Apple Pay whatever, Apple ID wowza

We’re all familiar with Apple Pay and Google Pay and how much easier (and more secure) they make online commerce. It would be nice if this security were to extended to online interactions of all kinds, not only payments. I think this is not that far away. Apple has recently registered a number of patent claims across the general field of “verified claims of identity” which quite rightly attracted some attention. In July, they filed an application with the U.S. Patent & Trademark Office that describes the technology it is trying to develop to replace traditional driver’s licenses, passports and varied ID cards for government purposes or access to private property. I think these applications are really important and that the fact that Apple wants to control means of presenting and verifying “identity” through devices, including iPhones, is a signal to the industry that the wallet wars are about to heat up.

What's in your wallet?

If I look in my wallet, most of the stuff in there is nothing to do with payments.

If Apple or Google want to replace my wallet, that means that they have to replace my driving licence, my loyalty cards, my rail discount pass, my blood donor card, my AA membership… well, you get the point. And in the real world, I only have twenty or thirty of those cards but in the virtual world I have hundreds if not thousands. Replacing the payment cards was easy. Replacing the identity cards is hard. But in the long term, it’s much more valuable.

It would be nice if the security and convenience of the digital wallets were to be extended to online interactions of all kinds, not only payments. Perhaps this is not that far away. We already use them make online access easier. If I’m signing up for a new services (eg, when I signed up for the New York TimesNYT recently) then I’ll look for the “sign in with Apple” button first and only if the web site does not support it will I then select “sign in with Google” (after first remembering to log in to my “John Doe” Google account). But this is about authentication, not identification. Apple told the New York Times that I am “blahblahblah@blah.apple.com”, not that I am David Birch or that I am over 21 or that I am a UK resident or whatever.

It’s about time, Frankly. The lack of a digital identity infrastructure is big problem in an online world and it has to get fixed whether by governments, financial institutions, specialist players or someone else. Since governments, banks, telcos and others have not fixed the problem (at a level of global interoperability comparable to the internet and mobile phones), it looks as if someone else is going to have to do it.

Since governments, banks, telcos and others have not fixed the lack of a digital identity infrastructure, it looks as if someone else is going to have to do it. Click To Tweet

At the time of writing, Apple are advertising a vacancy in Cupertino for a product manager for identity. The job description posted is for a “top-flight identity product professional with industry experience in physical and digital identity to join us on the journey of replacing the physical wallet”). Maybe Apple is going to be the someone else who is going to deliver mass market digital identity.

They can do it, and I’m hardly the only person to have said this. A couple of years ago here in Forbes, for example, Panos Mourdoukoutas predicted that Apple’s next big revenue source wouldn’t be another device, but the “monetization of the ID Apple assigns to its customers”. This prediction, I should stress, was not especially radical or unusual. Indeed, back in 2016 I was working on the strategic assumption that this was an inevitable direction. I wrote at the time that “it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware”. This was hardly a mystical prediction. I was merely building on the obvious fact that if the “secure enclave” inside an iPhone is safe enough to store payment tokens then it is safe enough to store a variety of the virtual identities that I will need in the online future, having written back in 2015 that if my “Apple ID” provides a convenient mechanism for mutual recognition in person and on line, it will be indispensable in short order.

(Without getting distracted by technical details, it is important to note that what Apple appear to envisage is that a device — such as an iPhone, to highlight the obvious example — will be storing credentials obtained from a variety of sources. My hope is that Apple, Google and others support an interoperable standard — W3C VC, to highlight the obvious example — so the credential providers and users will move to authorisation-based transactions as soon as possible.

So the idea that the platforms might step in and provide the digital identities that will be crucial to our online existence — because banks, governments and others have not — is not what is new. What is new, and why we are talking about identity now, is the coronavirus and the extent to which is has both illustrated the problems caused by not having digital identities and accelerated the drive toward workable solutions. Suddenly we are having to figure out not only how to shop and bank online but how to work, learn, visit the doctor, vote (to pick a very current and contentious example) and access government services online. In the UK, as in the USA, we don’t yet have anything like the infrastructure needed to do this so we end up with costly and imperfect silo solutions.

My point is that we need to put some serious thought into developing a digital identity infrastructure. And we must think about how that infrastructure will evolve and develop. Does the USA want a system as in China where you have a single identity that must be used to do everything and the government knows what you are doing at all times? That has some interesting consequences! For example, for years, the government there has been trying to stop kids from playing too many video games. Now the Chinese have ruled that anyone wanting to play a game must log in using a state-run authentication rolling out this month.

Now, that may be the right way to run a country or the wrong way. That’s not my point. My point is that we need to think about the problem and make some choices about what we want because if you think that digital identity is just about making it easer to log in to your bank, you are wrong. Should the government know that you have logged in to my bank? Should Apple know that I am playing Fornite? Should Facebook know that you are voting online? How exactly can we design an infrastructure to deliver both privacy and security? These are serious questions: Digital identity is the foundation of existence in an online society and choices that are made about how those identities work will be fundamental to how that society is going to work in the future. We need to begin this discussion now.

[This is an edited version of an article first published on Forbes, 29th August 2020.]

Leave a Reply