SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Making the case for decentralised identity
Tue, 1st Nov 2022

There's a moment in the movie The Net when Sandra Bullock, playing a systems analyst and remote worker, gets her identity, and entire life, erased with far-reaching consequences. The year was 1995, and the issue of "personal privacy" was just starting to emerge. Major web players, from eBay to Cisco, had by then begun to reflect on global standards for managing personal data.

Fast forward to today, and we find ourselves in the midst of an identity crisis like never before, thanks to the explosion of digital services. The global pandemic has only widened the battlefield for rampant identity fraud as more people shift to online transactions and remote work.

Online fraudsters on the rise

This can be attested to by the rising number and monetary size of online scams since the coronavirus outbreak in 2020. Australians lost AU$295 million to scams in the first half of 2022, according to newly released data from the Australian Competition and Consumer Commission's (ACCC) Scamwatch. The total losses from January to June 2022 more than doubled compared to the first half of 2021, when Australians lost a combined $139 million.

Banking scams are particularly fraught for both consumers and the banks, which take hits on both the financial and reputational fronts. In many instances, customers blame a bank's scam prevention measures and demand that banks be more proactive.

Nearly three-quarters of consumers expect businesses to take the necessary security steps to protect them online, and 7 out of 10 say it's important that companies they frequently deal with online are able to identify them across visits. This isn't a surprise to businesses, a majority of which expect consumers to cite security as a top priority.

This raises the question: what can a business do? How can CIOs and CISOs preserve privacy and trust as identity theft becomes increasingly rife?

A new secure identity paradigm

This is where decentralised digital identity comes in.

What makes this different from existing identity strategies? It is the way critical data is stored and validated. The idea is to give individuals more privacy and convenience with less fraud. One specific implementation of decentralised identity is self-sovereign identity (SSI), which is designed to give an individual or company more control over their digital identity.

Take, for example, Mary, who is trying to buy age-restricted items. If SSI is adopted, Mary can present proof through her digital wallet that she is at least 18 years old without having to reveal her actual date of birth.

In a decentralised identity framework, the user receives verified credentials about themselves from certified issuers such as governments and retailers. These credentials are stored in the user's digital wallet app. When the user presents proof of identity to a company requesting it, the company can verify the proof via a blockchain-based ledger.

Note that the fundamental properties of a blockchain ledger are, firstly, that it does not store the user's data and, secondly, that it is cryptographically secured to make the ledger tamper-proof.
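The issuer, wallet and verifier flow described above can be sketched in a few lines. This is an added illustration, not code from the article or from any SSI product: it uses salted-hash selective disclosure with an Ed25519 issuer signature, and the in-memory `ledger` map, the function names and the claim names are assumptions made for the example.

```javascript
// Added illustration: salted-hash selective disclosure with an Ed25519 issuer signature.
const crypto = require("node:crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Constructed stand-in for the ledger: issuer identifier -> public key.
// It never holds any data about the user.
const ledger = new Map();

function createIssuer(id) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  ledger.set(id, publicKey);
  return { id, privateKey };
}

// Issuer: commit to each claim with a random salt, then sign only the digests.
function issueCredential(issuer, claims) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(claims)) {
    const salt = crypto.randomBytes(16).toString("hex");
    disclosures[name] = { salt, name, value };
    digests.push(sha256(JSON.stringify([salt, name, value])));
  }
  const payload = JSON.stringify({ issuer: issuer.id, digests: digests.sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuer.privateKey);
  return { payload, signature, disclosures }; // kept in the holder's wallet
}

// Holder: reveal only the chosen claims; the rest stay as opaque digests.
function present(credential, names) {
  const disclosed = names.map((n) => credential.disclosures[n]);
  return { payload: credential.payload, signature: credential.signature, disclosed };
}

// Verifier: look up the issuer key on the ledger, check the signature, then
// check that every disclosed claim hashes to a digest the issuer signed.
// Returns the verified claims, or null if any check fails.
function verify({ payload, signature, disclosed }) {
  let parsed;
  try { parsed = JSON.parse(payload); } catch { return null; }
  const key = ledger.get(parsed?.issuer);
  if (!key || !crypto.verify(null, Buffer.from(payload), key, signature)) return null;
  const claims = {};
  for (const { salt, name, value } of disclosed) {
    const digest = sha256(JSON.stringify([salt, name, value]));
    if (!parsed.digests.includes(digest)) return null;
    claims[name] = value;
  }
  return claims;
}
```

In Mary's case the wallet would call `present(credential, ["age_over_18"])`, so the retailer learns only that one claim. A real deployment also binds the presentation to the holder's key and a verifier-supplied nonce so that a captured presentation cannot be replayed.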

The movement to decentralised identity is underway, with forward-thinking companies developing the core technologies and roadmaps to build self-sovereign frameworks. This gives users back their privacy, allowing them to choose the personal information they share and who can access it, resulting in convenience with less fraud and friction – a win-win for everyone.

However, we still have hurdles to overcome, including mainstream acceptance, if decentralised identity is to be adopted as a standard process. Given that personal data is valuable currency to businesses, it is understandable why there is a reluctance to let go of the consumer data monetisation model. On the plus side, decentralised identity is gaining traction with support from standardisation forums such as the Decentralized Identity Foundation and W3C Verifiable Credentials.

Time for a new chapter

The decentralised identity space is still in its experimental stage. Organisations have yet to figure out how to deploy this technology at scale while also factoring in legacy issues, costs and regulatory requirements.

There are companies that are already developing the core technologies and roadmaps for establishing decentralised identity protocols. To start building this framework, businesses can benefit from working with a trusted partner with a strong portfolio of identity solutions that includes citizen identity verification (IDV) and user identity to help protect sensitive information.

Whatever the approach, shaping any digital identity strategy should begin and end with the consumer. Ultimately, what benefits the consumer will, in the long run, benefit the business.