Fast forward to 2021 and it’s a very different picture. Applications run on a variety of platforms and in different locations. Meanwhile data can be stored anywhere from a personal computer to a smart watch.
This decentralised approach now needs to be applied to personal identity credentials. Rather than storing this data in a single location, it should be dispersed to individuals to be stored and used as they see fit.
An obvious storage location is the smartphone. From there, an individual could choose which third parties are able to access the credentials and for what purpose. As much or as little data could be shared depending on the context and identity requirements.
A secure digital wallet on a smartphone can store identity data in the same way that details of credit and loyalty cards are stored. All the data can be protected by requiring two-factor authentication, such as a passcode plus a biometric input like a fingerprint or facial scan, to gain access.
Individuals should also be able to determine how long shared identity credentials will be made available to third parties. In many cases, as soon as the particular interaction or transaction has been completed, the data should be erased.
A key advantage of this decentralised approach is that it removes the need for a large central store of identity credentials. These stores are likely to be attractive targets for cybercriminals, and so decentralising the data removes the potential for break-ins and theft.
It also allows different types of identity data to be held in a single location and readily accessed as needed. This can include data from passports, driver licences, and government-issued ID documents.
In the wake of the global pandemic, these secure digital wallets could also contain proof that an individual has had vaccine injections, making it possible to travel overseas once borders reopen.
Guidance and frameworks
To achieve an effective distributed identity system, activity needs to be directed by established guidance and frameworks. Ideally created by central government, these frameworks will ensure that the identity data rights of individuals are upheld and their credentials handled in a secure manner at all times.
Some guidance has already been provided by Australia’s Consumer Data Rights regulations. These dictate how organisations can access and share personal data, with an emphasis placed on permissions.
Further guidelines such as these are now required to cover personal ID data, how it is securely stored by individuals, and how and where it can be used.
This is particularly important in the wake of the widespread COVID-19 lockdowns. With an increasing number of people working remotely, there is a need for greater protection of dispersed identity data. Having standards in place that govern how this data is managed and used is now critical.
Staff also need to be educated about the threats they may face when undertaking online transactions. Fraudulent websites requesting that personal details be entered could result in both financial and reputational losses.
Another approach to ensuring the security of decentralised identity information is the use of a blockchain to provide immutable data protection with no single point of failure. This also removes the need to rely on a third party to provide protection and vouch for the validity of the credentials being shared.
While there are clearly some challenges yet to be overcome, the benefits of a decentralised approach to the handling of digital identities are becoming increasingly clear. Taking the required steps now will ensure all Australians can conduct secure online lives in the months and years ahead.