Since Facebook transitioned to Meta, JPMorgan Bank has opened a metaverse bank branch and real estate companies have bought metaverse land holdings. Meanwhile, big-tech organisations like Apple, Samsung and Microsoft have launched massive volumes of job postings for roles in this sphere. And many companies have begun looking for ways to present themselves in the metaverse. Because, in the metaverse, physical identities are combined with digital identities to link physical objects, social media accounts and elements from the gaming, augmented reality and cryptocurrency industry. The aim is to create a hybrid, integrated user experience that’s both physical and digital.

While the metaverse (also known as web 3.0) is still in its early stages, it raises many questions about the future of physical and digital identities and authentication online and offline. One of the most urgent questions is how can individuals, products, services and companies represent themselves online and offline? What does an identity mean in this next phase of the internet? And where is the line blurring between physical and digital?

What are the differences between physical and digital identities?

In the physical world, your identity reflects a myriad of characteristics – from where you live, study and work, to how you look and interact with the world. In this realm, you often receive a physical certificate, diploma or other proof from a trusted party such as a notary, university or municipality.

Likewise, your digital identity reflects your virtual address or domain name and also your behaviour on the internet. For individual users, this identity is based on information collected (including search history, past purchases and demographic information) that make up their online profile.

Physical and digital identities are also being combined increasingly more often as physical characteristics become digital. It’s convenient, for example, to be able to request and digitally share a diploma from an issuing authority. There’s no hassle with scanning and sharing physical diplomas – you can use a 100%-digital variant. The same goes for mortgages, buying a car and wall art.

What is the metaverse and how will it change the concept of identity?

The definition of digital identity takes on a new meaning in the metaverse. Here, the principles are decentralised and based on open-platform public blockchain technology that relies on digital identities linked to real identities. Physical items are also increasingly being linked to digital identities.

In this virtual world, users have control over personal identifiers and interactions with other users. They can even disclose information selectively, depending on their comfort level, through a personal wallet (for which they hold the private key). And they can add personal physical items to a digital wallet so they can show them off in a digital way ­– which may signal a new phase for social media and gaming.

Digital identities in the metaverse can represent individuals, as well as institutions or organisations. A person can have multiple digital identities, such as an employee of an organisation, an attendee at a virtual concert and a member of a club, but they’re all based on their real identity.

This anticipates the need for an interoperable digital and physical identity (a kind of digital passport) that individuals and organisations can use in digital environments to prove who they are and why they’re different. This will also enable physical objects to be linked to a unique digital version. Nike, Adidas, Amazon and Shopify, for example, have already indicated that they’ll make this kind of integration increasingly easy.

How can we prepare as a business or brand?

For businesses and brands, an identity is a reflection of its behavior and interactions online and offline. Building an authentic physical and digital identity (whether as an organisation or an individual), starts with knowing who you are. And, most importantly, who you want to be online and offline.

That’s what this new channel, the metaverse, can do for your brand or business. But what implications does it have from a security perspective?

Organisations need to prepare for this next phase of the internet as, inevitably, identities will become both physical and digital. The following steps should play a role in any vision documents relating to identities and the metaverse:

1. As a company, think about your vision for the metaverse and the role employees can play. Which products, services and/or data do you supply and is there a need to record these digitally? Would customers like to add them digitally to their personal wallet?
2. Identity wallets can be managed in a decentralised way, through blockchain, or centrally through Public Key Infrastructure (PKI). How will identity wallets be used and how will the different kinds of data be handled – not just personal and financial data, but data from physical products or services?
3. Securing transactions is also important. Whether the transaction model is decentralised or centralised, key pairs are used. So how do you handle that? How do you encrypt the data? When do you decrypt it? And how do you deal with key management?
4. Think about how physical products and services can be translated into a digital environment. Do you want to deliver something or offer a service as a company in the metaverse? How will you record these services or products? Via certificates or on the public blockchain?
5. If you opt for a centralised model, and therefore PKI, think about the current European and national laws and regulations. Also think about a chain of trust for issuing certificates and attributes. And consider how you can issue identity wallets, whether your model is centralised or decentralised, so people can use them.

The metaverse is an innovative development that will be discussed extensively in the coming years. It’s unclear which way everything is moving. But what is clear is that we must prepare. Thinking about the security impact now is crucial for security managers of the future.

Author: Jordan van den Akker, Chief Information Security Officer (CISO) at AET Europe.