This Technical Report to the ITU-T Focus Group on Digital Financial Services (DFS) presents an overview of the current and projected state of digital identity and authentication, as it applies to the DFS sector. It is intended to be read in the context of Recommendations ITU-T X.1252, ITU-T X.1253, and ITU-T X.1254, which address the wider issues around the management of identity in data networks.
The broader context is the adoption by world leaders on 25th September 2015 of the UN’s 17 sustainable development goals (SDGs) of the 2030 “Agenda for Sustainable Development”, of which Clause 16 states: “Promote just, peaceful and inclusive societies”, which is further amplified with the clause: “By 2030, provide legal identity for all, including birth registration”. In the light of broader moves around the world to electronic/digital transactions, particularly in the DFS sector, it is inevitable that the best method of achieving this is through the creation and use of digital identities, through a variety of means. For this reason, the paper briefly explores the relationship between legal and digital identities.
The nature of digital identities is explored in this report, as well as a core definition of their usage presented, based on three phases:
• Identity proofing - the process of establishing the legal identity of an entity presenting him/herself for registration. At the successful conclusion of this phase, a digital identity is created and associated with the person.
• Authentication - the process (undertaken when the person asserts an attribute of their identity) of validating the assertion of an attribute associated with a previously established identity.
• Authorisation - the process of determining the degree of access to a service that may be provided on the basis of a previously asserted and successfully authenticated identity.
This includes provision for partial assertion; so an individual does not need to assert every attribute of their identity. For example, an individual might assert their name, and not their address or any other attribute – or perhaps that he or she is over 18 years of age, without being required to provide his or her name.
The paper then describes different types of digital identities, from the foundational identity, usually created as part of a national identity scheme, and is typically based on the formal establishment of identity through the examination of qualifying (breeder) documents such as birth records, marriage certificates, and social security documents. This can then be used in the creation of derived digital identities, such as a transactional identity which might be created during registration for DFS services, and used for customer authentication during DFS transactions, and for other service access as determined by the DFS operator.
After an overview of the importance of the level of assurance (LoA) associated with a digital identity, this paper briefly introduces the various forms of identity architecture that are being explored worldwide. These are explored in more detail in Appendix A.
In addition to architectures, a further complication is the class of digital identity used – either static or dynamic. A static digital identity is derived from the foundational identity and is one that is typically issued by a national identity scheme, or historically, by a bank. Its initial high LoA degrades over time (attributes such as address may change, for example), raising a requirement to re-check periodically – for example, the financial regulator in South Africa requires that banks’ customers reassert their address at least annually. An alternative that is being explored is the dynamic identity, which is initially self-asserted (as in a Facebook ID, for example) with a very low LoA, which can be developed over time – for example, by visiting a service provider and presenting supporting documents (like a passport) in order to gain access to an additional service. This approach can dramatically reduce friction around onboarding, though it does need careful management.
The technologies around digital identity are explored, specifically around the identity proofing, authentication, and authorisation stages of the lifecycle. In general, a specific focus is on authentication technologies; particularly around personal identification numbers (PINs) and biometrics. The reasons for moving away from PINs are explored, and the difficulties of moving to biometrics are highlighted as a set of technologies that are easy to use badly (often giving a sense of security that isn’t really there), and difficult to use well.
These inputs are then used as inputs to an analysis of the use of digital identities in the DFS sector, considering first the ‘traditional’ approach with a customer who has a foundational identity document set. The paper cautions against relying entirely on the foundation identity for DFS transaction authentication, highlighting the consequent performance issues, and suggests the use of derived transactional digital identities for this purpose. With regard to customers without the necessary identity documentation, a way forward based on the use of dynamic digital identities is suggested, with the type of service that can be delivered linked directly to the LoA that can be achieved over time. It is recognized that further work is needed in this regard.
A number of examples of the use of digital identities with DFS services are explored, including a general example of the use of a foundational digital identity with the Groupe Speciale Mobile Association’s (GSMA) mobile connect framework, and specific examples from Pakistan, South Africa, India, and Nigeria. The impact of digital identity on DFS in general, and on the barriers to adoption, are explored from the perspectives of the commercial models (increasing the potential customer base, reducing the cost of regulatory compliance, and creating a framework for the development of additional revenue streams), social and cultural issues (specifically including privacy concerns, balanced by the potential to enhance financial inclusion), and the regulatory impact (including the potential for increasing support for the FATF Risk-Based Approach, and the need for developments in the area of liability).
Finally, a number of recommendations are made:
Recommendation 1: At the time of registration, a DFS operator should create a digital identity for its customers, for use in both DFS transactions and (where relevant) in identity assertion with external service providers.
Recommendation 2: Where a customer is unable to provide a foundational document of digital identity, consider the issuance of a dynamic, self-asserted digital identity, which may be ‘stepped up’ over time and as required.
Recommendation 3: Regulators should standardize digital identity registration, and ensure interoperability between DFS operators and service providers relying on the digital identity.
Recommendation 4: DFS operators should build in customer privacy measures, compliant with national legislation either current or anticipated.