In a provocative presentation entitled 'Designing Identity 3.0 to fix a broken identity system', Paul Simmonds, CEO of the Global Identity Foundation, said that digital identity is usually defined by IT, but is divorced from business requirements - including security.
Speaking at the Identity Management 2014 conference in London on Wednesday, Simmonds - a co-founder of the Jericho Forum - said that the problem with establishing identity in the digital world is that most user information, assuming it is used, is not authoritative.
"We have to enable the risk decision [process] into a binary," he explained, referring to the fact that translating the security/risk equation from the real world into program code is not the easiest of processes.
And, he told the audience, with the Internet of Things (IoT) on the near horizon, the IT security industry has to solve many problems in order to implement them reliably.
The key problem, he says, is that digital identity has, to date, failed miserably, as witnessed by the failure of the UK national digital identity scheme. Even the Germans, he adds, have not succeeded in this area, as their digital ID program is now only used by the government there on a small scale.
And then we have the challenge, he went on to say, of whether the Chinese – for example – are prepared to accept a US-issued digital ID, and vice-versa.
The bottom line, says Simmonds, is that we spend our digital lives dealing with secondary attributes on the digital identity front, rather than the primary ones.
Identity 3.0, he adds, will centre on managing risk.
Just to make life even more challenging from a security perspective, Simmonds - who is on the Executive Advisory Board of ISSA UK - predicts there will probably be no single body that is truly issuing a digital identity on a global scale in the future.
And then, he explained, there is the risk associated with allowing a state entity to possess your digital identity.
A national digital identity success
Whilst several speakers at the Whitehall Media Identity Management conference cited the example of the UK's national ID project as indicative of the security and technology challenges involved with these types of schemes, two representatives from the Belgian CSAM national ID project, which has been a rare success, drew the largest applause of the event, as they explained how secure digital IDs have simplified eGovernment in their home country.
Jan Vanhaecht and Wouter Debecker, a CSAM architect and a CSAM service owner, respectively, in Belgium, explained that the country is actually three regions rolled into a single country: There is the Flemish-speaking Flanders, the bi-lingual Brussels region, and the Walloon region, which is French speaking.
Coupled with the fact that there are multiple regional and local government agencies to deal with, Vanhaecht said that a single national smart ID card has allowed the citizens of Belgium to interact across language and regional boundaries, with multiple government agencies.
The end result of this, Debecker explained, is that the smart card is a unique identifier that allows Belgian citizens to make online bookings with a high degree of security, as well as authenticate themselves with government agencies that they may not have dealt with before.
For some years, he said, Belgian government agencies have increasingly been offering online services to citizens and organisations. The 'e-loket' online office windows of municipal councils, and the tax-on-web and inter-VAT systems - through which businesses can transfer VAT online - are all examples of this.
E-government, he went on to say, offers many advantages, as long as users' identities are verified, so ensuring that the appropriate person gains access to the application used by a given organisation.
In Belgium, said Debecker, there are different types of governments, each providing its own set of services: there is the federal government, as well as provincial government, and governments of communities and regions, along with local and municipal councils.
Since each government agency has its own way of controlling access to its applications, he added, things can get complicated for users. And this, he explained, is where the Belgian digital national ID project enters the frame as a real solution.