When you are walking about town, or on the Internet, how do you identify that you are you and not some imposter?
Current Forms of ID
We should all carry some form of physical identification (e.g. a photo driving licence) that can prove who we are, our age and where we live. In the UK the National Identity Card, introduced by the Identity Cards Act 2006, was disbanded in 2011. In other countries there are varying degrees of requirement, ranging from the mandatory to the optional.
In the UK the official forms of identity are based on documents issued by the Government that have a photo included and are:
- The UK Photo Driving Licence
- The UK Issued Passport.
Other accepted forms of identity tend to be based around a valid bank card, a utility bill or bank statements, and these tend to be required in addition to a photo ID when you take out certain services (e.g. a bank loan).
Each form of identification has its own reference. For example:
- Driving Licence has a unique driver number
- A Passport has an Issuer Code (in the UK GBR) together with a unique Passport Number
- Utility Bills will have a Customer Number
- Bank Statements in the UK will have a Sort Code/Bank Account Number
- UK National Insurance records will bear your National Insurance Number
- Tax records will have the Unique Tax Reference (UTR).
None of these are fully linked up, but all form part of your official identity.
For visiting foreign nationals who intend to stay in the UK for an extended time, or are intending to settle in the UK, a Biometric Residence Permit is required as part of their visa which includes:
- Their name, date and place of birth
- Their fingerprints and a photo of their face (this is their biometric information)
- Their immigration status and any conditions of their stay
- whether they can access public funds, for example benefits and health services.
In other countries this is often called a Residence Permit.
Identity Cards in the UK
What if you just need to certify that you are over 18, or that you are a local resident? Providing any of the official forms of ID gives the requestor additional information that they do not need and opens the individual up to Identity Theft.
When the UK National ID Card was disbanded in 2011, the focus switched to private companies to provide forms of identification. This has given rise to a number of companies providing age verification cards (e.g. CitizenCard, My ID Card, and Yoti).
These ID Cards only confirm your Name, Age/Date of Birth and appearance through a Photo. They typically will have the PASS hologram of the National Proof of Age Standards Scheme. They will also carry the scheme logos (see below).
These cards allow people, young people in particular who might not have a lot of the official forms of ID, to prove their age for a number of age limited services.
These cards are useful in providing physical identity in person, but the standards around providing Digital identity in the UK (and worldwide) are somewhat disorganised.
What makes up your Digital Identity?
This is quite a complex question to answer, and depends on who you ask. At a minimum it should include:
- Your Date and Place of Birth
- Main residence address
- Official ID numbers (e.g. National Insurance Number)
- Government Issued ID (e.g. Driving Licence, Passport)
- Bank Details
- Biometrics (e.g. fingerprint, iris scan, voice print)
- Medical History (e.g. access to dental records)
- Valid Email Address
- Phone Number (Mobile or Landline)
- Census records.
Your digital identity is also made up from several activities, for example:
- Social Media activity (Likes, Shares, Comments, Posts)
- Photos on social media
- Purchase, and other financial transaction, history
- Search Queries
- Geotagging, including geolocation through cell phone activity
- Signed Petitions
- Apps you have downloaded
- Cell phone usage
- Travel history (e.g. train tickets, international travel).
However, none of this guarantees your identity online, since all of it can be either stolen or faked.
When we sign up for an account online, we often need to provide an email address, phone number, an address and often a credit/debit card number. This is often validated:
- For an email address by sending an email with a confirmation link you should click (and what have we told you about clicking on links in emails)
- For a Phone Number they might call you or send you a SMS with a one-time passcode you need to enter
- For a Credit/Debit Card they may make a small transaction (e.g. for £1) followed by a refund to confirm the card is valid
- Sending account documents to your address
However, the credit/debit card transaction only proves the card is valid, not that you own it. You may have hijacked the email account or stolen someone's mobile phone. Your home address is just what you say it is and is often not validated.
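To make the limits of these checks concrete, here is an added example (not code from the original post) of the one-time passcode flow described above, as a service would run it for a phone number or email address. The code is issued, stored only as a salted hash, expires after a few minutes and is locked after too many wrong guesses. The time-to-live and attempt limit are assumptions chosen for illustration. Passing the check proves that whoever is typing controlled that channel for those few minutes; it says nothing about who they are.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
OTP_MAX_ATTEMPTS = 5       # assumption: a challenge locks after five wrong guesses

# In-memory challenge store keyed by channel (phone number or email address).
# A real service would keep this server-side; the dict is a stand-in.
_challenges = {}


def _digest(code, salt):
    # Only a salted hash is stored, so a leaked store does not leak live codes.
    return hashlib.sha256(salt + code.encode("utf-8")).hexdigest()


def issue_code(channel, now=None):
    """Create a fresh code for the channel and return it so it can be sent out."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _challenges[channel] = {
        "salt": salt,
        "digest": _digest(code, salt),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(channel, submitted, now=None):
    """Return True exactly once: on the first correct submission before expiry."""
    now = time.time() if now is None else now
    challenge = _challenges.get(channel)
    if challenge is None:
        return False
    if now > challenge["expires"] or challenge["attempts"] >= OTP_MAX_ATTEMPTS:
        _challenges.pop(channel, None)   # dead challenge: the user must request a new code
        return False
    challenge["attempts"] += 1
    # Constant-time comparison of the two hashes.
    if hmac.compare_digest(_digest(submitted, challenge["salt"]), challenge["digest"]):
        _challenges.pop(channel, None)   # single use
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: the number below is a made-up example value.
    sent = issue_code("+44 7700 900123")
    print("code sent to phone:", sent)
    print("wrong guess accepted?", verify_code("+44 7700 900123", "000000"))
    print("right code accepted?", verify_code("+44 7700 900123", sent))
    print("replay accepted?", verify_code("+44 7700 900123", sent))
```

The same structure applies to an emailed confirmation link: the token in the link is the "code", and clicking it proves control of the mailbox at that moment and nothing more.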
Digital identity information can be exposed through, to name a few:
- Public Wi-Fi networks
- Unsecured websites
- Third-party data breaches
- Phishing and other social engineering attempts
- Weak or reused passwords
- Deepfake videos, voice and graphics
- Location sharing settings
- Adding strangers to social media accounts.
Personally Identifiable Information (PII), such as the above, is easily available on the Dark Net in hacking forums, in most cases for very little money. Typically:
- $1 for a Social Security Number
- $15 for a Passport scan
- $20 for a Driving Licence
- $50+ for Medical Records
- $60 for Credit Card details (but some can go for as little as $0.25 each)
- $1000+ for Banking details.
All this information is typically disclosed in data breaches. These are being reported daily and involve several high profile organisations (e.g. the Marriott breach in 2018). It is highly likely that a lot of your identity information has already been disclosed in some form, if not published.
Cyber Criminals are not just providing individual pieces of information. They will often bundle whole identities for a person including all the above information, and if this is certified as active it can go for big money. They will also sell bundles of Usernames/Passwords for $0.11/1000 records.
What are the UK Government doing?
From the 19 July to 15 September 2019, the UK Government asked for consultation and evidence on establishing some standards around digital identification from “all interested parties, including citizens and businesses, as well as organisations who anticipate being a consumer or creator of digital identity tools or services, and those focused on protecting civil liberties.
This call for evidence seeks views on how government can support the development and secure use of digital identities fit for the UK’s growing digital economy”.
The UK government will publish a response in the Spring of 2020.
You should also review the UK Digital Economy Act 2017.
How do you prove Identity today?
In order to prove you are who you say you are, you should be able to provide:
- Something you know that can be verified simply (e.g. a security question, password)
- Something you have (e.g. a driving licence, utility bill)
- Something you are (e.g. a fingerprint, 3D face map/scan).
The problem is that a lot of organisations rely on the first two and forget about the third; as we have shown above, the first two can be acquired from the Dark Net easily. They are merely asking if a person is who they say they are, not who they really are. But what if that person has a legitimate, yet stolen, ID document? Likewise, looking at an account record is no longer helpful. Companies need to know that the person interfacing with them online is who they purport to be at that very moment.
What they should be asking is:
- Are you really who you say you are?
- Are you still really who you say you are?
These are the two questions companies should care most about when it comes to digital identity. The answers to those questions come through two interconnected processes:
- upfront identity verification (through traditional and biometric information as well as official records)
- ongoing user authentication (regular challenges, ad hoc contact, MFA).
Increasingly, modern enterprises are turning to biometrics for identity verification and authentication, alongside more traditional ID verification, to strengthen their defences against online fraud, maintain compliance with Anti Money Laundering (AML) and Know Your Customer (KYC) regulations and to build trust in their brand.
What about the future?
This in part is what the UK consultation is all about.
The best practice for now seems to be to establish an online identity that ties to government issued (and verified) documents that are proved in some way to be authentic. The digital identity should then be corroborated using photographic evidence through a selfie or short video where you repeat prompted phrases, which also proves that you are a living person.
If biometric information (e.g. fingerprint, iris scan, retina scan) could also be corroborated through some form of official record this would further strengthen the digital ID. However, here lies the issue with privacy, as this information can be misused by commercial organisations and governments. This was partly to blame for the termination of the UK National ID Card.
We don’t want an individual company, or for that matter a government organisation, to have all the information (the UK National ID Card was backed by a centrally owned government database). However this information does need to be linked in some way so that it can be easily looked up when needed. It also has to be delivered based on the need and only the required information delivered. For example:
- To verify someone’s age, their DoB only needs to be disclosed
- To verify they are a resident of a particular town, only the postcode of their normal residence needs to be disclosed.
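The "only the required information" principle above has a well-known technical shape: the issuer commits to each attribute separately, and the holder reveals only the attribute a given check needs. The following is an added example written for this post, not code from any of the schemes mentioned. It generalises the two bullets into a small selective-disclosure credential: each attribute is committed to with a salted hash, the list of commitments is authenticated by the issuer, and a verifier recomputes one commitment from the single revealed value. HMAC under an issuer key stands in for a real digital signature, so the verifier is assumed to share that key; the attribute names, the postcode-district rule (the outward half of a UK postcode) and the sample values are all constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Assumption: a long-term issuer secret. A production scheme would use an
# asymmetric signature so verifiers need only the issuer's public key.
ISSUER_KEY = b"example-issuer-key-not-for-production"   # constructed


def _commit(name, value, salt):
    # Salted so that a low-entropy value (a date of birth) cannot be brute-forced
    # from the commitment alone.
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()


def _sign(commitments):
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_credential(attributes):
    """Issuer side. Returns (credential, holder_secrets); the credential holds no plaintext."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = {name: _commit(name, value, salts[name]) for name, value in attributes.items()}
    credential = {"commitments": commitments, "signature": _sign(commitments)}
    holder_secrets = {"values": dict(attributes), "salts": salts}
    return credential, holder_secrets


def present(credential, holder_secrets, attribute):
    """Holder side: reveal exactly one attribute and its salt."""
    return {
        "credential": credential,
        "attribute": attribute,
        "value": holder_secrets["values"][attribute],
        "salt": holder_secrets["salts"][attribute].hex(),
    }


def verify_presentation(presentation, expected_attribute):
    """Verifier side: return the revealed value if it is genuinely issuer-backed, else None."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["commitments"]), cred["signature"]):
        return None                                  # commitments were altered
    name = presentation["attribute"]
    if name != expected_attribute:
        return None                                  # wrong attribute for this check
    salt = bytes.fromhex(presentation["salt"])
    if not hmac.compare_digest(_commit(name, presentation["value"], salt),
                               cred["commitments"].get(name, "")):
        return None                                  # revealed value does not match
    return presentation["value"]


def _full_years_between(dob, today):
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1                                   # birthday not yet reached this year
    return years                                     # handles 29 February correctly


def check_over_18(presentation, today_iso):
    """Age check: learns only the date of birth, nothing else about the holder."""
    dob_text = verify_presentation(presentation, "date_of_birth")
    if dob_text is None:
        return False
    return _full_years_between(date.fromisoformat(dob_text), date.fromisoformat(today_iso)) >= 18


def check_postcode_district(presentation, district):
    """Residence check: learns only the postcode of the holder's normal residence."""
    postcode = verify_presentation(presentation, "postcode")
    if postcode is None:
        return False
    outward = postcode.split()[0].upper()            # assumption: outward code = district
    return outward == district.upper()


if __name__ == "__main__":
    # Constructed sample holder.
    cred, secrets_for_holder = issue_credential(
        {"name": "Jane Example", "date_of_birth": "2004-02-29", "postcode": "SW1A 1AA"})
    age_proof = present(cred, secrets_for_holder, "date_of_birth")
    print("over 18 on 2022-03-01:", check_over_18(age_proof, "2022-03-01"))
    print("name leaked in age proof:", "Jane Example" in str(age_proof))
```

Note that even this minimal design still reveals the full date of birth to an age check; schemes that answer only "over 18: yes/no" need a further step (a derived attribute issued alongside, or a zero-knowledge proof), which is outside the scope of this example.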
What is happening internationally regarding Digital ID?
There are a lot of initiatives going on around:
- National ID schemes with increased reach and visibility
- New technologies and regulations supporting the transformation
- Many new standards are emerging fostering interoperability.
I don’t want to go into these in too much detail here as the Thales Group have published a very useful guide to this in their “Digital identity trends – 5 forces that are shaping 2020” report.
How can we secure our Digital ID?
Consider Paid versions of Services. A lot of free services will harvest your personal information and use it for their own ends in order to get paid for the service they are providing for free. Facebook, for example, uses advertising as a revenue stream and in order to best target those Ads they use your interests that you post on your feed. Alternatively, paid versions will often not deluge you with Ads as they are getting revenue from you directly and not otherwise market your information.
Manage your Passwords. This is something we have blogged about in our Authentication Guidance and specifically in Account and Password Management. Ensure you use unique passwords for each service you use, use some form of password manager to manage all your passwords and enable a second factor through an authenticator app (not SMS).
Change Passwords if they are subject to a data breach. You can regularly visit “Have I been Pwned” to see if your email address and/or password have been disclosed in data breaches. If they have, you need to change them anywhere they are used. Reputable password managers will be able to help you manage this. You can also read our blog post Guidance on Effective Use of Passwords to understand how to form strong passwords.
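The "Have I been Pwned" password check mentioned above can be done without ever sending the password, or even its full hash, to the service: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix under that prefix, so the match happens locally (k-anonymity). The block below is an added example written for this post, not code from Have I Been Pwned or from a password manager. It implements that client-side check, with the network call replaced by a fetcher backed by a small constructed breach list so it runs offline; the live fetcher is included for reference and uses the real endpoint, while the breach counts in the sample list are made-up values.

```python
import hashlib
import urllib.request

# Constructed sample "breach corpus": password -> number of times seen. Made-up counts.
_SAMPLE_BREACHED = {"password": 3730471, "password123": 123456, "letmein": 9876}


def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_range_index():
    """Group the constructed corpus the way the real API does: prefix -> 'SUFFIX:COUNT' lines."""
    index = {}
    for pw, count in _SAMPLE_BREACHED.items():
        h = _sha1_upper(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in index.items()}


_SAMPLE_INDEX = build_sample_range_index()


def local_range_fetcher(prefix):
    """Offline stand-in for the range endpoint; returns the body text for one prefix."""
    return _SAMPLE_INDEX.get(prefix, "")


def hibp_range_fetcher(prefix):
    """Live fetcher: GET https://api.pwnedpasswords.com/range/<prefix>. Not used in the offline run."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines and either line ending."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=local_range_fetcher):
    """Return how many times the password appears in the corpus; 0 means not found.

    Only the 5-character prefix is passed to fetch_range; the 35-character
    suffix never leaves this function.
    """
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple 9Xq!"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

A password manager's breach audit does essentially this for every stored entry; the value of the prefix-only query is that a compromised or logging service still learns nothing usable about the passwords being checked.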
Go Password-Less. Biometric authentication is widely available on mobile devices as well as desktop PCs. If it isn’t built in then it is easily added using a USB based device. There are a lot of ways to authenticate without passwords, and this will be the subject of future blogs in this area.
As you can see, the issue of identification, especially in a digital-first world, is an issue that has yet to be fully cracked. In the meantime we have what we have.
I personally think we need to collect together all the relevant information into some form of officially sanctioned database – maybe owned by one/more commercial organisations.
This database should hold the primary identification numbers (e.g. to get my medical records it could hold my NHS number (UK only) which could then be released through my doctor). Similarly my financial records managed through my Bank and my birth/death record through the government’s Births, deaths, marriages and care records.
I would also like to see if a digital identity could be integrated with a digital certificate that could be issued by a government/international agency (similar to the SSL certificates issued to encrypt a website). Any collection of information should also be encrypted using this certificate in such a way that the custodian of that information cannot decrypt it.
Until the UK government responds from their consultation and brings forth some form of legislation that I am happy with from a privacy stand point, I will personally not be subscribing to any commercial organisation and I will use other methods to manage this information.
I will also be monitoring the UK government’s consultation on this issue and will write it up when it is published.
I have mentioned a number of companies providing digital identification and ID cards in this blog post. It should be noted by anyone reading this blog that I do not personally endorse any of these organisations and have not been paid in any form to mention them. If you choose to use any of them you do so at your own risk and should fully investigate the company before you subscribe.