Picking up where we left off (see What is digital identity – Part 3), let’s look at other factors affecting the adoption of digital credentials, beyond privacy and the protection of personal information. For the benefits of digital credentials to be fully realized, their use must be far more widespread. Much as Visa’s catchphrase promises “accepted everywhere”, different forms of digital credentials will only be recognized everywhere once a critical mass of adoption has been reached. Adoption relies on key characteristics that we have come to expect from technology in daily interactions: reliability, accessibility, accountability, interoperability and usability.
Further, adoption relies on trust. For example, holders and verifiers must trust that the issuer has issued a legitimate credential, and the verifier must trust that the holder presenting a digital credential is its legitimate owner. For widespread adoption to take place, we need appropriate levels of assurance (LoAs) that each party is legitimate and can be trusted. We’ll dig into this and talk about risk, levels of assurance, levels of harm, and how they relate to the LoA frameworks used in Canada and around the world.
Factors Affecting Adoption of Digital Credentials
Reliability is a key characteristic that directly affects user trust and adoption. Examples of the reliability that users expect include:
- Reliable service – Does the service operate consistently and error-free?
- Reliable service design – Does the digital credential reflect best design practices?
- Reliable privacy protection – Can you trust this digital credential service to protect your privacy?
- Reliable process – Do the operational processes surrounding the use of the digital credential meet the same level of reliability as the rest of the system? Like a chain, the entire lifecycle of the digital credential is only as strong as its weakest link.
Proven reliability of the digital credential itself fosters trust. Ultimately, digital credentials and their supporting systems must consistently meet the expectations of those that use them and depend on their performance. Otherwise, people won’t be able to rely on the service and won’t use it.
Accessibility is one of the key pillars of digital credentials. Anyone who is eligible for a particular digital credential and wants to use it should be able to access it. This requires a “nobody left behind” approach that takes into account the needs of potential users who may otherwise experience physical, cognitive, socio-economic or language barriers when using digital credentials.
For example, a significant percentage of the public experience disabilities, like mobility impairments or sensory issues (e.g., poor eyesight). Ensuring digital credential solutions meet Web Content Accessibility Guidelines is an important first step. Other design considerations include ensuring a digital credential can be accessed on any device, interrogating technology for biases that may result in differing experiences amongst users (e.g. bias in facial verification has been well documented), providing internet access support to those who need it, and reducing or eliminating fees associated with the digital credential issuance process. Any service dependent on digital credentials must design for its entire potential user base. In summary, the following questions should be considered when evaluating accessibility:
- How do you make sure everyone is able to move through the process with the same ease?
- How do you make sure your technologies take into account the digital device access and digital literacy of your user base, and design accordingly?
Accountability is another key to fostering the trust necessary for a broader adoption of digital credentials. Accountability involves a clear and traceable line of responsibility between the features required in a digital identity ecosystem and those tasked with enabling them. Demonstrated accountability provides a basis for ongoing trust in the service being offered. Furthermore, the standards and laws surrounding the use of digital credentials must clearly put the user’s privacy, security, ease-of-use and equitable access first. There are many elements to accountability, including:
- Well-communicated policies and procedures – Who is responsible for making sure my digital credential works? Where do I go if I have a problem? What are the mechanisms to dispute policy or procedure?
- An accountable individual or organization responsible for overseeing privacy protection and receiving privacy concerns and issues.
- An ability to monitor and report on the technical reliability of the solution.
Interoperability between entities and systems is crucial for a functional, sustainable and user-friendly ecosystem. Here, interoperability means the ability of technical solutions to work with one another and exchange data in a consistent, mutually understood manner. Consider a digital credential issued to a user by a trusted issuer that is later submitted to a third-party verifier: for example, a verifiable electronic transcript issued by a university in one province being presented to an employer in a different province. The digital credential has to be interoperable throughout the entire chain of the verification process. This is why interoperability is characterized as an absolute requirement. To ensure interoperability, several initiatives are under way:
- There are numerous organizations that develop standards and technologies to address various aspects of technical interoperability. This work is increasingly taking centre stage and continues to evolve. These efforts must be developed collaboratively and provide best practice guidance for interoperable processes and technology.
- Common procedural requirements dictated by law or regulation must be consistently interpreted and applied. Policies developed in a jurisdiction (e.g., Canada, province of BC) or a sector (e.g., health, financial services) should provide for alignment and interoperability at all policy levels.
Usability is in part affected by reliability, accessibility and interoperability. Usability (or ease-of-use) is the degree of effort required in interacting with something to achieve an established purpose, and is a key concern for end-users of any technology-dependent process. This starts with best-practice design of user interfaces to ensure that:
- Information and processes are organized to be as straightforward as possible;
- The user interfaces are error free and appear to be credible; and,
- The user interface is adaptable to many device types (e.g., desktop, mobile devices) and operating systems (e.g., Android, iOS).
There are many sources for best-practice guidelines aimed at solid user experience design. Usability is a field of practice in its own right and is often dubbed “User Experience” (or “UX”). Any digital credential project with a user interface component, whether an internal or external user, should involve a professional UX resource to ensure optimum usability.
Beyond effective visual and process design, there are other considerations particularly applicable to the use of digital credentials. Processes dependent on digital credentials are often sensitive to privacy and security concerns, and may have a common target audience with defined characteristics (e.g., all potential users are expected to be working in a corporate setting). Dependencies such as these, along with device, connectivity and related requirements, should also be considered when evaluating usability.
Risk and Levels of Assurance (LoA)
As we have discussed, overcoming barriers to the adoption of digital credentials is important for fully realizing their benefits. This usually means making it as easy as possible to obtain a digital credential. That said, a balance must be struck between the sensitivity of a credential and the level of security, verification and overall confidence in a person and their claim. This balance is typically captured through LoAs (also known as levels of confidence): the degree to which we can trust that a person or a credential is legitimate. In the context of entity authentication, the international standard ISO/IEC 29115 defines a level of assurance as describing the degree of confidence in the processes leading up to, and including, authentication.
The challenge is that the more confidence we need in a person or a claim, the harder it is to issue a credential. This can disincentivize adoption. So, it is important to carefully choose the right fit for the right purpose.
In Canada and around the world, policies and standards often classify LoAs in a defined framework. The lowest level of assurance in a framework implies little confidence in asserted claims and the expectation of minimal or no harm in the case of a compromised transaction. The highest level of assurance is used when there is great risk of harm, such as a significant privacy or security breach.
In Canada, many LoA definitions are based on, or similar to, the formalized LoA definitions used by the federal government:
- LoA 1 – Little confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause nil to minimal harm. – One way to look at it is that it doesn’t really matter who is behind the computer or presenting the credential, like a typical social media account.
- LoA 2 – Some confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause minimal to moderate harm. – In this case, it matters a bit: we at least need to know it’s a real person, or are comfortable with the risk that it might not be them behind the computer.
- LoA 3 – High confidence is required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause moderate to serious harm. – Here, it is important to know that it is a real person AND be quite sure that they are the RIGHT person behind the device.
- LoA 4 – Very high confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause serious to catastrophic harm. – At the highest level, there can’t be any doubt that the person is who they say they are and are authorized for the transaction.
This classification of LoA provides an important framework for the management and use of digital credentials.
Let’s look at a more specific example:
Steve lives in Calgary, is working towards a degree, and realizes that he will need student loans to help fund his education. He has already registered for a MyAlberta Digital ID (MADI) and went through the process to have it verified. This was done by allowing the province to access his driver registry information, which brought his account to LoA 2, and then by entering a PIN mailed to the valid address on file, which brought it to LoA 3. Together these steps confirm that the person exists and that the right person is authenticating, so he is able to access online services that require a higher level of identity assurance.
Steve goes to the Alberta Student Aid website, where he sees that he can apply online after creating an account. To do this, he can request the creation of a new digital identity and credential, or simply use his existing MADI. The MADI program developed the policy and procedures required to reach the higher LoA, and Alberta Student Aid leverages the MADI credential to eliminate the need for Steve to create a new account. All the while, Alberta Student Aid has confidence that it is really interacting with Steve, and not someone else.
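To make the four-level framework and Steve’s walkthrough concrete, here is an added example of the two decisions a relying party and an identity program actually have to make: which LoA a service should demand, given the worst harm a compromised transaction could cause, and which LoA a holder has actually reached, given the proofing steps completed. This is illustrative code written for this post, not code from IDLab, MyAlberta Digital ID or Alberta Student Aid. The harm bands follow the LoA definitions above; the proofing ladder (registry match, then mailed PIN, then an in-person document check as an assumed LoA 4 rung) and the harm figures for the student-aid service are assumptions made for the walkthrough.

```python
"""Illustrative LoA decision helper (added example; not code from IDLab,
MyAlberta Digital ID or Alberta Student Aid). The harm bands mirror the
four-level framework above; the proofing ladder and the harm figures for
the student-aid service are assumptions made for the walkthrough."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Harm(IntEnum):
    """Expected harm from a compromised transaction, least to most severe."""
    NIL = 0
    MINIMAL = 1
    MODERATE = 2
    SERIOUS = 3
    CATASTROPHIC = 4


# Upper bound of the harm band each LoA is meant for: LoA 1 covers nil-minimal,
# LoA 2 minimal-moderate, LoA 3 moderate-serious, LoA 4 serious-catastrophic.
HARM_CEILING = {1: Harm.MINIMAL, 2: Harm.MODERATE, 3: Harm.SERIOUS, 4: Harm.CATASTROPHIC}


def required_loa(expected_harm: Harm) -> int:
    """Lowest LoA whose harm band covers the expected harm."""
    for level in sorted(HARM_CEILING):
        if expected_harm <= HARM_CEILING[level]:
            return level
    raise ValueError(f"no LoA covers harm {expected_harm!r}")


# Identity-proofing ladder (assumed for illustration): each rung raises the
# credential to the given LoA, but only once the rung below it is completed.
# Level 1 is the starting point: a self-asserted account, nothing proven.
PROOFING_LADDER = [
    ("registry_record_match", 2),     # claims matched against an authoritative registry
    ("mailed_pin_confirmed", 3),      # PIN mailed to the address on file was entered
    ("in_person_document_check", 4),  # assumed LoA 4 rung; not described in the post
]


def achieved_loa(completed_steps: Iterable[str]) -> int:
    """LoA supported by the completed proofing steps. Rungs are evaluated in
    order, so a mailed PIN entered without a prior registry match counts for
    nothing: it proves control of an address, not that the record is the
    applicant's."""
    done = set(completed_steps)
    level = 1
    for step, reached in PROOFING_LADDER:
        if step not in done:
            break
        level = reached
    return level


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required: int
    achieved: int
    step_up_to: Optional[int]  # level the holder must reach, or None if allowed


def authorize(service_harms: dict, completed_steps: Iterable[str]) -> Decision:
    """Relying-party gate: the worst harm category sets the required LoA and
    the credential must meet or exceed it; otherwise report the step-up needed."""
    required = required_loa(max(service_harms.values()))
    achieved = achieved_loa(completed_steps)
    allowed = achieved >= required
    return Decision(allowed, required, achieved, None if allowed else required)


# Constructed harm assessments (assumed figures): a compromised loan application
# could expose financial and identity data and divert funds; a social-media
# style account carries little beyond minimal privacy harm.
STUDENT_AID_HARMS = {"privacy": Harm.SERIOUS, "financial": Harm.SERIOUS, "safety": Harm.MINIMAL}
SOCIAL_MEDIA_HARMS = {"privacy": Harm.MINIMAL, "financial": Harm.NIL, "safety": Harm.NIL}


if __name__ == "__main__":
    steve = ["registry_record_match", "mailed_pin_confirmed"]
    print(authorize(STUDENT_AID_HARMS, steve))                      # allowed: LoA 3 meets LoA 3
    print(authorize(STUDENT_AID_HARMS, ["registry_record_match"]))  # denied: step up from 2 to 3
    print(authorize(SOCIAL_MEDIA_HARMS, []))                        # allowed: LoA 1 suffices
```

The point of the ladder check is the one Steve’s story makes implicitly: the mailed PIN only means something because the registry match came first, so the code refuses to credit a later rung when an earlier one is missing. The gate also reports the level to step up to rather than just refusing, which is how a service avoids pushing every user to LoA 4 when the harm assessment only justifies LoA 2 or 3.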
The expanding reliance on a digital economy and increasing value of transactions means that it is more important than ever to make new technologies, specifically digital credentials, reliable, accessible, accountable, interoperable and usable. It also means that exposure to risk and potential for harm will continue to persist as the digital economy matures. We must continue to evolve and implement frameworks that mitigate these risks.
For digital credentials to be as ubiquitous as the hard-copy counterparts we use today, their adoption will need to be scaled. Demand from issuers, holders and verifiers alike will have to be present for the benefits to be fully realized. To accomplish this, a tightrope must be walked to ensure digital credentials are privacy protecting, secure, easy to use, equitably accessible, and ultimately: trusted.
We’ve touched upon the main factors affecting the adoption of digital identity. Going forward, we will describe several techniques and design elements that are being used. While the list is not exhaustive, we will explore important components of digital credential related services. This will include the notion of digital wallets and signatures, principles such as selective disclosure, and use of cryptography in zero-knowledge proofs.
We would love to hear from you and address your most popular questions! Get in touch with IDLab!