The question of digital identity needs to be taken seriously

Malte Pollman, CSO, Utimaco explains the importance of digital identity.

In eCommerce and digital finance it is vital that the person logging into an account is the person associated with it. Fraud does happen in physical spaces, but it is much rarer because a person trying to pay on a card can simply be asked for an identity document like a driver’s licence to prove their identity, and even if they have somehow forged a driver’s licence they will be visible on security cameras. Digital spaces don’t have anywhere near that level of deterrent – anyone with a username and password can potentially access an account as if they were its legitimate owner.

The idea that there should be ways of proving one’s identity digitally that are as secure as those in the real world is not new. The UK government has already created a framework that would allow private companies to create digital identity systems, called Verify. Although they have now been taken off the table, a hypothetical ‘vaccine passport’ would have also bridged the gap between analogue and digital identities.

Analogue identity checks are based on a document with a high level of protection against forgery which is issued by a trustworthy authority – a passport or drivers license for example – and are considered the gold standard when proving identity. How can we create something just as trustworthy and secure in the digital space?

How are digital identities created?

Currently, many websites offer customers the option of logging in via existing Google or social media accounts, often secured with two-factor authentication or app-based verification. These are, by definition, digital identities but they are flawed in that anyone can create a new Google or Facebook account and there is no need to use a government-issued ID to verify your identity when setting one up. There is no equivalent of what the UK government wants to create – a single digital ‘document’, perhaps based in an app with biometric identification, that allows anyone to prove that they are who they say they are. It would necessarily have to involve submitting analogue forms of identification like passports when setting one up, which would then have to be verified as authentic either digitally or by humans, both of which have their problems and a potential for fraud and identity theft.

The transfer of an analogue proof of identity into the digital space is only one of the challenges with electronic identities. The other is to protect eIDs against misuse and data leaks. This means that there must be a simple way for a verifying authority to determine whether an eID presented to it is genuine. Under the new UK digital identity plans linked to above, the authority that issues and manages the digital identity plays a major role: the ID’s integrity is guaranteed either by the fact that it is issued by government institution or through certification and audit procedures if it is a private company.

The checking authority knows which issuers of certificates that confirm the digital identity are considered trustworthy and will generally only accept such certificates – in the UK, they will have to follow a trust framework. However, each time an ID is used it will still need to be clarified whether the certificate is genuine. This requires a process that guarantees a very high level of protection against forgery as well as easy verifiability and can be automated.

This is where asymmetric cryptography comes into play: the method is based on a private and a public key connected to each other using mathematical operations that are difficult to reverse, such as the multiplication of large prime numbers. Generating the public key from the private key is therefore trivial but getting to the private key from the public key is extremely difficult. The public key can therefore be made available to everyone. If this matches a certificate that was created with the corresponding private key, the certificate is considered authentic.

Any digital ID framework will have to be based on a public-private key architecture. Asymmetric cryptography is a highly scalable, robust method for keeping digital IDs secure, already used in thousands of applications in the public and private sector.

Promising approaches

But there is also an Achilles’ heel to asymmetric cryptography: the private keys must absolutely remain secret. Regardless of whether they are private trust service providers or state institutions, anyone who offers identity services based on private and public keys must ensure that the private keys are optimally protected. Hardware Security Modules (HSMs) are the ideal choice for generating and securely storing strong private keys. Compared to software solutions, they have the advantage that the keys themselves are not read into the main memory of a computer, which means that they cannot be compromised remotely. Some HSMs also have a real random number generator – important for generating top-quality keys – and are designed to resist next-generation quantum computing.

Digital identity documents solve a key problem in the digital world: being able to tell that somebody is who they say they are. Although there is likely to be a civil liberties pushback if a UK digital ID were mandated, they are likely to slowly become more common. For this reason, they need to be secured to the very highest standards, and the level of security that is possible with modern hardware security modules will be a key way in achieving this.

 

To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio

Tel: +44 (0) 1622 823 922
Email: [email protected]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

OneLink

Product Spotlight – Gallagher’s OneLink

Gallagher Security presents, OneLink – the product that is elevating remote security through the power of the cloud 
Pinaccle systems

Pinnacle Systems further supports Installers and System Integrators

Pinnacle Systems has launched the Pinnacle Partner Programme, a new initiative designed to provide enhanced support for installers…
Stephen Tickle

Comelit-PAC Appoints Stephen Tickle as Regional Sales Manager

Comelit-PAC has appointed Stephen Tickle as its new Regional Sales Manager.  Stephen will focus on supporting PAC’s access control…
Intersec Saudi

Intersec Saudi Arabia returns with record exhibition space

Intersec Saudi Arabia, the premier industry platform for security, safety and fire protection, will return to the Riyadh…
Abloy UK

Abloy Academy breaks attendance records

Abloy UK has achieved record breaking attendance at its Academy, with more professionals than ever attending its…
Hikvision

Hikvision Introduces X-ray Baggage Inspection System

Hikvision India has recently introduced X-ray Baggage Inspection System with AI- enabled Intelligent Recognition Capabilities…
GBV

IFPO Column: The Quiet Signals of Danger

Yoyo Hamblen of IFPO and Gary Simpson, Nonverbal and Behavioural specialist discuss the important topic of Gender-Based Violence..
Doorbird Carousel

Product Spotlight – Door Communication for the “Neue Wallufer”

 A customised solution case study for a residential complex is presented by DoorBird and CompuNet Systems GmbH 
suprema

Suprema Achieves EN 60839 Certification

Suprema, a global provider of AI-powered access control and security solutions, has achieved EN 60839-11-1:2013 Grade 3 certification
ASSA ABLOY

Electric locks are a vital component in digital access

To protect the important openings in their buildings, organizations need locks they can trust. This means more than just strength…
Scroll to Top