It’s time to start taking digital identity seriously

Digital fraud has never been more prevalent, potentially costing the world $10.5 trillion USD annually by 2025, a truly staggering sum.

In the U.S. alone, $382 million was stolen in COVID-19 related scams, often by fraudsters registering for stimulus checks and unemployment benefits with stolen identities. This theft illustrates the fundamental problem at the heart of online fraud: how can organizations tell that a person is who they say they are? In real life, clearly identifiable identity markers, from faces to fingerprints and DNA, are supplemented by certified documents like passports and driver’s licenses, and together these limit a person’s ability to pass themselves off as somebody else. Online, a bad actor (or increasingly an automated bot) who enters the correct username and password on a website has access to everything the person who set up the account does. Digital identities clearly must be as strong as offline identities.

Congress has already identified this problem and introduced a bill aimed at providing a solution. The Improving Digital Identity Act aims to develop standards to guide government agencies when providing digital identity services, upgrading existing systems and creating interoperable tools for verification. It’s a promising start, but it may be hampered by the lack of clarity around digital identity itself.

How will digital identity be secured?

Digital identity documents are already used in applications like the biometric IDs that are issued to non-resident aliens, but these aren’t interoperable -- they have specific use cases and are not an “all in one” digital identity that could be used anywhere. Even with the Improving Digital Identity Act, there is unlikely to be a single government-mandated ID in the U.S., but there may be multiple private-sector suppliers offering approved digital IDs under a regulatory framework established by the legislation.

Any framework will have to be based on a public-private key architecture. Asymmetric cryptography, where freely available public keys can be used to verify possession of a private key held by one person, is a highly scalable, robust method for keeping digital IDs secure. It is already used in thousands of applications in the public and private sector.

But there is an Achilles' heel to this procedure: the private keys must absolutely remain secret, which makes hardware security modules the ideal choice for generating and securely storing strong private keys. Unlike with software solutions, the keys themselves are not read into the main memory of a computer, which means that they cannot be compromised remotely.

Promising approaches

With online fraud as pervasive as it is, it is no surprise that the government is looking for digital identity solutions for immigration, deterring identity theft and speeding up government services, even those as mundane as renewing a driver’s license. Given how important getting it right will be and the substantial benefits from doing so, both the government and private sector must work toward meeting the very highest standards of security.


Author: Malte Pollmann, CSO, Utimaco
Source: It’s time to start taking digital identity seriously -- GCN

