The notion of identity – and how to balance online anonymity with accountability – has been a conundrum since the internet was invented. Indeed, the concept of digital identity is one that continually evolves alongside various regulatory and technological developments. But what exactly is digital identity?
Since 2015, France has had an identity federator called FranceConnect, and more than 40 million users have already used it. However, the digital identity offered remains a low-level identity. In 2021, FranceConnect+ was deployed to remedy this problem and offer the possibility of accessing more secure digital identities (substantial and high levels). France is one of the first countries to have introduced substantial-level identity into its national regulations, acting as a forerunner in this area.
What is digital identity?
Digital identity is the digital counterpart to the evidence we can provide in the physical world. As the digital counterpart of the identity document, it can provide the same level of confidence in online and sensitive use cases as an identity document can in physical use cases.
It is therefore a means of proving identity, but not only that. It is also a means of secure authentication, and can be used to prove certain attributes of identity such as age or nationality. As the CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority) points out, “identity is more than just civil status”.
Identification and authentication using a digital identity is a three-way game. The user, having created his digital identity with the help of an identity provider, will use it to authenticate himself with a public or private operator, more commonly known as a service provider.
The best-known use case is when entering into a remote relationship. Here, digital identity makes it possible to retrieve reliable identity data, rather than an identity document. It is also a means of accessing the different accounts we use every day. In this way, it makes our everyday lives easier, while improving the level of security of the services we access.
What are the different levels of digital identity?
Digital identity has been regulated at European level, enabling it to be transposed into national law. The eIDAS regulation sets three levels for digital identity:
- Low level: Most of the time, this is a username and password. However, this identity is subject to various risks, including phishing. Nevertheless, it remains suitable for uses that do not require a very high level of trust (checking the number of points on your driving license, for example);
- Substantial level: This is the level of identity most often expected for sensitive transactions in the world of payment and finance, but it can also be useful for other uses. A substantial-level identity is created face-to-face or equivalent, using an identity document, and involves strong two-factor authentication (2FA). The first factor is possession, proven with the user's telephone. The second factor is knowledge, such as a personal code chosen when the identity was created;
- High level: Although there are still few cases of this being used, most Member States have adopted a high-level identity. It is created on the same basis as a substantial-level identity, but the identity card used must be fitted with a chip, which acts as a cryptographic element at the time of creation. When the identity is used, the cryptographic element must be used for verification as a strong authentication vector.
How does digital identity work in practice?
Digital identity can be created in one of two ways: face-to-face or face-to-face equivalent, i.e. remotely. In the second case, which represents the majority of use cases, the process only takes a few minutes to complete. To do this, you need to take a photo of your identity document and a video of yourself, so that it can be determined whether the person creating the account is really the same person as the one on the document submitted. At this stage, a number of automated checks come into play to check the veracity of the information submitted. Finally, when a substantial or high-level identity is created, a human operator checks these elements.
Once the identity has been created, it can be reused in a matter of seconds on different services using two-factor authentication. For the user, the digital identity eliminates the need to use multiple IDs/passwords, thanks to a single gateway to a wide range of uses. They will also not have to scan or provide their ID every time they enter into a new relationship.
Finally, it gives them greater control over their personal data. The advantage of digital identity is that it provides only the identity data needed for the service, rather than all of it. This represents a step forward in data control. In terms of privacy protection, the CNIL recommends “identifying the need for trust in the service and using the lowest level of identification and authentication that meets this need”.
What are the benefits for service providers?
Digital identity offers a number of advantages not only for users, but also for service providers. It does not compete with current identity verification solutions; it coexists with them.
Thanks to digital identity, the level of confidence in authentication procedures is strengthened, particularly for those who do not yet have strong authentication. By eliminating the need for back-office document verification, digital identity reduces costs and eliminates a tedious and time-consuming task. It is also a major commercial advantage, since it reduces friction during the initial contact, thereby improving the conversion rate.
In all areas subject to Anti-Money Laundering & Combating the Financing of Terrorism (AML/CFT) regulations, digital identity makes it easier to meet Know Your Customer (KYC) obligations, by correlating numerous identity elements.
Last but not least, digital identity has a direct impact on the fight against fraud. Because it is verified by identification specialists, the data submitted is more reliable and less likely to have been stolen or falsified. Digital identity thus guarantees the reliability of identity data. In addition, digital identity providers are regularly audited and must comply with strict obligations, ensuring the security of the entire value chain.
What is the outlook for digital identity?
Although there are many use cases, digital identity is still in its infancy. It is set to become the standard for authentication and identification in the next few years, and we need to be prepared for this. By offering numerous advantages for both users and service providers, digital identity will revolutionize, simplify and secure our identification habits for the long term.
At European level, the prospects offered by the European Digital Identity Portfolio are also opening up new horizons. In addition to making it easier to identify oneself within services in other countries thanks to the interoperability of identities, it will be able to contain additional attributes, such as driving licenses or diplomas. The arrival of such solutions will have a direct impact on the user experience and on the way we interact with all our day-to-day services.
Content Manager at IDnow
Connect with Mallaury on LinkedIn