Do I need multiple digital identities?
From my point of view, it is good to have one, and only one, digital identity, and to protect its login information very well. Frequent logins ensure that you stay familiar with how to log in: which user name and password to use, and how to use the second factor. Always authenticating in the same way reduces friction, as you know exactly what to do. At the same time, this increases security: because you know exactly how the login works, you will recognize deviations from it, which may be attacks or fraud attempts.
Note that I am talking about your digital identity and how you authenticate, i.e. prove that this digital identity is yours. I would of course like to be able to have different personas using this identity, so I can present a different part of myself to different organizations. This depends, for example, on whether I use my ID as an employee, as a volunteer or as a private person. But this is not the topic of this blog post.
A word on being frictionless. To be completely without friction, you would not have to do anything; the system would automatically recognize you. There are some interesting projects around behavioral biometrics which are quite promising in this area. More about this in a later post.
Remember John from my previous post? Imagine if he had a separate digital identity for government. Government login is done very rarely, maybe as rarely as once a year, when you do your taxes. It is very probable that John would not remember the procedure for using this ID, nor his password, and maybe he would not even find his second-factor token. This increases friction. As John (like most of us) does his taxes at the last minute, he would not be able to file his taxes on time, or he would tie up the support hotline, leaving a bad and expensive experience.
Insurance is another case where login is not done very often, maybe two or three times a year, in some cases when you have had an accident and need to get in touch about it. Having to authenticate in a way you are not familiar with will only increase the user's tension.
As pointed out, there are huge advantages to using the same identity for bank identification, which you use weekly or even more often, also for less-used services like government, insurance and health. So how is it that in Norway you can use the same digital identity for multiple different services? Why are other countries struggling with digital identity? Why won't users start using it? Why are different schemes used for different purposes, when this is not helpful for consumers and does not increase security?
One reason is that the Norwegian government and banks managed to work together on this. From the very start, BankID was intended for use not only by the banks but also by third parties needing digital identity or signatures. This resulted in a critical mass of users using BankID for banks, government and others.
On a side note, the only thing which is shared between BankID in Norway and BankID in Sweden is the name. They are completely separate.
Then of course there is the social security number (SSN), a number uniquely identifying an individual, which is treated differently in different countries. In Norway, the banks use the SSN as the login ID, and as far as I know, they have been doing this since Internet banking started. As in many countries, the banks MUST have the SSN for tax reasons. The government must know exactly who you are. For the health services, it is very important that our John is not confused with another John, and so on. So it makes a lot of sense to use this as the login identifier. Any Norwegian will be able to recite his or her 11-digit SSN without missing a beat. It does help that the first 6 digits are the date of birth in the format DDMMYY.
As an alternative example, let me use the Netherlands, not because they are doing badly with digital identity, but because there are two schemes emerging: iDIN and DigiD. The latter contains the BSN (the Dutch SSN), and its use is restricted to government and health insurance only.
I personally find this strange, as all banks are required by law (for tax reasons) to obtain the BSN of each customer, so the Dutch banks do have this number. This means that if a Dutch bank wants to onboard a new customer, iDIN can be used. However, as iDIN does NOT supply the BSN, the customer must also upload a personal identity document (for example a scan of the passport) to provide his BSN. In the rare situations where I need to use DigiD to log in, will I remember the procedure and the credentials? In any case, friction is increased, and I would claim that security is reduced.
The eIDAS regulation (EU regulation 2014/910) is put in place to let people use their digital identity across countries. There are some claims that eIDAS will only be used to issue new "local" credentials, which will then be used for logging into one or more services in the foreign country. However, then we are back to my initial problem of having multiple credentials.
From my perspective, always logging in the same way, including every time you log in via eIDAS to a foreign service, will reduce friction and increase security.
Blogpost by John Erik Setsaas, Identity Architect, Signicat