In era of changing times, Raconteur: Optimizing digital identity experiences for an accessible future

Digital identity is one of the oldest and hardest problems on the Internet, and it is getting worse.

Although this famous New Yorker cartoon was first published in 1993, it remains true even today. Despite a quarter-century of advances in Internet technology, there is still no easy way to prove online that you are not a dog, are over 18, live at a certain address, graduated from a certain school, work at a specific company, or own a specific asset. These kinds of assertions about ourselves (the identity owner), known in the digital identity industry as claims, are difficult to trust because they are nearly impossible to verify.

Key Challenges

  • Many governments still lack secure and widely accepted ways to authenticate citizens online. This limits government capacity to shift from physical to digital service channels in response to the COVID-19 crisis.
  • Digital identity is not just about authenticating citizens online and signing remote transactions. Emerging use cases and technologies enable age validation in shops, delegation of authority to caretakers, or proof of one’s health status as part of COVID-19 recovery.
  • Governments are not usually good at anticipating public trust and acceptance of digital identity options, or at estimating the true costs and benefits of new technology rollouts in this area.
  • No single approach can ensure successful adoption of digital identity by citizens and administrations. Similar governance approaches can lead to different results in different contexts.

By 2023, at least 80% of government services that require citizen authentication will support access through multiple digital identity providers, e.g., by supporting a bring-your-own-identity (BYOI) model.

The success of digital government is now inseparable from that of digital identity. There can be no real end-to-end provision of digital public services without trusted citizen authentication or identification. At the same time, designing digital identity without understanding the citizen experience during the life event or service that requires digital identity use is a pointless exercise because it will lead to disjointed efforts and low adoption.

Citizen digital identity has the potential to transform trust and safety because its impact extends beyond traditional authentication for online services and electronic signatures. But many governments are slow to factor the wider implications and use cases into their plans for digital identity:

  • Privacy-enhancing technologies. Companies rely on and welcome trusted government credentials to vet users. But governments have been slow to adapt traditional credentials like personal ID cards or drivers’ licenses to the digital age. Few schemes support zero-knowledge proofs, such as those to validate your age without disclosing your date of birth (see “Hype Cycle for Identity and Access Management Technologies, 2019”). Austria’s new digital identity scheme E-ID has piloted age validation via smartphone app.
  • Digital wallets and BYOI. Citizens use a growing number of digital IDs for online and offline transactions. The resulting convenience and security challenges can be addressed through interoperability schemes, user-managed digital wallets and BYOI approaches. In Canada, SecureKey Concierge allows citizens to use their online banking log-in to access selected government services.
  • Delegated access. Digital identity can help address digital access gaps, for example by creating possibilities for assisted access, delegated authority or digital powers of attorney. The French government is piloting use of digital identity to let social care workers assist elderly people in accessing digital government services.
  • Smart objects, bots and Internet of Things (IoT). Governments need to anticipate the use of smart and autonomous objects (IoT) to execute transactions on behalf of citizens and in other contexts. Emerging pilots are exploring identity options for connected devices in smart cities and digital twins.

Assess Your Options, Knowing There Is No Panacea

A widespread misperception is that digital identity for citizens requires the use of so-called “electronic identity (eID)” cards (enhanced personal identity documents). In fact, a range of alternative options exist and are being practiced.

  • Who is the provisioning authority? Government or non-government actors from the wider digital identity ecosystem. Government-provisioned digital identities are further differentiated between:
      • Primary official identity in the form of an electronic ID card, passport, driving license or other type of universally accepted identification.
      • Secondary official identity, i.e., a digital identity provisioned by government that is not a universally and legally accepted means of identification.
  • What is the mode of provisioning digital identity? Direct (provisioning authority is provider of identity services) vs. federated (provisioning authority is a broker of identity services, which means it doesn’t issue identities but acts as an intermediary among identity providers, service providers and citizens).

Digital identities do not need to be provided by a single entity, such as a government authority or a business. The digital identity ecosystem is seeing the emergence of self-sovereign or decentralized identities, often based on blockchain implementations (see “Innovation Insight for Decentralized and Blockchain Identity Services”). An example is Verified.Me, which is used by businesses in the United States to identify customers — but not accepted as a digital identity by government organizations at this stage. Avoid being a first-mover if your public sector organization’s digital maturity is low.

Balance Security With User Convenience

Trust and security are critical for the success of digital identity. But governments sometimes miss getting the balance right between building a secure digital identity infrastructure and offering citizens convenience in using those services.

Government CIOs can follow established practices to balance security and user convenience in meaningful ways. A proven approach is to adopt different levels of security and identity assurance, depending on the type, value and risk of the transaction.

A three-level identity assurance framework, following the European eIDAS regulation and approximating U.S. NIST standards for digital identity, could look as follows:

  • Level 1: Low-value/risk transaction where user convenience can take precedence over security. In Argentina, citizens can use social IDs by Facebook or Google to book appointments with some public authorities.
  • Level 2: Medium-value/risk transaction where user convenience and security should be balanced. In France, citizens can use FranceConnect to submit tax declarations, check the status of healthcare reimbursement claims or sign up on local electoral rolls (see Note 2).
  • Level 3: High-value/risk transaction where security should take precedence over user convenience. Estonia lets citizens vote online for the national parliament, provided citizens use one of the two digital identity schemes cleared for this service: National eID card or Mobiil-ID.

A single digital identity scheme can support various levels of security and convenience. Digital identity schemes like MyGovID in Ireland, SPID in Italy or RealMe in New Zealand offer different levels of identity assurance, depending on the credentials citizens provide and on the security needs of the transaction.

Build a Sustainable Game Plan for Digital Identity Progress

Government CIOs can follow a sequence of steps to make progress on citizen digital identity:

  • Build a shortlist of digital identity options you want to offer citizens. Examine what works and what doesn’t, nationally and internationally. Do this to make assumptions about what could work best in your context.
  • Look for outside partners. Government is not the sole authority to issue digital identity. Scout potential partners and scan their digital identity services. For example: How are banks in your geography vetting users for online onboarding and transactions? Established partners can be a valuable help in responding to urgent digital identity needs such as in COVID-19 response.
  • Formulate assumptions. There simply is no certainty about what will eventually work in your context. Consult end users, create personas and explore use cases that integrate digital identity. Create citizen journey maps to visualize your assumptions about the use cases.
  • Test assumptions with real citizens. Use human-centered design to explore and observe how pilot users are responding to the suggested digital identity scheme. Leverage real-life use cases, e.g., using digital identity to request social benefits payments. Observe pilot user behaviors and use the feedback to iterate the prototypes.
  • Do not rely on just a single option. Avoid fixating on a single scheme because it might turn out to be unacceptable to citizens or different parts of the administration. Instead, trials for different options will give you flexibility before making final decisions. A hypothetical set of options to pilot could look like:
      • Option 1: Direct provision of digital identity by government, e.g., a digital driver’s license.
      • Option 2: A government-brokered scheme where public and commercial identity providers are interoperable and citizens can choose their preferred identity service.
      • Option 3: Establish trusted partnerships with commercial identity providers, e.g., banks or telcos, to let citizens use these known services to also access digital government.
  • Avoid big-bang rollouts. More mature governments gradually develop and procure digital identity. In times of urgency you will have to act swiftly by partnering with established identity service providers. In parallel, you can explore other options that require bigger investments. Avoid single large-scale procurements from the start. Instead, do a first tender to explore the acceptance and viability of different options before tendering a full-scale rollout. Make those final rollout choices only after you have piloted and explored different options — in the context of real-life use cases and with real citizens.

In a context of government-to-citizen service delivery, we can distinguish three definitions of digital identity evolving over time:

  • Retrospective: Digital identity as a collection of services, capabilities and schemes that allow electronic identification, authentication and signing in the context of government-to-citizen service delivery.
  • Contemporary: Digital identity beyond authentication and identification. This encompasses advanced, privacy-enhancing technologies that allow citizens to selectively share information, prove eligibility without disclosing personal information (zero-knowledge proofs), delegate authority between individuals, and make use of identity outside of government service boundaries.
  • Future-oriented: Digital identity as the convergence of physical and virtual identities. Complete sovereignty over digital identity becomes possible, but the question remains: Who exactly will have the power to execute that sovereignty — and over whose digital identity?
