Q&A attributed to Arvind Swami, Director FSI, Red Hat Asia Pacific | 24 March 2022
Since digital payments are becoming increasingly popular, users are perhaps more vulnerable to cybersecurity attacks than ever before. The answer to this increased risk? A self-sovereign identity (SSI)—especially for the financial services sector.
What is Digital Identity and why is it important?
First, we need to understand what a digital identity is. A digital identity is simply a collection of electronically stored features associated with a uniquely identifiable individual. Examples can include usernames and passwords, date of birth, and electronic transactions. Typically, we establish multiple digital identities, including creating new accounts for each service provider we enrol with, or through third-party login mechanisms (although these are generally considered insecure for financial services).
When we establish a new account for each new sensitive service we sign up for, we may potentially face two problems:
- We create several identities with multiple providers, all different but each representing the same person—all of which are vulnerable to identity theft with no easy or standard way to verify them.
- We have no way of knowing when our identity is used, by whom, or when/if to revoke consent to usage of that particular identity.
What are the principal drivers that necessitate a shift towards a more secure digital identity?
The pandemic forced everyone to go digital. Many companies were unprepared for the necessary changes in procedures and infrastructure associated with the wide acceptance of remote work. Network providers were challenged by an unprecedented rise in traffic demand, and many service providers had difficulty anticipating and enabling the corresponding client increase.
Impacts of the pandemic on the consumer side were also immediate, including both quantifiable and behavioral elements. Already an established trend, the virtual consumption model has only accelerated in momentum, based on convenience, health perception/protection, and regulatory mandates. There was a significantly smaller proportion of payments being made in-person as isolation kept people at home.
Customers were being advised to avoid cash for hygienic reasons and many businesses now discourage cash. As a result, contactless cards and digital wallets saw a spike in usage—reinforced by the preferred usage habits of newer generations. In Asia Pacific, digital payments will continue to increase, with a predicted average annual growth rate of 16% from 2020 to 2025.
Over the duration of the pandemic, it became clear that digital identity had become of paramount importance as an answer to ever-present security issues, which the pandemic amplified. In just a year between May 2020 and May 2021, there was a 168% increase in cyberattacks in Asia Pacific. Within the financial sector globally, the number of online card fraud attempts increased by 23%, according to Feedzai’s Financial Crime Report Q3 2021 Edition.
How can we protect our identity in the digital world?
In the physical world, we’ve adopted standard and verifiable practices for obtaining and maintaining permanent identity-related documentation, such as a passport or driver’s license. Either of these documents is accepted globally as an identification medium and is trusted as such.
A self-sovereign identity (SSI) can be the solution for the digital world. SSI is a term or approach used to describe the digital movement that recognizes an individual should own and control their identity without the intervening administrative authorities. It is a two-party relationship model, with no third party coming between the individual and the issuer. For example, SSI begins with a digital “wallet” that contains digital credentials. It acts like a physical wallet where a consumer carries credentials issued by others, such as a passport or driver’s license.
For SSI to work, it should consist of the following four basic flows and elements:
- Decentralized Identifiers (DID): a channel to prove your identity and exchange verifiable digital credentials where there will be no central registration authority, as every DID is registered directly on a blockchain or distributed network.
- Decentralized Key Management System (DKMS): a proposed open standard for managing the private keys you need for DIDs, which includes robust, highly usable key recovery. DKMS key recovery supports both offline recovery (“paper wallet”) and social recovery (“trustee”) methods.
- DID Authentication: a simple standard way for a DID owner to authenticate by proving control of a private key.
- Verifiable Credentials: a format for interoperable, cryptographically verifiable digital credentials being defined by the W3C Verifiable Claims Working Group.
Consumers will benefit in instances such as loan processing (with accompanying credit check verification) or when establishing a new bank account or a new internet contract (with identity and residency manual verification). Service providers will benefit too, as they will be able to minimize fraudulent account creation and simultaneously protect both parties from phishing attacks.
Whether driven by new realities in consumer behavior that might become permanent or taken in response to regulatory issues which hope to enhance security and limit fraudulent activity, the concept of robust digital identity has deservedly risen in importance.
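The DID Authentication element listed above (a DID owner proving control of a private key) can be sketched as a challenge-response exchange. This is an added example, not code from the original article or from any SSI project: the in-memory registry stands in for DID resolution on a ledger, the function names are hypothetical, and the `did:example:` identifiers and `.example` domains are constructed sample values.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for resolving a DID to its public key (hypothetical).
const registry = new Map();
function registerDid(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  registry.set(did, publicKey); // published
  return privateKey;            // stays in the holder's wallet
}

// Verifier: one-time challenges bound to the verifier's own domain.
const pending = new Map(); // nonce -> { domain, expires }
function issueChallenge(domain, ttlMs = 60000) {
  const nonce = crypto.randomBytes(16).toString("hex");
  pending.set(nonce, { domain, expires: Date.now() + ttlMs });
  return { nonce, domain };
}

// The exact bytes the holder signs and the verifier checks.
const payload = (did, nonce, domain) => Buffer.from(JSON.stringify([did, nonce, domain]));

// Holder: sign the nonce together with the domain the wallet is talking to.
function respond(did, privateKey, nonce, seenDomain) {
  const sig = crypto.sign(null, payload(did, nonce, seenDomain), privateKey);
  return { did, nonce, domain: seenDomain, sig };
}

// Verifier: returns "ok" or the reason for rejection.
function verifyResponse(resp) {
  const entry = pending.get(resp.nonce);
  if (!entry) return "unknown-or-replayed-nonce";
  pending.delete(resp.nonce); // single use
  if (Date.now() > entry.expires) return "expired";
  if (resp.domain !== entry.domain) return "wrong-domain";
  const key = registry.get(resp.did);
  if (!key) return "unresolvable-did";
  const ok = crypto.verify(null, payload(resp.did, resp.nonce, resp.domain), key, resp.sig);
  return ok ? "ok" : "bad-signature";
}

function demo() { // all DIDs and domains below are constructed sample values
  const alice = "did:example:alice", bank = "bank.example";
  const aliceKey = registerDid(alice), otherKey = registerDid("did:example:other");
  const good = respond(alice, aliceKey, issueChallenge(bank).nonce, bank);
  const first = verifyResponse(good), replay = verifyResponse(good);
  const wrongKey = verifyResponse(respond(alice, otherKey, issueChallenge(bank).nonce, bank));
  const relayed = verifyResponse(respond(alice, aliceKey, issueChallenge(bank).nonce, "phish.example"));
  return { first, replay, wrongKey, relayed };
}
console.log(demo());
```

Because the wallet signs the domain it is actually connected to, a response collected on a look-alike site fails the domain check at the real service, which is the phishing protection the article attributes to SSI.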