The question of digital identity needs to be taken seriously
Malte Pollman, CSO, Utimaco explains the importance of digital identity. In eCommerce and digital finance it is vital that the person logging into an account is the person associated with it. Fraud does happen in physical spaces, but it is much rarer because a person trying to pay on a card can simply be asked for an identity document like a driver’s licence to prove their identity, and even if they have somehow forged a driver’s licence they will be visible on security cameras.
Digital spaces don’t have anywhere near that level of deterrent – anyone with a username and password can potentially access an account as if they were its legitimate owner. The idea that there should be ways of proving one’s identity digitally that are as secure as those in the real world is not new. The UK government has already created a framework that would allow private companies to create digital identity systems, called Verify.
Although they have now been taken off the table, a hypothetical ‘vaccine passport’ would have also bridged the gap between analogue and digital identities. Analogue identity checks are based on a document with a high level of protection against forgery which is issued by a trustworthy authority – a passport or drivers license for example – and are considered the gold standard when proving identity. How can we create something just as trustworthy and secure in the digital space?
How are digital identities created? Currently, many websites offer customers the option of logging in via existing Google or social media accounts, often secured with two-factor authentication or app-based verification. These are, by definition, digital identities but they are flawed in that anyone can create a new Google or Facebook account and there is no need to use a government-issued ID to verify your identity when setting one up.
There is no equivalent of what the UK government wants to create – a single digital ‘document’, perhaps based in an app with biometric identification, that allows anyone to prove that they are who they say they are. It would necessarily have to involve submitting analogue forms of identification like passports when setting one up, which would then have to be verified as authentic either digitally or by humans, both of which have their problems and a potential for fraud and identity theft. The transfer of an analogue proof of identity into the digital space is only one of the challenges with electronic identities.
The other is to protect eIDs against misuse and data leaks. This means that there must be a simple way for a verifying authority to determine whether an eID presented to it is genuine. Under the new UK digital identity plans linked to above, the authority that issues and manages the digital identity plays a major role: the ID’s integrity is guaranteed either by the fact that it is issued by government institution or through certification and audit procedures if it is a private company.
The checking authority knows which issuers of certificates that confirm the digital identity are considered trustworthy and will generally only accept such certificates – in the UK, they will have to follow a trust framework. However, each time an ID is used it will still need to be clarified whether the certificate is genuine. This requires a process that guarantees a very high level of protection against forgery as well as easy verifiability and can be automated.
This is where asymmetric cryptography comes into play: the method is based on a private and a public key connected to each other using mathematical operations that are difficult to reverse, such as the multiplication of large prime numbers. Generating the public key from the private key is therefore trivial but getting to the private key from the public key is extremely difficult. The public key can therefore be made available to everyone.
If this matches a certificate that was created with the corresponding private key, the certificate is considered authentic. Any digital ID framework will have to be based on a public-private key architecture. Asymmetric cryptography is a highly scalable, robust method for keeping digital IDs secure, already used in thousands of applications in the public and private sector.
Promising approaches But there is also an Achilles’ heel to asymmetric cryptography: the private keys must absolutely remain secret. Regardless of whether they are private trust service providers or state institutions, anyone who offers identity services based on private and public keys must ensure that the private keys are optimally protected.
Hardware Security Modules (HSMs) are the ideal choice for generating and securely storing strong private keys. Compared to software solutions, they have the advantage that the keys themselves are not read into the main memory of a computer, which means that they cannot be compromised remotely. Some HSMs also have a real random number generator – important for generating top-quality keys – and are designed to resist next-generation quantum computing.
Digital identity documents solve a key problem in the digital world: being able to tell that somebody is who they say they are. Although there is likely to be a civil liberties pushback if a UK digital ID were mandated, they are likely to slowly become more common. For this reason, they need to be secured to the very highest standards, and the level of security that is possible with modern hardware security modules will be a key way in achieving this.
To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here. Media contact Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922