In this increasingly digital-led world, the customer experience has to be seamless and fully personalized. In the paper-based world, proving an identity is pretty straightforward. When someone shows up to open a bank account, buy a phone plan, update a passport or rent a car, all they have to do is show an ID: a passport, a driver's license or a government-issued ID. The company then knows they are exactly who they say they are, as it is confirmed in person.
But proving who you are gets far more complex in the digital world. You don’t know for sure who you are doing business with, as the customer is not there physically to present an ID and show their face. A digital identity is a way to verify that an identity matches their real-world identity, to ensure you are dealing with the right person.
# 1. What is a digital identity?
A digital identity is the entirety of information about a person in digital form which when put together, all point to who that person is. Anywhere someone has login credentials, they have a digital identity. This can be everything from a Facebook identity to a Netflix identity or a bank identity. All of these are a digital representation of a person in the digital world. And, to different degrees, these service providers know who the real person is.
If your business wants to go digital, you at least need to know something about who your user is. This depends on the regulations and the risk associated with your business. For example, if you are a bank, you are under the KYC (Know Your Customer) which requires identity verification. On a high level, this is fighting terrorism and slavery. But if you are selling flowers, you don’t need to know too much about your customer other than whether their payment details are correct and which address to send the flowers to. You are not under any legal obligation to know a lot in this case, but it would be a benefit to your business to obtain a digital identity to recognize the same user coming back each time. This way, you can recognize the user and offer specialized services to them. This has the added advantage of keeping them as customers.
# 2. Who am I in the digital world?
Digital attributes and online activities make up a digital identity. The pieces of information that form a digital identity are called ‘data points' or 'attributes’. These attributes can be something which obviously points to a person, such as a username or a National Identification number. But it can also be less obvious pieces of information, such as an online comment or a like made on a post on Facebook. The same way that a name and ID make up an identity in the physical world, an online identity is made up of social media profiles, geographical location, Google search history and everything else someone does online.
# 3. A digital identity should act like a digital passport
Attributes such as usernames, passwords and credit card numbers are regularly shared to purchase items online or access a bank account. And sharing this information means users are at higher risk of identity theft. While the move to online services has completely changed everything for both businesses and consumers alike often for the better, it has also created huge risk.
In the last 30 years, Anti-Money Laundering (AML) laws have been introduced to try to prevent criminals from disguising illegally obtained funds as legitimate income. Know Your Customer (KYC) laws, have also been introduced, which is the process of a business verifying the identity finance industry to ensure investment advisors know detailed information about a person’s risk tolerance and financial position. Due to laws and regulations, running an identity check and identity verification by themselves, can be costly and time-consuming.
People keep credit and debit card numbers secure and only use them when they need to authorise payments. People only use a secure paper ID when they need to prove something about themselves. Much the same way, a digital identity should work like a passport to help prevent an expensive and long process of verification. A verified digital identity is the digital equivalent of a passport. A digital identity or passport which is verified and secure would reduce the possibility of identity theft.
# 4. What is a digital identity used for?
Onboarding, which is meeting a new customer for the first time and making them familiar with your product or service, is an incredibly important stage of the customer journey. When SaaS (software as a service) companies gain a new customer, the onboarding experience can define the ongoing relationship your customer has with the product or service. This makes it critical to the continuing relationship. But you need to know who this user is, and have their identity verified in order to engage with them.
According to research by Signicat on digital onboarding of customers in the retail banking industry, close to 40% abandoned their attempt to sign up for new financial services. And 72% said they want an all-digital onboarding system. This is because current digital identity verification is inefficient and costly. This is holding back digital progress as customers are forced offline to prove they are who they say they are as they need to show their paper ID.
As the onboarding process continues, and when the user has established the customer relationship, they need to be able to show that they are the same person coming back. If you, the business provider, don’t know who keeps coming back to your service, you can’t provide a personalized service which hampers your ability to keep them as a customer.
# Electronic Signatures
With the digital signature market size growing by 39% in 2020 (P&S Intelligence), it is more important than ever that digital signatures are secure and verified.
The use of electronic signatures will simplify the way a user makes an agreement. The process should be fully digital, and simple for the user. This will save time by not having to send physical documents, and cost by avoiding manual labor both for the service provider and the user.
The most important part of digital signatures is knowing who is signing, so you need some form of digital ID. If a customer signs a document with a digital signature, you have to be certain they are who they say they are, to reduce the risk of repudiation or any kind of fraud.
# Attribute verification
Digital attributes make up your digital identity, and it should not be necessary to reveal your entire identity - just what is absolutely needed. For instance, an attribute could be the fact that you own a driver's licence, that you’re married, or that you are a doctor. Age is an attribute too and occasionally this is asked to prove a customer is over a certain age. For example, you may need to show your driver's license to buy alcohol. But this also shows your exact date of birth, as well as your full name, and possibly also your National Identification Number (NIN) or Social Security Number (SSN). In order to prove an attribute digitally without giving all of your information away, you need digital identity verification.
As an example, in Norway, tanning salons are required by law to only open to those over 18 years old. But as they are also mostly self-service, this means a customer walks through the door, scans their card with a QR code and initiates payment. So how do you use this to prove you are over 18? You use BankID, an identification solution that allows companies, banks and governments to authenticate agreements with individuals online. In the case of the tanning salon, the BankID will only release information that the user is over 18 and no other personal information.
# 5. What is a verified digital identity?
While digital identity is a general term for all the digital information available about you, a verified digital identity is one issued by a trusted service provider. This requires that you physically meet someone and show your passport or other identity paper which is in accordance with the high level of requirements in eIDAS. Digital identities can be based on fully customer-provided information without any third-party validation. This makes it non-verified, such as a Facebook account. Or it can be AML-compliant identity verification and validation from an eID service provider or a bank, resulting in a verified digital identity. You need a verified digital identity if you are dealing with users on a daily basis and need to sign agreements with them.
# 6. What is an eID?
An eID (electronic identity) is any digital solution for proving the identity of citizens or organisations. eID is more convenient and secure than traditional proof of identity, but has the same level of trust that you would get with those forms such as passports, or a driver’s licence. The eID gives users full control to approve identity related requests for their transactions, directly from their smartphone or card. They can share specific identity details required for each transaction, without worrying whether the rest of their information will be released.
Consumers are able to sign up for different services entirely online and friction-free using their eID. This means consumers don’t have to memorize multiple usernames and authentication processes, they can simply rely on their eID – a standardized login – to gain access to everything they need across both the public and private sectors. An eID includes solutions like BankID, a general term for eID schemes. BankID came about after Nordic banks wanted a collaborative solution to identify users and have secure digital signatures online. It manages credit cards and bank accounts and even public sector issues such as filing taxes, accessing health records and signing contracts. Examples of these types of eID schemes include BankID in Norway, NemID (soon to be MitID), BankID in Sweden and FTN in Finland.
A solution like BankID or other forms of eID means a customer’s identity has been verified by that bank or other organization. The organization has verified the identity in person as they meet face-to-face showing their passport or other identity paper to prove who they are. The person is put through the KYC process and the organization issues an electronic ID which links the person to the eID, and then that eID can be reused across various services and channels including banks, insurance, university and even tanning salons! As the eID has been verified once, it is verified wherever it is used thereafter.
Using a third-party eID to verify digital identities means as a business, you don’t have to verify identities yourself. You can trust the eID provider, BankID, for example, to provide the identity verification.
# 7. Can you trust a digital identity provider?
Digital identity is all about establishing confidence and trust for both the business and the customer that they are who they say they are. And both require trust in the solution that creates that interaction. An eID has to be completely trustworthy because you are depending on the onboarding work done by another business. This is where there are many challenges.
According to a recent study commissioned by mySafety, 36% of Finnish and 45% of Swedish companies have been exposed to, or subject to an attempt of ID theft. According to the Identity Theft Resource Center report, most data breaches were identity theft incidents. And $6 billion was lost to ‘synthetic’ identity fraud in 2016, meaning criminals combine real stolen information with fake information, to create a new identity.
There are a significant number of digital IDs in existence in today’s world, from social media accounts such as Facebook, Google or Twitter to multiple other SaaS businesses who have their own sign-in accounts. This is confusing and is an over-saturation of the market. Customers can become overwhelmed with this many different logins and passwords.
Using a reusable digital identity is far easier than creating yet another digital ID for customers to remember: this when an eID can be reused across various service providers, such as banks, tax authorities, to apply for education and so on.
The advantages of using an eID solution is that users have one ID for many different purposes. As a business, you can use another organisation to verify identities on your behalf and. This means you save money and time. But of course, the downside is whether the eID can be trusted. This is why a trustworthy solution is required with high levels of assurance.
# 8. What is eIDAS and can this provide me with assurance?
eIDAS (Electronic Identification, Authentication and Trust Services) is an EU regulation on electronic identification and trust services for electronic transactions. It allows citizens within Europe to conduct business using their national eID scheme.
This provides a common base for safe electronic interactions across member states. Electronic Signatures can be advanced or electronic and both are regulated by this. Under eIDAS regulations, Trust Service Providers (TSPs) such as a BankID or Signicat, must be audited by a governing body in order to become qualified. Being a Qualified Trust Service Provider (QTSP) means the provider is secure and trustworthy. If you are dealing with a QTSP, the burden of proof is reversed. In most services, if the user thinks there is a problem, the user needs to provide information on this, and challenge the service. However, if you are dealing with a qualified TSP, you can request the QTSP to provide proof that the service is secure and operates according to requirements. This gives a higher degree of trust in the service.
A recent study by the European Union Agency for Network and Information Security (ENISA), showed that 90% of respondents believed eIDAS to be an opportunity to grow their business.
The eIDAS regulation has classifications based on trust and assurance which show the level of assurance provided by different digital identity providers.
There are three levels of assurance - low, substantial and high:
- Low: This provides a very limited confidence in the identity. You can assume the digital identity issuer has evidence of the user’s identity. An example of this is Facebook or Google. A customer signing in with their Facebook account provides a good idea of who this person is, but there is no way to be certain. It is easy to create fake accounts on social media which means the person may not be who they say they are in reality.
- Substantial: This provides a stricter method of identity verification and the user must have a valid, official document proving their identity such as a passport. It is equivalent to an electronic version of a passport or driver’s license.
- High: This fulfills many of the same requirements as substantial assurance, but high assurance also uniquely links to the person and is absolute verification. For example in healthcare or banking digital IDs.
One of the biggest risks to the future of digital identities is relying on a simple username and password process. There are so many online logins that you lose track of your login details so may reuse the same ones over and over again. However, weak and reused passwords are easy targets for cyber criminals. In order to have a good level of assurance, two-factor authentication at least should be used such as a password and activation code.
# 9. How can a digital identity help grow my business?
A significant number of consumers sign bank forms or other applications online and they expect every step in the process to be digitized. Every step in the customer journey must be digital to speed up the process, save on costs and even expand the reach of the business, as going digital creates a reach across geographical borders.
# 10. What is the customer journey a.k.a. The Digital Identity Lifecycle?
When growing a business you should be looking at the whole lifecycle of the digital journey. It’s not just about digital onboarding and login - the whole customer journey needs to be taken care of. There are four aspects to this customer journey or digital identity lifecycle:
# Get to know the user
The first step is getting to know your user. Bringing the person online and making sure they are who they say they are.
This is typically where you would use an eID to provide you with assurance that you know who your customer is. If the user does not have an eID, this step will involve scanning paper documents and taking a self portrait.
# Validate the user
The second step is to validate the user. Even if you know who they are, can you trust they will fulfill their obligations?
Perhaps they have a bad credit history or a history of unusual activity - all of these things will come up when validating the user. To comply with the AML, you have to check if they are in a prominent public position or is a PEP (Politically Exposed Person), which means additional checks must be performed on the user. You need to monitor them on an ongoing basis - this is to protect yourself and your business.
# Serve/Authenticate the user
What is called serving the user is when they have to login to the service provider. They come back and share their details, you authenticate these details and make sure they are the same person using the same account that signed up in the first place.
# Commit the user
This is when the customer signs an agreement to take up a loan, rent a car or buy a house or anything else they might have to agree to in writing. They need a verified digital identity in order to make a purchase and commit to the organisation. This will typically also be done using electronic signatures.
When looking at this lifecycle you can make a better user experience with verified digital identities. Looking at the total interaction between user and business is the only way to help grow the business and keep the user.
You need to build trust online - that is the only way to grow a business digitally. When signing up for simple services, users are required to fill out online forms with personal information over and over again. Not only is this frustrating and inefficient, but it can lead to serious security issues.
You need a verified digital identity to make sure your customers are who they say they are. It helps keep them as your customer without wasting time with logins and online forms and makes sure they are happy wherever they are in their customer journey.