For a long time, the digitisation of our paper and plastic credentials has been underway. Whether it be boarding passes, or drivers licences or qualifications, we are turning those real-world credentials into digital ones. Accelerated by the digitisation of many processes during the pandemic, common standards are coming into view that will help organisations issue them, and users adopt them, with greater efficiency. Interoperability of digital credentials across platforms will be key to even greater adoption.
Some, though not all, of these credentials will be used for identity.
Big Tech companies like Apple and Google have got on board with this to offer digital mobile drivers licenses in the US. Now in Maryland for example, Apple and Google drivers licence-holders are permitted to onboard themselves to an Apple or Google identity wallet system, one that turns a physical identity document into a digital one.
Many who work in the identity management space are wary about these big corporations having so much control over someone’s most personal and useful data – their identity. These companies operate as closed ecosystems. And they are commercial, which could imply that at some time in the future they may monetise digital identity authentication or verification, something that most people working in this space consider a right rather than a privilege that requires payment.
When I spoke to Andy Tobin, a digital identity and innovation expert who works very closely with the plans for Europe’s new identity management system known as eIDAS (electronic Identification, Authentication and Trust Services) he expressed exactly the conundrum: “Big Tech is already there as you have your wallet on your Android or Apple phone and you can have a Google wallet on a Samsung phone…If they own your wallet and you can’t easily transfer out your stuff and put it somewhere else then you’re going to stay with them…because you’re in the Apple ecosystem. You’ve got an iPhone, you’ve got a MacBook and now you’ve got your wallet and it works across all of those.”
And as if to really drive the point home, he considers the hypothetical that the EU-driven eIDAS system might consider incorporating Apple or Google or Meta wallets within the interoperable digital wallets working across member states. He pinpoints the issue, “If Apple and Google and Meta’s wallets were made eIDAS compatible and achieved certification, the legislation would force data portability. However, eIDAS is all about openness, whereas these companies are all about lock-in.”
That suggests that there may come a time when citizens are having to choose between a government backed wallet for identity or a private enterprise wallet or commercial solution, at least in the EU. The UK may find it easier to integrate Big Tech at some point in the future given that the UK’s approach is more about building a set of standards and criteria that commercial companies can operate to in the identity sector.
The next question Big Tech is thinking about is how to “bind” those digital identity credentials to the real, genuine person to whom they should belong.
This is where Apple’s Vision Pro comes in. Being able to know that the person presenting a digital credential is genuinely that person, means that you have to have a tight binding between the two. This is what Apple does with FaceID, and others do with fingerprints and passcodes on phones. When you set up the phone, you set up FaceID plus fingerprint plus passcode. Then, when you do something new like add a credential to your wallet, you do the FaceID plus fingerprint plus passcode again to confirm that the same person that set up the phone is the person adding the credential to the wallet. This is why often there is a step which asks the user to take a selfie or a live video when being issued with a credential. It’s a check that the user matches the photo on the credential. Then when you use the credential, you release it by unlocking your wallet using FaceID plus fingerprint plus passcode, giving some certainty that the same person that got issued with the credential is the person releasing it to be used.
However, it might be that Apple is introducing a new binding process for digital identity with the launch of the Apple Vision Pro. The extended reality headset that was launched to a fairly receptive audience less than two weeks ago, uses biometrics in such a way as to cement the relationship between the user, the platform, their identity, and presumably in time, their wallet.
To use the product, the device employs a new type of biometric, iris identification. This will enable owners to unlock the Vision Pro and to then put it on. A unique feature, called Optic ID (which feels like the next step on from Apple’s facial recognition ritual introduced with the iPhone X) makes this possible. Reportedly, a user’s iris is analysed under invisible LED light exposures and matched with the user’s fully encrypted Optic ID data which is held on the device not on Apple servers.
With Vision Pro, the device is scanning your actual face all the time, so it can get a high level of assurance that you really are you. Currently this is all positioned as required for representing your face digitally in these extended reality environments. However, what it will be used for if successful, is to enable you to identify yourself in the virtual world with quite a high degree of accuracy and assurance.
It is perhaps in this immersive media environment where identity is going to be most difficult to prove and yet most important we do so. With Generative AI increasing the threats of fraud from the creation of synthetic identities, and digital injections or face swaps, users will be looking for the utmost security. When I returned to Andy Tobin to ask him about this, he confirmed that “under the skin Apple are ensuring that Vision Pro solves one of the main problems with metaverses, which is how you know if you are dealing with a real person or not, and if that real person is the right person”
Only a few weeks ago, Apple was granted a patent for binding biometric authentication to a person’s digital ID. And earlier this year Apple applied for a patent to capture face, finger and iris biometrics from under the display of an electronic device. According to Biometric Update the published patent application, “describes the use of infrared sensors, possibly quantum film infrared sensors, to capture various user biometrics, and possible hand gestures.”
“Just as the Mac introduced us to personal computing, and iPhone introduced us to mobile computing, Apple Vision Pro introduces us to spatial computing,” promised Tim Cook at the recent launch. But it seems that Apple is introducing us to a whole lot more than that, including a complex and exclusive new system of identity authentication and verification that will either empower users or imprison users, whilst technology policy-makers seem some way off from seeing the full picture.
Read the full article here