The New Zealand Department of Internal Affairs recently stated that it is contributing to a “Future State New Zealand Identity Ecosystem” (my bolding, DIA discussion paper, June 2023).
The establishment of a national identity ecosystem is an important subject. I ask: what is an identity ecosystem? What should we be aiming for as a society? And is it one or multiple identity ecosystems?
What is an Identity Ecosystem?
Defining the term ‘ecosystem’ is a useful starting point. Wikipedia states:
An ecosystem (or ecological system) consists of all the organisms and the physical environment with which they interact. These biotic and abiotic components are linked together through nutrient cycles and energy flows. Energy enters the system through photosynthesis and is incorporated into plant tissue. By feeding on plants and on one another, animals play an important role in the movement of matter and energy through the system.
Wikipedia describes a ‘biological ecosystem’ that has evolved to a steady state. Such a biological ecosystem has systemic features of many co-existing parts that, in a sense, cooperate. An ‘identity ecosystem’ will share this systemic feature - it too will have many cooperating parts.
But an identity ecosystem is designed by humans. This additional dimension is obviously important – it determines everything, such as whether the thing works, how efficient it is, how secure it is, and how much it costs!
So, we must avoid being too romantic about identity ecosystems - they are not natural, they are not easy, and there is no preordained ‘order of things’ to define how they should work.
Identity Ecosystem Attributes
So, there are different types of ecosystems. To understand these differences, I categorize identity ecosystems using three attributes:
1. the operational environments that are supported
2. the type of transactions that are supported (2-party and/or 3-party)
3. the level of security
1-2 have been described in previous newsletters.
The third, the level of security, is determined by what identity-based transactions are being supported. If the transaction is high value or high risk, like obtaining a passport, a high level of security should be expected. If the transaction is low value or low risk, such as accessing social media, a lower level of security may be appropriate.
Together, these three attributes define the scope of an identity ecosystem. There are two classifications:
a broad-scope identity ecosystem that supports multiple variations of environment, transaction type, and security level
a narrow-scope identity ecosystem that supports limited environments, transaction types, and levels of security.
Loosely and Tightly Coupled Ecosystems
An additional aspect that is important for ecosystems is how the ecosystem functions. To describe this, I will focus on how tightly the entities within the ecosystem are coupled together.
One extreme features loosely coupled ecosystems with lots of independent entities that can randomly interact with each other. They do not have hard and fast connections. Biological ecosystems are clearly loosely coupled with a huge variety of entities and multitudinous interactions. These many-to-many relationships somehow work, primarily because millennia of evolution have produced a steady state system.
At the other extreme, tightly coupled ecosystems have a structure, and the entities interact according to patterns that some might characterize as rules. Such ecosystems are much more likely to be made by humans.
Current and Future Identity Ecosystems
I use the three attributes and degree of coupling described above to analyze a series of current and developing identity ecosystems.
Government Identity Documents
I start where we all started – birth certificates, driver’s licenses etc. They are useful in many environments and transaction types, so they have broad scope, but they have limited security. They are loosely coupled ecosystems.
International Passports
Passports are clearly the biggest identity solution on the planet. They are highly effective in border locations where hardware is installed, although they can be used elsewhere for general identity in a moderately coupled manner.
National Identity Solutions
The most sophisticated and well-known national Identity solutions are in the Scandinavian countries and Estonia. BankID operates in Sweden and Norway. It evolved from a smart-card based solution to being predominantly based on smartphones providing 2nd Factor Authentication. It focuses on on-line use and can be used with both government services and commercial services in a tight configuration.
National Hybrid Identity Card / Biometrics Solutions
These are an emerging type of solution similar to National Identity Solutions. For example, the Philippines is introducing a chip-based identity card and collecting iris and fingerprint biometrics at the same time. If well implemented, this will give all sorts of options in the future and shows how countries with minimal Identity infrastructure may be able to take a major leap to a sophisticated technology approach. They are likely to be tightly coupled.
Social Media Identity
Federated Identity is quite important for many of the four billion social media users! Based around protocols, such as OAuth, OpenID, and OpenID Connect, this is an on-line 2-party solution, with a large unverified user base, that operates tightly. It is difficult to measure the security, but the absence of any major reports of disaster suggests that the technologies themselves are secure.
Big Tech Passkeys
I’ll cover this in a future newsletter, but the tech giants Google, Microsoft, and Apple, along with FIDO, on 20 May 2023 announced the technology of passkeys as the new identity solution. Passkeys could be seen as an evolution of FIDO 2nd Factor Authentication, but they are much more than that. Centralized management of passkeys to remove the reliance on passwords (and hence minimize the risk of phishing attacks) has a lot of positives and a few negatives (do we trust them?). Passkeys, if and when they achieve some sustainable volume, will have an on-line, 2-party focus in a tight configuration.
Identity Ecosystem Summary
The ecosystems analysed above are:
There are some trends in this analysis:
we do not have any identity ecosystems that are both broad-scope and highly secure - government identity documents is the only identity ecosystem that covers all environments and transaction types (i.e. is broad) and it is not secure. I know of no other broad-scope identity ecosystems.
current secure identity ecosystems are tightly coupled - this borders on stating the obvious, but governmental, commercial and big tech development build on the technology stacks we currently have, and utilize real-time communication and strongly-typed messaging. That is, Identity providers utilize current technologies to tightly couple entities and to thereby gain security.
Conclusion / Observations
I will conclude with these points:
the ecosystem approach is useful - the discussion in this newsletter is worthwhile. We need to have a way of discussing identity at a national level, and the concept of ecosystems allows this discussion to take place. By that, I mean at a national level, we must go beyond simply discussing standards, legal accreditation, and technologies.
identity ecosystems are a good idea - I started by recounting the Department of Internal Affairs’ aim to contribute to a “Future State New Zealand Identity Ecosystem” and asking whether this is a good goal. While I have not focused on proving that in this newsletter, it seems intuitively obvious that ecosystem solutions at the same level as Payments solutions would be beneficial.
a secure broad-scope identity ecosystem is not easy – history supports this. I think there are two primary reasons for slow progress: 1) it is a very difficult problem, and 2) industry is waiting on government. Unfortunately, it is not the role of government to fix everything, so industry needs to find its own ways to move forward.
narrow-scope identity ecosystems will develop initially – before the big solution arrives, we will have narrow-scope identity ecosystems for industries, social groups, and communities. This may be the future for the next 5-10 years or more.
So, Identity has some things to do. In the next few newsletters, I’ll consider how to design an identity ecosystem and discuss some current approaches to developing identity solutions.
Regards
Alan