Designing for success: Strategic approaches to digital ID systems using the cloud
As government services around the world become increasingly digitalized, digital ID systems are a critical part of these transformations—many of which run on the cloud. In our previous post, we discussed the benefits of digital ID systems, and how governments are using them to provide accessible services to the communities they serve. In this post, discover how to strategically design digital ID systems around a common vision and learn how the cloud can help accelerate innovation.
Laying the right foundations
One of the first decisions organizations need to make when designing a digital ID system is which model it should follow: foundational or functional. National governments can establish foundational systems to create a general-purpose identity for each citizen, which can be linked to multiple different credentials and used in a wide variety of transactions. These range from receiving social services to validating a bank transaction. Functional systems, by contrast, serve a specific purpose, such as delivery of one specific social service. A person can have a variety of different functional identities for different purposes—such as a driver’s license, a taxpayer identification number, or voting registration. These systems can work in combination, too.
For example, in Peru, the National Registry of Civil Status (RENIEC) provides the single foundational digital ID, called DNI-e, to all citizens as the exclusive ID accepted for central government services. At the same time, hundreds of other stakeholders managing different functional IDs for regional or niche services have agreements to leverage the RENIEC database to provide higher quality authentication services.
How the cloud supports the structure, security, and growth of digital ID systems
Cloud providers like Amazon Web Services (AWS) provide the data storage and instant processing that digital ID systems require to manage fluctuating incoming requests for authentication. In the cloud, they can elastically scale resources up or down in response to changing needs. By contrast, static, dedicated infrastructure operates on a fixed amount of capacity, which increases operating costs and locks governments into older, inflexible infrastructure.
AWS maintains stringent protocols to safeguard the privacy and security of customer data. The AWS Cloud also serves as a flexible platform for future-proof scaling and innovation. For example, during the COVID-19 pandemic, many government services around the world had to rapidly migrate online. Governments already operating identity-based services using the cloud were able to leverage this adaptability to transition quickly and keep services flowing.
Who’s in charge of a government’s digital ID system?
Every country has an ecosystem of public and private stakeholders who both provide and utilize digital identity. Different models can leverage these actors in different ways to establish, operate, and manage digital ID. These include:
- Centralized – A single public entity operates and manages a central repository of identity information and acts as the source-of-truth authenticator in order to best streamline service delivery across a country and government agencies. Countries with this model include India (Aadhaar), the Netherlands (DigiD), Pakistan (NADRA), the Philippines (PhilID), Argentina (RENAPER), and Peru (RENIEC).
- Federated – Multiple public and private entities provide a government-recognized system in which the central authority accredits other actors and maintains a central repository that other identity providers authenticate against. Countries with this model, which may go this route to leverage widespread pre-existing private digital IDs or strong intermediaries like banks or telcos, include Norway (BankID), Sweden (BankID), UK (GOV.UK Verify), Belgium (Itsme), Denmark (NemID), and Finland (TUPAS).
- Open market – Multiple public and private entities provide a composite identity based on other functional ID systems, civil registries, and bilateral agreements. Countries using this model—who may want to provide greater control to individuals and promote innovation, at the expense of a single widely recognized ID—include Canada (Verified.Me) and the United States (National Strategy for Trusted Identities in Cyberspace).
- Decentralized – Individuals directly choose digital identity attributes and share them with relying parties, underpinned by distributed ledger technology, maximizing individual control but potentially not providing a single government-recognized ID. This model is novel and not broadly used yet, but it is being actively trialed by organizations such as the UK National Health Service.
How do governments verify identity in digital ID systems?
Once the fundamental elements of a digital ID system’s architecture are in place, designers of digital ID systems need to decide how to establish proof of identity. Several pieces of information could be used to verify identity:
- Inherent information, such as date of birth and physical parameters of the person;
- Accumulated information, such as behavioral profiles and preferences; or
- Assigned information, such as unique national identity numbers, telephone numbers, or email addresses.
These categories have different implications such as difficulty of gathering the information; uniqueness; whether special software, hardware, or procedures are needed; and technical requirements for how to store, process, and use the information for validation.
Increasingly, digital identity systems are leveraging biometric identifiers, like fingerprints, iris scans, and facial templates. These are unique and inherent to the individual. They don’t require someone to remember a number or carry a special card, which is important for convenience, robustness, and usability. However, capturing some biometric characteristics requires special equipment, and the sensitive nature of this identity information creates a heightened need for technology like the cloud to meet the safety and security challenge of protecting and storing sensitive data.
Building digital ID systems for the future
Technology is evolving at a rapid pace and transforming what digital ID systems can do and how widely they can be used. In addition to traditional biometric characteristics like fingerprints, newer approaches such as palm recognition may be viable in the future.
Additionally, experimentation with distributed ledger-based self-sovereign identity, as well as international integration of solely national identities, may mean that even well-established digital ID systems will face new opportunities and challenges to keep pace with international best practices. Flexible approaches based in the cloud can provide the foundation from which governments can pivot in response to these changing needs and technology capabilities.
Learn more about digital ID systems by reading the AWS Institute report Digital Identity: The opportunity for government with the Access Partnership, or the briefing of the Digital Identity Roundtable, hosted by the Tony Blair Institute for Global Change and AWS Institute, where senior policymakers shared lessons and identified common challenges about digital identification. Visit the AWS Institute for more.