One of the most entertaining parts of the Mission: Impossible movies is watching the characters don masks of targets they want to impersonate and slip into and out of the secret identities like gloves. In the digital world, impersonating people is much simpler. Thankfully, government officials and the consumers they represent appear to want to change that. In September of this year, U.S. legislators took an important first step with the introduction of the Improving Digital Identity Act of 2020. Between the explosion of e-commerce and the stay-at-home reality of the COVID-19 pandemic, their timing could not be more perfect.
As businesses release more consumer-focused apps and employees shift towards remote work, verifying that users are who they claim to be is absolutely critical. Often, this takes the form of two-factor authentication, biometrics, or measures such as passwords and security questions. However, the market for identity verification services intersects with document verification, which entails the verification of physical documents such as driver’s licenses, passports, and national or military ID cards. The need for proofing goes even further when considering the validation of educational or trade credentials and of professional licenses, for example, when an Emergency Medical Technician (EMT) from another state or county shows up at a disaster area to help.
With the identity verification business projected by industry analysts to continue to grow over the next several years, the implications of the Improving Digital Identity Act on the market for digital verification services are worthy subjects of speculation.
The push for this legislation comes at a time when the pandemic has heightened concerns over online fraud, synthetic identity fraud (where the identity being used is not associated with a real person), and fears of increased cybersecurity risk caused by the spike in remote working. With ever-increasing numbers of unmanaged devices accessing the network and the increased use of collaboration tools like Zoom, proving users are who they say they are will continue to rise in importance.
The bill has three critical components around identity verification:
- It establishes a task force of key federal, state, and local agencies to develop a secure methodology for validating identity attributes and to support reliable, interoperable digital identity verification tools in the public and private sectors.
- It directs the National Institute of Standards and Technology (NIST) to create a new framework of standards for government agencies providing digital identity verification services in order to ensure privacy and security.
- It creates a grant program within the U.S. Department of Homeland Security (DHS) to allow states to upgrade the systems used to issue driver’s licenses and other credentials and support the development of interoperable state systems that comply with the framework from NIST and enable digital identity verification. At least 10% of grant funds must go to services that help individuals obtain identity credentials or identity verification services needed to obtain a driver’s license or state identity card.
Each of these components puts the government in a position to set an example for the private sector to follow. For NIST, whatever framework is developed needs to balance security, privacy, and user experience. Too much friction and it will hurt adoption for both government agencies and the general public. It also puts NIST in a position to establish an inherently inclusive framework and avoid creating a digitally underserved subclass.
However, if state-issued digital IDs can be leveraged by applications and websites to allow a customer to conduct transactions that require ID, such as opening a bank account, and it becomes easy for brands and organizations to implement, they may gain traction in the private sector—similar to the widespread use of social login.
In this way, the standards, systems, and methodologies could provide an alternative for the private sector—instead of using third-party online ID verification products, they could utilize the identity validation mechanisms of the government. In effect, this would remove the extra cost for those solutions and make those capabilities more available to smaller companies that may have found them cost-prohibitive in the past. Alternatively, it enables private parties to focus on complementary services around validating education, trade, memberships, loyalty programs, affiliations, professional certifications, board licensing, foreign credentials, and licensing – the list goes on. Private parties can also compete based on how much privacy they would offer for a validated digital identity or a digital attribute.
Third-party service providers could work with the government to develop the applications and services necessary to support verification. These apps could leverage multifactor authentication methods such as biometrics to reduce the chance of misuse. Driver’s licenses, passports, and national or military ID cards could provide the backbone of this verification process because of their relative ubiquity.
Additionally, the DHS announced in September that all 50 states are now in full compliance with the REAL ID Act of 2005, which established certain requirements for driver’s licenses and ID cards that will be accepted by the federal government for “official purposes,” such as boarding flights or entering federal buildings.
Will the standardization, implementation, and issuance of digital identities make today’s emerging identity-proofing technologies based on plastic government-issued IDs redundant – for the US market? Time will tell. But as the number of online services used by the public continues to grow, the government’s commitment to improving the digital identity infrastructure will remain critical.
About the Author: Keith Graham is leader of the IDSA CIAM TWG subcommittee and Strivacity’s co-founder and chief operating officer, where he drives day-to-day business operations and defines Strivacity’s product strategy and differentiation in the Customer Identity and Access Management market. Keith has more than 18 years of experience in the technology field, the last 10 of which were in cybersecurity, with a focus on identity and access management, and endpoint detection and response markets. Keith has extensive know-how in building and leading product management, engineering, user experience, as well as risk and compliance teams in high-growth software companies.