2021 was an exciting year for digital identity, but what can we expect in 2022? In this post, John Erik Setsaas predicts this year's major trends and buzzwords.
1. What will be the buzzwords of 2022?
- Identity wallet
- Decentralized identity
- Web 3.0
2. What has been a big industry takeaway from 2021 that we will see more of in 2022?
Decentralized identity and web 3.0
- The Self Sovereign Identity (SSI) movement started some years ago in response to declining trust in central authorities and to the large-scale collection of data about what people do online. With the announcement of the upcoming eIDAS 2.0 revision and its focus on the digital identity wallet, the emphasis on decentralized identity has increased, especially since eIDAS 2.0 requires EU member states to offer a free digital identity wallet to all their citizens.
- In a digital identity wallet, people can store digitised documents and verifiable identity information (credentials signed by their issuers) from different sources. You hold the wallet and its contents, so you decide which information is shared with whom; the relying party can still trust each disclosed attribute because it verifies the issuer's signature rather than taking the wallet's word for it. The main goal is to give the user control over what is shared, depending on the context and on what the requesting organisation actually needs.
- Control over your own identity is one of the pillars of web 3.0. The idea is that data is distributed rather than held by a few platforms, and linked to the user's decentralized identity, so the user can grant access to it in a controlled way.
- I think that the attention to decentralised identity and web 3.0 will continue to grow in 2022, but I don’t expect any major changes just yet.
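The wallet mechanism described above (the issuer signs once, the holder decides per verifier which attributes to reveal, the verifier checks the issuer's signature) can be shown end to end with salted-hash selective disclosure, the construction used by SD-JWT. The following is an added example written for this page, not code from Signicat or from any wallet product; the claims, the issuer URL and the issuer key are constructed for the demonstration, and an HMAC stands in for the issuer's asymmetric signature so the block runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT/SD-JWT parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue_credential(issuer_key: bytes, issuer: str, claims: dict) -> tuple:
    """Issuer side. Every claim becomes a salted disclosure [salt, name, value];
    only the digests of the disclosures go into the signed payload, so the
    signature covers all claims without revealing any of them."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = b64url(secrets.token_bytes(16))  # fresh salt per claim defeats guessing
        disclosure = b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())
        disclosures[name] = disclosure
        digests.append(digest(disclosure))
    payload = {"iss": issuer, "_sd": sorted(digests), "_sd_alg": "sha-256"}
    payload_b64 = b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    # ASSUMPTION: HMAC stands in for the issuer's asymmetric signature (e.g. ES256),
    # which a real verifier would check with the issuer's public key.
    signature = b64url(hmac.new(issuer_key, payload_b64.encode("ascii"), hashlib.sha256).digest())
    return {"payload": payload_b64, "signature": signature}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Wallet side: the holder attaches only the disclosures for the claims
    this verifier needs; everything else stays in the wallet."""
    return {"credential": credential, "disclosures": [disclosures[name] for name in reveal]}


def verify_presentation(issuer_key: bytes, presentation: dict) -> dict:
    """Verifier side: check the issuer's signature, then accept a disclosed
    claim only if its digest is among the signed digests."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), cred["signature"]):
        raise ValueError("issuer signature invalid")
    payload = json.loads(b64url_decode(cred["payload"]))
    signed_digests = set(payload["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if digest(disclosure) not in signed_digests:
            raise ValueError("disclosure not covered by the issuer's signature")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        revealed[name] = value
    return revealed


def demo() -> tuple:
    issuer_key = b"demo-issuer-key"  # constructed for the example
    claims = {"given_name": "Anna", "family_name": "Eriksson",
              "birth_date": "1974-08-12", "address": "Main Street 1, Utopia"}
    credential, disclosures = issue_credential(issuer_key, "https://issuer.example", claims)
    # The same credential serves two very different verifiers.
    for_bar = verify_presentation(issuer_key, present(credential, disclosures, ["birth_date"]))
    for_bank = verify_presentation(
        issuer_key, present(credential, disclosures, ["given_name", "family_name", "address"]))
    # A tampered disclosure (changed birth year) no longer matches any signed digest.
    forged = present(credential, disclosures, ["birth_date"])
    salt, name, _ = json.loads(b64url_decode(forged["disclosures"][0]))
    forged["disclosures"][0] = b64url(json.dumps([salt, name, "2010-08-12"], separators=(",", ":")).encode())
    try:
        verify_presentation(issuer_key, forged)
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return for_bar, for_bank, forgery_detected
```

The point to notice is that the issuer never learns which verifier saw which attribute, and the verifier never sees attributes that were not disclosed, yet every disclosed value is still bound to the issuer's single signature. The per-claim salt matters: without it a verifier could confirm a guessed value (say a birth date) by hashing it and comparing against the undisclosed digests.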
Passwordless authentication
- We all hate passwords, and especially the complex password rules, which were supposed to make passwords more secure but have only created more frustration. If you doubt this, please see this video by comedian Michael McIntyre, which is spot on about why complex password rules do not work.
- Passwords have also changed function somewhere along the way. Originally, before the age of computers, a password was used to be let into a town or a house: if you knew the password, you were let in. The military used it, among other things, to control access to a camp. In the early days of computing, passwords worked the same way: they gave you access to a computer, a file system or a mailbox, and people willingly (and rightly) shared them to give other people access.
- Today, a password is increasingly used to prove who you are. When signing a document, for example, the password is part of your identity and authorizes the transaction. That is a legal act, which means that if you share the password, somebody else can legally sign on your behalf, at least if they also have access to your mobile device. Most people do not have this mindset, in which a password represents one's unique identity.
- Which is why we need passwordless solutions: authentication mechanisms that do NOT depend on something you know, because what you know can be shared, willingly or by accident, and can be forgotten. That leaves the other two factor categories, something you have and something you are.
- I think we’ll see more advances in this space as it becomes more and more important to create a strong binding between a digital identity and the person. Multiple signals must be combined to create high confidence that it is the owner of the digital identity using it now, and not somebody else. One of the more interesting signals I’ve seen in the space is technologies such as ECG and EEG, measuring heart patterns and brain waves, which are pretty hard for anyone but yourself to simulate. The latest Apple Watch can measure ECG, so this technology may be closer than we think.
Digital onboarding/Know Your Customer (KYC)
- People expect digital onboarding for most services today. Asking people to visit a physical branch to access products or services is no longer an option. We’ve seen a lot of good solutions for proving your identity digitally, which consists of two parts:
- Proving that the identity really exists, and
- Proving that the individual claiming it is actually present.
- Most solutions today base digital onboarding on scanning an identity document, with digital forensics to detect forgeries. Some also read the document's chip over NFC, which gives higher trust in the document because the chip data is signed by the issuing authority and can be verified, whereas a printed page can only be inspected. In addition, a video of the person is captured for onboarding/KYC purposes; this must include liveness detection to prevent an attacker from presenting a photograph, a replayed recording, or a sleeping person.
- In addition, background checks are typically run to gather further information about the individual; checking whether the person is a politically exposed person (PEP) is one of the most common examples.
- When onboarding organizations there is the added complexity of knowing that the person is authorized to act on behalf of the organization, and of finding the ultimate beneficial owners (UBOs) of the organization, especially since different countries have different ways of determining both PEPs and UBOs.
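The document-scanning step above rests on a check that is easy to get right and cheap to run before any forensic or NFC work: validating the machine-readable zone (MRZ) of the scanned document. Every numeric field of an ICAO 9303 MRZ carries a check digit, and the whole line carries a composite one, so an OCR error or a crudely edited document fails before anything else is spent on it; the same MRZ fields also seed the Basic Access Control key without which the chip cannot be read over NFC. The following is an added example for this page, not code from Signicat or from any KYC product. The sample MRZ is the ICAO 9303 specimen passport for the fictitious state "UTO" (Utopia); the BAC seed derivation follows ICAO 9303 Part 11, whose appendix contains a worked example to compare against.

```python
import hashlib

MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum of the character values with weights 7,3,1 repeating, mod 10."""
    return sum(mrz_char_value(ch) * MRZ_WEIGHTS[i % 3] for i, ch in enumerate(field)) % 10


def parse_td3_line2(line: str) -> dict:
    """Parse the second line of a TD3 (passport) MRZ and verify every check
    digit, including the composite one. Returns the fields, or raises
    ValueError, which is how an OCR error or a crude forgery surfaces."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    checks = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
        # The composite digit covers positions 1-10, 14-20 and 22-43 (1-indexed).
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    for name, (field, digit) in checks.items():
        # ICAO allows '<' instead of a digit when the optional field is all filler.
        if name == "optional_data" and digit == "<" and set(field) == {"<"}:
            continue
        if str(check_digit(field)) != digit:
            raise ValueError(f"{name} check digit mismatch (expected {check_digit(field)}, got {digit!r})")
    return {
        "document_number": line[0:9].rstrip("<"),
        "nationality": line[10:13],
        "birth_date": line[13:19],
        "sex": line[20],
        "expiry_date": line[21:27],
        "optional_data": line[28:42].rstrip("<"),
    }


def bac_key_seed(line: str) -> bytes:
    """Key seed for reading the chip over NFC with Basic Access Control
    (ICAO 9303 Part 11): SHA-1 over document number, birth date and expiry
    date, each followed by its check digit, truncated to 16 bytes. Without a
    correct MRZ the chip cannot even be opened, which is why the optical scan
    and the NFC read reinforce each other."""
    mrz_information = line[0:10] + line[13:20] + line[21:28]
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


# Sample input: the ICAO 9303 specimen passport (Anna Maria Eriksson, state "UTO").
SAMPLE_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def demo() -> tuple:
    fields = parse_td3_line2(SAMPLE_LINE2)
    # Flip the last digit of the birth date; the field's own check digit catches it.
    tampered = SAMPLE_LINE2[:18] + "3" + SAMPLE_LINE2[19:]
    try:
        parse_td3_line2(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return fields, tamper_detected, len(bac_key_seed(SAMPLE_LINE2))
```

A passing check digit proves consistency, not authenticity: anyone can compute the digits for a fabricated document. It is the chip read that follows (with the issuer's signature over the chip data) and the forensic inspection of the physical document that carry the trust; the MRZ check simply stops broken scans and sloppy forgeries from getting that far.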
3. What are the biggest organisational risks for 2022?
- Not being able to serve your customers digitally. Even if you deliver physical products, customers today expect a good user experience (UX), simple payment options and fast delivery. This means you must streamline processes, starting with the first digital meeting with your potential customer. As our market research, The Battle To Onboard 2020, showed, 63% of people abandon digital onboarding. Losing 6 out of 10 customers as they are about to «go through the door» is a huge loss.
- You must offer good UX when customers order and use your services. Many smaller startups and neobanks offer a fantastic UX, and established businesses will be compared against them. This of course also includes how customers pay for the services.
Challenges for the Nordics
- I think in the Nordics our biggest risk is our existing electronic identities (eIDs). They are used by the majority of the population and function very well. So why change them? But the world is moving ahead, and we are finally seeing the world moving closer to Kim Cameron’s laws of identity from 2005, where the user is put in the centre and given full control and privacy. Unless we act, one of the advanced identity regions of the world will be biting the dust…
- That being said, decentralized identity is not happening next year, but we need to start preparing. As we have seen in Denmark, the transition from NemID to MitID has taken a long time and has met with many challenges. A transition from centralized to decentralized identity will be even more challenging.
4. What solutions should business, technology and security executives consider for 2022?
- Do not reinvent the wheel, and do not become an identity provider yourself. Many trust service providers, including Signicat, can help you with your identity challenges. As for advice, I’ll repeat some of the items already mentioned:
- If you are still using passwords (as most organizations do):
- Kill complex password rules. They only cause frustration and do not increase security; length does. This is also the position of NIST SP 800-63B, which drops composition rules in favour of a length minimum and screening of new passwords against lists of known-compromised passwords.
- Start looking for passwordless solutions.
- Integrate with existing eIDs. This relieves you of the KYC/AML processes, which were already conducted when the eID was issued by a bank or a public-sector entity.
- Integrate electronic signatures into your business processes. Electronic signatures are legally binding, more efficient for business operations, and more sustainable.
- Keep your eyes open for decentralized identity and web 3.0, but no need to move fast on this. Yet.
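To make the password advice concrete, here are the two policies side by side: the classic composition rule and a length-plus-blocklist rule of the kind NIST SP 800-63B recommends. This is an added example for this page, not Signicat code; the breached-password list is a constructed stand-in of four hashes, and the 12-character minimum is this example's choice (NIST's floor for user-chosen passwords is 8).

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus: SHA-1 hashes of a few
# passwords that appear in every real leak. A production check would consult a
# full corpus (for example through a k-anonymity range API) rather than this set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("P@ssw0rd1!", "Summer2021!", "Welcome123", "password")
}


def complexity_policy(password: str) -> tuple:
    """The classic composition rule: 8+ chars with upper, lower, digit and symbol.
    It happily accepts well-known breached passwords and rejects long passphrases."""
    rules = [
        (len(password) >= 8, "at least 8 characters"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    failures = [msg for ok, msg in rules if not ok]
    return (not failures, failures)


def length_and_blocklist_policy(password: str, min_length: int = 12, max_length: int = 64) -> tuple:
    """NIST SP 800-63B style: a length floor, a generous ceiling so passphrases
    fit, no composition rules, and rejection of anything found in a breach corpus.
    min_length=12 is this example's assumption; the NIST minimum is 8."""
    failures = []
    if len(password) < min_length:
        failures.append(f"at least {min_length} characters")
    if len(password) > max_length:
        failures.append(f"at most {max_length} characters")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        failures.append("found in a breach corpus")
    return (not failures, failures)


def compare(password: str) -> dict:
    """Accept/reject verdict of both policies for one candidate password."""
    return {
        "complexity": complexity_policy(password)[0],
        "length_and_blocklist": length_and_blocklist_policy(password)[0],
    }
```

Run `compare` on "P@ssw0rd1!" and on "correct horse battery staple" and the two policies give opposite verdicts: the composition rule accepts the breached ten-character password and rejects the 28-character passphrase, while the length-plus-blocklist rule does the reverse. That inversion is the whole argument for dropping composition rules.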