IT Brief New Zealand - Technology news for CIOs & IT decision-makers
The future of digital identity: the need for systems reform
Thu, 7th Apr 2022

Identity credentialing, proving you are who you say you are, needs to catch up to the technologies available. Currently, most organisations use simple means, and a person's digital identity is often reduced to a username and password – occasionally backed up by a text message.

This simplicity, combined with the massive oversharing of personal information on insecure or unsafe platforms, has led to widespread cybercrime and identity theft. The combination is made even more dangerous thanks to real-world pressures, like the COVID-19 pandemic, which have increased the number of people shopping, working, and living online. Cybercriminals are using this pressure to scam good people, but smart organisations and agencies are using it to reform current eID (electronic identity) systems.

Digital identity in NZ

So how does New Zealand manage digital identity? For now, we call it RealMe, which manifests as a single sign-on verified further with real-world credentials. It comes in two flavours, a login and a verified account. Both allow users to access government services, certain banks and even some student services. However, user reviews are mixed, and much of the populace have a love-hate relationship with the platform.

Potential upgrades remain parked in digital economy and communications minister David Clark's bill, the digital identity services trust framework bill. This bill aims to institute a legal framework to create secure and trusted digital identity services for New Zealanders.

Challenges of eID systems today 

  • Oversharing personal data: A primary weakness of most existing eID solutions is the lack of precision during verification. This weakens identity security, because users routinely have to expose an unnecessary amount of information by supplying photographic evidence of their passports and driver's licences. A reformed solution must feature selective attestation, minimising data exposure.
  • Fertile ground for identity theft: Many credentials and identity element attestations are not sufficiently tamper-resistant and do not carry adequate protection against theft. The eID landscape is also fragmented, forcing consumers to maintain multiple accounts while relying on individual companies' policies to protect these accounts - RealMe attempts to ameliorate this issue. Given the frequency of data breaches and the constant sale of credentials on the dark web, it could be considered easy for someone to steal an identity.
  • Closed ecosystem solutions: Government solutions, like RealMe, have led by providing access to multiple online services using one username and password. However, because RealMe is operated by a centralised body, the government, it offers limited control to the issuing party or consumer. This means there is little to no digital sovereignty for consumers. 

A modern and robust eID system

Decentralised digital identity technology (DDI), also known as self-sovereign identity, gives people control over their digital identity. This approach has been standardised by the W3C, the international standards organisation for the world wide web.

Under this concept, the user receives various credentials from different sources (e.g., government, employer, university) and stores them in a digital wallet. The holder can then present cryptographic proofs of their identity to a verifier (e.g., a cell phone company trying to verify one's address), who can check that the proof provided is true via a tamper-proof, decentralised, and cryptographically secure system.

For New Zealand to reform eID, two things are needed.

  • Simplified, standardised verification: DDI systems that comply with the W3C standard propose and support a common verifiable credential format, which makes verifying a credential a standard and straightforward procedure. Credentials are mostly self-contained, and the standard explicitly describes all cryptographic operations required to verify a credential.
  • Explicit user control and consent: The user should remain in control of their identity and explicitly consent to share the parts needed in each case. As a more autonomous solution, DDI technology is an effective reform for platforms like RealMe. Once credentials have been stored within a digital wallet, DDI technology enables cryptographic proof to be shared with verifiers. It is through this capability that specific elements of identity can be shared, rather than sending photographic evidence and revealing entire sets of irrelevant personal data.
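
The issuer, wallet and verifier roles and the selective sharing described above can be sketched with salted hash commitments, one common way to disclose single claims from a signed credential. This is an added example, not code from the article, the W3C specification or any DDI product; the function names, the sample flow and the Lamport one-time signature standing in for the issuer's real signature scheme are assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib, json, secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Stand-in issuer signature: Lamport one-time signature (one key per credential).
# Assumption: a real issuer would use a standard scheme such as Ed25519.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify_sig(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(_bits(msg), sig)))

def commit(name, value, salt) -> str:
    # The per-claim random salt stops a verifier guessing undisclosed values.
    return H(json.dumps([salt, name, value]).encode()).hex()

def issue(sk, claims: dict):
    """Issuer: sign the sorted salted digests of the claims, not the claims."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(commit(k, v, salts[k]) for k, v in claims.items())
    return {"digests": digests, "sig": sign(sk, json.dumps(digests).encode())}, salts

def present(credential, claims, salts, reveal):
    """Holder (wallet): disclose only the chosen claims and their salts."""
    return {**credential, "disclosed": [[salts[k], k, claims[k]] for k in reveal]}

def verify(pk, presentation):
    """Verifier: check the issuer signature, then each disclosed claim."""
    payload = json.dumps(presentation["digests"]).encode()
    if not verify_sig(pk, payload, presentation["sig"]):
        return None                      # digest list was not signed by issuer
    out = {}
    for salt, name, value in presentation["disclosed"]:
        if commit(name, value, salt) not in presentation["digests"]:
            return None                  # claim altered or never issued
        out[name] = value
    return out
```

The verifier learns the disclosed claims and nothing about the others beyond how many exist. Nothing here binds the presentation to the holder or to a fresh verifier challenge, so a copied presentation would still verify.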

Do people want self-sovereign eID?

Data shows that there appears to be a growing concern about cybercrime and identity theft alongside an appetite for data protection in New Zealand. We hope that any identification system allows people to take control of their data, the holy grail of which is their identity.

Giving people the credentials to navigate the digital world with confidence is critical to building a society that feels safe online. An easy-to-use, secure eID will give people real control of their data, and when people feel protected and in control of their digital lives, they engage with all that the internet has to offer.