Digital Identity is fundamental to digital strategy—not just as a (the!) key component in keeping people, data, systems and organisations secure; nor just as the way to ensure that we meet our sectoral, regional, national and international regulatory compliance requirements; but as the primary enabler of any digital-first business. To put it another way: without a strong digital identity foundation, your online aspirations will falter.
In the physical world, if your business is hard to access, you will see less footfall—customers will find what they need somewhere else. If you put barriers between your internal workforce and the third-party services they need to use, then at minimum your business will be less efficient than it should be; and at worst your team members will look for a job somewhere else where they can be more successful. In a digital context, then, this means making it easy, as well as safe, for customers (or citizens) to log in and to use your services; it means making supplier or distribution partners' systems easily accessible, without having to authenticate anew every time.
Hopefully this isn’t news to you! But the world of digital identity—the tools and techniques available to us, the new threats against which we must protect, and the regulations we must comply with—is changing fast. Keeping pace is a challenge, but there are real advantages to be gained in staying current.
Take, for example, the advent of passkeys. An industry-standard replacement for the traditional username and password, passkeys provide a much safer way for users to log in. A passkey is a digital key—a cryptographic key-pair—which is resistant to phishing. Put simply: with a passkey, there is no password for a bad actor to steal. This is evidently safer for your users, but it is also safer for the organisation. If you suffer a data breach, there is less sensitive information for the bad actor to steal. Thousands of organisations worldwide have already adopted and deployed passkeys: this is an active and present trend that you can already take advantage of. (Visit the FIDO Alliance for more information about passkeys.)
You can, of course, combine passkeys with additional two-factor authentication methods to provide additional security, which brings us to an emerging innovation which Identity teams are starting to put into practice: continuous identity. With a continuous identity design, we make risk and access decisions about a given user continuously as they work with an application, based on additional real-time inputs. A simple example: we could use a passkey for initial log-in, but then prompt for an additional security factor when that user tries to carry out a more sensitive operation. Now imagine that we can actively receive additional indications—“signals”—from multiple sources whilst the user is navigating the application. These might be fraud or risk signals from a third party, or they might be internally-derived data points which can tell us more about the overall risk level for that particular user. We can then actively adjust what the user is able to do, always starting from (and returning to) a position of no access—“zero privilege”. This approach is relatively new, but early adopters are starting to leverage the relevant standards (in particular the Shared Signals Framework from the OpenID Foundation) and the emerging architectures, and are seeing significant benefits not only to their risk profiles, but also to the overall user experience.
Looking further ahead, digital identity wallets and related personal digital identity tools are on the horizon. Identity wallets have the potential to put ownership of personal data back into the individual's control, whilst at the same time providing that data in a more authoritative and trustable way to an organisation that needs it for a given transaction. Wallets and related credential specifications (including, for example, the verifiable credential and the mobile driver's license specifications) also offer powerful tools such as selective disclosure. Imagine that you need to know whether or not a customer is over 21. Today, you might find that you need to run a full identity verification process (with the attendant data collection and storage risks, as well as the friction impact on the user experience). With selective disclosure, the customer could simply provide you with a verifiable proof that they are over 21, without having to provide additional and unnecessary data such as their date of birth, or proof of identity. Personal identity constructs like these will be vital in providing ever-smoother online experiences for customers and workforces alike.
Crucially, they will also help protect organisations by significantly reducing the amount of data they have to collect and store. There has been a tendency towards collecting more data about people (and organisations) rather than less. Recent regulatory developments coupled with the over-promotion of identity verification tools have led many organisations to conclude that the collection and storage of sensitive personal information is a business necessity rather than an option. A more discerning perspective is both possible and desirable to avoid proofing fatigue and trust erosion; to mitigate immediate risks to the organisation; and to avoid the longer-term systemic failure of identity verification constructs. When identity proofing is truly required, we need to be able to trust that it will work.
This is just a snapshot of direction in the digital identity sphere. There is plenty of active development in areas like authorisation; identity for AI systems—both for large language models (“LLMs”) and for AI agents; machine and workload identity; and much more besides. Particular innovations will, from day-to-day, get more or less hype; and in some cases there will undoubtedly be pressure to move more quickly than might be wise! But take time to get the fundamentals right, and take advantage of the new but well-grounded technologies and techniques that are available today. Doing so will yield immediate benefits and at the same time will lay the right foundations to meet future demands.
—Andrew Hindle
About the Author
Andrew Hindle is an independent consultant focusing on digital identity, privacy, cyber security, and corporate governance. He is the Identiverse® Conference Chair, serves as a non-executive member of the board at Curity®, and sits on the program committee for Authenticate and the UK Advisory Board for the Kantara Initiative. Andrew has over 25 years’ experience in the software industry in a range of technical sales, pre-sales, product marketing, business development and corporate governance roles. He maintains CIPP/E, CIPM and CIPT privacy certifications with the IAPP; a CIDPRO certification from IDPro; and holds a BA in Oriental Studies (Japanese) from Oxford University together with an advanced professional diploma in corporate governance. Andrew is based in the UK, and can also be found online at hindleconsulting.com and linkedin.com/in/ahindle.
Hi-Res Photo (colour): https://hindle.link/pic
Hi-Res Photo (B&W): https://hindle.link/pic-mono