The UK Digital Identity and Attributes Trust Framework – Could This Be the Holy Grail of Digital Identity?

In February 2021, the UK government unveiled a policy paper on a 'trust framework' for digital identity. Aimed at building trust between transacting parties, whether individuals or enterprises, the UK Digital Identity and Attributes Trust Framework details the principles, policies, and standards that must be followed by organizations providing or using digital identity services. Establishing trust and transparency between transacting parties is critical to the growth and evolution of the digital economy. The proposed framework expects to streamline the fragmented and proprietary digital identity landscape into a foundational digital identity infrastructure, promoting interoperability between service providers and letting people confidently identify themselves.

As products and services across industries increasingly go digital, the need to prove one’s identity becomes crucial to access them safely. Opening a bank account requires verifying identity. The gaming industry for long has battled with challenges of age verification. The health industry has identified the need for identity verification to drive its mission to increase access to health services in many countries. Usage of physical evidence and face-to-face verification continues to be the dominant form of identification in many industries. However, producing physical identity evidence may not always be possible. It can also make digital processes inefficient. This is especially true in the case of social distancing necessitated by COVID-19. Additionally, the fragmentation that exists in the digital identity landscape across public and private solutions puts a question mark on their trustworthiness to protect identity data. 

How Does the Trust Framework Work?

The proposed UK Digital Identity and Attributes Trust Framework attempts to address these concerns. The trust framework is a set of rules, standards, and a governance structure that all organizations involved in creating, using, and managing digital identities agree to follow. The framework does not mandate the development of digital identities. Instead, it aims to ensure that exchanging them is safe and secure. By conforming to common standards, all participating organizations become certified entities, making them trusted parties in managing identity data. The framework lets users create transaction-specific or reusable digital identities. Digital identities are created using a combination of identity attributes which are pieces of information that describe something about a person or an organization. Identity attributes could be related to:

• Physical or digital documents such as a bank statement
• Devices such as a mobile phone
• Health records 
  

Examples are mobile number, insurance number, bank account number, age, number of children, etc.

Since attributes are granular elements that make up a digital identity, the trust framework prescribes that the user should be able to assign access entitlements and privileges to chosen attributes. E.g., bank account-related attributes may be made accessible to financial institutions, whereas they may not have access to health-related attributes that only a health provider might have.

Organizations participating in the trust framework will require to take up at least one of the following roles:

• Identity service provider: Entities that prove users’ identities through offline and online channels by using one or more data sources
• Attribute service provider: Entities that collect, create, check or share identity attributes
• Orchestration service provider: Entities that facilitate data sharing between all other parties
• Relying party: Organizations that consume digital identity data to provide a product or service
  

The trust framework makes sure that any participant, regardless of their role, follows the prescribed rules and standards to meet the following principles

1. Interoperability promoted through common technical specifications
2. Data security through encryption and cryptography
3. Quality management standards and best practices
4. Information security and management
5. Risk management
6. Fraud monitoring and reporting
7. Privacy and data protection
8. Incident response mechanisms
9. Records management
   

A governing body chosen by the UK government will oversee the trust framework. It is expected to work with other bodies and organizations to ensure that using the trust framework involves minimal complexity.

Setting a new path

Technology is not a silver bullet to solve the problem of digital identity. As is evident from this initiative, the government, industry bodies, and the participating and consuming public and private entities must be aligned on a set of standards and governance framework to ensure implementation and adoption at scale. By splitting the digital identity chain into its constituent parts, the trust framework aims to improve innovation independently in each of them. With a reliable identity verification framework in place, companies must be able to see significant benefits both in new revenue and cost reduction. The UK government has been successful in the past in implementing financial data sharing based on open banking standards and governance. The digital trust framework adopts a similar approach in operational and implementation guidelines. Once turned into a law, this framework could become the benchmark for other digital identity initiatives worldwide.

Get in touch

‍