In this Help Net Security interview, Carla Roncato, VP of Identity at WatchGuard Technologies, discusses how companies can balance privacy, security, and usability in digital identity systems. She emphasizes modern techniques like biometrics and passkeys to replace knowledge-based authentication methods and highlights the need for global standardization in decentralized identity solutions.
How can companies balance privacy, security and usability in digital identity systems—especially in sectors such as financial services and healthcare?
One technique is to eliminate knowledge-based user information. As an example, Knowledge-Based Authentication (KBA), a method used to verify a person’s identity based on their knowledge of specific information, comes in two main types: static and dynamic.
Static KBA involves questions based on information that the user has previously provided, such as “What is your mother’s maiden name?” or “What was the name of your first pet?”
Dynamic KBA generates questions in real time based on information that is often derived from public and private records. Examples include “What was the amount of your last car payment?” or “Which of the following addresses have you lived at?”
Another technique associated with KBA is to eliminate the use of passwords, which are secret words or a phrase memorized by the user (consumer, patient) to sign in to a financial services or healthcare provider application. In both cases, knowledge-based questions and memorized passwords do not provide appropriate security or privacy to either party for the purposes of authenticating or verifying the individual requesting access to sensitive, protected and confidential information.
Instead, organizations can employ modern techniques such as biometrics (something you are), behavioral interactions (something you do) and passkeys (something you have), which rely on no knowledge. This approach enhances privacy and security through encryption and cryptography that is bound to a device (e.g., laptop, mobile phone, tablet, smartcard, or hardware key) that only the user possesses. By designing interfaces that are consistent, native or intuitive, and accessible, companies can reduce friction for users while improving privacy and security during registration, enrollment, and sign-in.
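The device-bound, no-knowledge sign-in described above, sketched as an added example in Go (this is not code from the interview or from WatchGuard): the portal stores only a public key, each login is a signature over a fresh challenge bound to the portal identity, and a counter catches replays. The `rpID` values, the challenge bytes and the message layout are assumptions for illustration; real WebAuthn additionally encodes client data and authenticator data and supports attestation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Credential is all the portal stores per user: a public key and a counter; nothing a breach could replay.
type Credential struct {
	Pub     ed25519.PublicKey
	Counter uint32
}
// Authenticator models the user's device; the private key never leaves it (unlocked locally, e.g. by fingerprint).
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}
// Register creates a device-bound key pair and gives the portal only the public half.
func Register() (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{Pub: pub}, nil
}
// signedData binds the portal's random challenge to the portal identity (rpID, an assumed
// label) and a counter, so an assertion cannot be replayed or presented to another site.
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	msg := append([]byte(rpID+"|"), challenge...)
	return append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}
// Assert is the device's answer to a login challenge: a signature, not a password.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, uint32) {
	a.counter++
	return ed25519.Sign(a.priv, signedData(rpID, challenge, a.counter)), a.counter
}
// Verify is the portal's check: the counter must move forward (replay and clone
// detection) and the signature must hold under the stored key for this rpID.
func Verify(c *Credential, rpID string, challenge, sig []byte, counter uint32) error {
	if counter <= c.Counter {
		return errors.New("stale counter: replayed assertion or cloned authenticator")
	}
	if !ed25519.Verify(c.Pub, signedData(rpID, challenge, counter), sig) {
		return errors.New("signature does not verify for this portal and challenge")
	}
	c.Counter = counter
	return nil
}
```

Because the signature covers the portal identity, an assertion produced for a different site fails verification here, which is the property that makes passkeys resistant to credential reuse.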
Blockchain technology promises user sovereignty over their digital identities. However, scalability, interoperability, and user adoption remain critical issues. How can companies address these challenges while leveraging decentralized identity solutions?
It is important to note that ledger-based technology and networks to enable decentralized identity schemas can coexist along with the distributed cloud identity systems we use today. Global standards bodies such as the OpenID Foundation, Internet Engineering Task Force (IETF) and World Wide Web Consortium (W3C) have been developing open digital credential standards and protocols to facilitate interoperability between different blockchain networks and traditional distributed systems.
Organizations and governments committed to enhancing privacy, security, efficiency and data risk reduction can focus on streamlining credential issuance and improving verification effectiveness, eliminating the need for costly, laborious manual checks and re-checks. User adoption by citizens and consumers alike will be driven by a preference to have control and autonomy over our digital identities – and the ability to selectively share information, and revoke data access by a service provider at any time. Convenience is key and digital identity wallets provide a method to securely store and manage credentials on personal devices, eliminating the need for passwords.
A lack of standardization and regulatory framework is often a roadblock to decentralized identity adoption. What steps should be taken to create a more standardized identity management system globally?
Work is already underway to address digital credential standards, security, and regulatory frameworks. For example, the European Commission, the Decentralized Identity Foundation (DIF), the European Telecommunications Standards Institute (ETSI), ISO/IEC, and the OpenWallet Foundation (OWF) are collaborating with OpenID, IETF, and W3C to foster and develop implementation standards.
A formal security analysis of OpenID for Verifiable Credentials, the first in-depth security analysis of these specifications, has been completed, with the goal of increasing confidence in their security. The formal security analysis includes the protocols OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP), both part of the OpenID for Verifiable Credentials family.
In terms of frameworks, the European Digital Identity Architecture and Reference Framework requires OpenID for Verifiable Credential standards for certain use cases. There are already numerous wallets in the European Commission EBSI for individual and organizational use. The NIST National Cybersecurity Center of Excellence is drafting plans on mobile devices with mobile driver licenses (mDL). Additionally, the ISO/IEC standards for mobile documents and mobile drivers’ licenses are published.
An example of adoption and production of a decentralized identity ledger-based system was employed by the Province of British Columbia, which launched the Verifiable Organizations Network (VON), enabling governments and organizations to exchange data using privacy-enabled, secure, open standards and technology. This is in collaboration with the Province of Ontario, which is also committed to a self-sovereign digital identity trust model.
Due to their complexity, user adoption of decentralized identity solutions remains low. How can we make decentralized identity systems more user-friendly to ensure mass adoption?
Decentralized identity systems are no more or less complex than traditional distributed identity systems used across the internet today; it’s an architecture and data model shift for the issuers and verifiers. For far too long, collection and centralization of identity information has led to the ransom and theft of billions of credentials, and disclosure and loss of sensitive identity data (among other types of sensitive personal, financial, and health/patient records).
User adoption and user-friendly experiences are a core component to success. Simple onboarding processes to streamline registration, installation and use of ID wallets across platforms and services, and user verification steps between the verifier and credential holder are key. By addressing these key areas, users will naturally adopt verifiable credentials as issuers and verifiers enable use cases.