Why have governments struggled to get it right on digital identity?
With many government-developed services seeing poor uptake, the answer may lie in allowing citizens to ‘bring your own identity’, according to Arthur Mickoleit of Gartner
Governments have not been very good at giving citizens the means to securely and easily identify themselves online.
If you leave out the Nordic countries, governments’ digital identity schemes around the world have not been met with a lot of acceptance or use by citizens. That is starting to change, fortunately. Not least because governments are starting to recognise that digital identity is not just a technology issue, but also needs serious thinking about governance and user experience.
When creating and managing digital identification schemes, government agencies have two main avenues.
The first option is to manage the entire identification and authentication process in-house. The second is to turn to the growing list of digital identity service providers (IDSPs) that are emerging, within government and outside. Turning to an IDSP offers a range of benefits, mainly the reassurance of focused expertise that a specialised provider brings.
At the same time, governments need to consider that commercial, public and citizen interests can sometimes differ in this space.
Government agencies also need to consider that citizens already use digital identities to access a range of public and commercial services. Having to hold separate digital credentials for each service is irritating for citizens, inefficient from a service provision and management standpoint, and risky because it creates and increases vulnerabilities.
This is why governments are starting to allow citizens to ‘bring your own identity’, by using the digital identity of their preference to interact with government agencies and services. This means, for example, using an online banking or social security login to access other services, such as tax administration services.
29 September 2018: Date from which EU public service providers have, under the eIDAS regulation, been required to recognise electronic IDs from all member states
One in five: Proportion of residents of France who have signed up for the government’s FranceConnect service
Gartner predicts that, by 2023, over 80% of government services requiring authentication will support access from multiple IDSPs.
In Europe, this is becoming a reality already.
The eIDAS regulation means that citizens holding a digital identity accredited in one country can use that identity to access public services in another country – meaning, for example, a holder of an Estonian Mobiil-ID could use it to access digital public services in Austria. Services in any EU member state are thus becoming accessible by means of any of a growing list of digital identity providers accredited under the regulation.
Across the globe, a range of systems and schemes have been developed – some more successfully than others. In countries like Norway or Denmark, virtually the entire population uses digital identities to access government – and commercial – services. Other countries including Germany, Australia and the US are still trying to establish digital identities that are widely accepted and used by citizens.
The less successful digital identity schemes are often bogged down by overly-bureaucratic cultures, leading to complications and poor user experiences. Many governments, for instance, prioritise high levels of security over positive user experiences.
While that might seem intuitive, it is also a very rigid approach, if universally applied. Individual services can have different needs. For instance, booking a social welfare appointment does not bear the same risks and should not require the same level of security as declaring taxes. Declaring taxes, in turn, probably does not need the same level of security as changing your residence or even voting for your members of parliament via an online channel – which is practised in Estonia.
This should give government CIOs pause for thought.
They must explore and pilot different approaches before deciding what will work best for their own culture, context and needs. They might opt for a system based around government-issued IDs, such as Spain’s Cl@ve or India’s Aadhaar, non-government IDSPs, such as Canada’s SecureKey Concierge or Norway’s BankID, or a combined approach.
One such approach is FranceConnect, in which the government takes the role of identity broker, allowing citizens to access government services via a range of accredited IDSPs from the public and private sectors. Launched in 2016, FranceConnect already counts a user base of around 20% of the population.
Technologies that support digital IDs and authentication methods are evolving at a rapid rate. So, while it’s important for government CIOs to safeguard continuity, they must also manage change in relation to the emerging technology options. For example, if people want to access services on mobile devices, CIOs need to question the usability of digital identities on physical cards.
Government CIOs have to stay on top of how security options and user profiles continuously evolve. Emerging technologies such as blockchain have the potential to resolve a range of governance, security and privacy issues of digital IDs. Proven use cases do not yet exist in this area, but government CIOs are advised to closely monitor this space and potentially engage in pilots.
The creation of secure digital IDs is not simply a matter of technology; recent incidents of digital ID misuse in Estonia have demonstrated this point.
The security breaches saw the misappropriation of identities through phishing and social engineering. Governments need to dedicate resources to educating citizens about the growing value of their digital identities. Citizens need to realise that their digital identities are becoming as valuable and important to protect as their analogue identities.