People – The weakest link of electronic identity
We are all looking for simple and secure ways of identifying ourselves online. The challenge is that being human, with human traits, also makes us a very weak link. We forget. We lose things. We don’t read instructions. We share passwords (often willingly or by accident). We reuse passwords. When comparing all of this with the security of a modern PKI solution, we (the people) pose the biggest risk and challenge in building the identity eco systems of the future. I will touch on some of the challenges in this article.
Humans and the password dilemma
At many events, I’ve started by asking “How many of you have forgotten a password?”, which results in almost everybody raising their hand. The same with losing a car key or a house key. For the latter scenarios, you can contact the car dealer or a locksmith to get help to get into your home. Imagine what would happen if you were told: “to get help, you must present the security codes you stored in a safe place when installing your house lock or buying the car”. I guess this would result in a lot of abandoned cars and empty houses. Still, this is what’s being done in the digital world. Even a (supposedly) simple thing like setting up a two-factor authentication, you are told to store a set of security codes, in case you lose your phone. Almost daily, I see information about people who have lost their Bitcoin, because they’ve lost the credentials to access the secret key. It is estimated that 20% of all Bitcoin are lost because of lack of recovery mechanisms. And I am not the only one who has lost data, because I lost access to my PGP secret key. I should’ve known better and created my own key recovery scheme. This only proves that we cannot put this responsibility on the people.
Our digital identity and digital legacy
Another challenge is passing your digital assets on to your next-of-kin when you pass away. A famous story is the Canadian bitcoin exchange QuadrigaCX, where the CEO died, and he was the only one with access to the private key. Or was he? In addition to digital currencies, what about photos? Today it is normal to find photos and photo albums when you clean out the apartment of a deceased. These often bring out fond memories and history. But what happens when more and more photos are digital? When more and more assets become digital. Videos. Books. NFTs. Maybe you won’t even be able to turn on the lights in your smart house?
Banks already have the legal framework for passing assets, including bank accounts and safe deposit boxes to next of kin. I think the banks have an important role in electronic identity in the future, and handling of digital assets is one of them.
The identity verification and identity presence crux
One of the things which concerns me the most, is the link between the digital identity and the user of the identity at a given point in time. For most electronic identities, like the “BankIDs” in the Nordics, ItsMe, iDIN, and DigID in the Benelux and many others, you can have a high degree of confidence of the owner of the electronic identity. But who is using it right now? As the electronic identity can be used for legal purposes, such as signing documents, there must be a high degree of confidence of the user of the electronic identity. There have been fraud cases where close relations to the victim, with access to their physical devices and knowledge of the password or PIN, have used this information to sign up for a bank loan. Another type of fraud with electronic identity, is where the fraudsters call the victim, pretending to be from the bank, and tricking them into using their BankID (“Please use your BankID now to prove who you are”), and thereby enabling the fraudster to transfer money to the fraudster’s account. Some of these have gone to court, and initially held the owner of the BankID responsible, but lately this has turned, stating that the user cannot be held responsible for this.
We need a better way of establishing who is actually using the electronic identity. In my opinion dynamic biometrics from multiple sensors is the future. This is based on the way you walk (gait), which Bluetooth devices are connected (i.e. disconnecting from the smart watch will be an indicator that the user is not present), to the more advanced techniques of detecting heart patterns (ECG) or brain waves (EEG).
In short: Your mobile device “knows” whether it is in your possession, or somebody else is holding it.
Identity in the digital era – control vs management
If you ask people whether they want to be in control of their data and electronic identity, the answer would be yes. But do they also want to be the manager? In most cases, I think not. I compare this to the alarm system of my home, where I am in control. I can turn it on/off, I enjoy having that ownership and control. Decide who has access. I do trust the security company NOT to enter my building without my consent, and that they will alert the fire department in case of fire and replace the sensors in case of errors. Personally, I want the same for my electronic identity. A trusted entity which manages my electronic identity, while I am in control.
I would even want to take it a step further and have my bank taking care of the GDPR and cookie consents on my behalf, including blocking a site, if the terms and conditions are not according to my settings for data sharing.
Act on somebody’s behalf
Lastly, I’d like to touch on the lack of authorization models, which is often the reason people share their credentials, to grant somebody access to their bank account or health information, which is often needed and quite understandable. Passwords are (still) central to using your electronic identity, and they are easy to share.
The challenge is that the nature of passwords has changed. Originally (way before computers) passwords were a way of getting access to a city or a fort. If you knew the pass word (the word to pass) you were granted access, but it told nothing about who you were.
About 60 years ago, passwords were adopted by the early computers, to grant access to a computer, a file system or an email account. The problem is that we are still using the same mechanism and mindset to prove who you are, for example to sign a contract. So today, sharing a password is akin to telling a person to be allowed to act on your behalf, also legally. Although some systems have authorization models, these must be improved, and should be an intrinsic part of future electronic identity schemes.
This is important to be able to handle electronic identity for children, the elderly, and other individuals which may be unable to handle this themselves.
Last words
There are a lot of interesting developments with electronic identity, and especially with decentralized identity, which puts the user and not the service provider in the center. However, unless we take the people issues seriously, this will not be successful. People expect account recovery. We expect assets to be passed on to next-of-kin. The link between the human being and the electronic identity must be improved.
All-in-all: Trusted entities are needed to manage identity on behalf of the users.
I’m looking forward to 2022 and the advances in the electronic identity space. If you have any comments or feedback to this, please get in touch.