Co-Founder and Co-CEO of Unum ID — the future of commerce and digital identity.
Identity is at the core of commerce, and every interaction is gated to establish trust. To transact, you must prove something about yourself — tap your credit card, enter a password, state your SSN, show your driver’s license or complete a biometric check.
In the physical world, identity is often trivial. Your very presence helps establish it. But as the saying goes: “On the internet, nobody knows you’re a dog.” The result? A piecemeal vortex of usernames, passwords, CAPTCHAs and lengthy forms forced upon users in a ceaseless effort to replicate the trust of a physical exchange. Current digital identity is expensive, inefficient and ineffective.
Put simply, it’s broken.
It’s broken because companies still lose hundreds of millions every year to fraud. It’s broken because billions of personal data points are breached every month. And it’s broken because organizations independently collect, verify and maintain potentially toxic personal user data.
That will change. Fixing digital identity may be the single biggest opportunity in tech.
McKinsey estimates that better digital ID could unlock economic growth equivalent to 3% to 13% of GDP globally by 2030 — trillions of dollars of annual value. Government agencies, financial services, healthcare providers, insurance companies, e-commerce sites, travel services and nearly every other industry need better digital identity solutions.
A “good” digital identity — one that is verified, unique, secure and privacy-preserving with user consent embedded by design — empowers better digital interaction for everyone.
To reap the rewards of next-generation digital ID, it’s important to understand where it can go wrong. Here are seven “deadly sins” that threaten digital identity innovation:
1. Lack Of User Consent And Control
Digital identity inherently deals with sensitive personally identifiable information (PII), making user consent and control essential. Currently, regulations like GDPR and CCPA carry stringent requirements around data rights, and more regulations will follow.
Past digital ID systems have a poor track record on user consent and control. Facebook famously exposed millions of users’ data to Cambridge Analytica simply because they were friends of people who took an online quiz. New digital identity solutions must embed user consent by design and enable robust controls to manage access to personal data over time.
2. Siloed Storage And Single-Use Data
My bank, healthcare provider, insurance company, ride-sharing apps and countless others hold enormous amounts of data about me — much of which overlaps.
When I sign up, each requires that I fill out forms supplying the same basic information. And each independently holds my personally identifying data on their servers. This is hopelessly inefficient and needlessly increases my PII threat exposure.
Digital identity should be reusable and portable across organizations.
3. On-Chain Storage And Blockchain Lock-In
Many new identity systems leverage blockchain technology to create auditable and immutable records. While distributed ledgers and hashing can supply substantial benefits, they must be very carefully designed. A poor implementation can lead to catastrophic identity problems down the line.
Sadly, hashed data is very difficult to unify and catalog: The addresses “123 Test Ave,” “123 Test Ave.,” and “123 test ave” all create distinct hashes. Furthermore, any hash stored on a blockchain may become vulnerable at some point in the future, and there’s no recourse should that occur. If someone hacks your hashing scheme — even 10 years from now — they have access to all of the related data ever issued on-chain.
Additionally, many designs rely on a single (often proprietary) blockchain. This is particularly problematic in light of GDPR. If anyone publishes PII to that chain, every company leveraging the identity solution may be liable.
4. Tokenization Limitations
Many identity efforts hinge on tokenization. The idea is sound and utilization can even leverage game theory to align incentives. But what’s great in theory often fails in practice. Novel cryptocurrencies are a cautionary case in point, including those created around an identity system. They tend to be volatile and difficult to use — not to mention beleaguered by regulatory uncertainty.
5. Centralization Risk
PII is perpetually under threat, so reliance on centralized data storage is an unacceptable risk to security and privacy.
Some centralized storage is unavoidable and even actively helpful — say, my bank tracking my account activity. But any single centralized provider that knows everything about a user is a horrifying concept straight out of 1984. Good digital identity must be pushed as much as possible to the edge — to users and their trusted institutions/devices. Using your digital identity should be similar to using a credit card. You and your bank should know a good amount about your purchases, while VISA or MasterCard should know very little — and any data sent anywhere should be encrypted end-to-end to ensure the network provider has no access.
6. Independent Deployment
Good digital identity requires a cooperative network. Organizations must coordinate their efforts and adhere to common standards to enable seamless commerce everywhere. In the past, some large companies have independently implemented identity products (e.g., Login with Facebook, Sign Up with Google). But unilateralism leads to chaos.
Next-generation products should embrace the power of aggregate data and standardize across a network of companies and users. Each organization can maintain complete control over where its data is used and shared (indeed, they must to enshrine user consent, security and privacy). But collective standards will help them and their users leverage data in a vibrant and more-frictionless ecosystem — as opposed to a Balkanized mire of one-off relationships.
7. Passwords And OTPs
Usernames, passwords and one-time passcodes (OTPs) sent by text and email can’t hold up in today’s security environment. Passwords can be bought easily on the internet for pennies, and bad actors can simply execute a simple SIM-swap attack to intercept a passcode. Strong, multi-factor authentication resolved locally on a user’s device (e.g., FIDO) is essential to secure, privacy-preserving digital identity.
To conclude, digital commerce hinges on establishing trust with the human being on the other side of the screen. Establishing that trust through “good” digital ID will safeguard the future — and open massive new opportunities for early adopters.