Digital transformation risks getting stuck without Verified Identity.
According to McKinsey and others, most digital transformation projects fail to achieve their goals. One reason why many business processes resist digitisation is that there has been no way to automatically verify the identity of the entities involved. For example:
- It can take around four months to validate and on-board clinicians to a new NHS Trust
- Businesses in Europe spend six to seven weeks on average verifying the identity of potential vendors or clients before starting to conduct business
- Organisations are advised to run a gamut of manual checks before running third-party software for the first time
- New devices are typically onboarded to enterprise IT networks manually, a process that takes 20 minutes on average for each individual device
Two core issues underlie this situation. Firstly, today’s predominant identity technologies such as OAuth were never designed to represent an individual’s identity outside the context of the traditional access control model. As a result, individuals must prove their identity multiple times, to every organisation that requires this level of assurance.
More fundamentally, OAuth and related technologies focus purely and solely on person identity, leaving a gap in how to verify all the other elements involved in a business process or ecosystem. For example, there hasn’t been any standard way to share and verify a legal entity’s identity digitally, resulting in an ad-hoc exchange of PDFs among organisations seeking to work together, all of which must be manually checked. Similarly, software applications and devices lack a standardised means of automatically proving attributes like provenance, security updates and certifications.
In the words of Dave Birch, a commentator on digital financial services, “People are actually a rather small subset of the general category of ‘thing’ that will need to be identified in the always-on and always-connected world of the future.”
When identity comes to everything, the complexity of identity relationships and the sheer volume of identity transactions will explode. Today’s identity and access management (IAM) systems were never designed for such a scenario – though vendors will undoubtedly do their best to make their systems appear fit and ready!
This is not to suggest that the current identity standards are deficient, but rather that the technologies they were designed and built around have moved on. OAuth was started in 2006; OAuth 2.0 was approved in 2012. Our connected world has been utterly transformed since then. In 2009 Satoshi Nakamoto published the Bitcoin white paper, with the network first going live in 2011, when few except hardcore cyberpunks knew it existed. It is both unreasonable and foolish to expect that identity models designed before the advent of blockchain will be fit for purpose in a world of decentralized applications and data.
Fortunately, an alternative to centralised IAM is available. The Decentralized Identifier (DID) and Verifiable Credentials (VC) standards, developed under the aegis of W3C, the internet’s governing body, are in the third year of a four-year field test sponsored and evaluated by the US Department of Homeland Security, encompassing a digital permanent residency card and creation of a digital chain of custody for cross-border trade in commodities like steel, crude oil and agricultural produce.
The DID and VC standards being trialed and deployed in the US and many other territories (including Canada, the EU and South Korea) have been designed from the outset to cover all entity types, from people to organizations to things. This is not the case for previous ‘turns’ of the identity technology wheel and marks a step change in the evolution of digital identity, enabling data sovereignty (control of data by its ‘owner’) to be extended from personal data to other forms of data for the first time. In the words of Innopay CEO Shikko Nijland, “We shouldn’t limit ourselves to personal data only, because data sovereignty is equally important for industrial and business data.”
What’s next for DIDs & VCs?
A key goal of the Department of Homeland Security pilot is to stress-test the interoperability of these standards in the field:
- Any entity in an ecosystem should be able to automatically verify the identity of any other entity
- Data should be shared in a format that’s machine readable by any entity (this is made possible by the standardised Verifiable Credentials data model)
- Any vendor should ensure their solution fully implements the technical standards, such that it is possible to seamlessly replace the vendor with a competing solution (no vendor lock-in)
Interoperability of DID & VC based solutions has indeed been established in the DHS pilot and other mission-critical settings such as cross-border digital identity verification in the EU and digital staff passports in the NHS, with a growing number of use cases entering full production.
For organisations that have focused on digitising internal processes, the question is: are you ready to extend digital transformation to your customers, partners and wider ecosystem? If yes, you may want to consider how DIDs and VCs can play a role.
Wider Team are experts in decentralised identity, helping clients assess risks, identify opportunities and map a path to digital trust. For more information, please connect on LinkedIn or drop us a line at firstname.lastname@example.org.