Norton Labs | 4 Min Read

Next-gen digital identity protection calls for system reform

System reform will be critical in achieving the digital identity protection of the future.

The need for this level of reform has been building steadily over time, but the COVID-19 pandemic has proven to be a major catalyst. With remote working, digital healthcare, identity verification, and transactions proliferating, there has never been a greater need for robust, dynamic digital identity protection. As it stands, the risk to consumers who want to leverage the convenience of digital services is increasing, as are the opportunities for cybercriminals.

The pressure is only set to rise as life becomes more digitized, with governments and regulators in the EU leading the way on bullish electronic identification (eID) targets. Digital exposure of personal data will also be increased by the widespread rollout of vaccine passports, an innovation deemed essential to the world’s management of the virus.

Legacy instruments must be reconsidered if the world is to achieve next-gen protection, verification, and attestation that can keep up with digital transformation. In this article, we will explore the factors that are driving the need for system reform, and what it will take to implement an eID system suitable for the future.  

Why reform is needed now

At the beginning of the digital age, many of the initial threats that arose were countered by the digital identity protection available at the time. For instance, numerous methods of identity theft were suppressed by tools that could rapidly detect and respond to them. Since then, technology and online habits have evolved, particularly with the rise of online transactions and verification.

We have arrived at a critical moment as businesses and institutions begin to recognise the need for change. Above all, a new way to secure legitimate transactions and verify digital identities must be devised, one that moves beyond the need for physical credentials like ‘wet signatures.’

A new system should also mitigate the oversharing of personal data, which exposes sensitive information unnecessarily. For example, when you are asked to provide photographic proof of your ID, more data than necessary is often captured and stored during verification. This is just one limitation of existing systems, and understanding them all will provide a basis from which to map out a solution.

Existing system challenges

Oversharing personal data: The example above illustrates a primary weakness of most existing eID solutions: the lack of data control precision during verification. This existing method contributes to the weakening of identity security, with users routinely having to expose an unnecessary amount of information from their passports and driver’s licenses. A next-gen solution must feature selective attestation, minimising data exposure.

A highly fragmented, susceptible landscape: Many existing eID approaches utilise identity element attestations, which further limit security because they are highly susceptible to tampering and theft. Compounding this challenge is the fragmented nature of the eID landscape, which forces consumers to use multiple accounts. This complexity increases the room for human error and creates security weak points for identity thieves to target. Despite these inefficiencies, eID developers and many other service providers are continuing to develop disparate, ‘purpose-built’ systems that may worsen the fragmentation. The security of these systems is commonly based on inadequate email and password pairs, and in most cases the systems do not adhere to a common standard.

An overly complex ecosystem: The current complexity of regulatory compliance is also presenting a significant challenge, hindering the transmission of verified credentials. To remedy this aspect of the problem, a system is needed that simplifies the process, while also considering cross-border compatibility and self-sovereignty.

An eID for the future

The next-gen approach must provide users with greater control of their data exposure and streamline the digital identity protection process. A design that delivers these capabilities is Decentralised Digital Identity (DDI) technology. Otherwise known as Self-Sovereign Identity, the technology consolidates various credentials within a digital wallet and can alleviate much of the existing complexity.

Once credentials have been stored within a digital wallet, DDI technology enables cryptographic proof to be shared with verifiers. It is through this capability that specific elements of identity can be shared, rather than sending photographic proof and revealing entire sets of irrelevant personal data.
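The following sketch is an added example, not code from the article or from NortonLifeLock, showing one way a wallet can disclose a single identity element with proof instead of the whole document. It uses salted hash commitments, with an HMAC standing in for the issuer's digital signature so that it runs offline (a real deployment would use an asymmetric signature, so the verifier holds only a public key); all names, keys and claim values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data; every name and value here is hypothetical.
ISSUER_KEY = b"constructed-demo-issuer-key"
SAMPLE_CLAIMS = {"name": "Alex Example", "date_of_birth": "1990-01-01",
                 "over_18": True, "licence_no": "X0000000"}

def commit(salt, name, value):
    # Salted hash of one claim; the random salt stops a verifier from
    # guessing low-entropy hidden values (e.g. a birth date) by brute force.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def seal(digests, key):
    # Assumption: HMAC stands in for the issuer's digital signature.
    return hmac.new(key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims, key):
    """Issuer: commit to each claim separately and seal the digest list."""
    salts = {n: secrets.token_hex(16) for n in claims}
    digests = sorted(commit(salts[n], n, v) for n, v in claims.items())
    credential = {"digests": digests, "seal": seal(digests, key)}
    return {"claims": claims, "salts": salts, "credential": credential}

def present(wallet, names):
    """Holder: disclose only the named claims, each with its salt."""
    disclosed = [[wallet["salts"][n], n, wallet["claims"][n]] for n in names]
    return {"credential": wallet["credential"], "disclosed": disclosed}

def verify(presentation, key):
    """Verifier: return the proven claims, or None if anything fails."""
    cred = presentation["credential"]
    if not hmac.compare_digest(seal(cred["digests"], key), cred["seal"]):
        return None  # digest list was not sealed by the issuer
    proven = {}
    for salt, name, value in presentation["disclosed"]:
        if commit(salt, name, value) not in cred["digests"]:
            return None  # disclosed claim was altered or never issued
        proven[name] = value
    return proven

if __name__ == "__main__":
    wallet = issue(SAMPLE_CLAIMS, ISSUER_KEY)
    print(verify(present(wallet, ["over_18"]), ISSUER_KEY))
```

The verifier learns that the issuer attested `over_18` and sees only opaque digests for the name, birth date and licence number.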

Solutions built on this technology will also provide a native and highly processable format, enhanced transmission security, and increased privacy. In addition to these benefits, this next-gen solution would promote and streamline options for user consent, as well as standardising verification in general. Perhaps most significantly, DDI has been standardised by the World Wide Web Consortium (W3C) and is supported by many other key stakeholders. This level of support enhances the potential success of the standard, even if it is implemented by completely different entities.

The digital identity revolution

Digital identity protection must be as innovative as the services and opportunities that emerging technology provides. Ensuring that verification capabilities are prioritised is essential to the safety of the increasingly digital lives we now lead, and for the realisation of digital transformation itself.

An opportune moment has now presented itself to reform identity systems, to bring about a next-gen, standardised approach. This is due in no small part to the appetite of governments, legislators, and regulators to support the development and evolution of eID systems. Experts and technology providers stand ready to deliver the necessary support to help bring about this digital identity revolution.

Copyright © 2022 NortonLifeLock Inc. All rights reserved.

About the Author

Dr. Petros Efstathopoulos

Global Head of NortonLifeLock Research Group

Petros joined NortonLifeLock Research Group in 2009 and has focused on next-generation storage/backup systems, portable storage security, network security, privacy and identity. He is responsible for Lab strategy, direction, and growth.