How Digital IDs are shaping the Future of Identity Verification

Once upon a time, identity verification was simple. You would bring a physical, original document to whoever needed to see it. They would check the validity of it, take a copy if needed, and that would be that.

Then the internet happened.

Now, we all carry a solid brick of metal containing the ever-growing expanse of human knowledge inside. And as we transitioned into the digital space, so did the services we use. This meant identity verification also had to make the digital jump. But that doesn’t mean it was a smooth process. Let’s take a look at how traditional identity verification works, how it struggled to adapt in the digital age, and what the future might hold for private, secure and convenient digital identity verification.

But first, why do we need Digital Identity Verification

For many services, it’s not important for them to know know much about you. Think of going to the supermarket, meeting up with friends or playing a social sport.

This isn’t the case for all services though, especially those in the financial sector or those who provide high-risk services. For these, preventing fraud and identity theft, and assuring non-repudiation, are key. Verifying the identity of any customer is the best way to achieve that. Some of the instances where you will be asked to verify your identity might be:

• Getting a passport, drivers license, or other governmental identity documents.
• Opening a bank account.
• Helping banks meet anti-money laundering and KYC regulations.
• Completing high-risk online transactions.

Even in the digital age, all these things still need to be done. One way to do this is to require everybody to complete identity verification in-person, but that impacts the accessibility of internet services which we have all become used to. So, as we continue to lean further into the digital space, we will rely on digital identity verification as a replacement for in-person verification.

How does Traditional, Physical Verification Work?

When verifying your identity in-person, you need to provide physical documents. Depending on the sensitivity of your actions, you may need to provide one, or a number of them, such as your driver’s license or passport. For example, if all you need to do is prove you are over 18, a driver’s license will generally do. However institutions such as banks need to be extra sure of who you are.

Points of Identification

In Australia, you’ll sometimes be asked to provide points of identification. This point system is designed as a guide for how much different documents are ‘worth’. The Australian Border Force publishes their recommendations on what each document should be worth, with some examples being:

Generally, the goal is to get to 100 points to verify your identity beyond a reasonable doubt. It’s important to recognise here that no single document is worth 100 points: you will always need to provide at least two documents. Some verifiers also require that at least one document is from the highest (70-point) group.

Verifying the Legitimacy of a Document

Once you have your points collated, the verifier will need to make sure your documents are legitimate. Unfortunately, no document will ever be ‘un-forgeable’ since anything done once can always be replicated. What they can do though is make it extremely difficult to imitate documents with the aim of dissuading potential forgery.

Documents can be forged, and that’s a fact of life.

Take the Australian Passport as an example. In 2022, the newest iteration — the R Series — boasted new security measures over the outgoing series. You can see a full list of security measures from Europe’s PRADO portal, but some are:

• Patterns on some pages are only visible under ultra-violet light.
• There is a raised bump-map of Australia on the photo page.
• A ‘colour floating image’ shows a slightly different image depending on the angle of light.

Any one of these measures is hard to recreate, so successfully replicating all of them becomes a daunting task. So if a document has these measure intact, verifiers can be quite certain that the document is legitimate.

Struggles of Digital ID Verification

During the digital transition, it became a critical step to find a way to verify somebody’s identity when they were potentially thousands of kilometres away and sitting on the other end of a screen. There was no reliable way to, for example, compare somebody’s photo to their face when you couldn’t see the real person. Sure, you could ask them to take a separate picture of themselves, but even that is easy to get around.

Something new was needed. But that’s not what we got.

Scanning Documents

To verify your identity, some platforms started asking you to scan and submit a copy of your physical documentation. For low-risk platforms, this method was ‘good enough’, with many platforms like YouTube or Facebook still offering this method to this day.

There are three core issues with this method, however:

1. Many security measures are not retained once a document is scanned. Things like, UV patterns, parallax effects or 3D bump maps have no way to be translated to a digital image, making documents much easier to physically forge. It is also much easier to digitally manipulate a digitally scanned document, so high-risk platforms cannot rely on this.
2. Sending complete documents has privacy concerns. Many platforms don’t let you redact any information, so they often receive, process and store more data than they need to. Not only does this go against data collection principles, but gives platforms direct access to your personal data. For some services, this may not seem like a big deal, but for others where the owner may also run a very lucrative and invasive advertising business, it can be hard to trust that your privacy always comes first.
3. You are placing a lot of trust in the security of the platform. Some platforms claim to not store your ID after verification, but not all services make that promise. And even if the information isn’t retained after verification, an undetected breach risks your information being leaked. You are often placing your trust in large, multi-national for-profit companies who could have ambiguous statements or dubious pasts.

Checking with Trusted Organisations

A method that some platforms have started to use is to verify your identity with trusted organisations. One service that offers this is ConnectID, which partners with Australian Banks to form a chain of trust. In this case, the bank acts as a middle-man, where you trust the bank with your information, and the platform trusts the bank to tell the truth. This means you don’t have to give your documents directly to the platform.

While this is a much-improved method of verification, it is still not perfect:

1. Depending on the provider, you might not hold an account with any of their partners. In the case of ConnectID, they are currently partnered with the big four banks, which a staggering 80% of Australian’s say they hold an account with. While this sounds impressive (and like a slight quad-opoly), it means 1 in 5 Australian’s can’t use ConnectID: a figure that is not nearly good enough to rely on.
2. You still have to provide a third-party some information about your account. Don’t get me wrong; doing this is by far a safer option than providing documents outright. However, you are still placing your trust in a third-party to handle your information with care during storage and transmission. You are also trusting them to not use it for anything else, such as secretly requesting more information about you.

Is this the best we have?

At the moment, probably. But that doesn’t mean things aren’t changing. There is especially one modern development and that might provide a private and secure method of digital identity verification. And it might be closer than you think.

But first ... Digital Identity Verification using Apps

Before we can go through the modern development, you need to know about apps that hold digital identities. Recently in Australia, we have started to see the launch of these types of apps. One of these is the Queensland Digital License app, which allows you to verify your identity in-person using your phone. While this doesn’t replace the old method of showing your physical license, it can be used instead of it.

• If you need to send an electronic document, you can export a PDF from the app which has been digitally signed by the Department of Transport and Main Roads. Digital signatures work by providing a cryptographically-secure way for an entity to certify data, like a document. So if the signature is valid, the information it contains is also valid. This means platforms no longer need complicated ways of verifying documents. Instead, they just need to trust the issuing authority: the much easier of the two steps.
• If all you need is to verify your identity or age in-person, participating venues can use the companion app: Verifier for Digital License. This app connects a verification device with your phone, opening a secure, direct communication bridge. This is great for both privacy and security, and gives venues an quick, easy and trusted way to verify your details without any documents changing hands. You are also in control of how much you share.

The one thing these cannot do however, is verify your identity to other apps. This means the issue of verifying your age to YouTube or your identity to Facebook is still elusive. The good news it, this might be changing.

The Hopeful Future: A chain of trust through your own device

Google recently announced that Android will soon support digital credentials, which could be the final piece of the puzzle for app-to-app verification. Paired with digital verification apps, a perfect world might give you a new option to, for example, verify your age to YouTube:

1. Navigate to where the YouTube app is requesting you to verify you are over 18
2. Select to verify using a digital credential
3. Android shows you all your credentials from all your digital wallet apps that support sharing the requested information
4. Select which credential you wish to use, noting the information it will share with YouTube
5. Android manages fetching the information from the app and presenting it to YouTube
6. YouTube only receives the required information

As YouTube receives your information through a chain of trust, it doesn’t need to see the original document. This method also ensures that only the least amount of information is shared: the only third-party communication that occurs is when the app receives your verified information. No scanning documents, take age assurance photos or going through a third-party bridge. Everything is done by you, on your device, and in your control.

If implemented well, this would be the best way to verify your identity online from a privacy, security and ease-of-use perspective. But that doesn’t mean it’s perfect.

Security of Digital Credentials

Just like all things, using digital credentials does come with risks, however these risks after often far less than those imposed by other methods of digital identity verification.

The primary way risk has been reduced is through relying completely on chains of trust. This shares some of the same benefits as ConnectID: the platform you are verifying with does not need to receive, process or store any unnecessary information. Although the benefit this has over ConnectID however is that all transmissions happen on-device through installed apps. Only once the app has the required information may it transmit it itself. This makes any information far harder to intercept, and doesn’t require any third-party services.

There are still ways your information could get leaked that you should be aware of though. Most notably, if your physical device is compromised, (infected by malware or stolen and compromised manually), your credentials could still be leaked. In these cases, anything on your phone — not just your digital credentials — are up for grabs. The best way to combat this is to ensure your devices are kept up-to-date and secured with a strong pin or biometric authentication.

What this means for our Future ...

Of course, we’ll have to wait and see how this technology progresses, but it is looking promising. By the end of 2025, Australia will have an age-restriction on social media platforms, so millions of Australians will be asked to verify their age with each platform. The current solution of ConnectID could prove an acceptable solution for many, but if digital credentials are available by this time, it could mean that users have a secure, easy and privacy-respecting alternative. This would be good for all Australians, no matter how concerned are about the current ways of verifying your age over the internet.

... which might be just around the corner

According to Google, this technology is coming soon, even if they don’t give any specifics on date. A key launch partner is Railcard, who will allow their customers verify they are eligible for discounted UK railway travel cards using this technology and their UK digital passport. If successful and effective, this could pave the way for other platforms to start rolling it out.

A Warning for an Alternate Future

This is just one direction that we could go, though. There are other ways that companies may try to verify your identity online, which range from okay to ineffective or outright dangerous. There are many out there showing the immense dangers of digital ids, but one of these more dangerous methods that is the collection of biometric data.

While we use this information to log into our phones, the data stored is generally a mathematical representation of our biometrics, is treated with the highest level of security, and never leaves your device. Sending this data anywhere carries unacceptable risk because we’re not just talking about a password here. If you are going verify your identity through facial recognition technology or other biometric-based identification, be absolutely sure about all aspects of the process before even considering using it.

Losing unique access to your biometric information is catastrophic. You can change a password, replace a phone, get a new name, but you cannot change your biometric information. If it gets leaked, so many attack vectors immediately open against you, and your ability to combat them is limited.

So where do we go from here?

Hopefully, we will choose the right path. If nothing else, it’s clear that the current methods of digital identity verification aren’t meeting the privacy, security and ease-of-use needs of the population. But we have a chance to improve this. We don’t need to have identity verification with massive tech company overreach. There is a middle-ground here, even if silicon valley would prefer you to think otherwise.

The key thing is: make sure you understand where your data goes. Removing something from the internet is a daunting, and often impossible task. It’s one thing when an embarrassing photo is shared online, but another thing entirely when it’s your identity at risk. It’ll be interesting to see where we end up over the next couple of years, but as long as you keep that one thing in mind, you’ll end up on better off than those who blindly go forward.