What is digital identity?
It is a subject that regularly comes to the forefront, yesterday in the specialised press, today in the general media: digital identity. It is a recurring topic, because it concerns us all and has an increasingly important impact on our daily lives. If data security is the new hobbyhorse of European public actors, it is today the digital identity that we are trying to standardise in order to protect users' personal data and avoid their abusive or fraudulent use.
Digital identity: definition
The definition of digital identity may still be unclear in some minds, and for good reason: it is a rather new concept on the scale of the internet and has only recently been given attention.
Let us begin by recalling that an identity is specific to each individual and that it evolves with him or her throughout life. Identity is guaranteed by the State and represents the set of criteria that make it possible to identify an individual: first name, surname, date of birth, physical characteristics, parentage, etc. Other attributes may complete this identification, such as marital status, fingerprints or employment. In legal terms, identity is:
All the elements which, according to the law, contribute to the identification of a natural person (in society, with regard to civil status): surname, first name, date of birth, parentage, etc.
Digital identity extends this definition by adding digital attributes such as login credentials (email address, password) or IP address. More generally, digital identity is the set of attributes and data that identify an individual, an organisation or a company online.
With the massification of Internet use and the democratisation of the cloud, the issue of storing personal data online and securing it has become central. This is illustrated by the massive data leaks experienced by private companies such as Facebook or public players such as the AP-HP, which have highlighted the vulnerability of personal data management systems, which are often centralised. It is to counter these possible flaws that many players are now offering solutions enabling users to benefit from a secure digital identity.
Digital identity management today
Today, it is possible to create an account or to identify oneself through a single service such as Google or Facebook (to buy a product on an e-commerce site or to subscribe to a streaming service...), but also LinkedIn (to send an application to a job offer). These ways of identifying oneself to access online services have enabled millions of Internet users to benefit from a simple solution - no need to remember all one's passwords - and practical - automatic entry of login information on any device saves precious minutes - but are they any more secure?
In view of the increasing number of data leaks and personal data processing practices, the European Commission has updated the eIDAS (Electronic IDentification And Trust Services) regulation. This second version aims to provide a strict framework that applies to electronic identification, trust services and electronic documents. It provides a real interoperability framework for all EU Member States for electronic identification and transactions and thus allows the development of a single market for digital trust.
This regulation provides for three levels of guarantee for electronic means of identification, which are granted according to compliance with minimum specifications, standards and procedures. These are as follows:
- the low security level which simply reduces the risk of misuse or identity theft
- the substantial level of security, which substantially reduces the risk of misuse or alteration of identity
- the high level of security, which prevents misuse or alteration of the identity
Guided by the eIDAS regulation, many so-called trust services have been able to implement secure identification devices. In the future, we will see services related to the management of electronic attestations of attributes in secure digital identity portfolios.
Towards a decentralised digital identity
To facilitate the standardisation of practices and provide users with greater security, many solutions exist and one in particular seems to stand out: decentralised digital identity. On paper, it is the solution that most respects the philosophy of eIDAS 2nd version while offering a level of security that traditional digital identity management systems cannot provide.
Currently, most digital identity management services are centralised. They are based on the creation of a user account per individual for access to an offer, a service or more generally to a platform. In this format, the individual has as many digital identities as he has profiles (it is estimated that each person has, on average, 150 Internet accounts).
With the increase in security breaches in recent years, so-called "federated" systems have emerged. Gone are the days of 150 accounts to access 150 services: it is now sufficient to use a single digital identity to access services on different sites. It is now common to use one's Google account to create an account on an e-commerce site or to use one's Facebook account to access the Netflix service. This approach is much more practical, but it still comes up against the need to create several accounts with several providers, because there is not one identity provider that works with all sites.
Both approaches are flawed:
- Centralised systems require users to create an account for each service, which is time-consuming (adopting a password management service is unfortunately not the norm) and often results in the use of a single password for all of these services, which can be vulnerable.
- Federated systems, on the other hand, offer a low level of security - one data leak at an identity provider and all accesses linked to that provider are compromised. Not to mention the lack of control and transparency over the use of individuals' personal data.
How does decentralised digital identity enable control and security?
Decentralised digital identity is the solution of choice to compensate for this lack of control or security, while being compatible with the GDPR and the second version of eIDAS.
But what is decentralised digital identity?
Decentralised digital identity can be defined as a mechanism that allows users to directly administer their own digital identity through the use of a distributed ledger architecture such as blockchain technology. Thus, instead of manually creating and managing accounts (centralised identity) or trusting identity providers (federated identity), decentralised identity places the individual (the holder of his or her identity attributes) at the centre of each of his or her digital interactions with an issuer (the author of the documents justifying a person's identity attributes) and a verifier (the entity that wishes to verify the user's identity for access to its services or products). This tripartite relationship, also known as the triangle of trust, offers a new level of security and control.
The user thus regains control of all the data relating to his identity and thus decides to whom he wishes to give access or not. This decentralised identity thus allows more secure access to digital services, financial and digital services, health services, data related to private life, etc. To find out all about decentralised digital identity, we have published a white paper detailing the practicalities of a decentralised digital identity system.
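The triangle of trust described above, as an added example that is not taken from the article or from any eIDAS wallet specification: an issuer signs a credential, the holder reveals only the attribute he or she chooses, and the verifier checks both signatures against a registry. It goes slightly beyond the text by using salted digests for selective disclosure; the in-memory `registry` map (standing in for the distributed ledger), the identifier `issuer:example-registry` and all attribute values are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');
// Stand-in for the distributed ledger: issuer identifier -> public key (PEM).
const registry = new Map();
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const digest = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer: signs salted digests of the attributes plus the holder's public key.
function issueCredential(issuerId, issuerKey, holderPem, attributes) {
  const disclosures = Object.fromEntries(Object.entries(attributes).map(
    ([name, value]) => [name, { salt: crypto.randomBytes(16).toString('hex'), value }]));
  const digests = Object.entries(disclosures).map(([n, d]) => digest(d.salt, n, d.value)).sort();
  const payload = JSON.stringify({ issuerId, holder: holderPem, digests });
  const signature = crypto.sign(null, Buffer.from(payload), issuerKey).toString('base64');
  return { payload, signature, disclosures };
}

// Holder: reveals only the chosen attributes and signs the verifier's nonce.
function present(cred, holderKey, reveal, nonce) {
  const disclosed = Object.fromEntries(reveal.map((n) => [n, cred.disclosures[n]]));
  const proof = crypto.sign(null, Buffer.from(nonce + cred.signature), holderKey).toString('base64');
  return { payload: cred.payload, signature: cred.signature, disclosed, proof };
}

// Verifier: returns the proven attributes, or null if any check fails.
function verify(p, nonce) {
  const { issuerId, holder, digests } = JSON.parse(p.payload);
  const issuerPem = registry.get(issuerId);
  const sigOk = (data, key, sig) => crypto.verify(null, Buffer.from(data), key, Buffer.from(sig, 'base64'));
  if (!issuerPem || !sigOk(p.payload, issuerPem, p.signature)) return null; // unknown issuer or forged credential
  if (!sigOk(nonce + p.signature, holder, p.proof)) return null; // replayed or stolen presentation
  const proven = {};
  for (const [name, { salt, value }] of Object.entries(p.disclosed)) {
    if (!digests.includes(digest(salt, name, value))) return null; // altered attribute
    proven[name] = value;
  }
  return proven;
}

// Constructed sample data: keys, identifier and attributes are illustrative.
function demo() {
  const [issuer, holder] = [0, 1].map(() => crypto.generateKeyPairSync('ed25519'));
  const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
  registry.set('issuer:example-registry', pem(issuer));
  const cred = issueCredential('issuer:example-registry', issuer.privateKey, pem(holder),
    { surname: 'Doe', birthDate: '1990-01-01', over18: true });
  const nonce = crypto.randomBytes(16).toString('hex');
  return { nonce, presentation: present(cred, holder.privateKey, ['over18'], nonce) };
}
const run = demo(); console.log(verify(run.presentation, run.nonce));
```

The verifier learns only `over18`; the surname and birth date never leave the holder's wallet, and a presentation captured by a third party fails against a fresh nonce.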
The decentralised digital identity mechanism thus offers security and control guarantees that correspond to the spirit and European philosophy of the eIDAS regulation in its version 2 but also to that of the GDPR.
Decentralised digital identity on a European scale
The EUid regulation proposal submitted by the European Commission in June 2021 goes in the same direction as this decentralised identity project, which is already well underway around the world. Here, the aim is to offer all citizens and companies access to a national digital identity that can be recognised throughout the European Union. In other words, it is a question of providing each citizen with a free digital wallet, which will allow him/her to identify him/herself in the same way wherever he/she is in the European Union on the major online platforms. The eIDAS version 2 regulation allows all technological actors to appropriate decentralised identity to create a solution that ensures security and control of individuals' personal data.