The Holy Six Commandments of Digital Identity

by David Rihak
on Aug 11, 2020

Frankly, digital identity is miles away from being a simple concept to wrap our minds around. It’s a complex, multi-layered topic where discussions include words like ‘quantum,’ ‘cryptography,’ or ‘assurance.’ The problem is: most people (including politicians & business leaders) have no clue what any of these mean. Not really anyway. On the other hand, it’s hard to cover the topic without talking about social values and cultural as well as legal norms. It’s such a vast topic, and it can be overwhelming.

This is exactly why we need to pick digital identity apart piece by piece and set some ground rules. We need to start with figuring out what to build and only then build it. With such a complex issue, we are unlikely to succeed unless we have a very good grasp of the digital identity cake and what the requirements for its success are.

The biggest problems today still remain online identification, authentication, and generally being able to prove something online.

Let’s start with online identification & authentication and see what needs to be considered when designing identity systems.

1. Security without compromise

The idea that anonymous accounts (e.g. your spam email) don’t need to be secure is ridiculous. It’s like saying you don’t need a door because no one knows where you live. We mustn't mix assurance and security. Just because the email service doesn’t need to know who I am, doesn’t mean I don’t have very sensitive data circulating through my mailing account. It’s not just money that’s sensitive. These days it’s hard to say what is sensitive and what isn’t. Is your spam email full of your shopping preferences sensitive or not? What about your food delivery account with your unverified, but very likely exact home address? Sure, losing your personal information is no biggie for the service, but for you, it may lead to a disaster. This is why we need to start building user-centric identity systems.

2. Privacy-by-design

So we need to have a consent button on our website? No, that’s not the end game for identity. So what does it mean to have an identity that protects privacy by design? To begin with, we need to recognize that privacy and cybersecurity are not always the same thing. At least in scope. Security is usually about “has the service done its best to protect its users?” The problem is that identity is not so simple. If you think about what personal data is, you will find that it’s any information that can be used to directly or INDIRECTLY identify you. In other words, the scope of the privacy-by-design principle actually can’t be treated as a simple domain-specific security issue. It has to do with the whole of your digital identity. It’s all connected. If privacy isn’t treated in all its complexity, you may find that third parties know who you are before you willingly reveal it to them. Sounds exaggerated? When was the last time you came across some weirdly relevant advertisement? This has to do with identity as well.

3. Economically beneficial

Identity is all about relationships. And no relationship lasts if the economic situation is not set in order. Digital identity must be free for its users. That’s clear. But this in itself is not enough. For it to start clicking, digital identity must be portable. When it’s portable, it’s also a cost saver for service providers. Sounds easy? This is one of those topics that can get tricky. If you have a digital identity that saves everyone money and is secure, we’re all good, right? Here comes this little thing we call the LAW, and along with it, culture and politics. If a portable digital identity isn’t recognized, we can wave interoperability and portability bye-bye. This is why public and private leadership must adopt a proactive stance to make functional digital identity happen. At the end of the day, it's a social issue that can have enormous economic benefits.

4. User-centric

This one may sound obvious, right? It must be easy to use. Duh! Yes, yes, but that’s not it. Digital identity should really keep the user at the center of everything, not just from a usability design perspective, but also from an architectural perspective. Picture the last time you used the Facebook login button. Got it? So that’s exactly the way it shouldn’t work. With Facebook, you actually have to go through Facebook every time you use the Facebook login button. This means that from an identity perspective, it’s actually Facebook that’s at the center of all activities, not you. We must really work towards an identity system that can provide the kind of user experience that Facebook logins provide, but without the big-brother resemblance.

5. Time-resilient

This one may seem a bit geeky, but it is nevertheless absolutely vital. Whether we like it or not, a secure digital identity needs cryptography. The issue with cryptography is that it ages. We have to make sure that we consider time for identity systems. Too often, an identity ceases to exist with the expiry of a certificate, i.e., cryptography. This is because identity system designs just don’t know how to deal with this. It may be tempting to say we will deal with it when it comes. But that’s a bit like trying to start coping with a fuel shortage mid-air.

6. Identity Availability

Last but not least, we must realize personal assets are directly dependent on identity and are actually the reason for its existence. It must be a perpetuum mobile. The show must go on. What do we mean? The purpose is that your daily life will not be affected once you lose your “credentials.” And identity makes sure of it. The bottom line is that identity is quickly recovered regardless of the incident’s magnitude.

We can all agree that digital identity is far from embodying a piece-of-cake concept. It is a tough nut to crack. Nevertheless, let’s bear in mind that where there is a will, there is a way. And there is a light at the end of the tunnel. The principles mentioned earlier allow us to chunk this humongous piece of Goliath and tackle it with way less complexity. The established principles can serve us as guiding maps for handling, managing, and above all, building a digital identity that actually works.