Talk Turns to Leveraging Digital Identity Infrastructure as COVID Credentials Retire

Mobile digital identity technology and infrastructure have been dramatically advanced by digital health passes, which provide the foundations of identity verification and linkage to credentials that can underpin mobile identity wallets.

This is according to a LinkedIn post from Zetes People ID Head of Business Development and Innovation Geert Peeters.

Peeters writes that the EU Digital COVID Certificate (EUDCC) and other such credentials, intended for cross-border recognition based on reference to an official data source, set up the development of “multipurpose mobile identity systems.”

Peeters references the whitepaper ‘Covid-19 as a Catalyst for Advancement of Digital Identity’ by Perkins Coie Partner Charlyn Ho, which identifies trust, user-centricity and security as the three qualities needed to engender the support necessary for widespread digital ID adoption. Zetes would add interoperability, Peeters says.

Each of these characteristics has been built into digital health passes, if imperfectly, according to Peeters, who reviews the progress on each front.

With a little more progress, Peeters suggests similar technologies could bring digital identity to the billion people who still do not have it.

Planning for COVID credential retirement

The EUDCC system is being extended by a year, to June 2023, to avoid divergence of national systems within the bloc, Healthcare IT News reports.

In various jurisdictions, however, COVID credentials are being rolled back or retired. The Canadian Province of Saskatchewan has already stopped requiring the credentials for indoor commercial settings, CP24 reports, while Ontario plans a March 1 end to proof-of-vaccination requirements.

A program to develop Ontario’s incoming digital ID kicks off this month, and neighbouring province Quebec is targeting a 2025 launch for its relatively comprehensive digital identity system.

U.S. states continue to have widely varying approaches, and in the EU some German states have already begun reducing the use of vaccination and recovery credentials, ahead of their planned retirement.

Now used by 27 EU states and 18 other countries, the EUDCC is considered a success by the EU, but the lack of encryption on the barcodes provided is a potential vulnerability, says Matthew Comb, a doctoral student researching digital identity at the University of Oxford.

If the COVID pandemic had happened just a few years later, he says, the digital identity infrastructure would already have been established.

The concept behind using private keys to decrypt digital credentials is already in production in various systems, but not in the public domain, where the private keys could be stolen. That, according to Comb, is a missing piece of infrastructure.

“We’ve never done this before on a large scale, we don’t have the infrastructure in place to handle encryption keys, relative to a person’s digital identity, in a distributed environment because we have not reached an agreement on the standardised approach to managing the keys involved,” Comb tells Healthcare IT News.

If the system did not have to work as broadly, such as in offline scenarios, secure servers could have been used.