What is digital trust?

Digital trust refers to the confidence in the security, reliability, and integrity of digital interactions and transactions. It encompasses the belief that digital platforms, services, and technologies will protect users' interests and safeguard their data as intended. In our interconnected world, digital trust provides the foundation for individuals and organizations to engage online without constant fear of fraud, data breaches, or identity theft.

Digital trust is essential because it underpins the functioning of the modern digital economy and society. It facilitates secure transactions by allowing users to engage in activities like online banking, shopping, and communication without constant concern for their safety.  

What role does digital identity play? 

In the digital realm, establishing trust relies on the existence of digital identities. These identities are fundamental to fostering trust and security in online interactions and transactions. A digital identity includes a person's online presence and interactions. It also encompasses various data points that are connected with a person, such as personal attributes like name and date of birth, history of online transactions (e.g., search history or purchase history at an online shop), or the digital footprint left across the internet. 

A digital identity may include multiple user accounts with which we log in to systems and environments. For example, you may have a company user account at work to access company resources and several user accounts for different online shops with which you can conveniently purchase goods without repeatedly providing your delivery address and payment details. Each of these user accounts has a different context. Our digital identity and online presence involve many other accounts in various contexts, each differing in trust level. For instance, a social media account usually has a low trust level due to the lack of verification of the true identity of the person behind it, while a bank account for online banking has a high trust level as the bank is required to verify the identity of the account holder.

In recent years, there has been a shift in how trust in digital identities is managed. In traditional identity federation models, trust is centralized or mediated through trusted authorities, such as identity providers like SwissID or federated citizen logins like zuglogin. Decentralized identity schemes, in contrast, rely on a distributed trust model that eliminates the central identity provider. The identity data is stored in a digital wallet on the user's mobile phone, and the user remains in complete control of their data. The upcoming E-ID implementations in Switzerland and the European Union have adopted decentralized identity schemes. Decentralized schemes can simplify establishing trust because they do not rely on a single provider and thus have a built-in degree of additional mutual control.

Implicit and explicit trust 

Digital identity is the foundation that defines the user's identity, while access management determines what the user can do once they have proven their identity. Access management is critical in ensuring a digital transaction's security as it makes sure that only trusted actors participate. In access management, there are two types of trust: implicit trust and explicit trust.

Implicit trust assumes that every actor within a system is trustworthy until proven otherwise. It works like an airport security checkpoint. An individual gets checked once and enters a zone of implicit trust where every passenger is assumed trustworthy. In computer networks, implicit trust has been considered sufficient for quite some time. As long as valid login credentials are presented initially at the checkpoint, the actor is trusted, and access is granted to resources within the trust zone. The possibility that danger could come from within was largely ignored until hackers demonstrated this risk through phishing and malware attacks. 

In recent years, the focus has shifted from implicit to explicit trust. In this model, a network is considered compromised by default, so every access to resources must be continuously monitored and authorized. Explicit trust therefore grants access based on continuous authorization: in addition to correct login credentials, further attributes describing the context of the resource access are considered. These contextual attributes vary but usually include location, time, and device. They may even include behavioral attributes like typing behavior or other user-specific attributes.

Explicit trust is the foundation of the so-called Zero Trust Model. Zero trust is a security framework based on the principle «Never trust, always verify». The security measures taken within this model require constant access verification. By shifting towards Zero Trust, organizations can enhance the security of their data and quickly contain the extent of potential security breaches. 
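The difference between the two trust models described above, as an added example that is not part of the original article: the same session is replayed through a checkpoint-style check and through a per-request check that also weighs location, time and device. The policy values, device names, resources and the session itself are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy values, chosen only for this illustration.
ALLOWED_COUNTRIES = {"CH"}
USUAL_HOURS = (time(7, 0), time(19, 0))
KNOWN_DEVICES = {"laptop-0042"}

@dataclass(frozen=True)
class Request:
    credentials_valid: bool
    country: str
    device_id: str
    when: datetime
    resource: str

def implicit_decision(logged_in):
    """Checkpoint model: one successful login opens the whole trust zone."""
    return logged_in

def explicit_decision(req):
    """Per-request check: credentials plus location, time and device context."""
    reasons = []
    if not req.credentials_valid:
        reasons.append("invalid credentials")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("unexpected location")
    if not USUAL_HOURS[0] <= req.when.time() <= USUAL_HOURS[1]:
        reasons.append("unusual time")
    if req.device_id not in KNOWN_DEVICES:
        reasons.append("unknown device")
    return (not reasons, reasons)

def replay(session):
    """Return (resource, implicit_allowed, explicit_allowed, reasons) per request."""
    logged_in = session[0].credentials_valid  # checked once, at the checkpoint
    rows = []
    for req in session:
        allowed, reasons = explicit_decision(req)
        rows.append((req.resource, implicit_decision(logged_in), allowed, reasons))
    return rows

# Constructed session: a normal login, then the same valid credentials
# presented from another device and country ("XX" is a placeholder) at night.
SESSION = [
    Request(True, "CH", "laptop-0042", datetime(2024, 5, 6, 9, 15), "/mail"),
    Request(True, "CH", "laptop-0042", datetime(2024, 5, 6, 14, 2), "/payroll"),
    Request(True, "XX", "phone-9999", datetime(2024, 5, 7, 3, 40), "/payroll"),
]
```

Calling `replay(SESSION)` shows the implicit model allowing all three requests, while the explicit model denies the third and records which contextual attributes failed.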

Example: digital signature

The electronic signature is a prime example of a transaction requiring a trusted digital identity and access management system. It validates that the signer comprehends and agrees with the document's content. Its legal validity is contingent upon establishing the creator's identity and verifying that the document remains unaltered after signing. Therefore, it is crucial to ensure that only a trusted digital identity authorized to sign can initiate the signing process. Electronic signatures will increasingly become part of our everyday life, as they can eliminate the handling of a large amount of paper documents and streamline the user experience.

No growth without trust 

Digital trust is the foundation upon which all digital interactions are built. Establishing and maintaining digital trust is not just important – it is essential. It enables the digital world to function smoothly, fosters innovation, and drives economic growth. Nevertheless, establishing and maintaining digital trust requires continuous effort from organizations and individuals. By prioritizing security, transparency, and best practices, we can foster a trustworthy digital environment where users can confidently engage in the digital economy.