To ID, or not to ID? How to solve the UK's digital identity dilemma

In February this year, Sir Tony Blair and Lord William Hague released a report aimed at tackling the UK's productivity and innovation crisis. But they inadvertently dredged up a discussion on ID cards that few were ready to have, serving to underline once again the public's distrust toward government-controlled schemes.

People in the UK probably don't realise how many government IDs they already have, including tax returns, benefits, council payments and driving licences. But this doesn't mean the UK is ready for a formal digital identity card. Maybe it is OK that these various forms of ID remain disjointed, even if it is neither convenient nor efficient. The key issue is trust, and the public have to believe there is no overreach when they login to a service.

One way to build trust is to enhance security by putting in place a long-term plan that would remove the need for passwords. One of the simplest ways for a cyber criminal to hack an account is to steal security credentials through phishing campaigns. This type of attack represents one of the most significant security threats for UK businesses and consumers. By eliminating passwords, we eliminate the threat of phishing. Removing this attack vector would represent a critical step in building UK citizens’ trust in a digital identification system. Then the government could work in the back end to connect services so the need for a singular digital ID is never needed.

UK citizens are, in fact, quite comfortable with the government tracking and using their data when it is not done indiscriminately. According to a government survey, 81 per cent admitted to being comfortable with the NHS using their data for a ‘particular purpose’. This would enable the NHS to make decisions led by patient data, such as identifying macro disease trends that can inform national decision-making, like with Covid-19. However, the public are worried about whether that data is secure and what it could be used for if various third parties gain access to it.

Again, it comes back to a question of trust. A transparent, reliable, and unbreakable framework backed by safeguards must underpin the digital ID movement before it progresses. Released earlier this year, the government's digital identity and trust framework begins to address this issue. However, the bill lacks a standards-based approach, ensuring consumers remain in control of their data. 

One positive example is the Australian government’s successful digital infrastructure rollout, which introduced a digital identity document earlier this year. The scheme helps to protect the public's privacy and security, while allowing users to prove who they are online and access a range of government services. The system offers safeguards that protect a user's personal information from being collected, profiled, sold, or used for other purposes, such as advertising. The Australian system also promises a high level of security that constantly undergoes rigorous assessment and testing. This approach serves as an example to follow.

People want simple and secure access to the digital world without needing to remember or manage countless passwords. To gain adoption from businesses and consumers, any future ID system must follow fundamental digital identity best practices.

Enhanced data privacy: Giving citizens control of their data so they can decide what gets shared.

Stronger data security: Eliminating passwords would reduce the risk of account takeovers and other attacks.

Better digital experiences: Make it easy for people to access their services safely from anywhere. From proving identity when picking up a parcel to opening a new bank account, the comfort afforded to UK citizens could be very helpful.

Operations across the UK will become more efficient: Businesses become more agile as processes become less complex.

Regarding security, the biggest problem facing operational digital infrastructure in the UK is that passwords are not secure. In fact, of the businesses that identified a cyber-attack in 2022, phishing accounted for 83 per cent of them.

With generative AI empowering threat actors to produce compelling emails in the prose of a CEO or company leadership, we need better defences against people being tricked into letting their passwords be stolen. The only genuine way to level the playing field against hyper-efficient phishing campaigns is to eradicate passwords entirely.

Organisations that use a passwordless system effectively remove the avenues most commonly used for phishing attempts, ensuring no unauthorised access is made. Instead, users can feel empowered with an experience that allows access to the information they need without requiring a password, reducing the risk of compromise and improving the overall trust across that business.

The government can solve its digital identity dilemma by empowering better and more secure digital experiences for the public and encouraging adoption. And then once fully established, and making sure that any digital divide is addressed, they could connect systems, and as mentioned before, have fully up and running digital citizens' services with no need for a singular digital ID number.

 Paul Inglis is SVP EMEA at ForgeRock.