A 2021 Liminal study revealed that a staggering 76% of consumers wanted the ability to manage their own data, and 60% of those consumers expressed more comfort with using a digital wallet. That shows a stronger push towards consumer adoption of digital tools and could portend that we’re at the fore of a new age of digital identity.
“Decentralized identity” in this context refers to the emerging technology that allows consumers to store, share, and revoke access to personal information directly through their own devices, thereby ensuring portability, protection, and privacy of online identity.
The emerging technologies of decentralized identification are gaining traction, but the market is still nascent. Simply put: We’re still in early days.
One of the original sins of the internet— a sin which every digital identity practitioner would go back and change now if they could—is a failure to develop a foundational identity layer.
The lack of an identity standard has resulted in the bloated, unmanageable system of one-to-one pseudonyms and passwords that every user creates for each platform they interact with. In turn, every individual platform is asked to encrypt and store this data, forcing those platforms to get into the ID business—whether identity and encryption was its business model (or not).
That creates (among other things) diffuse points of failure and recovery. Another way of putting it is that our current online identity layer has resulted in one unscalable, messy centralized point of failure.
When the user is not robust in their cybersecurity practices, like someone who uses a single email and password combination across all their accounts, that single point of failure is now a diffuse problem across every single platform they use. They have little to no recourse in understanding which accounts were breached and how a hacker has interfaced with their personal data.
To date, the only way companies have started to address that diffuse (or central) problem is by storing less user data. Regulatory pressures, as well as a general breach of public trust, have forced an awkward birth toward a new generation of identity management.
Services in both the private and public sector have an opportunity today to use a combination of existing and open platform technologies to put the end-user in control of the use of their own identity in varying degrees of transparency for verification purposes.
Such a user-driven identity platform also needs to address the “NASCAR problem” of competing IDPs in the identity stack: Users aren’t going to respond well to an incoherent screen full of logos offering different “login with” options. Right now, there are no successful, real-world examples of a user-centric identity ecosystem to point to (i.e., Google offers single sign-on for multiple other providers; however, truly inoperable personal identity ecosystems are still in a nascent state).
Users should have a right to be forgotten, and they also have the right to brandish whatever aspects of their identity they need for any given account or use case. (Paradoxically, blockchain works against the ability to have utter online anonymity as the public nature of the transaction ledger and its immutability are defining characteristics.)
For a given application, most users want to present a sliver of their identity. What you share on a job posting board may vary wildly from the aspects of your identity you share in a video game session, or an online dating profile. Fundamentally, those versions of identity may as well be two entirely different people.
Today, consumers are not well positioned to manage their own identities and they see no solution in sight for that problem. In addition to that pain point, platforms are burdened with varying degrees of identity management and the resulting cybersecurity and regulatory risks.
When users remain at the center of every identity use case, ideally they should be able to spin up identities as needed, and shred them when they’re done. Think of this like a burner phone for your identity, only far more secure, robust, and revocable.
When a user needs to prove they’re 21 for age-gated content or a purchase, the platform on the other side of the transaction needs only the surety that this person is who they say they are, and that they are over 21. Maybe the platform doesn’t need this information on an ongoing basis, so the information can be revoked by the user after the transaction is over. (The bouncer at a bar does not keep a copy of a driver’s license after someone proves they’re old enough to drink, right?)
Decentralized identity solutions suffer from a chicken-and-egg scenario currently: Consumers are hesitant to onboard themselves onto a new identity platform unless it offers immediate value (Apple’s digital wallet is the perfect example of this). Platforms are unwilling to invest the financial and personnel resources to integrate identity platforms without a critical mass of users (which is why that Apple example is so relevant).
There could be some new signs of a shift among the market, and it’s one that has the true potential for that level of ubiquity. FIDO is an example of large platforms sharing resources to establish an open standard. It could stand a chance of gaining significant traction amongst end-users that are already using an Apple digital wallet, for example. To date, it’s definitely evidence of an open platform that could realize true critical mass.
This consortium is still in its early days, but the FIDO2 announcement is likely to be tremendously impactful. The Liminal digital identity flywheel, as well as inherent challenges to verifying aspects of identity (including age), still leave plenty of gaps for stakeholders to uncover both insights and opportunities to participate and innovate solutions for user identification.
Credential scanning and storage. Players that can harmonize and orchestrate varying types of credentials. Offerings, for example, that provide digitization services (scanning, storing, encrypting physical identification) for platforms that haven’t adopted digital IDs in every state or developing countries within the EU. Consider that a business that caters to, or manages, an aging client base may need to work with paper IDs because that user base will be reluctant to adopt radically new identity standards.
Identity recovery. If an identity is tied to the cryptographic keys stored on a specific device, and that phone falls into the ocean, that user will need a secure and efficient way of reestablishing their account keys on a new device.
Fraud detection. The deployment of decentralized identity seals off many of the most common threat vectors for account takeover and fraud. However, fraudsters can be counted on to evolve by identifying and exploiting new (and existing) techniques. Identifying and detecting account takeover and social engineering threats will require new and innovative solutions tailored to the decentralized identity landscape.
Ultimately, the success of any consumer-centered decentralized identity product relies on securing viable use cases to ensure adoption. For more insights into how your company can benefit or how you can enter the new realm of digital identification, contact us about our individualized market research solutions and membership offering.