Dick Dekkers is Director of Business Development at Digidentity, Solera’s global identity verification company. He’s helped make the company Europe’s leading provider of online identity management solutions and eSigning services for governments and enterprises. In 2020 alone, Digidentity facilitated over 300 million authentications and protected the digital identity of more than 25 million people of over 180 nationalities. Dick is a strong advocate of privacy, interoperability, and standards. He talked with Mike Sasaki, leader of the Mitek Systems global customer success team, about the massive changes happening in online government services access and his view of the role and future of digital identity.
Mike: Digidentity has had quite a year, especially with the digital identity services you’ve provided for the UK government. Can you give us your view of recent changes?
Dick: Yes, there’s been a massive surge, of course, in applications for government assistance. Prior to the pandemic, we were processing about 10,000 applications a day—which went up to 125,000 a day at one point early in the crisis.
But I think the most significant change is in what people now expect from online government services. In the past, everyone was pretty much okay with the fact that not all services were available online or that you had to re-register for each service you wanted. Over the past 12 months that has definitely changed. Today people expect every service to be digital, and they don’t expect to have to provide their information over and over again.
What that means for Digidentity is that we’re focusing more and more not only on usability but on making processes simultaneous. We’re enabling our government customers to do more things during the application process while we’re verifying some element of the applicant’s identity in the background.
How would you describe the attitude of applicants toward identity verification?
People are much more willing to provide information now because they understand that to do things remotely we have to verify who they are. They know online activity involves a certain amount of risk, and they’re increasingly willing to accept a little friction in return for higher trust.
Also, people are willing to wait a few minutes if necessary because they understand that while the identity verification process is automated, it’s also trying to handle large numbers of applicants. Most people are perfectly fine waiting, as long as they have a sense of continuation—you can’t let them continue to look at a screen where nothing is happening—and feel that what they’re doing will actually provide them with value in the end.
Digidentity has done a lot of things to try to understand end-users. Can you share some best practices?
Sure, one of the key things we do is tell them upfront what information we need from them, why we need it, what we’ll be doing with it, what the benefit to them will be from giving us that information, and why it’s secure—why, for instance, they don’t have to worry about the fact that they just gave us a copy of their passport. We’re careful not to over-ask for information that’s not necessary for the transaction. For example, if you’re verifying an identity for alcohol purchase, all you need to know is that the person is over 21, you don’t need to know their full date of birth.
We also set end-user expectations. So if it’s going to take several minutes, or maybe even a day or two depending on the situation, we let them know that. We tell them what to expect as the next step and the timeframe in which it will happen.
And we’ve learned that when someone gets stuck or has a question and reaches out for support it’s very important to have human interaction. A chatbot won’t work. People want to feel that a real person is helping them out.
Which technologies have been most helpful to you in meeting these new end-user expectations?
Remote identity verification is the big game-changer, of course, especially technology advancements enabling us to process a wider range of documents in different ways. We need to provide remote identity verification for everyone—not just those with high-end mobile phones who are comfortable using technology—and apply it appropriately to an increasing number of use cases.
When we design a new service the use case drives everything. We’re not just taking an “out-of-the-box” solution and configuring it a bit. We work closely with our customers to understand what the use case needs to achieve. Once the solution is deployed, we closely monitor and measure every step of the identity verification process. We see where the dropouts are occurring, and do A/B testing to quickly determine how to eliminate those obstacles. We’re in the lucky position of having lots of users with lots of different types of services, so we can gather and analyze plenty of data.
Overall, we’re seeing a strong uptick in how fast people go through identity verification. A lot of people are flying through the process, as they’re becoming more familiar with the idea and more confident. In fact, growing numbers of people are comfortable applying for services from mobile phones. Initially, we had thought most users would be sitting behind their computers at home, but that’s really not the case anymore. In the UK, about 40% of people are signing up for the government’s very extensive identity verification process from their mobile phones. And they’re doing it while commuting to the office or out and about for other reasons. During the process, they might be distracted by something or realize they don’t have a document they need, so they come back to it later. Where there used to be just one session, it’s now really important to support multiple sessions so people can drop in and out as needed and keep moving the process forward.
What would you say is your biggest challenge?
Well, in the government sector, the challenging part is that, due to double-blind rules, we don’t know what type of service the user is trying to access. Are they applying for benefits, submitting a personal income tax return or trying to access a university service?
As a result, we’re limited to just looking at overall trends as we design processes. We try to optimize that general process for specific target audiences and make it as user-friendly as possible, but it’s a challenge. Still, we’re a bigger fan of privacy than even user experience.
How do you use biometrics, and are you concerned about bias?
We use biometrics only at registration, and then only in conjunction with some type of trusted identity document. Without that, biometrics don’t provide any assurance about who you are. But by matching the face in a selfie, for example, against the portrait image in the document, we can bind the biometric to the individual providing the identity document.
Previously we also used biometrics for low-level authentication, such as signing in for a financial service. But in some countries regulations prohibit using device biometrics for logins. So we’re forced to revert to something people know, like a pin code, which when you think about it, is less secure than even the cheapest biometric.
In regard to bias, we’ve seen very high success rates for biometrics in remote identity verification across diverse demographic groups. I think the inclusion issue is more around the number and types of documents you accept, the way you do verification, and how you guide users through the process. There’s a lot we’re doing, and more that needs to be done, to ensure remote verification is working fairly for everyone.
In general, what do your government and business customers think about biometrics?
Some of our customers look at biometrics as sort of a holy grail. They think as long as they’re capturing a face, voice or fingerprint, then all of a sudden their process is really secure. Some don’t understand when and why to apply biometrics, and when not to apply them. They may not realize that they’re exposing their organization to risk around questions like how do you store this data, how long do you keep it and whom do you share it with.
Do you think identity verification has an ongoing role to play in end-user customer lifecycles?
Yes, I think persistent identity is a key requirement and will become more and more important. For instance, one of the things we’ve been working on is transactions around house buying. People have to provide the same set of information four or five times during the purchase of a home. You give it to a mortgage broker, who passes it along to a lender, but the lender still asks you to provide it all over again.
Or let’s say I run a car rental agency. It’s great that Mike can show a driver’s license to prove his identity when he comes to pick up a car. But how do I know his driving license is still valid? Maybe it was recently revoked. Same thing in financial services. It’s great that we’ve done our KYC due diligence and so we know who you are. But maybe since then you’ve shown up on a sanctions list or been convicted of something. Or maybe you used your passport to register, and you’re unaware that it’s been stolen since then and someone else has used it. There are all kinds of detailed, timely information which could be important for a specific transaction at a point in time.
Is innovation driving regulations, or vice versa?
I’d say regulations are lagging innovation. All over the world regulatory bodies are struggling to keep up with technology and social change. In most cases, machines are going to be more accurate than humans at authenticating documents and verifying identities. But there’s still a perception that when something is being done online it’s less secure, somehow easier to trick the system, and that’s actually not the case.
What’s your view of the future of identity?
Today establishing a verified digital identity is something you have to do. In the near future, I think it will have moved to something that’s just part of everyday life. For that, identity verification processes need to give consumers better control and consent over how their data is used, but they also need to make life easier. So I think devices will start acting on our behalf. I think there will be identity service providers we can choose from. In general, digital identity will enable many, many good things—as long as we keep track of how and why we’re doing it and exercise strong oversight on our good intentions.
Do you think we’ll actually get to the point of users owning and managing our own digital identities?
Owning our digital identities is probably the next big conversation. Self-sovereign identities that enable people to determine how their data is shared, when it’s shared, and under what circumstances—that’s something we’re all trying to solve. For businesses, one of the difficult things is going to be how do you determine the assurance around an identity? What information do you accept and how do you verify it?
From a consumer or citizen point of view, SSI is strongly related to usability and the quality of user experience. For instance, in the Netherlands, you have a prepopulated personal income tax file. So when I login to the government website using my persistent identity I see my tax filing, completely filled in with information from my bank statements, pension fund, insurances—you name it, everything is there. Someone told me there are more than 600 sources. Now imagine I had to take a decision on each one of those sources just to complete my filing. I don’t really want to control all of that; I just want to be aware that the data sharing is going on. I want the process to be transparent.