Photo: iStock / Muhla1

Digital Identity is the Gateway to Growth, So Why is it so Broken?

  • Viewpoint
  • By Sarah Whipp (Callsign)
  • 29 July 2019

Sarah Whipp, CMO and Head of GTM Strategy at Callsign - which uses an AI-driven intelligence engine to analyze thousands of data points to help prove that someone is who they say they are - explores why digital ID systems must start with the individual

In the physical world, identity is easy: we meet someone – either through someone we already know who vouches for them or via a common interaction – that leaves enough of an impact that, should we see them again, provides a point of reference. As humans, we do it instinctively based on physical attributes and context; the more we interact, the easier identification becomes.

Not so in the digital world: after establishing identity (registering), each and every time we come back to interact, it’s the same set of steps, for everyone, regardless of familiarity or context. This is typically through a username and then a proxy (or substitute) for our identity, e.g. a password. We are all treated the same way every single time – it delays us from getting on. Now, multiply this by the number of different digital interactions you have every day.

“Digital” has moved beyond homogenous user journeys. We are in a personal world, with 56% of consumers abandoning brands that they considered had offered them a “bad customer experience,” and 25% “hating” having to repeat themselves according to the latest Freshworks study. The software that powers identity journeys has typically been built to reduce the associated operational and security costs – for example, the fraud costs of incorrectly identifying someone and the operational costs of password resets. As a result, users have homogenous journeys that cannot satisfy most people. What is the chance that the ideal digital experience is the same around the world, across all contexts and cultures?

Digital identification is the key to inclusive growth, according to a recent McKinsey Global Institute report, unlocking value of up to 13 percent of GDP by 2030. However, it does come with a lot of needs – whether it be an individual needing the means to create an ID to open up employment opportunities, or an individual wanting to close down opportunities fraudsters have to exploit her or his ID.

Access and use of digital identity has long been a concern to people. Companies need to fight against fraudsters gaining unauthorized system access, as well as managing the operational cost of forgotten credentials. And in addition, regulatory bodies are adding differing jurisdictional privacy and security laws.

So why is digital access and identity management such a challenge? Well, software programs started by using credential proxies like passwords, which were invented in the 1960’s. This was later adopted for internet access and evolved from there to higher level proxies like multi-factor authentication (rather than press the “reset” button) as our lives became increasingly digital. As a result, we have a plethora of proxies that can identify us on our behalf. But, most of the solutions are put in place by the various companies who want to confirm our identity fits into one of two buckets – either isolating some users (e.g. by requiring a smartphone for use), or providing a lowest common denominator approach (e.g. unsecure passwords).

From a societal perspective, one of the highest-growing global challenges we are facing is digital isolation. By putting in place solutions that require possession or capability – for example the means to own a smartphone, or location or ability to use it – companies exclude access to services for swathes of populations who arguably need access the most.

Organizations who offer digital goods and services are like most organizations – typically looking to drive the greatest adoption at the lowest price. This has meant designing journeys that the “average user” has the means and abilities to go through. It is a one-size-fits-all approach to access digital services and channels. “Username and password” is the most common approach. But as already mentioned, this old-fashioned method is proven to be unsecure, doesn’t allow for a personal approach (meaning a bad user experience), and ironically it is still costly. Moving to a more sophisticated methods tend to require smartphones, which exclude many people.

It is difficult to see how taking an “average” approach across any user population can work. This is identity we are talking about; it is about as “individual” a concept as there could be. In the physical world, we don’t segment the people we know into groups and then remember their characteristics by how they differ from the norm. The more we meet someone the better we know them, and the more we recognise them by their face, their voice, their walk.

Per the principles of Good ID, digital identity must start with the individual, based on their needs, circumstances and capabilities. By building a digital picture for each user, a government or company can provide a user experience that is customized for both organizations and their users. Callsign solutions are built around user consent, control, and choice. The value a user receives from accessing digital services can be reduced if accessing the service is difficult; by making sure all users have the capacity to get on and access services quickly and securely, Callsign helps entities meet the standard of Good ID.

Callsign’s software is used to authorize and authenticate both customers and employees. It protects both users and organizations from fraud. This can be done through collecting a broad variety of data across behavior, device, and locational use. By having the capability to build up a digital picture through the broadest dataset, organizations ensure that all users can build their own specific picture – an identity that is individual.

This picture needs to take into account culture (e.g. does the user want to share biometric data), circumstances (e.g. do they have the right technology), and capability (e.g. can the user manage the process). It should be able to do so without sacrificing security and transparency.

At Callsign, we have built our software to identify based on individual traits and means from the outset, so users can choose how they wish to be identified – e.g. allowing biometrics (or not), and at the same time companies can dynamically adjust their user journeys based on these preferences. We do so by supporting all options to confirm identity, ranging from telephone calls (for those with limited cell phone coverage), to biometric or behavioural recognition – importantly only using data at the time a person wants to access a service. Our customers range from global banks to the newest start-ups, and they offer users the ability to log on and use their services with appropriate friction.

By putting in place solutions that require possession or capability – for example the means to own a smartphone, or location or ability to use it – companies exclude access to services for swathes of populations who arguably need access the most

People often talk about frictionless-ness in our industry, but we believe that sometimes people want friction: for example, if you are transferring a large amount of money a little bit of friction can be reassuring, but if you want to view a balance you may not want any friction – it is both contextual and personal. We think our job is to design software for people, not users, and people deserve to have their needs respected, whether that is in terms of their personal choices or cultural preferences.

It is important not to ignore privacy needs of individuals, both now and in the future. Although a person may be willing and able to share biometric data, that might not always be the case. And certainly, those that are already privileged enough to have a digital footprint that is coveted by advertisers and the like want to have the option of managing what information is collected and how it is used. Callsign's approach helps illustrate how systems can be put in place, designed with the privacy needs of individuals in mind, by allowing users to choose which authentication elements to share and which to block, without impacting security.