So why isn't digital identity working today?
We're designing solutions for organisations, not people. They are 'closed loop' by default. We need to open things up...
In the last post I wrote about how our identity tools are quite broken, and that they are failing to meet our human needs. Instead, too often they are designed to meet business requirements. Today I want to look at that in more detail, and help explain why so many attempts to develop new digital identity systems have failed to take off.
Let’s look again at why paper identity solutions are helpfully based around human requirements:
they are centred on the person;
they are accessible;
they are varied;
they work across contexts;
they are private;
and they can be used in limitless combinations.
Now let’s see how businesses and organisations are actually designing our digital identity solutions today:
1. Centred on the person? Nope - our identity systems are built for organisations, not individuals
When interacting digitally, almost always we are given specific digital credentials to use with each and every different organisation.
Our supermarket gives us a digital loyalty card so they can make sure they send the right offers to the right person at the right time. Our utility company gives us an online account so we can update our energy information and make payments. And a digital employee credential can only be used in one place: at work, and within the employer’s own systems.
Yet with paper ID, I can prove things about me anywhere.
The more we interact with different organisations, the more we have to use different ID solutions in different places, designed and built for use in only those places.
2. Accessible? Of course not - they’re fragmented and exclusive
Today’s digital identity solutions make life even harder than it already is. Yes of course, offering a digital solution means we’re already excluding billions - those without devices, those without connectivity. But even for those with privileged access to smartphones and the internet, our digital IDs are hard to use and almost always require complicated login and registration processes.
Then there’s filling out long forms with information we can’t remember or don’t know. Having to choose between passwords that are easy to remember (but therefore easy to steal), or passwords that are hard to remember (but therefore more secure). Being sent random numbers or links to different emails and phone numbers that we might not even have access to at the time… it’s nuts.
And it’s particularly painful if you’re interacting with a bank, insurer or healthcare organisation, where accessing an account can be torturous.
And none of this even touches on those vulnerable populations who can’t get started with digital at all.
3. Are they varied? Perhaps - but we’re missing the value
Digital applications are appearing in every facet of our everyday lives, and naturally there has been a related explosion of digital identity solutions to serve them. But this increasingly large and rich ecosystem of identity credentials is missing something quite fundamental: almost all of our data is locked up behind company walls.
There are tonnes and tonnes of data about me and my life that neither I, nor other groups I trust, can access or use. My bank has a broad and deep picture of my financial life. They could make any number of valuable attestations on my behalf: that my bank balance is above a certain threshold; that I have a certain income; that I am creditworthy for a particular purchase; even that I am a citizen of this country.
But today’s digital identity infrastructure prevents that data being shared. The same goes for retailers, telcos, our governments, supermarkets and healthcare providers, and any other organisation we interact with. It’s a missed opportunity to create new value for me, and a colossal loss of value to these organisations, who with my permission should be able to repurpose that data.
4. Useful across contexts? Sometimes - but at a cost
As I’ve already pointed out, for the most part we can only use our digital identities in one place: at the organisation that gave them to us. My username and password are only useful at one website. My gym membership identity is only useful at the gym.
Over the last ten years a handful of digital services, so-called ‘Identity Providers’ (or IDPs), have emerged to provide digital credentials we can use in more than one place. Social login is a good example, where the service I want to access (e.g. Retailer A) has done a deal with — literally signed a contract with — the IDP. This means that when I go to Retailer A’s website, instead of using my normal username and password, I can use my Identity Provider account information.
This means I don’t need to create or remember another username or password, and makes life easier for Retailer A. But there are a number of downsides to this model, the most obvious of which is that we, the customers, can only use our Identity Provider account details where the service provider (i.e. the website) has done a deal in advance. Everywhere else I still need to create and remember a myriad of usernames and passwords.
Many organisations and customers also object to the Identity Provider’s terms of use: that the IDP gets to keep and analyse the identity data, or that it can track the user across different websites. As a result, many regulated businesses aren’t able to support the IDP model due to liability concerns. And organisations like governments, banks, telcos and airlines only wish they could provide user experiences like the social networks, but they just can’t get around the compliance risks.
This lack of use across contexts is particularly painful for those trying to get a foothold in the system to begin with. If you have just moved to a country and are setting up in a new job, you need to provide bank details to get paid. So you need to open a new bank account. But for that you need proof of address. But you won’t have that yet as you haven’t been sent ‘verified’ documents like a utility bill by post. And so it goes on. This is all down to the fact that you are unable to use your identity credentials across contexts (in this case, to share trusted identity data from your country of origin).
5. Private? Don’t be ridiculous
In most mainstream digital identity applications we see privacy traded off against better user experiences and improved security, and organisations are often forced to pick two out of the three. And for many digital identity applications, user privacy is expressly ignored: their very business model depends on collecting more and more personal data, and tracking users across contexts to create rich customer profiles to be sold, or analysed and used elsewhere for advertising and sales.
Overall we have an ecosystem of digital identity solutions that are neither private nor secure; or if they are both, have terrible user experiences.
6. Limitless combinations? No - they are narrow solutions where the ‘computer says no’
Finally, today’s digital identity systems are narrow by design. They require specific data sets to work, and cannot cope with different types of identity information. If you provide the wrong format or type of information (how many times have you had to re-type your mobile number, or date of birth in a form online?), many digital applications just say ‘no’.
By contrast, it’s what paper credentials can do so easily — if the first credential isn’t suitable, then just show us another and another until we can build trust.
This inflexibility with digital identity means that organisations are creating unnecessary headaches for their customers, and driving up unnecessary costs. When customers need to register or log in but can’t, they turn to other support channels like call centres and physical stores… meaning fewer sales, unnecessary overheads and lower customer satisfaction.
From closed-loop to open-loop identity
In contrast to paper credentials, our digital identity solutions are largely ‘closed-loop’ approaches that are overly focussed on the needs of the organisation; are fragmented and siloed; are privacy-invading (or at best difficult to use); and are largely inflexible.
When you add it all up, you can’t help but come to the difficult conclusion that today’s digital identity approaches cannot be sustained — they are fundamentally broken, arguably idiotic, and at worst damaging.
Simply put, they won’t reach their full potential or scale; they will never fully replace today’s paper equivalents.
What if, instead of today’s ‘closed-loop’ solutions, we had ‘open-loop’ digital identity infrastructure that could bring all the advantages of paper credentials but work digitally?
In the next post I’ll explore what that might mean, and why it could foster whole new levels of value for individuals, organisations, our economy and — perhaps most importantly — our society.