It’s widely held in digital identity circles that the original sin of the internet is the lack of a foundational identity layer. What we have instead is a patchwork of centralized identity systems held, stored, protected, and maintained by an unstable network of users, services, and devices. The result of this fragmentation is an increasingly frustrating user experience, and arguably the worst of both worlds: an extremely centralized point of failure, with diffuse mechanisms for recovery when something goes wrong. If you just read that sentence as “the status quo is failing everyone,” that’s pretty much what we mean.
The problem was decades in the making. Thankfully, due to an interesting confluence of user behavior, enterprise stakeholders, and government agencies, we could be at the forefront of new digital identity solutions that will work for everyone.
As markets begin to adopt federated identity models, at Liminal, we’ve seen some early drivers that have the heft and user consolidation to make a real dent in broader adoption of digital identification. How far—or near—are we from a tipping point where consumers can upload an officially issued identification to a mobile wallet or sign into many online systems with a single reusable credential?
Today, there are bigger authorities getting behind officially issued and administered digital identification. Big Tech players (e.g., Google, Apple) are likely to be even bigger drivers of consumer adoption. The COVID pandemic accelerated a lot of things, including digital wallets as payment systems. In 2021, 32% of mobile wallet users had three or more mobile wallets (Apple Pay, Google Pay, etc.), which was up from 21% a year earlier. That’s a massive user base of both digital natives and their Gen X big siblings who are increasingly comfortable and confident using their cell phone as more than just a communication tool. Increasingly, it’s a payment tool as well.
In September of 2021, Apple announced its work with several states to add driver’s licenses and state IDs to the Apple Wallet. This early collaboration with various state governments makes Apple a definite leader in the eID space. The challenge: It won’t scale for users without an iOS device. Despite Apple’s best efforts to gain exclusivity, we predict that it will struggle to control mDL program rollouts.
Some states that have already adopted mDLs include Arizona, Maryland, Connecticut, Georgia, Iowa, Kentucky, Oklahoma, and Utah. These states are working to put REAL IDs directly in their residents’ digital wallets, and the TSA can already accept mDLs at a few U.S. airports, including:
The EU is currently working to roll out the European Digital Identity, which will be available to all EU citizens, residents, and businesses under the eIDAS 2.0 regulatory framework. Like an mDL in the United States, European Digital Identity allows parties to verify their identities online and in person for a variety of public and private services throughout the EU. The EU is also aiming to establish a decentralized system where users control their own accounts, another step toward federated identity ecosystems.
For something like a state-issued driver’s license to reach true scale, a digital ID must have full interoperability across all devices and applications. It may seem a bit provincial to point this out, but think about how you don’t have to wonder whether or not your physical driver’s license will fit into the windowed slot in your physical wallet. Digital natives will expect the same ubiquity across all of their devices, and the use cases for identity in their daily lives. In short: mDLs should be as technology-agnostic as possible (obvious examples: Bluetooth, Wi-Fi, HTTP).
To this end, some of the tech giants are coming together in a combined effort to support common standards through bodies like the World Wide Web Consortium (W3C) and the FIDO Alliance.
Additionally, an ISO standard for mDLs that was established in 2021 is getting a lot of attention and interest from various players (Apple included amongst them).
Fast Identity Online (FIDO) is a leading set of security specifications for reliable authentication. The FIDO Alliance (a non-profit with the intention to standardize authentication) is seeking to overhaul the fallibility of passcodes (which, per FIDO, cause more than 80% of data breaches). FIDO’s latest initiative proves to have teeth, especially after Apple, Google, and Microsoft announced a collaborative effort to support FIDO standards for password-less sign-ins in May 2022.
FIDO uses standardized public-key cryptography and a centralized repository to simplify the onboarding and log-in process. The potential (and hope!) is to improve security by reducing the margin for human error (forgotten passwords, misplaced passwords, phishing schemes) or criminal activity. Because a user never controls their own passkey, it can’t be shared or stolen. A private passkey is mathematically related to a public key, so the private passkey itself never even passes through a server.
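A simplified model of the public-key sign-in described above, added here as an illustration (not code from Liminal or the FIDO Alliance, and not the WebAuthn wire format): the service stores only a public key, the private key stays inside the authenticator, and each signature covers a one-time server challenge bound to the site's origin. The `Authenticator` and `RelyingParty` classes, the `bind` helper, the user name and the `.example` origins are constructed for this example.

```javascript
const nodeCrypto = require('node:crypto');
// Simplified model of a FIDO-style sign-in; not the WebAuthn wire format.
// Class names, the user and the .example origins are constructed.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key, never exported
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential scoped to this origin
    return nodeCrypto.sign(null, bind(origin, challenge), key);
  }
}
// The signed message binds the server's random challenge to the origin.
const bind = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const pem = this.users.get(user);
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify(null, bind(this.origin, challenge), nodeCrypto.createPublicKey(pem), signature);
  }
}

function demo() {
  const device = new Authenticator();
  const rp = new RelyingParty('https://bank.example');
  rp.enroll('alice', device.register(rp.origin));
  const signature = device.sign(rp.origin, rp.newChallenge('alice'));
  const ok = rp.verify('alice', signature);
  const replay = rp.verify('alice', signature); // challenge already consumed
  // A lookalike origin relays a fresh challenge: the device holds no key for it.
  const phished = device.sign('https://bank-login.example', rp.newChallenge('alice'));
  return { ok, replay, phished, serverHoldsOnlyPublicKey: /BEGIN PUBLIC KEY/.test(rp.users.get('alice')) };
}
console.log(demo());
```

A breach of the service's user table in this model exposes public keys only, which cannot be used to sign a challenge.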
The upside could be massive. The challenge is assuming that bitter rivals will agree on shared standards and that those shared standards will meet the expectations of consumers.
There are obvious success stories that point to rivals working together and adopting unified standards (HTTP, Bluetooth, Wi-Fi, among others).
But when we’re in this early adoption cycle, things can also either fail or just simply stall. Over a decade ago, the movie studios formed UltraViolet in an effort to unify the end-user experience and protect their IP. That alone wasn’t enough to respond to the fragmented online content marketplace (or, let’s face it, Netflix).
As we move through these early adoption cycles, and more technologies mature, there are opportunities to readdress the sin of omission we mentioned above: one that puts authentication and identification in the hands of larger stakeholders, and allows third parties and consumers to get out of the username and password business.
To get there, this process will need to keep the user central to the discussion and create frameworks that allow for frictionless interoperability, portability, security, and, most importantly, trust. What is today’s great idea could ultimately prove to be tomorrow’s UltraViolet, and so on. Success could be defined by all of these stakeholders admitting there’s a problem with user authentication throughout the entire ecosystem, and generating shared standards for federated user data and identity.