ITU-T Focus Group Digital Financial Services
Technology, Innovation and Competition
Executive summary
This Technical Report to the ITU-T Focus Group on Digital Financial Services (DFS) presents an overview of the
current and projected state of digital identity and authentication, as it applies to the DFS sector. It is intended
to be read in the context of Recommendations ITU-T X.1252, ITU-T X.1253, and ITU-T X.1254, which address
the wider issues around the management of identity in data networks.
The broader context is the adoption by world leaders on 25 September 2015 of the UN’s 17 Sustainable
Development Goals (SDGs) of the 2030 “Agenda for Sustainable Development”. Goal 16 states: “Promote just,
peaceful and inclusive societies”, and is amplified by target 16.9: “By 2030, provide legal identity for all,
including birth registration”. Given the broader moves around the world towards electronic/digital transactions,
particularly in the DFS sector, it follows that the most practical route to achieving this is the creation and use of
digital identities, through a variety of means. For this reason, the paper briefly explores the relationship between
legal and digital identities.
The nature of digital identities is explored in this report, and a core definition of their usage is presented,
based on three phases:
• Identity proofing - the process of establishing the legal identity of an entity presenting him/herself for
registration. At the successful conclusion of this phase, a digital identity is created and associated with
the person.
• Authentication - the process (undertaken when the person asserts an attribute of their identity) of
validating the assertion of an attribute associated with a previously established identity.
• Authorisation - the process of determining the degree of access to a service that may be provided on
the basis of a previously asserted and successfully authenticated identity.
This includes provision for partial assertion; so an individual does not need to assert every attribute of their
identity. For example, an individual might assert their name, and not their address or any other attribute – or
perhaps that he or she is over 18 years of age, without being required to provide his or her name.
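As an added illustration (not part of the report), the following Python sketch shows one way the three phases and partial assertion fit together: identity proofing ends with an issuer committing to each attribute separately (a salted SHA-256 digest per attribute) and signing the list of digests; at authentication the holder discloses only the attributes needed, and the verifier checks each disclosed attribute against the signed digests; authorisation then decides on the disclosed attributes alone. The issuer name, attribute names and the HMAC-based “signature” are constructed for the example; a real deployment would use an asymmetric signature (such as Ed25519) so that the verifier holds only the issuer’s public key.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key (constructed). HMAC stands in for a real asymmetric
# signature here so that the example runs with the standard library only.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _canonical(obj) -> bytes:
    """Canonical JSON so issuer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one attribute: SHA-256 over salt, attribute name and value.
    The random salt prevents a verifier from guessing undisclosed values by
    brute force (e.g. trying every plausible date of birth)."""
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def _sign(body: dict) -> str:
    return hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()


def issue_credential(attributes: dict, issuer: str = "example-registry") -> dict:
    """Identity proofing output: a credential committing to every attribute.
    Only the digests are signed, so any subset of attributes can later be
    disclosed without invalidating the signature."""
    disclosures, digests = [], []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures.append({"salt": salt, "name": name, "value": value})
        digests.append(_digest(salt, name, value))
    digests.sort()  # sorted order reveals nothing about which digest is which attribute
    signed = {"issuer": issuer, "digests": digests}
    return {"signed": signed, "signature": _sign(signed), "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder side (partial assertion): keep the signed digest list, but pass on
    only the salt/name/value triples for the attributes being asserted."""
    chosen = [d for d in credential["disclosures"] if d["name"] in reveal]
    return {"signed": credential["signed"],
            "signature": credential["signature"],
            "disclosures": chosen}


def verify_presentation(presentation: dict):
    """Authentication, verifier side: returns the disclosed attributes as a dict
    if the issuer signature holds and every disclosed attribute matches a
    signed digest; returns None on any failure."""
    body = presentation["signed"]
    if not hmac.compare_digest(_sign(body), presentation["signature"]):
        return None
    revealed = {}
    for d in presentation["disclosures"]:
        if _digest(d["salt"], d["name"], d["value"]) not in body["digests"]:
            return None  # value or name was altered after issuance
        revealed[d["name"]] = d["value"]
    return revealed


def authorise(revealed, required: dict) -> bool:
    """Authorisation: grant only if every required attribute was disclosed and
    carries the required value. Undisclosed attributes never count."""
    if revealed is None:
        return False
    return all(revealed.get(k) == v for k, v in required.items())


if __name__ == "__main__":
    # Constructed sample: foundational identity with a derived over-18 attribute.
    cred = issue_credential({"name": "A. Example", "address": "1 Main St", "over_18": True})
    age_only = present(cred, ["over_18"])        # assert age, withhold name and address
    revealed = verify_presentation(age_only)
    print("disclosed:", revealed)                 # {'over_18': True}
    print("access granted:", authorise(revealed, {"over_18": True}))
```

The point a practitioner should take from this is that selective disclosure only works if the issuer commits to attributes individually and salts each commitment; signing one blob of all attributes would force the holder to reveal everything to let the verifier check the signature.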
The paper then describes different types of digital identity, starting from the foundational identity. This is
usually created as part of a national identity scheme and is typically based on the formal establishment of
identity through the examination of qualifying (breeder) documents such as birth records, marriage certificates,
and social security documents. The foundational identity can then be used to create derived digital identities,
such as a transactional identity, which might be created during registration for DFS services and used for
customer authentication during DFS transactions, and for other service access as determined by the DFS operator.
After an overview of the importance of the level of assurance (LoA) associated with a digital identity, this
paper briefly introduces the various forms of identity architecture that are being explored worldwide. These
are explored in more detail in Appendix A.
In addition to architectures, a further complication is the class of digital identity used – either static or dynamic.
A static digital identity is derived from the foundational identity and is one that is typically issued by a national
identity scheme, or historically, by a bank. Its initial high LoA degrades over time (attributes such as address
may change, for example), raising a requirement to re-check periodically – for example, the financial regulator
in South Africa requires that banks’ customers re-assert their address at least annually. An alternative that is
being explored is the dynamic identity, which is initially self-asserted (as in a Facebook ID, for example) with a
very low LoA, which can be developed over time – for example, by visiting a service provider and presenting
supporting documents (like a passport) in order to gain access to an additional service. This approach can
dramatically reduce friction around onboarding, though it does need careful management.
The technologies around digital identity are explored, specifically at the identity proofing, authentication and
authorisation stages of the lifecycle. A particular focus is on authentication technologies, especially personal
identification numbers (PINs) and biometrics. The reasons for moving away from PINs are explored, and the
difficulties of moving to biometrics are highlighted: biometrics are a set of technologies that are easy to use
badly (often giving a sense of security that isn’t really there) and difficult to use well.