For the last decade, governments at the federal, state, and local levels have been advancing digital transformation programs that support broader online access to benefits, services, and information. The COVID-19 crisis has highlighted that progress has been made to date but that there is still much to be done, particularly for citizens needing access to services from multiple government agencies.
More often than not, citizens are required to laboriously register new credentials for each service, inputting the same personal information for each site and service. When peeling back the layers of how digital identity can enable broader, stronger, and more convenient online transactions, four specific principles can be distilled:
Digital identity solutions should be user controlled and portable so that citizens can easily access many online services with the same secure digital identity, and not have to create multiple different identities for each service.
Digital identity services should be flexible and adaptive to support the rapid integration of different end-user devices and authentication mechanisms—such as biometric technologies and low-friction solutions such as behavioral analytics—based on evolving technologies and the shifting threat environment.
A broader digital identity ecosystem will likely emerge where verified information will be consumed—for example, a citizen may establish reputational trust around their digital identity that is used to post online information; or threat alerts, such as compromised email addresses or other information that may be shared among organizations in the ecosystem.
Strong digital identity systems should enable bi-directional trust – that is, governments need to know that the authorized citizens are accessing services and information, but citizens also need to trust that they are interacting with a legitimate service, that their personal information will be protected, and that they can efficiently access services.
Deloitte’s perspective on this critical topic of digital identity—based on supporting programs across federal and state governments for over a decade—is that the specific aspect of bi-directional trust has historically been the sticking point. “In the past, there has understandably been more of a focus on the government identifying individuals correctly to make sure benefits and services are going to the right people,” said Colin Soutar, managing director in the Cyber and Strategic Risk practice at Deloitte & Touche LLP. “But as online services evolve, there also needs to be reciprocal trust by citizens that their interactions with service providers are securely protected and that their privacy is preserved.” Deloitte believes that achieving this bi-directional trust is incumbent upon embracing and implementing the principles of digital identity stated above.
As this bi-directional trust is established, the user experience should also be simplified and streamlined. Currently, citizens accessing different government services online typically have different logins, different passwords, and need to supply the same set of personal information each time to verify their identity. That’s because government currently operates on the basis of re-identifying digital users each time they access a new service.
Instead of this re-identification cycle, bi-directional trust embraces the principle of putting the citizen in control of their digital identity. The federal or state governments, or the commercial sector, can issue citizens verified attributes that they can then use to access government services. Depending on the risk of the transaction—filing taxes would likely be high risk, booking a tennis court would likely be low risk—the required attributes for that transaction would change. But regardless of the transaction and whether it was with local, state, or the federal government, the digital identity would be the same.
With this bi-directional trust and user convenience, governments can achieve digital transformation milestones, leading to greater efficiencies and cost savings. “When citizens don’t trust the government service that they are interacting with, they might walk away,” Soutar says. “We often see loss of patience or trust as a predictor of online attrition rates.” That attrition costs government money, because those people who could have interacted with services online now have to be supported in person or telephonically, which is more expensive and resource intensive.
“Even if they request different services, it is ultimately the same individual who is a constituent,” said Ryan Galluzzo, manager in the Cyber and Strategic Risk practice at Deloitte & Touche LLP. “Enabling that individual to bring their own identity to different online interactions promotes a simpler user experience and gives the individual greater ability to control their own identity data. It also means that the government doesn’t have to force identity proofing each time an individual accesses a different service or government agency.”
Important to this portability is that a user can carry their trusted digital identity across disparate platforms and agencies, to access a multitude of government services and interactions. There are many different concepts to enable this portability and most are based on the idea that individuals would be able to receive verified attributes—date of birth, address, driver license number, Social Security number—from attribute providers. The attributes could be stored in a mobile driver license or a digital wallet and then used by the individual as needed. This model would enable the individual would be able to choose which attributes to reveal based on the transaction and there would be privacy-enhancing features. The digital wallet or mobile driver license would show that they are over a certain age for age verification rather than revealing full date of birth, and instead of giving out the entire address it would confirm that they live in a specific town.
Overall, portability can be accomplished via common standards and the digital identity can be protected through authentication methods like biometrics, device fingerprinting, or more traditional techniques like multi-factor authentication. This use of diverse authentication technologies also enables governments to adapt to changes in security posture; user preferences; or modernization needs. It also allows citizens to choose their preferred channel—mobile, laptop, desktop, etc.—for interaction with the government while feeling safe in the knowledge that their digital identity is enabling secure communication.
As digital identity systems continue to evolve, governments may benefit from deploying a layered approach that dynamically adjusts controls based on the current situational and transactional risk. This would be supported by broader ecosystem capabilities, such as shared threat signals, crowdsourced vulnerability hunting, and broad information sharing that unlocks identity ecosystem-wide security capabilities that can support trusted transactions. This broader digital identity ecosystem will, of course, also require that bi-directional trusts exists between all ecosystem participants such as governments, businesses, and individuals. This would be based on common adoption of operating principles such as those stated here.
“For years, the security industry has been calling for two-factor authentication—which remains a valid and powerful tool—but we are already seeing some traditional two-factor authentication methods being subverted,” Galluzzo remarks. “A way for governments to stay ahead of attackers is to manage risk through the layering of new and innovative solutions that can be rapidly deployed through modular, service-based architectures.”
Techniques such as behavioral biometrics, device attributes, user history, and dynamic access controls can create moving targets for attackers and support a stronger security posture. “With many of these solutions the need for transparency becomes paramount,” Galluzzo says. “Users need to know what data governments are collecting, how it’s being used, and how they can opt-out. Without this, bi-directional trust is not possible.”
A more dynamic and cohesive digital identity ecosystem can enable citizens to more efficiently and conveniently move around online while governments gain the assurance that they need to determine that benefits are going to the correct individuals. The world has been disrupted by the COVID-19 pandemic, and it is inevitable that a more virtual society will persist beyond the crisis. This virtual society will have many diverse circumstances – with use cases that span a wide range of requirements for verification of digital identities. One approach to satisfy those needs is to embrace a broader digital identity ecosystem that embraces bi-directional trust between citizens and government, portability across government, and the ability to be flexible and adapt to the needs of the individual.