US market for connecting online actions to real-world identities projected to be $15.5 billion by 2028
Identity Authorisation Networks (“IANs”) connect online actions to real-world identities, Liminal has said introducing their report on market trends in the “evolving digital identity landscape.”
Liminal is a market intelligence and strategic advisory firm specialising in digital identity, fintech and cybersecurity. Its report projects that the IANs market will be worth up to $15.5 billion by 2028 in the USA alone, indicating that digital IDs linked to real-world identities are set to be adopted across sectors, from banking to e-commerce and beyond.
IANs combine digital credentials, biometric data and comprehensive fraud risk signals to “secure” transactions. They enable organisations to confirm the authenticity of users’ real-world identities; grant or restrict access to resources, networks and data based on predefined permissions and policies; and, track user behaviour and transactions, providing a comprehensive audit trail for compliance and security purposes.
The covid pandemic accelerated digitisation. The increased digitisation of transactions saw a surge in fraudulent activity. As a result, platforms looked to secure their newly digitised transaction processes. And so, the covid pandemic served as a catalyst for a surge in demand for identity vendors which create, store and manage digital identities and provide user authentication services.
Now, with the widespread use of artificial intelligence (“AI”) it seems those digital identities and authentication services are no longer sufficient. Fraud becoming more sophisticated and widespread as a result of the growing prevalence of generative AI and deepfake technologies is being used as the justification for IANs.
According to Biometric Update, “the fraud landscape is recognised as full of pitfalls by business and consumers alike, as AI and sophisticated fraud overcome the little resistance offered up by a system based on physical ID cards.” Liminal believes the solution is IANs which combine “digital credentials, biometric data and comprehensive [fraud risk] signals to secure transactions.”
Unsurprisingly, the IANs market is worth a lot of money. Liminal projects the market will reach up to $15.5 billion by 2028 in the US alone with a robust 60.3% compound annual growth rate. The Federal Trade Commission has said the real number may be as high as $158 billion.
According to a report published by Liminal last week, “Since the initial IAN onboarding takes place through banking and government channels, they represent the largest initial markets; however, as the network expands, fintech becomes a significant opportunity as well.”
Liminal’s report is only accessible by creating an online account with them. It is free to create an account but to save our readers from having to go through the signup process we have attached a copy of the report below.
According to the report, “Banks, with their high assurance identities built to meet strict compliance standards, offer a practical entry point for IANs. After issuing credentials, IANs enable the reuse of identities across organisations and industries to secure all transactions online.”
Liminal’s report continues, “Operating as a network provides a wider view of fraud, with access to more risk signals across companies and users over time. Exposure to the same identities across industries and use cases bolsters the IANs fraud-fighting capabilities.”
“An IAN remotely verifies real-world identity up to a high assurance level, binds this identity to a digital credential for use across the network.”
The diagram below, from the report, indicates what the “network” might incorporate. “Banking” and “Government” are coloured dark blue as these are where the initial onboarding into the network takes place. The blocks coloured light purple are examples of organisations and industries that would form part of the IAN network as more organisations join and the network expands.
What they are saying is that the digital ID issued by a bank or the government is now a single digital ID that will be used across the network for all online transactions, from gambling to travel to social media. If a digital ID is linked to fraud, or any activity that the bank or government doesn’t like, that is detected anywhere in the network, the digital ID will be flagged and whatever action necessary taken, e.g. restricted.
Liminal’s report confirms this. It states, “By tying identity to transactions to enable signing and authorisation of transactions across verticals [e.g. social media, e-commerce, healthcare], Identity Authorisation Networks enhance the capabilities of reusable identity offerings.”
What are the “offerings”? Immediately below the sentence noted above, Liminal provides the following diagram. Note the fourth arrow in the flow chart: “Transaction & Event Monitoring: Ongoing review of transactions and events for fraud and compliance.”
What criteria will determine “fraud”? Who reports fraudulent activity? And who decides when a digital ID is flagged? And who decides what action should be taken? All of this will be happening behind closed doors, by unknown people and without our knowledge. To illustrate why this is so important and how this gives others complete control over your life, I’ll give an example.
Many years ago, I made an online purchase through a PayPal account, which was linked to my bank debit card. It was the first and the last time I used PayPal. If I explain what happened you’ll understand why.
Within half an hour of my purchase, my bank account was almost emptied. Someone had hacked into my PayPal account and went on a spending spree. PayPal didn’t pick it up. I only discovered it because my bank messaged to alert me to several transactions that had occurred in a very short space of time to vendors, mostly to a company in Ireland, I had never heard of let alone used. I immediately told the bank those transactions were not my purchases. They acted quickly. They froze my account and told me they would need to issue me a new debit card. However, the bank could only do this after PayPal had confirmed theft had taken place.
At the time I thought, “Phew!” Little did I know how difficult it was going to be and how long it would take to sort out. I had no other account and no cash. I had to borrow money (cash) for the next week or two while I struggled to get proof out of PayPal that I could send to my bank to unfreeze my account. I didn’t have money to buy food or even put petrol in my car to go to work. If a kindly neighbour hadn’t taken the trouble to drive to his bank and draw cash for me to borrow, who knows what might have happened; would I not have eaten for two weeks and perhaps lost my job as well?
And that was with a very obvious and easily provable theft. I suffered twice. Once as the victim of theft and the second time by having no access to funds until PayPal had notified my bank it was theft. Which, fortunately, eventually they did.
I didn’t want that PayPal account linked to my bank account anymore, I didn’t want to risk it. I wanted to close my PayPal account. I thought it would be easy. But it took three months and several phone calls and emails. I vowed never to use PayPal again. And I haven’t; wild horses couldn’t drag me to ever using PayPal again. The experience, made far worse by a lengthy drawn-out battle, literally a battle, to close my account, was that awful.
Mine was a genuine and fairly straightforward case of theft where the bank was protecting the remainder of my money at my request. Now imagine that happening not only with your bank account but with everything you do online. And then imagine that a nefarious, spiteful or revengeful actor reports a fraud that results in your digital ID being flagged or frozen. Or simply a mistaken identity or misunderstanding.
The aforementioned is an example of “fraud” in Liminal’s statement: “Ongoing review of transactions and events for fraud and compliance.”
What about “compliance”? What does “compliance” mean? Compliance with what or with whom? Who determines the rules? Is speaking against the government not “compliant”? Is refusing to have a vaccine not “compliant”? Or as Nigel Farage and thousands of others found out, including The Exposé: is holding an unfashionable view according to the bank’s opinion not “compliant”?
Related:
- Cancellation of bank accounts belonging to customers who do not hold corporate-sanctioned views is a sign we’re on the road to Orwell’s dystopian nightmare
- Letter to the Editor: Dear PayPal, you are aiding fascism in its purest form
If the online activity associated with a digital ID is deemed to be not “compliant” what happens? Will the digital ID be frozen and not be able to operate anywhere in the IAN “network”? Will the real person associated with the digital ID not be able to access their bank account, social media and healthcare?
Currently, if Facebook locks us out of our account for posting something Facebook doesn’t agree with (i.e. censorship), we can create another account. However, if our digital ID is connected to our real-world identity as is the case with IANs, this option is no longer available. But it’s far worse than whether we are permitted to have a social media account. With IANs, will Facebook’s censorship also restrict our access to healthcare or our bank accounts?
BankID Sweden
In its report, Liminal stated that BankID in Sweden provides a direct case study for IANs.
“BankID was founded to promote interbank cooperation in the high-assurance financial services industry, credentials are now used to authorise a wide range of lower assurance transactions,” the report said. Lower assurance transactions are the blocks coloured light purple in the illustration above, for example, e-commerce.
BankID was founded in 2004, with buy-in from all the major banks in Sweden. With over 8 million users connected to more than 6,000 businesses, authorities and organisations, and an average of 18 million identifications and signatures per day, it is Sweden’s most widely used electronic identification (“eID”) and digital signature solution.
While there is some overlap, the terms eIDs and digital identifications (“digital IDs”) are not exactly the same. Both eIDs and digital IDs serve the purpose of verifying identity. The key differences lie in their formats and uses.
eIDs are often embedded in physical devices and encompass a broader range of electronic identity verification methods, while digital ID specifically refers to a digital document or certificate used for online transactions and authentication. eIDs are used for a broader range of applications, including online authentication, digital signatures and accessing public services, whereas digital IDs are primarily used for online transactions, contracts and purchases. eIDs often rely on biometric or cryptographic verification methods, whereas digital IDs rely on digital signatures and database checks.
Perhaps the difference between eIDs and digital IDs is becoming blurred.
To obtain BankID, people must have a Swedish national identification number and be over 18 years old, although some banks also offer BankID to children under 18. When activating BankID, people must provide original identification, which is done in their bank branch.
With BankID, people can identify themselves digitally, leave electronic signatures, access e-services from authorities (such as the Swedish Tax Authority and public healthcare), sign agreements like contracts, payments and loan documents, and use the BankID app on their mobile phone or tablet.
“Key learnings from the Nordic BankID systems suggest that building requisite density can be challenging, and early buy-in from relying parties with strong brand presence and substantial market share (e.g., enterprise banks) is critical to ensure success,” Liminal’s report stated.
We assume “requisite density” refers to the number of people who have registered with the scheme by taking up an eID or digital ID to make the IAN viable. But then marketing jargon doesn’t necessarily mean what we think it means.
