In the previous edition of this learning series, we defined the important principles of identity (see What is digital identity – Part 1). As we saw, identity is who you claim to be and who you are. Now we can begin to describe digital identity and its benefits. Essentially, it’s a way to prove that you are who you say you are, online. This could include things like name, age, and professional accreditation. A digital identity is the collective electronic representation of these claims. But this may evoke many questions, such as:
- What does a digital identity look like?
- How is a digital identity created and used?
- How can we trust a digital identity?
We will begin by defining some additional digital identity concepts and provide real world examples to help with the explanation. We will then look at how a digital identity is created and used and discuss different changes that can be made to a digital identity.
Primary Digital Identity Components: credentials and authenticators
The two basic components of a digital identity are credentials and authenticators.
A credential is a set of attributes bound to an identifier. Let’s break that down with an example. Take your passport:
- The passport itself is the credential.
- The attributes are the pieces of information on the document, such as name, birth date and place of birth.
- The identifier is the unique number on the credential, in this case, the passport number.
A person can have several credentials that make up their digital identity, just as we do with physical credentials. For example, your birth certificate proves you were born, your driver’s license proves you have the right to drive, and your accreditation with a medical college may prove you can practice medicine. The sum total of your digital credentials makes up your digital identity.
An authenticator is something that allows you to prove that the digital identity in question is yours. In a real world example, the photo on your passport achieves this. It allows whoever is inspecting the passport to compare the photo with the person presenting it. If the photo is a match (barring any fraud, of course), the person looking at your passport can confirm it’s yours. In the digital identity world this works a little differently. Let’s look at an example: setting up online banking.
When you’re first setting up an online banking account, the bank has a process to verify your identity. This process confirms that you are you. They don’t just take your word for it. The process may include:
- Testing your knowledge of an existing banking relationship (e.g., Do you have a credit card with us? What is its credit limit?);
- Producing evidence from other sources, like a passport or other Government issued photo ID; and/or
- Supplying additional evidence, like a copy of a utility bill with your name and address on it.
This evidence allows the bank to conduct its own due diligence (its validation and verification) on the information you’ve supplied. With this process completed, the bank will record the information it deems important to create a digital identity for you in their system. In doing so, the bank will create a unique number (often called a unique identifier). This ensures your information is always tied to you in the bank’s system, and to no one else. This identifier might be something as simple as a unique client number. The sum total of this recorded information can be thought of as the credential. What it does for you is create an account in their system, but how do you access it? For that you need an authenticator.
An authenticator can be:
- Something you know. The most common among these are passwords, PINs, or even the answers to pre-configured challenge questions.
- Something you have. Examples of these include a smart card or access card, your smart phone, or some other type of physical token.
- Something you are. Typically, this is a biometric characteristic, like a fingerprint or retinal scan.
Coming back to our banking example, the bank will ask you to create a PIN or password to allow you to access online banking. They may also ask you to choose a few secret questions and answers to help you gain access to online banking. With these in hand, you can access the bank’s online services without having to go through the initial verification and validation steps every time.
The digital identity lifecycle
The example above describes the creation of a type of digital identity, the credential that associates you to your bank account. Let’s zoom out a bit and understand digital identities more broadly. At a high level, the lifecycle of a digital identity consists of three phases:
- The initiation of an identity or an identifiable entity – Some examples of this include someone being born, someone passing their learner driver training and becoming eligible for a driver’s licence, or a business being incorporated. Essentially, this is the point at which someone, or something, to which an identity can be ascribed comes into existence.
- Enrollment – The creation (also known as issuance) of a credential for a digital identity. We previously described this process with the example of a person wishing to engage in online banking. At the end of the enrollment process, the bank registered a credential – that unique customer number we talked about earlier – in their system. Increasingly, however, these credentials are actually provided to the individual to store and use themselves. Think of electronic boarding passes and concert tickets.
- Usage – The process of showing your identity, and someone confirming its validity for the purposes of conducting an electronic transaction (e.g. a flight attendant scanning your electronic boarding pass). This phase includes supplying an authenticator to confirm the credential belongs to you. In the electronic boarding pass example, this would be your government issued photo ID. When interacting on a computer or smartphone, Touch ID (using your fingerprint to unlock a device or gain access to an app) is an example of an authenticator.
Digital Identity Statuses
In addition to the phases in the lifecycle identified above, a digital identity may also be:
- Updated – bound attributes (the pieces of information about you) may require changes over time. For example, your height might change, or your marital status. In this case, an issuer may update a bound attribute and provide it to you, the holder.
- Suspended – Sometimes a digital credential will need to be suspended, making it temporarily unusable. This is often due to suspicious activity such as misuse or a security breach, or something as simple as the credential expiring. Think about credit cards: when you or your credit card company suspect your card may be stolen, the credit card company can suspend the card. For suspended digital identities to be reinstated, they must be reassessed using some or all of the verification processes used at enrollment.
- Reinstated – the process of returning the digital identity to a state where it can be used again. This is done only after reassessment of a suspended digital identity.
- Revoked – This occurs when a digital identity is permanently disabled. Revoked digital identities cannot be reinstated; they must be recreated based on enrollment.
Note that in practice, it is not necessarily the entire digital identity that is suspended, reinstated or revoked. Typically, it will be a credential and/or the authenticator that is flagged to, in effect, change the status of a digital identity.
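To make the banking example and the lifecycle concrete, the following is an added illustration written for this page (it is not code from the series or from any real bank). It models an issuer-side registry: enrollment binds already-verified attributes to a fresh unique identifier and registers a "something you know" authenticator (stored as a salted PBKDF2 hash rather than in the clear); usage checks that authenticator; and the Updated, Suspended, Reinstated and Revoked statuses are enforced on the credential, as the note above says happens in practice. The registry class, the `reassessment_passed` flag and the sample attributes are all assumptions made for the example; the "something you have" and "something you are" factors are not modelled.

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"


@dataclass
class Credential:
    """A set of attributes bound to a unique identifier, as the article defines it."""
    identifier: str
    attributes: dict
    status: Status = Status.ACTIVE
    salt: bytes = b""            # per-credential salt for the password hash
    password_hash: bytes = b""   # "something you know", never stored in the clear


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class CredentialRegistry:
    """Hypothetical issuer-side registry (think: the bank) for enrollment, usage and status changes."""

    def __init__(self):
        self._by_id: dict[str, Credential] = {}

    def enroll(self, verified_attributes: dict, password: str) -> str:
        # Enrollment: the attributes are assumed to have passed verification already
        # (passport, utility bill...). The registry binds them to a new unique identifier.
        identifier = str(uuid.uuid4())
        salt = os.urandom(16)
        self._by_id[identifier] = Credential(identifier, dict(verified_attributes),
                                             salt=salt, password_hash=_hash_password(password, salt))
        return identifier

    def authenticate(self, identifier: str, password: str) -> bool:
        # Usage: the holder presents the identifier plus the authenticator.
        cred = self._by_id.get(identifier)
        if cred is None or cred.status is not Status.ACTIVE:
            return False  # unknown, suspended or revoked credentials cannot be used
        return hmac.compare_digest(cred.password_hash, _hash_password(password, cred.salt))

    def update_attribute(self, identifier: str, name: str, value) -> None:
        # Updated: the issuer changes a bound attribute (e.g. marital status).
        self._by_id[identifier].attributes[name] = value

    def suspend(self, identifier: str) -> None:
        # Suspended: temporarily unusable, e.g. after suspected misuse or expiry.
        cred = self._by_id[identifier]
        if cred.status is Status.REVOKED:
            raise ValueError("revoked credentials cannot change status")
        cred.status = Status.SUSPENDED

    def reinstate(self, identifier: str, reassessment_passed: bool) -> None:
        # Reinstated: only from Suspended, and only after reassessment using
        # some or all of the enrollment-time verification steps.
        cred = self._by_id[identifier]
        if cred.status is Status.REVOKED:
            raise ValueError("revoked credentials cannot be reinstated; re-enroll instead")
        if cred.status is not Status.SUSPENDED:
            raise ValueError("only suspended credentials can be reinstated")
        if not reassessment_passed:
            raise ValueError("reassessment failed; credential stays suspended")
        cred.status = Status.ACTIVE

    def revoke(self, identifier: str) -> None:
        # Revoked: permanent; the holder must go through enrollment again.
        self._by_id[identifier].status = Status.REVOKED

    def status(self, identifier: str) -> Status:
        return self._by_id[identifier].status


def demo() -> dict:
    """Walk one constructed credential through the lifecycle and return the outcomes."""
    registry = CredentialRegistry()
    client = registry.enroll({"name": "A. Example", "birth_date": "1990-01-01"}, "correct horse")
    results = {"login_ok": registry.authenticate(client, "correct horse"),
               "wrong_pin": registry.authenticate(client, "wrong")}
    registry.suspend(client)  # e.g. suspected misuse
    results["login_while_suspended"] = registry.authenticate(client, "correct horse")
    registry.reinstate(client, reassessment_passed=True)
    results["login_after_reinstate"] = registry.authenticate(client, "correct horse")
    registry.revoke(client)
    try:
        registry.reinstate(client, reassessment_passed=True)
        results["revoked_reinstate_blocked"] = False
    except ValueError:
        results["revoked_reinstate_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The status is kept on the credential rather than on a whole "identity" object, which matches the note above: in practice it is the credential or authenticator whose status changes. The revoked state is a dead end by design, so the only way back is a new enrollment.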
Credential, authenticator, attribute, identifier, enrollment, usage etc. – these are all foundational terms for understanding digital identity. We still have a way to go, though. The upcoming parts of this learning series will describe digital identity ecosystem models such as centralized, federated, and decentralized in greater detail. This will help explain concepts like self-sovereign identity and selective disclosure. One goal of this learning series is to outline the elements that make sure a digital identity protects your privacy, is easy to use, and is secure. We will discuss privacy frameworks, levels of assurance (LoA), and the technology that enables digital identity, like digital wallets and verifiable credentials.
What topics still remain ambiguous? Which concepts require more detail in subsequent publications? We would love to hear from you and address your most popular questions in subsequent learning series publications.