What government CIOs should know about digital IDs
Government CIOs must find a way to create digital IDs for citizens that are secure yet convenient.
Noémi lives in France. She needs to file her income tax return and — since she’s already doing ‘admin stuff’ — she also checks the status of her healthcare reimbursements and signs up on the local electoral list. FranceConnect enables Noémi to access the public services needed to complete these tasks using a single login.
Noémi’s story is a clear example of how digital identities can make citizens’ lives and interactions with government agencies easier.
According to Arthur Mickoleit, Senior Principal Analyst at Gartner, governments have long been investing in digital identity and authentication methods to make sure citizens can easily, securely and legitimately access public services.
But Mickoleit says success has so far been very patchy. In some Nordic countries like Norway or Sweden, almost the entire population uses digital citizen IDs. Other countries, such as Australia, Germany or the US, have long tried to establish a system but have not succeeded for reasons that often revolve around an overly bureaucratic culture, which leads to an underperforming customer experience.
To create working and successful digital citizen IDs, government CIOs must focus on three things: governance, technology and user experience.
Government CIOs whose agency provides a digital service have to choose between two models:
- Manage the entire identification and authentication process in-house
- Turn to a growing list of digital identity service providers (IDSPs)
It’s become clear that the better option, in most cases, is to use one or more third-party IDSPs. This allows government agencies to focus their limited capacities on their core business: providing citizen services. And it reduces the ‘clutter’ citizens perceive when having to deal with multiple logins for different institutions.
By 2023, at least 80% of government services that require authentication will support access through multiple digital ID providers, according to Mickoleit. Citizens can then use the digital identity of their preference to interact with government agencies instead of having to manage single-purpose identities for each agency.
However, governments must keep in mind that there are different options for outsourcing digital identity provisioning, ranging from government-issued digital IDs, through those issued by companies, to combined approaches like FranceConnect. Each option has its pros and cons.
For example, when commercial IDSPs gain greater control over citizen identities and potential insights into their use, privacy concerns will arise. Government CIOs must find a balance between the benefits of faster take-up when partnering with the private sector and potential clashes between the interests of different stakeholders.
Government and citizen expectations around digital identity can be difficult to balance. Government CIOs prioritise a high level of security to ensure citizens are who they claim to be when they access a service. Citizens, on the other hand, mostly want easy and convenient access.
In the past many governments favoured caution over convenience, which often resulted in very secure systems that were difficult to use. Only the most tech-savvy citizens took on the challenge, while everyone else stuck with the traditional, analog points of access.
To balance security and convenience, government CIOs should take a more flexible approach and ensure levels of security are specific to the service offered. For example, booking an appointment should require less rigid security measures than declaring your taxes, let alone casting an online vote in national elections, as you can do in Estonia.
Governments need to understand that secure design of identities is not only a technology matter. The recent incidents of digital ID misuse in Estonia were mostly a mix of phishing and social engineering, which needs to be anticipated. Government agencies should run campaigns that sensitise people to the fact that digital identities are becoming as valuable and important to protect as analog identities.
Technologies for digital identity are evolving at a rapid pace. This means that government CIOs must factor change into their technology choices, but also provide a form of continuity for their users.
Mickoleit says the three canonical authentication factors — knowledge, token and biometric trait — will continue to be a part of identification and authentication processes. They are established, they are secure and they constantly evolve in their availability, as you can currently see with biometric sensors.
Nonetheless, it’s critical that government CIOs stay on top of how security and user convenience profiles evolve over time. For example, the standard two-factor authentication methods with SMS-based transaction codes are now being replaced by dedicated code generator apps for more secure and convenient access.
In the future, blockchain approaches might provide even better privacy and user control over identity. And as ID technologies become more widespread and affordable, they can accelerate social inclusion of the estimated 1 billion people worldwide who currently have no formal means of identification.
Originally published here.