One world, one key: The growing urgency for a common digital ID

Innovation has made communication, information gathering and payments digital, portable, fast and automatic — a fundamental reordering that has revolutionized how people and companies engage with each other and the world.

The problem is, that revolution's got a big hole: Digital identity. As ID technology automatically embeds in layers of apps, programs and devices, users will spend less time actively authenticating themselves. So the goal becomes the problem. The more authentication gives way to standardized pre-registered virtual keys, the harder it is for the world to know who we are with absolute certainty.

The digital ID market has massive potential, but also many fundamental problems that must first be overcome. Among them: The companies best positioned to provide a viable digital ID platform are not the ones best positioned to benefit from it.

Who governs digital identity?

There is one common point of agreement, however: The physical keys and static passwords that identified us until just a few years ago are anachronistic, overused, and unsafe. The objective is — or at least should be — to build one virtual key that lets the entire world know who you are. A key that brings a billion new people into the financial system, that shortens lines at grocery stores and airports, that combats data breaches, that effortlessly swims from one app to another, and can’t be duplicated or stolen.

For any digital ID initiatives to be successful, recurring identity — or the largely invisible authentication that launches for the millions of repeat users that engage the app economy — has to be trustworthy and recognized. And without a global ID project, which is unlikely, the parties that are supervising the varied initiatives will need to agree on standards that universal ID projects will have to meet.

Digital identity takes on a greater importance for 2019 and beyond because a new generation of retail advancements, financial inclusion, heightened security risk, and rapidly expanding cross-border finance require low-touch transferable ID.

And there are fundamental day-to-day tasks that are different than just five years ago, and not easily secured by traditional authentication. Hailing a taxi happens on an app instead of waving one's hand. Paying for that ride happens simply by walking out of the car instead of fumbling around for cash. Accessing a television program comes through a streaming subscription instead of a remote. Booking a flight, checking into a hotel and checking out happen on a mobile device. Even shopping at a grocery store can happen without a cashier.

There are literally dozens of technology approaches, with new innovations constantly being introduced. For example, a universal digital identity refers to an ID that's recognized across a network of relationships and doesn't require repeated sign-in. Self-sovereign ID, which is supported by the Sovrin Foundation, is a decentralized model for ID that supports user control, so that proof of ID can be shared with other parties. Another option, ID as a service, stores credentials in a cloud to support single sign-on and access controls.

The goal of digital ID is well on its way, but the market so far is messy. Each sector's interests are not aligned; the companies that are best positioned to create a common digital ID aren't the most motivated to implement it or profit from it. And the implementations that exist today aren't necessarily compatible; government jurisdictions such as Singapore have electronic ID systems, and banks and large technology companies have long developed what they claim is flexible electronic identification.

More than 120 countries have digital passports and more than 60 countries have national ID cards, according to Gemalto. The approaches to digital identity differ enough for organizations such as the World Bank to call for collaboration on standards. The issues at hand are enough to demonstrate that not only do digital identity projects use different technology, but they can often result in different outcomes based on the party driving the project. The World Bank calls for deliberation over who creates, controls and benefits from the information, with a particular focus on upholding personal rights and the adoption of shared principles, standards and practices.

Distributed ledgers such as blockchain have already shown promise for security by distributing vetting across a network rather than a centralized authority, but also have shown vulnerabilities from hacks of cryptocurrency networks. And banks and other large enterprises have long been reluctant to use large multi-tenant public clouds for operations that involve user data.

The challenge and complexity of universal identity is daunting, enough to keep many companies on the sidelines.

Digital ID's price tag

“We don’t have a controlled experiment yet with new digital ID systems, but we do have cashierless stores, and currently the lack of some sort of ‘uber’ digital ID isn’t a huge impediment to payments. Would better and more convenient digital ID solutions help? Absolutely. Is their absence a show-stopper for payments? I don’t think so,” said Eric Grover, a principal at Intrepid Ventures.

Diagnosing the problem is easy. The treatment, however, is not. A digital identity standard needs to be automated, work in different places on different devices, and be interoperable with other digital ID systems. But there is a vast disconnect between those that need a solution and those who would offer it.

“Right now, users are locked into using separate ID systems from large companies like Apple, Facebook, Google, etc., which doesn’t benefit users,” said Gee Chuang, co-founder of Listia, a Sunnyvale, Calif.-based digital marketplace. Chuang sees a widespread need for a better way for payments industry participants to collaborate on authentication solutions.

He foresees a surge in capital and corporate development in digital ID solutions as urgency increases to upgrade today’s disparate patchwork of costly, inefficient systems with their competing — and increasingly confusing — processes to authenticate users for commerce and other routine operations.

Companies such as payment processors, financial institutions and governments are all taking a swing at solving the problem. But there are headwinds. Financial institutions have proprietary concerns. Regulations such as the data-sharing GDPR and PSD2 are seen as catalysts for digital ID, but not all stakeholders may see it that way. Both rules provide compliance challenges, and are often more popular with fintechs than banks.

“Investor enthusiasm for developing digital ID solutions has waxed and waned in recent years,” said Grover, noting that the existing payments authentication systems took years to evolve and are now “baked in” to the present ecosystem, despite their flaws and exposure to fraud.

But there is both a carrot and stick for faster movement in the near future. The barrage of data breaches over the past few years often involves ID compromise or manipulation. Though Visa earlier this year estimated it will take at least five years to phase out deeply entrenched use of fraud-prone passwords, the need for consumer-controlled, security risk will attract interest from technology investors and fintechs.

“The lack of a digital identity infrastructure is a fundamental friction in payments, and as the cost of coping with fraud, compliance and risk continue to rise, so is the pressure to do something about it,” said Dave Birch, global ambassador for Surrey, England-based Consult Hyperion.

Finding broad solutions to satisfy all parties will be challenging, but intensifying government mandates to strengthen customer authentication and guard consumer data could catalyze enterprise-scale development.

The growth of blockchain as a popular method to streamline financial transactions could also push digital identity. For example, Nuggets, a U.K. startup that came out of that country's regulatory sandbox, has built a blockchain system that uses biometrics for payment login and ID verification, but does not store user data. Merchants access Nuggets through an API and consumers via an app.

In many countries, the path to digital ID is through the government. In addition to Singapore's ID — which supports parking, building access, transit and other services — larger countries are advancing similar schemes. France's national digital ID is scheduled to launch in the fall of 2019, and includes the IDEMIA CloudCard+, which uses strong authentication, digital signatures and biometrics. Canada's national ID system will be paired with open banking to improve communication between banks and third parties.

And the ID2020 initiative aims to use digital ID to boost financial inclusion, noting World Bank figures that show more than 1 billion people do not have a reliable ID. The ID2020 initiative, whose supporters include Accenture, Microsoft and the Hyperledger project, plans to use blockchain and the wide availability of smartphones to build sharable identity.

The government-backed digital ID projects usually build off of national ID cards, which have existed in some countries for decades. In the U.S., opposition to nationalized identity comes from both sides of the political aisle, which likely leaves digital ID to non-government players.

“In the U.S. it would be hard for government to mandate participation in a national digital ID system with a free-market economy, and all the various privacy and data-security issues,” said Ali Raza, managing principal with Atlanta-based payment consulting firm Blue Leviathan.

There are corporate initiatives underway from U.S.-based companies that, while global, present both promise and potential pushback for digital ID. Mastercard and Microsoft announced this month a collaboration to develop a universally recognized digital identity service, followed by this week’s news that Barclays is working on a self-sovereign identity solution with Evernym.

Barclays is backing Evernym, which leverages distributed ledger technology for Sovrin. In a 12-month test, Evernym is experimenting with its solution with Barclays, the Red Cross and Irish Life, an insurer with other financial services.

In the non-profit financial market, CULedger, a consortium of credit unions, is developing MCUID, which uses credit unions' traditional model, which resembles a distributed ledger, to share digital identity.

These companies have more in mind than just ID. Creating a standard for ID could, in the case of Mastercard, add another standard to the card network's "single button" for online payments. That gives Mastercard greater control over enrollment and the data analysis and marketing benefits that result from that. That makes any card network move toward standards a potential rival to PayPal and other fintechs.

“Banks in Europe that are being forced to implement strong customer authentication and KYC/AML processes should look at turning these costs into a platform for new businesses in the identity space,” Birch said.

This mix of participants — bank and non-bank, fintechs, profit and nonprofit — ensures many ideas will emerge in the coming year. As has been the case thus far, that diversity has made digital ID a global issue with the potential to expand financial inclusion, promote digital commerce and improve security. But it also means there's still much work to be done to bring the different parties together to make sure seamless ID's development is also smooth.
