When it comes to exploring new technologies, it is common to hear the phrase “a solution looking for a problem” thrown around the boardroom. And, of course, in many cases this is an entirely valid criticism of the pointless and redundant application of a new bit of kit, or software architecture, or complicated cryptographic concept that no-one really understands.
Sometimes it is genuinely hard to distinguish the use cases from the useless cases: The idea that fire departments, for example, might use the blockchain to fight fires more effectively than by using a database (one of my favorite useless cases) might reasonably be criticized in this context.
When it comes to the new technologies of identification, authentication and (in particular) authorization though, this criticism is wholly misplaced. In the identity world, we have not one but a million problems looking for the same solution: Digital identity.
A million? Yes, I am confident in this prediction. The lack of any identity infrastructure is manifest in the out-of-control fraud we see on both sides of the pond. Every single day I read about more abject failures of the identity infrastructure! In the last few weeks I have had the pleasure of working in the UK, North America, Australia and New Zealand and in every one of these countries the media are full of examples of identity theft, identity-based frauds and misrepresentation.
Here is just one: in the UK, a woman who took around 150 driving tests for other people has just been jailed for eight months. It seems to me that if the driving license test centers are incapable of determining the correct identity of their customers, there is absolutely no possibility of (for example) volunteers at polling stations validating the identity of voters — the UK now has voter ID laws — or HR departments verifying the credentials of applicants.
Don’t Trust, Verify
That last point about verifying credentials is very important. I can illustrate this point with another story from the UK, that of a pilot who was sent to prison for lying about his flying experience to get a job with British Airways. The fraudulent flyer entered false details and altered entries in his flight logbook so that he could appear more experienced than he actually was. He got the job and was working for the British Airways subsidiary BA CityFlyer and former Irish regional airline Stobart Air for two years before he was found out.
Now, it’s one thing to lie about credentials to get a job flipping burgers (“no, I have never been convicted of possession of a deadly weapon”) or as a member of parliament (“I am unfamiliar with use of cocaine”) or as the CEO of an internet company (“yes, I have a computer science degree”) but it’s quite another thing to lie about being able to drive or being a police officer or qualified as an anesthesiologist or as a pilot.
But how can someone prove that they are a police officer or a pilot? The police in London are thinking about adding QR codes to their identification cards so that women and girls can scan the cards with a smartphone to confirm the officers’ identities but I don’t know if that will be good enough. QR codes are too easy to copy, and in any case right now there are at least 2,000 police identification cards that are missing and could be used by anyone, since there is no authentication. And if the police do it, then should all emergency services adopt the same scheme?
Incidentally, while fake pilots are a pretty disturbing idea, I am English and therefore far more concerned about the epidemic of deceptive dentists across our green and pleasant land. When I read about the podiatrist who claimed he was a dentist and targeted pensioners or the woman with no qualifications at all who managed to fool hospitals for “nine years before being discovered” or another woman convicted on two charges of carrying out dentistry work without holding any dentistry qualifications, I get twitchy.
It’s a mess and the fact that Miami street gangs are now competing to control identity theft instead of boring old guns and drugs tells us that we are long overdue a practical identity infrastructure.
No, Not Those VCs
The general problem statement here is, as you will have noticed, not about proving who you are but about proving what you are. I need to know you have a line of credit, a pilot’s licence or a diploma from a top ten dental school. I do not care who you are, unless something goes wrong, in which case law enforcement or professional bodies take over.
Here, then, there is most definitely a problem looking for a solution and we already know what the solution is: verifiable credentials (VCs).
It should be quite straightforward. You walk into the doctor’s surgery and there is a certificate on the wall. You tap the certificate with your phone (or scan a QR code on the certificate) and your phone either shows you a picture of the doctor, if the qualification is valid, or a big red cross if it is not valid. If the process is anything more complex than that, it cannot help the general public.
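What the phone has to check in that tap, and why a copied QR code or card fails, as an added example that is not part of the original article: the credential is signed by the issuer and bound to the holder's key, and the holder signs a fresh challenge from the verifier. The issuer, the key pairs, the claim text and every function name are constructed for illustration (Node.js built-in crypto, Ed25519); revocation and issuer trust lists are left out.

```javascript
// Added example: constructed keys and claim; not a real VC library or data model.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Issuer signs the claim together with the holder's public key, binding the two.
function issueCredential(claim, holderPublicKey, issuerPrivateKey) {
  const body = JSON.stringify({
    claim,
    holderKey: holderPublicKey.export({ type: 'spki', format: 'pem' }),
  });
  return { body, issuerSig: sign(null, Buffer.from(body), issuerPrivateKey) };
}

// Holder answers the verifier's fresh nonce by signing it with the private key.
function present(credential, nonce, holderPrivateKey) {
  return { credential, proof: sign(null, nonce, holderPrivateKey) };
}

// Verifier: issuer signature first, then proof of possession over its own nonce.
function verifyPresentation(presentation, nonce, issuerPublicKey) {
  const { credential, proof } = presentation;
  const body = Buffer.from(credential.body);
  if (!verify(null, body, issuerPublicKey, credential.issuerSig)) return 'issuer-signature-invalid';
  const { claim, holderKey } = JSON.parse(credential.body);
  if (!verify(null, nonce, holderKey, proof)) return 'holder-proof-invalid';
  return `valid: ${claim}`;
}

// Constructed scenarios: genuine tap, copied credential, replayed proof, edited claim.
function runScenarios() {
  const issuer = generateKeyPairSync('ed25519');   // hypothetical licensing body
  const doctor = generateKeyPairSync('ed25519');   // genuine holder's phone
  const impostor = generateKeyPairSync('ed25519'); // holds only a copy of the credential
  const cred = issueCredential('licensed to practice', doctor.publicKey, issuer.privateKey);
  const nonce1 = randomBytes(16), nonce2 = randomBytes(16);
  const genuine = present(cred, nonce1, doctor.privateKey);
  const tampered = { ...cred, body: cred.body.replace('licensed', 'senior licensed') };
  return {
    genuine: verifyPresentation(genuine, nonce1, issuer.publicKey),
    copied: verifyPresentation(present(cred, nonce1, impostor.privateKey), nonce1, issuer.publicKey),
    replayed: verifyPresentation(genuine, nonce2, issuer.publicKey),
    tampered: verifyPresentation(present(tampered, nonce1, doctor.privateKey), nonce1, issuer.publicKey),
  };
}

console.log(runScenarios());
```

Only the first scenario yields the picture of the doctor; the other three are the big red cross, because the static data alone proves nothing without the holder's private key and a fresh challenge.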
Given the evolution of smartphones, contactless interfaces and verifiable credential standards, this takes us beyond the familiar tap-to-pay world that people already seem very comfortable with and towards what Jerry Fishenden calls the “tap-to-prove” world, which I think we need to get to as soon as possible. We are undoubtedly making some steps in the right direction here: For example, the Post Office and Yoti have become the first government-approved digital ID providers, allowing UK citizens to prove their identities with an app instead of physical documents for the specific purposes of applying for a job or renting a property.
Identity experts often talk about the need for a “ceremony.” It’s a concept I find valuable in this context: It means that the actions that two people need to take in order to engage are well-known to both of them so that the ritual is familiar and provides confidence in the outcome. If you have to do something different in the bank, in the supermarket, in the sports stadium, on the web and everywhere else then fraudsters can take advantage of the uncertainty. If, on the other hand, the same ritual is applied in all circumstances, then not only do you begin to do it automatically but if someone asks you to do something out of the ordinary, your suspicions are aroused.
I rather like the idea of a standardized tap-to-prove ceremony, because it introduces the possibility of a common mechanism for demonstrating credentials not only at the technological level but also at the human level. It makes for a recognizable “dance” for demonstrating attributes in such a way as to make for practical improvements in day to day security.
This is what I mean by practical improvements through common ceremony. If you go into the bar, you tap your phone on the doorman’s phone and the doorman gets confirmation that you are over 21 and you get confirmation that the doorman is licensed by the city to perform such a function. If you go to see a doctor when you are on holiday, you tap your phone on the doctor’s phone and the doctor gets your insurance details and you get confirmation that the doctor is licensed to practice. If you go to watch a soccer game, you tap your phone on the turnstile and the gate gets confirmation you have a ticket and are not banned from the ground while you get confirmation that your loyalty points have been awarded.
It is one thing to have the digital identity infrastructure that we need to function in the modern world, another thing to make it deliver for the populace. Tap-to-prove ceremonies are a way to do this. The need for improvement is urgent. Losses from only those fraud schemes in which fraudsters use stolen payment credentials for their own gain soared 79% last year to $24 billion, according to Javelin Strategy & Research.
We know what the solution is and we know what the million problems are, so surely it’s time to move forwards.