Implementing the government’s new digital identity trust framework must be a main priority for 2023, leading tech industry figures believe. But speakers at a recent event on the future of digital identity in the UK were split on how this should be achieved, with some calling for greater education of citizens by industry, and others saying the government must take the lead on legislating in this area.
The Westminister eForum ‘Next steps for digital identity in the UK‘ event saw executives from tech trade organisation techUK, digital identity vendors Iproov and IDEMIA, and other industry stakeholders such as the Open Data Institute and the Biometrics Institute discuss their priorities for the next 12 months. These included technology and interoperability, organisation adoption and cooperative structures, support and guidance, skills development and public engagement and trust.
For many of the speakers, the focus was on the Digital Identity and Attributes Trust Framework. First announced by the government in 2021, it sets out the requirements for organisations to follow if they want to provide secure and trustworthy digital identity and attribute solutions. The framework was initially published in alpha testing phase, and a beta version was released last summer following input from more than 250 civil society groups, standards bodies and other stakeholders.
It will now go through a more vigorous testing process before being brought forward as legislation.
Moving digital identity away from the historical mistrust of the national ID card
Sue Daley, director of technology and innovation at techUK, said previous attempts to introduce digital identity checks for accessing public services had floundered due to public mistrust around ID cards that dates back to the 1990s. But she said the direction the government is now taking with the framework is replacing that mistrust.
“There are several different reasons why [there is pushback on a national ID card scheme] – some of it’s cultural and historical,” she said. “I think that the approach with the trust framework and developing a market and an industry that will enable products and services [that will empower citizens] has been the focus for several years now.”
Research by Iproov indicates that people in the UK are open to the idea of a single digital identity. However, while the government is slowly piloting One Login, which will allow citizens to use one set of credentials to access all government online portals, it does not have plans to create a national ID card system.
However, how to gain public trust was one of the biggest discussion topics among panellists, with disagreement around where the responsibility lay when things go wrong for users. Andrew Bud, CEO and founder of Iproov, told attendees of the event that the industry had to "get it right" when it came to digital identity due to the harm it could cause citizens.
"It is [the industry's] responsibility to make the use of these technologies obvious and intuitive, and to shoulder the task of protecting [users] against abuse without having to teach them how to protect themselves," Bud said. "Otherwise when things go wrong, it's their fault - and that is simply not right."
Government has to intervene to drive trust in digital identity
Bud argued government needed to intervene to ensure barriers to adoption of digital identity tools are removed.
"If we're talking about wide-scale trust, if we're talking about network effectiveness, if we're talking about adoption - these are public goods," he said. "They are externalities and these are things that government has to intervene in order to remove barriers to entry, in order to promote innovation, in order to drive adoption and in order to drive trust."
To achieve this, he asserts, regulation is essential to ensure digital identity systems are not abused by cybercriminals. Bud presented evidence that showed digital injection attacks, face swap attacks and discriminator attacks were the main methods of attack against biometric authentication: "We saw a number of key trends in 2022 and what they communicate is the tremendous rate of change and increase of sophistication with which attacks are attempting to compromise, create, steal and takeover digital identities by attacking the bind between the identity and the human being," he said.
The Iproov founder warned that while historically people thought that the threat to biometrics was an attacker using a photograph, a screen or a mask over someone's face, the real threat comes in the form of digital injection using stolen or synthetic imagery to bypass cameras. These attacks happen across all platforms, he warned.
Iproov gathers its insights evidence through its security operation centre, which Bud says observes what is happening in the biometrical authentication arena across its networks worldwide. In the UK, the company works with the government on the EU Settlement Scheme, the NHS app and GDS's One Login.
"The message is what took high technology today is becoming universally accessible," Bud explained to delegates. "We're seeing this vast explosion, indicating low-skilled criminals now have access to the cool kids on the dark web so that they can very readily and cheaply launch."
This is a fundamental challenge to biometric authentication, says the CEO. And he believes it's going to get worse.
Digital identity stakeholders must prioritise inclusion
Further conclusions drawn from Iproov's evidence are that inclusion is key for digital identity products and services. Bud explains that this is not only evident from a security perspective, but also from the performance of the system and how organisations work with their global clients and maintain their relationships.
"Systems that are segmented or discriminatory will not successfully move the needle," he said, continuing that there are two aspects to achieving true inclusion.
The first is offering choice - moving away from handset-specific digital identity solutions. Bud describes these as a "money-making feature" and emphasises that no digital identity product or service should "impose any requirement for special devices or hardware sensors on the users."
"We've also seen that device-based solutions have tremendous risks," he cautions. "It also makes it impossible to gather threat intelligence to all defences."
According to Iproov research, while the majority of British people find applying for government services online relatively simple, over a third struggle to do so.
Focusing on educating the public on digital identity is 'fundamentally wrong'
During the event, all stakeholders took part in a debate about the need to educate the public on digital identity. Bud was the strongest advocate against this approach.
"When I hear people saying 'we have to educate the public on this, we have to teach them about that, I think that is fundamentally wrong," he told delegates during his presentation. "The binomial between usability and security is no longer acceptable and it's especially not acceptable in the world of digital identity."
Instead, Bud explained that the task of the government and the industry was to relieve users of the burden of responsibility.
Research shows that people in the UK have varying perspectives on what a digital identity is.
Other speakers touched on this topic, including Martin George, from the digital identity expert group at the Biometrics Institute, who said that the organisation did believe in the role of education and "helping people to understand the risk" that using mobile apps or the Internet could expose them to. He pointed in particular to the sharing of private data.
"This needs to be understood," he said. "I think the only method by which we can do that is education."