Please, I'm Ben Todd and there's only one of me: The case for a unified identity
We need a single digital identity to authenticate us at work, prove who we are to our energy company, and let us log in seamlessly to our favourite news site
My typical day might look a bit like this: I log into a digital newspaper in the morning and then sign into my virtual office; in the evening I tend to go to my local health club while logging in to a music streaming service, and I might call my bank or a utility provider on the journey home. Throughout the day I consider myself to be ‘Ben Todd’, the one and only Ben Todd, born on a specific day to a specific set of parents and with completely unique biometric identifiers. However, each service provider I interact with, whether it's my favourite newspaper, health club, bank or even my previous employer, seems to think it's a good idea to issue me with a separate digital identity. Moreover, the vast majority of those organisations assume control and ownership over their digital representation of me.
The personally identifiable information of the average Brit is ‘owned’ on average by 39 separate organisations
Research we recently conducted with 1,000 UK consumers confirmed that the personally identifiable information (PII) of the average Brit is held, or we could say ‘owned’, on average by 39 separate organisations. Perhaps more worryingly, a quarter of those we asked couldn't even estimate how many organisations held their PII. But why does this matter?
Well, we rely on the digital services provided by organisations to access new loans, to shop online, and for our social lives. This has been intensified by new social distancing restrictions which have made us increasingly reliant on the web. Our research found that 3.5 million people verified their identity digitally for the very first time during the recent lockdown.
The situation is becoming untenable. Every day it seems there is an otherwise well-managed company in the news for having lost the personal data of thousands, sometimes even millions, of its customers. Since 2014, major breaches have increased by 67 per cent, and with more than half of us using the same password to access multiple digital services, this situation is only going to get worse. It's time for everyone involved in identity to admit that a new approach is necessary.
So, what should we do about this situation? I have heard some argue that a decentralised network is the answer: self-sovereign identity enabled by a blockchain. While there may be a future for this technology, it is not yet ready for prime time. Whilst a record in a blockchain cannot be changed once entered (immutability), it is still very much possible to attack and alter the data before it is confirmed on-chain.
The answer instead lies in what I like to call a ‘unified identity’: a single representation of me, ‘Ben Todd’, in the digital world, which works when I'm authenticating to log on at work and which also helps me prove who I am when I call my energy company or log in to my online newspaper. You can think of this a little like a single passport that lets you prove who you are and travel to many different countries. After all, when you take a trip to Greece, the Greek authorities don't ask you to register with them and then keep a record of who you are; instead they defer to your single passport.
When it comes to IAM, we really need to draw a distinction between the ‘I’ and the ‘AM’
When it comes to authenticating at work, or identity and access management (IAM), we really need to draw a distinction between the ‘I’ and the ‘AM’. Two quite distinct jobs are really occurring. The first is verifying someone's identity, and as I've explained, I believe establishing who someone is shouldn't be the preserve of an employer. The second is the ‘access management’ aspect, i.e. the level of access or permission the verified person has within the company network, which absolutely should be the preserve of the company's IT and security teams. But the two tasks are most definitely discrete.
In the digital world a unified identity can be delivered by an "accountable guardian". Rather than decentralising a person's identity data, the guardian stores it centrally, but with significant checks and balances. Firstly, the individual's identity data (biometrics and PII) are tokenised and so can be managed securely through the system. Secondly, a fragment of the decryption key resides with the user, offering a cryptographically verifiable mechanism to prevent the guardian itself (or an employee) from abusing its power. It's only when the individual consents that their identity data is provided to an organisation for authentication purposes.
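As an added illustration of the split-key idea described above (example code, not Nomidio's system: the one-time pad and HMAC stand in for whatever cipher a real guardian would use, and the class names and token format are assumptions), the guardian below holds only its own key fragment, so it cannot decrypt a tokenised record until the user presents theirs, and a wrong fragment is detected rather than quietly yielding garbage:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragment length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SealedRecord:
    ciphertext: bytes         # PII one-time-padded under the full record key
    tag: bytes                # HMAC-SHA256 over the ciphertext, keyed by the full key
    guardian_fragment: bytes  # the guardian's share of the key; useless on its own


class Guardian:
    """Constructed 'accountable guardian': stores tokenised records, never the full key."""

    def __init__(self) -> None:
        self._vault: Dict[str, SealedRecord] = {}

    def enrol(self, pii: bytes) -> Tuple[str, bytes]:
        """Tokenise PII. Returns (opaque token, the user's key fragment)."""
        key = secrets.token_bytes(len(pii))                 # fresh pad per record
        user_fragment = secrets.token_bytes(len(pii))
        guardian_fragment = xor_bytes(key, user_fragment)   # key = user ^ guardian
        ciphertext = xor_bytes(pii, key)
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        token = secrets.token_hex(8)                        # handle given to relying parties
        self._vault[token] = SealedRecord(ciphertext, tag, guardian_fragment)
        return token, user_fragment

    def release(self, token: str, user_fragment: Optional[bytes]) -> bytes:
        """Decrypt a record for a relying party only when the user supplies their fragment."""
        rec = self._vault[token]
        if user_fragment is None:
            raise PermissionError("no user consent: guardian cannot decrypt alone")
        key = xor_bytes(rec.guardian_fragment, user_fragment)
        expected = hmac.new(key, rec.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.tag):
            raise PermissionError("reconstructed key does not verify; release refused")
        return xor_bytes(rec.ciphertext, key)
```

An insider at the guardian who reads the vault sees only ciphertext, a tag and one key share, which is the check-and-balance the paragraph describes.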
Now, rather than struggling to remember and secure all my various passwords for the multiple services I use, I can simply choose to authenticate using the accountable guardian when I log in. The business (newspaper, utility firm, etc.) no longer needs to hold my toxic PII, and I can prove who I am using my voice or face print, quickly and easily.
This type of approach can be compared to the role the credit card schemes play within payments infrastructure today. They help the individual to shield their card details throughout the payments chain whilst providing the trust and network that enable transactions to occur successfully. When it comes to identity, it's high time businesses helped their customers to benefit from a unified identity.
Ben Todd is director of worldwide sales at identity specialist Nomidio