It’s time to start taking digital identity seriously
- By Malte Pollmann
- Oct 04, 2021
Digital fraud has never been more prevalent, potentially costing the world $10.5 trillion USD annually by 2025, a truly staggering sum. In the U.S. alone, $382 million was stolen in COVID-19 related scams, often by fraudsters registering for stimulus checks and unemployment benefits with stolen identities.
This theft illustrates the fundamental problem at the heart of online fraud: how can organizations tell that a person is who they say they are? In real life, there are clearly identifiable identity markers -- from faces to fingerprints and DNA, supplemented by certified documents like passports and driver’s licenses -- that limit a person’s ability to pass themselves off as somebody else. Online, a bad actor (or increasingly an automated bot) who enters the correct username and password on a website has access to everything the person who set up the account does. Digital identities clearly must be as strong as offline identities.
Congress has already identified this problem and introduced a bill aimed at providing a solution. The Improving Digital Identity Act aims to develop standards to guide government agencies when providing digital identity services, upgrading existing systems and creating interoperable tools for verification. It’s a promising start, but it may be hampered by the lack of clarity around digital identity itself.
How will digital identity be secured?
Digital identity documents are already used in applications like the biometric IDs that are issued to non-resident aliens, but these aren’t interoperable -- they have specific use cases and are not an “all in one” digital identity that could be used anywhere. Even with the Improving Digital Identity Act, there is unlikely to be a single government-mandated ID in the U.S., but there may be multiple private-sector suppliers offering approved digital IDs under a regulatory framework established by the legislation.
Any framework will have to be based on a public-private key architecture. Asymmetric cryptography, where freely available public keys can be used to verify signatures produced with a private key held by one person, is a highly scalable, robust method for keeping digital IDs secure. It is already used in thousands of applications in the public and private sector.
But there is an Achilles' heel to this procedure: the private keys must absolutely remain secret, which makes hardware security modules the ideal choice for generating and securely storing strong private keys. Unlike with software solutions, the keys themselves are never read into the main memory of a general-purpose computer, which means that they cannot be compromised remotely.
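To make the two preceding paragraphs concrete, here is an added example (not code from the article or from Utimaco) of an issuer signing a minimal digital-ID credential and a relying party verifying it with only the public key. The credential format, the names and the use of Ed25519 are assumptions; the issuer signs through Go's `crypto.Signer` interface, which is the same interface HSM-backed (e.g. PKCS#11) signers implement, so the private key bytes never need to leave the module.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, minimal digital-ID attestation (assumed format).
type Credential struct {
	Subject string `json:"subject"`
	Issuer  string `json:"issuer"`
	Expires string `json:"expires"`
}

// canonical returns the exact bytes that get signed. Struct field order fixes
// the JSON layout, so issuer and verifier serialize the credential identically.
func canonical(c Credential) []byte {
	b, _ := json.Marshal(c) // a struct of strings cannot fail to marshal
	return b
}

// IssueCredential signs with any crypto.Signer. An in-memory key is used below,
// but an HSM-backed signer satisfies the same interface without exposing the key.
func IssueCredential(signer crypto.Signer, c Credential) ([]byte, error) {
	// crypto.Hash(0) selects pure Ed25519: the message itself is signed.
	return signer.Sign(rand.Reader, canonical(c), crypto.Hash(0))
}

// VerifyCredential is what a relying party runs; it needs only the public key.
func VerifyCredential(pub ed25519.PublicKey, c Credential, sig []byte) bool {
	return ed25519.Verify(pub, canonical(c), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the HSM key
	cred := Credential{Subject: "jane.doe", Issuer: "example-dmv", Expires: "2026-01-01"}
	sig, _ := IssueCredential(priv, cred)
	fmt.Println("genuine credential verifies:", VerifyCredential(pub, cred, sig))
	cred.Subject = "john.doe" // any change to the signed fields breaks the signature
	fmt.Println("tampered credential verifies:", VerifyCredential(pub, cred, sig))
}
```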
With online fraud as pervasive as it is, it is no surprise that the government is looking for digital identity solutions for immigration, deterring identity theft and speeding up government services, even those as mundane as renewing a driver’s license. Given how important getting it right will be and the substantial benefits from doing so, both the government and private sector must work toward meeting the very highest standards of security.
Malte Pollmann is CSO at Utimaco.