The ultimate goal of an identity system with symmetric recognition is to enable users of one digital ecosystem to securely access data or systems available in another ecosystem. This must happen without the need for a federation of digital ecosystem infrastructures and without further recording of user recognition data on each ecosystem where it must operate.
An identity system based on trust in a third party, which does not necessarily have to be the same for everyone, except in the case of the digital ecosystem, is proposed. Each entity that needs a digital identity chooses its own trusted identity provider (IdP) and then the identity providers, interacting with each other, will perform the entity recognition. An identity provider is an entity that creates, stores and manages digital identities to offer user authentication as a service, with the legal guarantee that the individual exists and the real identity can only be revealed through an authority.
There are many advantages using this authentication scheme, such as a solution for passport recognition or a more secure voting system. The user does not need to register multiple times, which better protects their personal data. Furthermore, the username can also be combined with an email of the same name, helping with contact management. The role of the IdP can evolve toward new services. In addition to managing the email associated with the digital identity, it can also manage the related messaging or voice over internet protocol services. Furthermore, considering the level of legal guarantee of the main identity, the identity provider can issue additional identities without personal data for anonymous but legal activity, such as the whistleblowing process or simply to receive a service without having to present an identity card, like when a person buys a coffee.
The use of blockchain would make it possible to make the set of IdPs as well as the users more robust. For example, this can be helpful when guaranteeing the integrity of the information qualifying the identity, such as the type of identity (natural or legal person) or if the authenticity of the physical identity has been verified by an authority, or if it corresponds to an adult. This general information can be provided without showing any personal data while still being true.
Identity providers must be managed by an international body that verifies their adherence to technical standards and manages the definition of new ones or exclusion of others. Only the existence of an accurate, rigorous and transparent control enables the necessary trust to be granted to the identity provider, in particular to that of the other entity that authenticates itself.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Modeling an Identity Trust System,” ISACA Journal, volume 6, 2023.