill off the password.

“Let’s says you have an iPhone that gets broken, and you buy a new one,” he says. “To add your accounts on the new iPhone, you won’t be able to use biometrics because they were all stored locally on your old broken phone. You’ll still need passwords to your Apple account to set up the new phone. That is just one of the many edge cases that still require passwords.”

While the use of facial recognition by Alipay in China might be benign, state use of biometrics both there and in India has been subject to sustained criticism since the technology’s introduction. If biometrics present  ethical and technological problems, then where does the solution lie?

One source of hope and expectation in the identity industry is coming from something less sci-fi than biometrics but arguably far more ingenious: self-sovereign identity, or SSI. To understand the paradigm shift promised by SSI, we spoke to another Innotribe speaker – Kaliya Young, better known in the identity sphere as ‘Identity Woman’.

Young has been a central trailblazer in SSI, and co-authored an authoritative book on the subject titled A Comprehensive Guide to Self-Sovereign Identity. Fast Company magazine named her ‘one of the most influential women in tech’ after her 15 years of theoretical and mathematical grappling with the problem of who we are.

SSI places the individual in the centre of their own identiverse, with control over exactly what data they share with the digital galaxies they visit on a regular basis. As well as being a more efficient form of authentication, SSI steals back control of our online identities, as Young explains.

“The current paradigm that’s in everybody’s head is that ‘I get identity from other things. I get a student number from my institution. I get a phone number from the phone company. I get an email address from Google, Yahoo or Microsoft’.

All of these identifiers are given to us by someone else – and therefore can be taken away by them,” she says. “The new, emerging decentralised identity says ‘no – you generate your own identifiers in an infinitely large space of magic math, and you use those decentralised identifiers as anchors for different credentials’.”

Decentralised identifiers (DIDs) are the key to self-sovereign identity.

Stored in a digital wallet, they come with two keys: one public, and one private.  In order to verify an identity, institutions are able to mathematically challenge an individual’s public key, and work out from that challenge whether or not they are the owner of their private key – all without an individual’s private key being shared.

“I always wave my hands and say ‘look at the fancy math!’” says Young. “It’s a little counter intuitive because physical things don’t work like that. It’s best described as a new language, a new set of protocols – like we just invented HTML,” she says.

Fancy mathematics to one side, the SSI system, according to its leading proponents, may just be the way in which banks and financial service providers overcome some of the key challenges they’re facing – whether in the fight for simultaneous usability and security in onboarding, or the battle to tackle financial fraud.

Identity fraud, remember, costs the world $35,600 every minute. Elsewhere, confusingly complex onboarding processes, including regulation-enforced know your customer (KYC) protocols, drive consumers away, just as much as the data breaches that convenient and frictionless login systems can lead to. The combined cost of these two forces for FIs is incalculable – but significant enough to encourage banking executives to sit up and take notice of SSI.

“It’s much more secure, cheap and fast – 10 times better than what banks are using right now,” insists Young. “The early adoption use cases within the banking sector use verifiable credentials issued to customers as a way to do authentication when they ring a call centre. This avoids the ‘what’s your mother’s maiden name?’ question and uses the credentials in their digital wallets instead. They use the magic of cryptography to prove you’re the same person. It’s way more secure and you’re way more in control.”

This element of emancipatory control – with one’s digital identity owned by you instead of an intermediary like Facebook or Google – touches back upon Boskovich’s interests in ownership and self-determination in the identity space.

As industry players such as Boskovich are keen to point out, the UN and World Bank have prioritised the creation of a legal digital identity for all as a Sustainable Development Goal to achieve by 2030. With only 55 per cent of the world online and nearly two billion individuals technically lacking identity, achieving this goal will be a mammoth undertaking for the world’s supranational organisations.

In a commercial sense, the increased proliferation of digital identities will mean ‘banking the unbanked’ in untapped regions of the world. And in human rights circles, the same undertaking will uphold Article 6 of the Universal Declaration of Human Rights: the right to recognition everywhere as a person before the law.

“Southeast Asia alone has 438 million unbanked people, which is 73 per cent of the entire population,” Boskovich asserts. “According to a study done by McKinsey, reaching the unbanked population in this region could increase its economic contribution from $17billion to $52billion by 2030.”

That’s a pretty compelling economic argument to justify plans to provide digital identities to markets outside the western world. Equally compelling is the argument that business models and policies to encourage participation – in bureaucratic and economic identities – will help the world’s most vulnerable people, balancing out some of the inequalities currently written into the global identity industry.

“But for banks to validate identity well, and to do it ethically, we have to start designing business models and products that onboard the unbanked and the underbanked. And, for those who don’t buy the human rights reasons, we need to highlight the business case for doing it right, too,” says Boskovich.

This summer, Facebook published its eagerly anticipated white paper on its forthcoming Libra cryptocurrency and  Calibra digital wallet. One of its central claims, to ‘bank the unbanked’ and create ‘decentralised identities’ eerily echoes the aspirations of Young and Boskovich.

It’s possibly too early to tell how the scheme will play out, though author and futurist Daniel Jeffries may represent the majority perspective in his label for Facebook’s long-awaited initiative: panopticon money.

“I’m suspicious of it,” Boskovich agrees, “primarily because corporations should not be the commercial owners of identity. From an inclusion perspective, it’s an interesting experiment, since more people have Facebook accounts than bank accounts,” she says.  “But Libra is being compared to ETFs (exchange-traded funds), which would require regulatory oversight and KYC standards. So, if it’s ultimately regulated like an ETF, those regulatory requirements render the ‘inclusion’ argument moot. People will still have to prove identity initially to do Libra transactions.”

Having previously described Libra as ‘very world domination-ish’, Young is confident that the social media firm isn’t about to wrench the reins from the community that has been doggedly directing the direction of travel for fair and fast identity systems over the past two decades.

“Identity is too big to be owned,” she says, “just like the web is too big to be owned.”

Whether Facebook’s intervention in the identity industry will be the era-defining change many in the identity authentication space have been waiting for remains to be seen. What’s clear is that the work going into solving this increasingly pressing problem isn’t happening inside the halls of Silicon Valley GAFAs (Google, Apple, Facebook and Amazon) – it’s happening across disciplines and industries.

Horvat concludes his critique of digital connectivity by stating what may be the crux of identity in an increasingly connected world – that being inside one’s own identiverse is itself a requirement of modern life. “If you are out of the circle,” he argues, “it’s as if you don’t exist.”

If nothing else, the discussions at Sibos’ Innotribe stage should rally around that core idea – that we should all have access to digital identifiers that we own ourselves.