In the real world, proving your identity is pretty straightforward. When you show up in person to open a bank account, rent a car, book a hotel room, gamble at a casino or purchase alcohol, you present your government-issued ID, proof of address or whatever else might be required for the transaction, and the company you’re doing business with can physically see that you are who you claim to be.
This process gets far more complex in the digital world. Now, these same companies must find a way to verify that you are who you say you are, even though you aren’t physically there to present your ID or documentation. Companies must find a way to assure your digital identity matches your real-world identity.
So, what is a digital identity?
A digital identity is a reusable, digital proof of identity issued by a trusted authority with a known level of assurance. In simple terms, your digital identity is the compilation of information about you that exists in digital form — this can be everything from your date of birth to something you like on Facebook.
What Makes Up a Digital Identity?
The information that forms your digital identity can be grouped into two broad categories: your digital attributes and your digital activities. These pieces of information, either alone or combined together, can be used to identify you.
Here are some examples of each:
|Digital Attributes||Digital Activities|
|Date of Birth
ID Numbers (Social Security number, driver’s license)
Government-Issued ID Card or Document (passport, driver’s license)
Login Credentials (username & passwords)
Biometrics (fingerprint, face or eye scan)
Badges and Tokens
|Likes, Comments and Shares on Social Sites
Photos on Facebook, Instagram, etc.
Cell Phone Usage
Digital Identity: Currency for Fraudsters
Your digital identity acts as a sort of currency on the web. It can give you access to your accounts, allow you to open new accounts and give you credibility to engage in a trustworthy way with people, products and services online. On the flip side, the fact that your personal information exists online means that it is subject to hacks, breaches, copycating and theft. And with thousands of publicly disclosed data breaches and billions of exposed records every year, much of that previously personal information is now public information.
Learn What Gartner Says About Fraud Detection and Authentication
Market Guide for Identity Proofing and Affirmation
How Digital Identity Information is Exposed:
- Public Wi-Fi networks
- Unsecured websites
- Third-party data breaches
- Phishing attempts
- Weak or limited number of passwords
- Deepfake videos, voice and graphics
- Location sharing settings
- Adding strangers to social media accounts
“All the information is available if you know where to look,” explained Jumio CEO Robert Prigge. “There’s a very vibrant marketplace for identity information that can be resold and used against you.”
This “vibrant marketplace” is known as the dark web — a network of sites within the deep web, not accessible by search engines or through normal web browsing means. On the dark web, identity data is acquired, sold or dumped.
While people tend to think of Social Security numbers as valuable, they can be purchased on the dark web for as little as a dollar. Banking information and credit card details can garner a much higher price, and medical records are among the most valuable.
These marketplaces don’t just have individual identity data — they have bundles that combine a passport, a selfie and a utility bill to make the job of a fraudster that much easier.
Just having one or two pieces of someone’s digital identity can have a cascading effect that leads to an even more complete digital identity that can be used to access more and more secure, valuable accounts. Your pet’s name? Right there on Instagram. Your mother’s maiden name? Available on Facebook. Your date of birth and email address? Pretty darn easy to track down.
Issues for the Modern Organization
Let’s put our business hats on. Operating in an increasingly digital world, many organizations must be able to verify the identities of their customers and users online. Bad actors don’t belong in the online ecosystems of financial institutions, the sharing economy, online gaming, mobility services, dating sites and elsewhere. Organizations have a business imperative to care about and verify the digital identities of their users.
This imperative is driven by three key issues:
Your customers and online users trust that you will protect their data. But there’s another side to trust. In many industries, your customers or online users are interacting with one another. Whether a buy-sell-trade exchange, ridesharing, social media, dating site or other online platform, trust is the linchpin of it all, and the foundation of trust is establishing that the person on the other end of the transaction is who they say they are.
In fact, a recent study showed that two-thirds of consumers would be more likely to engage with a financial services business if it has robust identity verification. It also found that 83% of consumers think it’s important for social media sites to verify identities to hold users accountable.
2. Fraud Risk
The increasing array of identity information housed online is leading to a growing risk that this information will fall into the hands of fraudsters. This fraud doesn’t just hit your customers in the pocketbook — merchant losses to online payment fraud will exceed $206 billion cumulatively for the period between 2021 and 2025, according to Juniper Research.
Existing and evolving compliance mandates bring digital identity to the forefront of the minds of compliance managers and executives. KYC and AML compliance mandates are probably the most well known when it comes to their direct impact on online processes, especially account opening. But there are others, including California’s CCPA compliance rules and Europe’s GDPR (General Data Protection Regulation) mandates that are driving the need for companies to establish a strong link between digital and real-world identities of their online customers.
Compliance Made Simple
An Essential Guide to Simplify Your Compliance with 7 Key Requirements
What’s Wrong with Traditional Approaches to Online Identity Verification?
Most businesses currently use some combination of a classic security paradigm to gain an appropriate level of assurance that the identity of their online customer matches the real-world identity of the customer. This paradigm includes:
- Something the customer knows (e.g., security question, password)
- Something the customer has (e.g., ID badge, cryptographic key)
- Something the customer is (e.g., biometric data)
The problem with this model, however, is that organizations rely disproportionately on the first two categories — what people know or what they have. Unfortunately, things you know, like passwords and security questions, can be easily gleaned from the internet (or dark web) and things you have, such as a cell phone number or SIM card, are increasingly problematic because they can be damaged, lost or stolen.
At Jumio, we contend that businesses still asking only for a passport and utility bill are asking for the wrong information. They’re merely asking if a person is who they say they are versus who they really are. But what if that person has a legitimate but stolen ID document? Likewise, looking at an account record is no longer helpful. Companies need to know that the person interfacing with them online is who they purport to be at that very moment.
In its 2022 Market Guide for Identity Proofing and Corroboration, Gartner states, “the close interplay between identity proofing, fraud detection and user authentication across the user journey has become critical in establishing trust and mitigating risk online. The need to consider a broad range of risk and trust signals across events such as onboarding, login, credential recovery and high-risk activities like adding new payees and transferring funds in banking is foundational to concepts such as continuous adaptive trust.” Organizations need to move away from identity proofing solutions that rely on shared secret verification, such as out-of-wallet knowledge questions or memorable personal data (often used as part of knowledge-based verification solutions).
Asking the Right Questions
Are you really who you say you are?
Are you still really who you say you are?
If you think about it, these are the two questions companies should care most about when it comes to digital identity. The answers to those questions come through two interconnected processes: upfront identity verification and ongoing user authentication. Identity verification confirms the link between the digital and real worlds on the outset of the customer relationship — during account opening or enrollment. Authentication maintains the person who later logs into the account is the same person who initially opened the account.
Increasingly, modern enterprises are turning to biometrics for identity verification and authentication in order to answer the burning questions we posed above. Companies are using biometrics, alongside more traditional ID verification, to strengthen their defenses against online fraud, maintain compliance with AML and KYC, and to build trust in their online ecosystems.
The Future: Digital Wallets
Digital wallets are apps and services that allow you to manage and securely share your digital identity credentials, providing only the information needed for the transaction. Previously, you would submit your passport or driver’s license to prove your identity, which would give the business or agency access to all the data on that ID. A digital wallet allows you to control which data you share, which is critical for data privacy. For example, if you’re ordering alcohol for a corporate event, you need to share your age but should not have to share your home address, signature and driver’s license number.
At Jumio, we recommend a best-practice online identity verification process that ties the digital identity to a physical or digital ID issued by a trusted authority, and after the ID is proven to be authentic, the digital identity is further corroborated with a selfie and certified liveness detection to ensure that the user is physically present. This powerful combination of verifying who someone is, binding that person to face-based biometrics and further securing the transaction with liveness detection allows modern organizations to operate more securely in the digital world.
For more information on Jumio’s identity verification solutions, contact us to schedule a call.
Originally published: November 12, 2019; updated June 17, 2022