5. Identity Performance: 3-party
So how good are the Identity processes that society uses? Do we have a problem?
In the previous newsletter I discussed 2-party Identity, the top row of the matrix below:
In this newsletter, I look at 3-party Identity, the bottom row of the matrix above.
The 3-party challenge
The really hard thing to do in 3-party Identity is identifying yourself to an organization that does not know you. You, the first party, have an identity held by a second party and you want to provide that identity to a third party who has no idea who you are.
Ponder for a moment how unusual this is in the world of ICT. How often are we designing processes for something we cannot directly verify?
This is challenging, so it is not surprising that we do not have many solutions. So this newsletter simply highlights a few of the solutions, however secure or insecure, that are currently identifiable.
The example above for in-person is the use of Verifiable Credentials like Aotearoa New Zealand’s Covid passport. The individual (first party) shows their Covid status (provided by the second party, the Health Department) to the café (the third party). This solution served a useful purpose: ensuring some compliance with Covid regulations. But it is not secure, so it is highly unlikely to be a long-term solution (more on that in a later newsletter).
In-person was initially based on, and is still largely based on, documents. The best known, and the one that works, is the closed system of passports. Other photo IDs, like driver’s licenses, sort of work too! But they also promote a counterfeit card industry!
On-telephone 3-party Identity processes do not exist! At least, I have not identified any Identity process through which I can identify myself on the telephone to an organization who does not know me. If you know of any, please let me know.
Due to the inherent insecurity of On-line Identity there are few examples. The most noteworthy is the nascent know your customer (KYC) industry, where individuals present a number of credentials and biometric information which are proofed to establish identity. The driver for KYC, Anti-Money Laundering legislation, is a legal requirement, so ease of use is not a high priority and a low cost is not essential.
There are other on-line solutions that I know of. In New Zealand Aotearoa, we have a Direct Debit payment capability. When set up, a payment request is generated on the customer’s behalf by the third party – it works quite well, but the setup is totally insecure. A second example is creating a connection between a bank and the Xero accounting platform by tunnelling – while secure, this is a very specific solution for a very specific problem.
I want to make three observations that reveal a lot about 3-party identity:
3-party is underdeveloped. While there are some very important uses, 3-party Identity just has not advanced. The furthest we have got is automating the checking of documents, which is not actually very far.
3-party is hard. This should come as no surprise – identifying yourself to an organization that does not know you is just not that easy when we do not have any general capabilities for Identity. Note that this is not necessarily true for Scandinavian countries! Hmm, something to ponder there.
3-party may become very important. You might suggest that 3-party is not that important, otherwise we would have developed solutions. I take a contrary view and suggest that 3-party Identity is fundamental now, and that future developments, such as open banking and Customer Data Right, will rely heavily on 3-party Identity. I think that has already been borne out by the need for enduring consent, a form of Identity, that has been key to the development, or lack of development, of open banking in Aotearoa New Zealand.
3-party performance
I’ve added a similar analysis for 3-party performance as I did for 2-party performance (note that for on-telephone, with no solutions, there are no measures for three of the performance measures):
The opinions below are based on very few examples but it is difficult to find any 3-party solution that gets a green light!
We have few available solutions.
Ease of use is poor. Few of the solutions we have are easy to use, other than those that lack security or are supported by closed systems.
Security is generally poor.
Costs are high.
Summarizing
So, in the last two newsletters I have covered 2-party and 3-party Identity processes in three environments. It shows lots of different methods:
My objective has been to measure the overall performance of Identity and my reading of the situation in the previous newsletter and in this newsletter is:
This is primarily a sea of red - performance is poor.
And so what? Well, given that Identity is a significant societal process, surely this is something we should be focused on!
Societies’ investment deficits in public infrastructure are now observable in broken water supplies, inadequate flood protections, road inadequacies etc. Deficits in Identity investment are harder to observe but they are equally real and just as important.
In the next few newsletters I’ll start looking at our options to turn this around.
Regards
Alan