
ITU-T Focus Group Digital Financial Services
                                              Technology, Innovation and Competition



               Executive summary

               This Technical Report to the ITU-T Focus Group on Digital Financial Services (DFS) presents an overview of the
               current and projected state of digital identity and authentication, as it applies to the DFS sector. It is intended
               to be read in the context of Recommendations ITU-T X.1252, ITU-T X.1253, and ITU-T X.1254, which address
               the wider issues around the management of identity in data networks.

               The broader context is the adoption by world leaders on 25 September 2015 of the UN’s 17 Sustainable
               Development Goals (SDGs) of the 2030 Agenda for Sustainable Development. Goal 16, “Promote just, peaceful
               and inclusive societies”, is amplified by target 16.9: “By 2030, provide legal identity for all, including
               birth registration”. Given the broader move around the world to electronic and digital transactions,
               particularly in the DFS sector, digital identities, created through a variety of means, are the most
               practical route to achieving this target. For this reason, the paper briefly explores the relationship
               between legal and digital identities.

               This report explores the nature of digital identities and presents a core definition of their usage,
               based on three phases:
               •    Identity proofing - the process of establishing the legal identity of an entity presenting him/herself for
                    registration. At the successful conclusion of this phase, a digital identity is created and associated with
                    the person.

               •    Authentication - the process, undertaken when the person asserts an attribute of their identity, of
                    validating that assertion against the previously established identity.

               •    Authorisation - the process of determining the degree of access to a service that may be provided on
                    the basis of a previously asserted and successfully authenticated identity.

               This includes provision for partial assertion; so an individual does not need to assert every attribute of their
               identity. For example, an individual might assert their name, and not their address or any other attribute – or
               perhaps that he or she is over 18 years of age, without being required to provide his or her name.
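The three phases and the partial-assertion idea can be made concrete in code. The following is an added illustration, not code from the ITU-T report or from any DFS operator. It assumes a hypothetical identity issuer and relying party that share an HMAC key (standing in for the issuer's digital signature), uses salted hash commitments so the holder can reveal one attribute without exposing the others (the same selective-disclosure pattern used by several credential formats, here in simplified form), and all identity data and service names are constructed for the example.

```python
# Added illustration (not from the ITU-T report) of the three lifecycle phases with
# partial assertion. Assumptions: a hypothetical issuer and relying party share an
# HMAC key standing in for the issuer's signature; all identity data is constructed.
import hashlib
import hmac
import json
import secrets
from datetime import date
from typing import Optional

ISSUER_KEY = b"hypothetical-issuer-key-demo-only"  # assumption: stands in for a signing key


def commit(name: str, value: str, salt: str) -> str:
    """Salted hash commitment to one attribute; hides the value until the holder reveals it."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def identity_proofing(breeder_docs: dict, as_of: date) -> tuple:
    """Phase 1: the issuer examines the (constructed) breeder documents, derives an
    'over_18' attribute, and creates the digital identity: a signed list of
    per-attribute commitments. Returns (credential, holder_wallet)."""
    dob = date.fromisoformat(breeder_docs["date_of_birth"])
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    attrs = {**breeder_docs, "over_18": age >= 18}
    salts = {k: secrets.token_hex(16) for k in attrs}
    commitments = {k: commit(k, str(v), salts[k]) for k, v in attrs.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    credential = {
        "commitments": commitments,
        "sig": hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest(),
    }
    wallet = {k: (str(v), salts[k]) for k, v in attrs.items()}  # holder keeps values and salts
    return credential, wallet


def present(credential: dict, wallet: dict, reveal: list) -> dict:
    """Holder asserts only the chosen attributes (partial assertion); the rest stay hidden."""
    return {"credential": credential, "disclosed": {k: wallet[k] for k in reveal}}


def authenticate(presentation: dict) -> Optional[dict]:
    """Phase 2: verify the issuer's signature over all commitments, then check each
    disclosed value against its commitment. Any failure rejects the whole presentation."""
    cred = presentation["credential"]
    payload = json.dumps(cred["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    verified = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if cred["commitments"].get(name) != commit(name, value, salt):
            return None
        verified[name] = value
    return verified


def authorise(verified: Optional[dict], service: str) -> bool:
    """Phase 3: access policy evaluated only on authenticated attributes (hypothetical services)."""
    if verified is None:
        return False
    if service == "age_restricted_product":
        return verified.get("over_18") == "True"
    if service == "dfs_account_open":
        return {"name", "national_id", "address"}.issubset(verified)
    return False


# Constructed sample data; the as_of date is fixed so the run is reproducible.
SAMPLE_DOCS = {"name": "A. Customer", "national_id": "ID-0001",
               "address": "1 Example Road", "date_of_birth": "1990-06-15"}
AS_OF = date(2016, 1, 1)


def demo() -> dict:
    cred, wallet = identity_proofing(SAMPLE_DOCS, AS_OF)
    age_only = authenticate(present(cred, wallet, ["over_18"]))  # name is never disclosed
    forged = present(cred, wallet, ["address"])
    forged["disclosed"]["address"] = ("9 Forged Lane", forged["disclosed"]["address"][1])
    return {
        "age_only": age_only,
        "buy_restricted": authorise(age_only, "age_restricted_product"),
        "open_account": authorise(age_only, "dfs_account_open"),
        "forged": authenticate(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the separation of concerns: proofing happens once and binds all attributes to one signed object; authentication checks only what the holder chose to reveal, and rejects the entire presentation if any disclosed value fails its commitment (a tampered address cannot ride along with a genuine age attribute); authorisation is a policy decision over authenticated attributes only, so the age-restricted service never learns the customer's name.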

               The paper then describes the different types of digital identity, starting with the foundational identity,
               which is usually created as part of a national identity scheme and is typically based on the formal
               establishment of identity through the examination of qualifying (breeder) documents such as birth records,
               marriage certificates, and social security documents. The foundational identity can then be used to create
               derived digital identities, such as a transactional identity created during registration for DFS services
               and used for customer authentication during DFS transactions, and for other service access as determined
               by the DFS operator.

               After an overview of the importance of the level of assurance (LoA) associated with a digital identity, this
               paper briefly introduces the various forms of identity architecture that are being explored worldwide. These
               are explored in more detail in Appendix A.

               In addition to architectures, a further complication is the class of digital identity used – either static or dynamic.
               A static digital identity is derived from the foundational identity and is one that is typically issued by a national
               identity scheme, or historically, by a bank. Its initial high LoA degrades over time (attributes such as address
               may change, for example), raising a requirement to re-check periodically – for example, the financial regulator
               in South Africa requires that banks’ customers re-assert their address at least annually. An alternative that is
               being explored is the dynamic identity, which is initially self-asserted (as in a Facebook ID, for example) with a
               very low LoA, which can be developed over time – for example, by visiting a service provider and presenting
               supporting documents (like a passport) in order to gain access to an additional service. This approach can
               dramatically reduce friction around onboarding, though it does need careful management.

               The technologies around digital identity are explored at each of the identity proofing, authentication,
               and authorisation stages of the lifecycle, with a particular focus on authentication technologies,
               especially personal identification numbers (PINs) and biometrics. The reasons for moving away from PINs
               are explored, and the difficulties of moving to biometrics are highlighted: they are a set of technologies
               that are easy to use badly (often giving a sense of security that isn’t really there) and difficult to
               use well.


