Mercator Blog

Distributed ID and Self-Sovereign Identity Are Years Away but Impact EMV 3D Secure Deployment Now
Date: August 15, 2019
Tim Sloane
VP, Payments Innovation
Various new technologies related to identity (ID) are being deployed by different infrastructure suppliers and woven into new solutions that aspire to address a wider range of problems. This can be confusing. For example, identity solutions are currently provided by data aggregators that collect data from multiple sources, including government databases and banks, and make that aggregate data available to help validate individuals’ identity, credit risk, and other attributes. In the United States, that business is under attack from two quarters. The U.S. Office of Management and Budget has issued a memo requiring agencies that hold data commonly used to validate identities to make that data available via application programming interfaces (APIs), which may open the door to more competition and apply downward pressure on the margins of data aggregators.

At the same time, many key players, including IBM, Microsoft, and Mastercard, to name three, have established policies that embrace an entirely new approach to identity management, one that places individuals in control of their own personal data and of to whom it may be released, and that increases the granularity of the data to be released. This solution, called self-sovereign identity, enables the authenticated user to verify only the data that is needed for the purpose of enrollment. A person can have the state verify she is over 21 and the bank can verify that she earns more than $100,000 annually without releasing the actual data behind the claim. At the same time, this solution logs all of the data the person has released and to whom, while also enabling fees to be applied by the authenticator to the validator.

Self-sovereign identity can be combined with public/private key cryptography to authenticate the individual using biometrics on the mobile device, as is done by devices that adhere to Fast Identity Online (FIDO). Each validator using FIDO receives a unique key. If these technologies or others enable a new level of authentication, they will also support the zero trust security model, which replaces the traditional firewall security model. Zero trust security is based on authenticating and controlling access to assets entirely by defining who the user is and what access that person should have. Google’s BeyondCorp initiative is implementing this model today.

Anyone who follows the activities of the payment networks will be aware that they are expanding their security solutions well beyond banks and payment cards using tokenization and EMV 3D Secure. The new EMV 3D Secure standard from EMVCo extends the authentication effort directly into internet and mobile devices by collecting device information and sometimes user behavior information. Every major payment network has an offering that extends that authentication to all digital access, web and mobile device alike. To enable this expanded authentication capability, Mastercard acquired NuData Security and Visa implemented Visa ID Intelligence, while American Express acquired InAuth. The largest payment networks have thus all extended their existing authentication technology into web browser and mobile device authentication that uses device fingerprinting and behavioral biometrics. The networks are unlikely to stop there.

This Mercator Advisory Group research report, Distributed and Self-Sovereign Identity Solutions: Part 1, Technology Overview, is Part 1 of a two-part review of digital identity verification with a specific focus on self-sovereign identity solutions. Part 1 explains the concept, introduces some of the organizations attempting to advance the technology, and reviews an implementation. The forthcoming Part 2 will provide a profile of suppliers and evaluate their participation in the standards bodies developing these digital identity solutions.