Will we ever see Digital IDs that can’t be faked?

With all the leakage of personally identifying data happening around the globe, will we ever see a digital or other ID that can’t be faked?

It is for political, not technical reasons that Digital IDs are held back.

The current state of identity documents is based on the premise that the public cannot get access to advanced technology, e.g. a printer that can print on plastic, with holograms, embossing, etc. This is no different to rubber stamps from an earlier age. In a nutshell it requires access to an advanced technology and can be visually assessed by a lay person. Contemporary attempts to adapt visual decorations to a digital ID are absurd but effective as a form of security theater for consumer confidence.

The current practice of proving an identity through a digital scan of a physical ID is a remnant of an earlier form of security being adapted to the Internet. It is insecure for many reasons: forging IDs with photoshop templates is trivial, copying IDs is trivial, and organizations hoard scans of IDs, leading to data breaches and identity theft.

The current state of Digital ID apps around the world abuse the privacy rights of ID holders by tracking each presentation of the ID, along with other metadata, while simultaneously failing to thwart the risk of fake digital ID apps being created by teens with basic mobile app experience. This is an generalization that is based on my knowledge and experience with government ID projects that are currently used and those that are in development.

If all we wanted to do was prove that an identity is a citizen, over 18, their name is correct, or that an ID holder matches the photo on their card, then that can be trivially solved. We have had the technical capability to prove authorship or identity since 1976 when public key cryptography was invented by Diffie, Hellman, and Merkle. This technology is used every day on the Internet.

Next, we have had the ability for a centralized authority to sign certificates, and this is what x509 certs that underpin Transport Layer Security (TLS) on the web use. This ability gives authorities such as government agencies or companies an unforgeable “stamp”. This, combined with public key crypto, can give users the ability to make a “claim” which can be as great or as little as they wish, e.g. that they are a citizen, that they are old enough to buy alcohol, or proof of address and it can be signed by an authority. All a user requires is a set of claims that are signed and can select which one to present as the situation demands. Note that I suggest a set of pre-made claims, not the ability to arbitrarily sign things on demand. To meet the current purposes of ID does not require that an ID holder have access to, or sign things with their own private key. That goes well beyond the scope of a digital ID system and is more like the Estonian e-ID that is usable for voting.

This system can easily be combined with a physical photo ID card by providing a signed QRcode containing a low-res compressed photo along with a public key that’s signed. The identity verification system can be verified offline and this is an important feature for the IDs to work in disaster zones, during DoS attacks, and so on. A low-res 1kb photo can be packed into a QRcode easily for the purposes of visually matching a higher resolution photo that is printed on the card. This is much less vulnerable to abuse than encoding biometric data onto a card that cannot be visually confirmed by a layperson to match a photo. For example a bouncer can’t look at a face, look at the card, and then verify that the biometric data such as their height or length of nose are correct.

Such a system would adequately balance the privacy of the user while enabling any vendor to verify the identity of the ID holder. It also continues to give the issuing authority the ability to create fake identities, which is something that stakeholders require.

In the absence of a workable ID system, merchants and service providers supplement scanned IDs with credit cards, mobile phone numbers, and email addresses. This is analogous to how these artifacts are used with MFA and act as a proof of ownership based on a flawed assumption that only one user may have access to one of these items as a time. Of course there are a range of vulnerabilities with using these: gift credit cards, sim-swap attacks, temporary mobile numbers, temporary email addresses and so on. These artifacts are what the cyber underground currently use to generate online identities from Apple to Uber.

The risk of such a system is the same as the CA risk. If someone steals the private key for a CA, and secondary CA’s, then they can sign arbitrary IDs at will. In contrast to the physical IDs where any nation-side or sufficiently funded adversary can acquire the advanced technology to print holograms or plastic cards, any teenager with a stolen private key could forge IDs.

The risk of an adversary stealing a key to sign their own IDs is much less than the current risk of people obtaining “real” fake IDs, for example through identity theft. On mitigating this risk, although a Hardware Security Module (HSM) may go some way towards protecting a private key, it’s no panacea.

I don’t expect our IDs to be secure within the next 10 years.