Towards a Secure & Streamlined Approach
With the shift to passkeys, biometrics, MFA, the ways we handle and confirm our identities are changing in various ways, but there is still no management solution that allows for 'true' identity management. The Queensland Government has now made their digital license available to the public, is this more than just a digital version and the first step to tackle our multiple digital identity issue?
Shifting from Email-Based Identification
The usual methods, mainly dependent on email addresses and passwords, are increasingly seen as obsolete due to growing cyber threats and privacy issues. A new model that uses secure government digital identity services, third-party identity verifiers, and advanced standards such as those advocated by Thales is emerging.
Our current identity management landscape, where a lot of applications use email addresses as primary identifiers and which is already under scrutiny, is full of security risks, from phishing vulnerabilities to data breaches. But change is on the way. Future identity management systems are expected to move away from storing personal identifiable information (PII) across multiple platforms. Instead, they will centralise identity verification through secure, third-party providers.
The Essential Function of Government Digital Identity Services
The Essential Function of Government Digital Identity Services Government digital identity services, such as the Queensland Government's digital identity project run by TMR (Transport and Main Roads), are becoming increasingly important. These services serve as a reliable and secure source of identity, enabling individuals to prove their identity once with the government. This single, verified identity can then be applied across different services, eliminating the need for repeated proofs.
A promising development in the field is the Trusted Digital Identity Framework (TDIF) from the Australian Federal Government . This framework provides a set of standards and guidelines for the creation and use of digital identities, with the goal of improving security and reducing the risk of identity theft and fraud.
Also is the National Harmonisation of the National Digital Licence initiative by Austroads. This initiative aims to harmonise the use of digital driver licenses and other credentials across Australia, allowing them to be used anywhere and anytime. Austroads is also piloting a Digital Trust Service that will allow businesses to securely and privately verify digital credentials.
One of the key technologies being explored in the field of identity management is the use of Zero Knowledge Proof (ZKP) records of transactions. This approach allows businesses to verify a person's identity using a digital license and online verification, without the need to store any personally identifiable information (PII). Instead, a ZKP record is stored, providing a secure and private way to verify identity. If the government supports this style of process, data breaches will have minimal impact on businesses and their customers.
Thales' Advanced Technology and ISO Adherence
Thales contributes significantly to this change with its cutting-edge technology and alignment with international standards, such as ISO/IEC 18013-5. The Thales Digital ID Wallet is a good example of the secure and compatible solutions that set the standard in digital identity management. Thales' dedication to security and innovation can be seen on their website: Digital ID Wallet – Credentials at hand (Mobile ID Services).
The Rise of Token-Based Authentication
A system of token-based authentication is becoming more likely in the future. A trusted government entity confirms a user's identity and gives them a digital token. This token, instead of personal information, is used for verifications with external products and services, greatly lowering the entities that have sensitive personal data.
User Benefits: Simplified Experience and Increased Awareness
The shift towards a more secure and streamlined identity management system should be welcomed by Australians, as it will alleviate the burden of managing multiple passwords and accounts. Imagine a seamless digital experience, where your password vault contains only a few secure digital tokens instead of a multitude of confusing credentials. This not only makes things more secure, but also simplifies the user experience.
However, a major concern is the lack of understanding and awareness about digital identity among the general public. Many people associate digital identity with data breaches, such as the one that occurred at Optus. In reality, the Optus data breach was related to photocopies of physical licenses and the capture of personally identifiable information (PII) on their systems. With a digital identity, there is no need to capture all the information, which greatly reduces the impact of a data breach.
If the private and public sectors work together to move towards this model, it could help educate users about the benefits and security of digital identity. By promoting a better understanding of digital identity and its advantages, we can encourage more widespread adoption and acceptance of this new approach to identity management."
Looking Forward
The future of identity management is full of possibilities, especially where business solutions like Microsoft's Azure AD and Entra ID meet government digital identity services. This is an exciting area because most government agencies usually use Microsoft infrastructure, creating a crucial link between identity verification and identity management. The aim is to simplify processes and eliminate redundancies in services.
But this shift is not without its hurdles:
Law Lags Behind Tech in Identity Management: Technology moves fast, but the law moves slow. There's a big mismatch between how far technology has come and how far the law has followed. This makes the legal situation for identity management messy and confusing.
Government Response is varied: The Federal Government has a plan for digital identity, but different regions are doing their own thing. For example, NSW tried to be ahead of the curve with digital licenses, but they were not up to scratch for fraud prevention. On the other hand, Queensland's TMR is doing well in this area, but it might clash with federal orders.
I think that in the future, we will have to juggle different kinds of 'true' identities, like how we use different types of cards for Medicare and driving. We might have to deal with both our official government identities and our corporate ones. This could be a great chance for third-party verifiers. They could connect the dots between these different identity systems, making sure that verification is smooth and safe.
This trend is shown by how Microsoft made Entra ID, a complete way to manage identity and access. It hints at a future where tools for managing identity in big businesses and digital identity services from governments might cross paths and maybe work together more, giving better and safer solutions for managing identity.
This evolution in identity management underscores the growing need for a harmonised approach, blending the strengths of enterprise solutions with the robustness of government-issued digital identities. The path forward will require careful navigation of legislative landscapes, technological advancements, and user-centric design principles to create a seamless, secure, and efficient identity management ecosystem.
Final Thoughts
The way we manage our identities is changing for the better in Australia. We're leaving behind the old, messy, email-based system primary keys and moving to a new, token-based one. This means more security, privacy, and convenience for our online interactions. The teamwork between government services like Queensland's TMR, Using Thales SDK, and strict standards like ISO/IEC 18013-5, is making a way for a future where managing our identities online is both safe and easy. This change isn't just a tech upgrade; it's a leap towards a more secure and smooth digital identity world for Australians.
Acknowledgement
We would like to extend our gratitude to Dean Johns, Security and Digital Identity Manager at Aliva, for his valuable contributions to the field of digital identity management and this article. As a key vendor for TMR's digital identity program, Dean has also played an key role in managing Aliva's Digital Licence Verifier product.
