Digital Identity and Why It's Important
Digital identity is the digital representation of an identifier (or a group of attributes), data and relations to accurately describe a specific person, organisation, or thing. A person’s digital identity is commonly used as a catch-all term to represent any personally identifiable information (PII) that can be used to identify someone’s civil, social or individual identity. As people upload more of their unencrypted and non-anonymised PII to the internet, it becomes easier for other digital users to undertake malicious acts such as identity fraud.
When digital identity is managed within a trusted, authenticated ecosystem, all ecosystem parties can ensure that:
- The identity subject (referred to as the Holder) is protected and cannot be compromised
- The identity providers (referred to as Issuers) are delivering PII securely to the rightful Holder, and
- The relying parties (referred to as Verifiers) can be assured that the PII they are verifying is from a trusted source and the claims associated with the Holder are true. Verifiers are also committed to only using the data for the contracted purpose.
There are many digital identity models, all of which can be used in different scenarios with different outcomes. Many models incorporate different digital identity approaches to streamline processes and/or extend their reach. Some of the most commonly referenced models and approaches are summarised below.
The centralised identity model places service providers or centralised governments at its centre, with these organisations being the custodians of users' identity. Users are given accounts and login details in order to access their identity data but have limited control over ownership and data exchange.
When taking part in a federated identity model, a user can log in to or access an identity provider (IDP), which communicates and shares the user's data with organisations on the user's behalf. In this model, a group of IDPs that the user can select from is called a federation, and the organisations that request the user's identity data are called Relying Parties.
The decentralised identity model gives users complete control over their identity data. Their identity data is stored on a device of the user’s choosing, and exchanges of this data occur peer-to-peer. Rather than creating accounts and accessing external systems, users create connections with one another that can be managed by the users themselves.
Self-sovereign identity (SSI) is closely aligned with decentralised identity in that it supports the idea that the user is at the centre of the data ecosystem and each user controls and exchanges their data via peer-to-peer interactions. The additional layer that SSI brings is that it can be applied to all aspects of digital identity, including the business, legal and social aspects. Achieving an ecosystem where trust filters through these different layers, resulting in all participants trusting each other, requires the implementation of governance frameworks. These frameworks are key for SSI infrastructure to be successful.
Every time a user logs in to a platform or shares their personally identifiable information (PII), there is a risk that their data could be shared with third parties or used with malicious intent. Reusable identity is an approach to securely storing users' credentials, login information, and PII in a unified platform which can be accessed only by the user when they require it. This approach not only reduces the risk of data theft but also saves the user time when completing sign-up, login and other data exchange workflows.
A recurring theme when discussing digital identity is that of trust. As mentioned above, all parties within a digital identity ecosystem or workflow need to trust each other in order to manage a robust identity exchange network. To ensure different parties can trust each other, many governments and organisations are implementing standards and frameworks into their practices. These standards and frameworks create standardised rules and requirements for each ecosystem participant, making involvement in a digital identity network more reliable, ethical and risk-reducing.
In Australia, the Trusted Digital Identity Framework (TDIF) provides nationally recognised accreditation to digital identity, attribute, and credential service providers. This accreditation ensures that providers meet an extensive list of requirements, including privacy, security and risk management obligations, when engaging with customers' PII. The providers who obtain TDIF accreditation are providing digital identity solutions aligned with standards built by the Australian Government.