Understanding the First Digital Identity Accreditations
It was once said that “the future is not something to predict. The future is something to build.”
So far, that’s certainly been true of the Internet, which, once it was created, changed our entire trajectory and way of life. Through the World Wide Web, we built our future, and now it’s time to upgrade, in a sense—to “build out” for a better tomorrow.
This path forward is through trusted digital identity.
Since the dawn of the Internet, not only have both the business and social landscapes shifted dramatically towards digital, but technology has also transformed to match. Even so, it has taken over seven years, from when discussions first started about using public/private key cryptography to transform Internet trust, to get to this new stage of our digital lives.
But we are here now—digital identity has become critical and as such, so has protecting it. Schellman has a dedicated practice in this area, and our experts have authored and contributed to different comprehensive governance and trust assurance methodologies over the years. This article won’t address those, but we will go over what digital identity is, its evolution, and its importance before we introduce the first accreditations that have been announced across the globe.
The Internet is shifting yet again—get a leg up and understand what’s coming so that you’re that much better prepared.
What is Digital Identity?
If you consider what it takes to protect your identity online right now, experts agree—as you also probably do—that the current usage of hundreds of separate user id/password combinations supplemented with activation codes texted to your smartphone doesn’t work and doesn’t scale.
It’s the equivalent of asking yourself, “do I have my phone, ID, keys, wallet, etc.?” before you leave your house. (You likely know the pain of forgetting one of those things and having to go back—or worse, losing one.)
Let’s illustrate this further by exploring how we identify ourselves in the physical world. When you think about it, our identity is comprised of a history of transactions in life and their corresponding documents. We:
- Are born (birth certificate);
- Go to school (transcripts);
- Graduate with a degree (diploma);
- Obtain work certifications (credentials);
- Drive a car (driver’s license);
- Travel to other countries (passport);
- Buy a house (title);
- Get health insurance (health insurance card);
- Buy things on credit (credit card); and
- Join clubs (membership card).
These transactions—and their documentation—define us; the more we have, the more support and confirmation there is for our identity.
But now that most of our lives are online, digital identity seeks to streamline all these different things with the help of Web 3.0, the upcoming new iteration of the Internet. Rather than all those different digital IDs for different places, stored in all different places, digital identity seeks to give control of that personal information back to the individual user, removing the need to store personal information entirely on a central database.
Why the Shift to Digital Identity?
For that reason, it’s been a controversial subject that’s sparked its share of loud arguments at conferences over the years. But as we experienced during the pandemic, when our physical life needs converged with the trust limitations of the Internet, it’s clearer than ever that we must make a global effort to fix a common Internet problem.
Identity theft, phishing, malware, and ransomware have created an intolerable level of anonymous distrust that won’t let us bury our heads in the sand any longer. In 1993, a comic in the New Yorker said, “on the Internet, no one knows you are a dog.” Thanks to all these cyber threats and their increasing levels of sophistication, it’s also difficult for merchants and other people to trust that you are who you say you are online.
Fixing that will be critical, given the now-greater demand to exchange digital assets of true value in the form of currency, titles, and personal credentials. As the metaverse looms out there in the farther-off future, the digital immersion ecosystems we have now require that we solve this fundamental problem of digital identity.
Digital Identity Accreditations Across the World
That will mean protecting these things, and one clear sign that digital identity is moving closer to legitimacy and accountability is the emergence of the first accreditation schemes to do that. Identity proofing and credential services companies will now need to obtain these if they want to operate in major jurisdictions such as the U.S., U.K., and Canada.
Digital Accreditation in the United States
Starting here in America, you’ll need to pass Kantara (US) accreditation, based on National Institute of Standards and Technology (NIST) standard 800-63.3, if you’re deploying digital identity services to U.S. government agencies.
This accreditation—a conformity assessment program—is already required by government contracts in order to do that work.
Digital Accreditation in the United Kingdom
Over in the U.K., a pilot accreditation scheme is also now operational. Overseen by the U.K. Ministry of Digital Culture, Media and Sport’s UK Digital Identity and Attributes Trust Framework, this pilot certifies providers of digital identity document validation technology (IDVT) for the government oversight processes of the right to work, right to rent, and disbarment (criminal background) checks.
This scheme is based on UK identity standards GPG 44 and GPG 45, and Kantara (UK) is one of a small handful of certifying bodies that are involved.
Digital Accreditation in Canada
Finally, our neighbors to the north have introduced the Pan-Canadian Trust Framework (PCTF), a landmark digital identity governance framework that has been lauded as a model for digital identity serving a jurisdictional ecosystem.
The PCTF was created by The Digital Identity Authentication Council of Canada (DIACC)—a non-profit coalition of public and private sector leaders committed to deploying a Canadian framework for digital identity and authentication—and DIACC has also just launched an accreditation scheme for the PCTF, called Voilà Verified.
Next Steps Toward Protecting Your Digital Identity
As we build our future, one key to our further digital transformation will be how we identify ourselves digitally. Though this shift is ongoing, the fact that there are already three separate accreditations across the world means that organizations should begin preparing now.
We are continuing to grow our practice in Crypto and Digital Trust, but Schellman is already an approved assessment firm in each of these schemes through Kantara (U.S.), Kantara (U.K.), and DIACC. If you find you have more questions about digital identity and your role or requirements, please contact us to learn more about these transformative marketplaces and how we might assist your organization in getting accredited.
About Scott Perry
Scott Perry is a Principal at Schellman, where he heads up its crypto and digital trust services practice. Prior to joining Schellman in 2022, Scott owned and operated his own firm specializing in cybersecurity consulting audits and governance, GRC implementation, digital identity and verifiable credentials, and WebTrust. Scott is also a Steering Committee member and co-chairs the Governance Stack Working Group for the Trust Over IP Foundation (a Linux Foundation project). Scott has worked with the world's most respected SSL-certificate issuers, aerospace and defense companies, and government agencies. He has authored and contributed to a comprehensive governance and trust assurance methodology suite for Trust Over IP, has written a key chapter on Trust Assurance in a published book on Self Sovereign Identity and the FinClusive Rulebook. As a hands-on crypto and cybersecurity consultant and auditor, Scott provides the deep and impactful advice that you would expect from a leader in the field.