I recall a passionate debate with some colleagues in 2011 about whether internationally trusted national passports will (sometime in the future) ever be trusted by businesses to allow people access to their premises. Is such a scenario ever possible (as we move to digital passports and additional information on the chip)? More fundamentally, what does this internationally trusted passport lack that even a small office would rather issue a visitor or employee ID card for access to its premises, even as it trusts your passport as the first level of identity check?
Note that here I consider national IDs and national ID cards to be in the same “league” as passports, for simplicity.
Trust in digital identities is a complex issue, and much more than an issue of identity alone. Of far greater value than an individual’s identity is the “information around identity”: for example, the individual’s rights, roles, attributes and context information such as where the ID was issued, by whom, its validity period, certified living references etc. So if we issued an identity credential with all the key additional information, would that become trustworthy, or would businesses still find new valid grounds not to allow such “extended passports or IDs” as a replacement for employee ID cards?
The answer seems to be a straight NO. Businesses will still not allow you into their premises, even with “extended” IDs/passports carrying additional information.
That brings us to the other part of trusted credentials: “control”. When it comes to the security of an organization (= security of critical information assets), most CISOs do not hesitate long to say how much emphasis they put on “control” (some call it, more softly, “flexibility”). This is because each major business is unique in its definition of “security thresholds and practices” and in the implementation processes that follow. Risk management and tolerance differ greatly across organizations, and as a consequence organizations end up working at rather different trust levels. The internal business environment where employees work “is a world of its own” (in the context of trust levels). Standard ISO certifications help organizations get a “feel” for each other, but that does not remove the differences in security practices.
The difference is not in the “what” or even the “why”, but in the “how”.
So does it mean we will never get a truly universal ID, allowing seamless travel in electronic and physical spaces?
Trust and security issues are organizations’ and governments’ responses to their needs for security, interoperability and future preparedness to harness new opportunities. Recall that governments actually do make decisions for and on behalf of citizens, as do organizations for their employees. As long as these two key stakeholders do not reconcile their security policies and practices, a universally acceptable and usable ID seems (to me) a distant dream.
Does it cause us to worry? Actually not, as diversity of security solutions also allows for continuous improvement in technologies and capabilities, and all this keeps the electronic security space an exciting area!