Por: Juan Carlos Escudero, Director de desarrollo de negocio de IPSA
From what we could call "physical identity", defined as the basic data set inherent to a person which is compulsorily registered (date of birth, sex, place of birth, name and surname....), with the digital economy we have arrived to the "digital identity", understood as any information related to a person which is distributed through social networks and other Internet services, and the one we are not fully aware of.
Another phenomenon that has occurred is the expansion of the concept of Identity to both Legal Entities (companies, institutions,...) and Assets (especially with the rise of the Internet of Things).
As well as its own evolution or expansion, identity is associated with different regulatory frameworks: some attempt to preserve people's rights (eg. Data protection laws), others regulate financial transactions or try to prevent criminal acts (eg. Laws to avoid fraud, money laundering, or the financing of terrorism).
This scenario has turned identity into a developing industry that includes services, platforms as well as hardware and software elements which allow a person to be identified and authenticated, to obtain the permissions to access certain resources and carry out transactions through Internet or private networks.
In this growing industry new technological solutions appear with great implications (Big Data, Blockchain…) but also new problems (such as the recent case of Facebook and Cambridge Analytica with the use of information from over 50 million accounts to influence the latest USA elections).
In this series of articles we are going to delve into the transcendence of the present moment and, especially in the immediate future of this industry: Identity. We will also discuss what is Addalia's vision for the "Identity Industry", its positioning and the the solutions it provides.
What is identity?
To begin with, and leaving academic definitions aside, we can say that identity is
the fact that a person (or a legal entity or an asset/thing) is who he or she is.
However, in practice, identity is not a generic concept, but is related to the type of transactions we make. Therefore, identity consists in the set of attributes that must be verified by one of the sides of the transaction in order for it to be carried out. Thus, we can say that identity is the fact that a person is who he or she is and that he or she has the attributes necessary to carry out certain transactions. In this way, a person could have several types of identities simultaneously (financial, health, etc.) that they would use conveniently in their different transactions.
The cycle of identity use
Once the identity-transaction link is established, we are going to discuss the cycle of identity use: the fundamental actions that are carried out on identity to do a transaction.
The first step, which is always necessary, will be to create the identity (which will constitute the core of a certain type of transactions) and on which some key operations can be carried out (Verification, Authentication, and Authorization) depending on the type of transaction. Let’s see what these fundamental actions consist of.
A. Identity creation - Question: ¿Who are you?…
To create an identity is to construct a new interpretation of an identity to be used in
a certain number of transactions. In this process, credentials of trust that may be used in future transactions are established.
Thus, the creation of an identity is an authoritative process that delimits a particular attribute or a set of attributes of an individual, entity or thing, so that the attributes can be used in future transactions to demonstrate the existence and uniqueness of that individual, entity or thing.
In the introduction we already mentioned that, for most people, the creation of a physical identity is carried out in the form of government birth registration. However, this identification mechanism which seems so familiar to us doesn’t exist in all countries. The number of people without an identity in the world is estimated at 1.5 billion, which is a problem if we consider that identity is considered to be an fundamental right by the UN.
There are other processes for the creation of identities by Public Administrations, or
authorized entities such as the National Identity Card (ID) or the Tax Identification Number (TIN), driving license or digital certificates for electronic signatures.
Answer:…. You already have an identity
B. Identity Verification (Evidence of Identity) - Question: How do we prove who you are?
Verification consists in demonstrating that the specific identity attributes are really connected to the person (entity or thing) that they are supposed to represent.
Its a confirmation process of at least one of the attributes of an individual or entity, either through self-certification or confirmation by a third party. Verification is also sometimes known as proof of identity.
Identity verification is normally carried out at the beginning of a transaction with a service provider. Verification is a requirement in the context of financial services in compliance with the KYC and AML protocols. The most widely used mechanism of identity verification is the physical presentation of an identification document.
Currently, there are services that do not require verification, such as websites and social networks where you can create accounts using pseudonyms without providing any identity attributes.
Verification processes are normally slow and costly for the service providers and tedious for users. In addition, they have to comply with the regulations on safeguarding and protection of information.
With ADDALIA’s solution IDDILIGENCE we help financial institutions and “regtech” companies to automate their identity verification processes.
IDDILIGENCE performs an automatic analysis of sensitive information in documents provided by the customer in the verification procedures of what we might call "financial identity”, in which, in addition to verifying the physical identity (through the established identity documents such as the ID card), it also verifies the capacity and the willingness to meet future financial obligations (documents such as pay slips, tax returns, utility bills, bank statements, etc. are used for this purpose).
Integrating IDDILIGENCE in their analysis and decision processes, our clients carry out the identity verification processes in a comprehensive, agile and efficient way, ensuring, in addition, compliance with current KYC and AML regulations.
Answer: Okey, we have proof of your identity.
C. Identity authentication - Question: How do we know its still you?
Authentication demonstrates ownership and control of a unique feature connected to an identity over time.
It provides, therefore, a unique evidence of ownership of a certain identity.
Authentication also carries out the process of establishing that one is performing transactions with the same institution iteratively over time.
There are several methods for performing online authentication procedures, the most efficient use multiple factors that are based on combining something the user knows (e.g. Password), something the user has (e.g. Smartphone), something the user is (e.g. Digital fingerprint) or something the user does (e.g. Repeat a sentence).
The classic example of authentication on the Internet is to use the User and Password. However, it is estimated that between 70-80% of users reuse passwords in different accounts, which means a high risk if either were hacked.
Answer: The evidence we have is authentic
D. Authorization of identity - Question: What do you obtain once we know who you are?…
The Authorization process determines what a user can and cannot do based on their identity
It is the process of establishing what rights or privileges should be granted to an individual, or entity.
Authorization normally requires a combination of verification and authentication. For example,
an on-line TV service allows us to access the channels contracted in a certain country. If we are in another country we may not be able to see certain content because the service uses the country as the identity attribute to perform the corresponding verification.
The authorization procedures requiere a great amount of resources to carry out the associated verification and authentication processes. One of the mechanisms used to simplify procedures is to directly authorize the devices (computer, smartphone, etc).
Answer: Ok, you have permission to do this.