ID Systems & Services
Regulatory compliance, combined with globalization and the online nature of business today, has made identity management a major issue. One of the biggest problems in preventing fraud is being sure that the individuals participating in a transaction are who they say they are and have the authority to approve and carry out the transaction. Authenticating participants who present themselves via a multitude of platforms, such as the Internet on PCs and laptops, mobile phones, smart cards, etc., is becoming increasingly difficult.
Watching the body language of shoppers is a classic way of spotting fraudsters in shops, but it is no good on the Internet, where no one knows you're a dog, as depicted in Peter Steiner's famous 1993 cartoon. Ideally, each participant would have a verifiable Digital Identity (ID) proving that they are who they say they are. Digital IDs are needed for authorising payments, document signing and controlling access to many corporate systems.
However, digital IDs raise many issues:
- what constitutes "identity" and who makes certain that you really are who you say you are?
- has the initial due diligence by the Certification Authority (CA) to identify and authorise the individual ID holders been carried out consistently?
- who manages the identity and how is it validated?
- who provides liability coverage if something goes wrong? And how are disputes handled and who has responsibility for managing them?
- how and where can the identity be used?
- is the identity non-repudiable?
- is the identity legally binding?
- does the identity meet regulatory requirements?
- how easy is the identity to hack, spoof, phish or pharm?
Digital ID standards and services are now in place for:
- establishing or vetting the individual's identity
- storing the individual's digital ID
- validating the ID and the authority of the individual for each transaction
- auditing the trail of transactions the individual has carried out.
Theoretically, digital IDs can be used in any type of transaction where full proof of identity is needed. They enable electronic document signing, the elimination of paper-based forms and processes, and the use of browsers on the Internet with real-time identity validation. Digital IDs will also allow corporation staff to digitally sign files at both the company and individual levels to create non-repudiable transactions that are legally binding and globally accepted. As IdenTrust put it, "A single identity: One ID, One Password. One you," but we are a long way from this.
A new era is definitely beginning. However, for digital IDs to become generally accepted, a Public Key Infrastructure (PKI), the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates, will be required world-wide. This will take an awfully long time to put in place. It will probably require governments world-wide to drive the development of the required PKI.
Main Developments
The main trends in the development and use of digital IDs include:
- governments, e.g. the UK's HM Revenue & Customs Secure Electronic Transfer online service, exchange information securely using digital signatures and encryption certificates
- a small but increasing number of banks are offering digital ID issuance services enabling corporate clients to sign digitally and approve payments
- notaries have standardised on Adobe's LiveCycle Document Security.
There are three types of digital ID services available: general digital ID management services from third-party providers, general identity systems and services, and services from cash management banks.
But the key issue in implementing and using digital IDs is that only a few companies, governments and banks accept them in business transactions at present.