The UK’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), has just published its annual review for 2025. Central to its recommendations is the issue of digital identity. They note, correctly in my view, that “robust digital identity is a long-term problem with a lot of moving parts”. Indeed it is, but if we (that is, society as whole) do not grasp this nettle then we are fatally undermining our safety, security and prosperity.
Digital Identity Means Security
One particular leaf of that nettle is authentication, and here I think we Brits can have some optimism. NCSC is working with the government and the FIDO Alliance on improving the adoption of “passkeys” across the public and private sectors. If you are not familiar with passkeys (which are already widely used), imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified (eg, your phone). You don’t need to remember a password and no-one else can log in as you because they don’t have your phone.
The FIDO Alliance, in collaboration with the digital identity folks over at Liminal, has created the Passkey Index to track the impact of passkeys. Drawing on data from major service providers ranging from Amazon and Google to TikTok and Target, the Index shows that 93 percent of user accounts across participating companies are now eligible for passkey sign-ins. Of those, around a third have enrolled a passkey, and a quarter of all sign-ins are currently completed using passkeys. Passkey sign-ins average just 8.5 seconds, which is 73 percent faster than traditional methods such as email verification or SMS codes that take over 30 seconds. They also enjoy a 93 percent success rate, compared to 63 percent for legacy approaches, resulting in fewer failed login attempts, and service providers report a four-fifths reduction in login-related help desk incidents, which undoubtedly has an impact on the bottom line.
(This is why, to use one example, Microsoft is pushing to eliminate passwords by encouraging its customers to use passkeys and making all new accounts password-less by default. The company has removed the password management functions from Microsoft Authenticator, leaving the passkey storage options in place.)
You don’t need to read this paragraph if you are not that interested in the technology, but for those of you who are: Passkeys use real cryptography in the form of public-private key pairs. When a user sets up a passkey for an account, their device generates a key pair: the private key is stored securely on the device, while the service receives only the public key. This cryptographic procedure makes passkeys more secure than passwords because the private key cannot be intercepted, guessed or stolen: it never leaves secure storage on your device. Accelerating the adoption of passkeys means that across all sectors we can migrate people away from passwords and weak multi-factor authentication, such as one time passwords (OTPs) sent by text messages, into more secure, standard and seamless methods.
Those text messages are a particular problem and this is hardly a new opinion. I remember when Charles Brookson, then head of the GSMA’s security group, made the point that SMS has, to all intents and purposes, no security whatsoever. Now, the blog post linked there comes from 2008 and if I remember correctly I’d made a presentation around that time drawing on a story from 2007 to illustrate that the mass market use of SMS for secure transactions might prove to be unwise despite the convenience. So that was two decades back.
A decade back the US Department of Commerce’s National Institute of Standards and Technology (NIST) published their Digital Authentication Guideline (July 2016) which said this about out-of-band (OOB) text messaging:
OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
I looked up “deprecated” just to make sure I understood, since I assumed it meant something other than a general disapproval. According to my dictionary, it means this: “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”.
Digital Identity Means Privacy
No more passwords and no more text messages for authentication. I think we can all agree on that. And, indeed, many financial services organisations have begun to move to in-app push notification and in-app confirmation for transactions and this works well. But it really is time to go further with general-purpose standardised solutions. For example, the NCSC report also highlights the ability of what they call “novel” cryptography (or what I would call “tried and tested” cryptography) to give citizens and customers the ability to securely prove that they are eligible for services without unnecessarily revealing other attributes about themselves.
What they mean of course is the ability to present credentials rather than personally-identifiable information (PII). This in turn means that we can shift most transactions away from identification and on to authorisation, a long overdue change in the fundamentals of online transactions. This is what the proponents of “self sovereign identity” (SSI) have been asking for, and for some time. Their view is that by putting personal data in the hands of an individual, SSI has the potential to lower frustration levels of consumers who have to juggle dozens of passwords and accounts sitting in centralised databases that offer little transparency into how data is stored, shared, or monetised.
I am sceptical about maximal SSI, because I think that most people (eg, me) lack the persistent competence necessary to manage identities for themselves, but I think some form of custodial SSI where the identities are managed by regulated institutions on behalf of customers makes a lot of sense. Apart from anything else, if I accidentally leave my iPhone on top of my car and then reverse over it after it falls into the road (as actually happened to a friend of mine recently), I’d like to be able to get my identity back from the safe keeping of my bank rather than have to go around rebuilding it piece by piece.