Let's Talk About Digital Identity
By Ubisecure
What is Identity Governance and why is it important? Craig Ramsay, Senior Solutions Architect at Omada, joins Oscar to explore all things Identity Governance, including the role of Identity Governance in compliance with regulations and standards, how it affects security and risk management for organisations, alongside some real-world examples of Identity Governance in use.
[Transcript below]
“We’re still trying to shake off the thing that – security is a barrier to efficiency. There’s an old adage that ‘efficiency is insecure, but security is inefficient’. But I don’t think that’s true anymore.”
Craig Ramsay, Senior Solution Architect at Omada, from Edinburgh, Scotland. I have worked at Omada for 3 years and have previously worked at RSA Security and different financial services organisations in the UK within their Identity functions. Outside of work my main interests are hiking and travelling.
Connect with Craig on LinkedIn.
We’ll be continuing this conversation on LinkedIn using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 102.
Oscar Santolalla: This week I am joined by Craig Ramsay from Omada, here to discuss the importance of identity governance and how it is helping to solve problems in the real world. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar.
Oscar: Hello, for today’s episode about Identity Governance and Administration, mostly known as IGA, we have invited a super interesting guest who is Craig Ramsay. He is a Senior Solution Architect at Omada. He’s from Edinburgh, Scotland. He has worked for Omada for three years and has previously worked at RSA Security and different financial services organisations in the United Kingdom within their identity functions. Outside of work, Craig’s main interests are hiking and travelling. Hello, Craig.
Craig Ramsay: Hey, Oscar. How are you doing?
Oscar: Very good. Nice talking with you.
Craig: Thank you, you too.
Oscar: So, let’s talk about digital identity. As usual, we want to hear more about our guests. Please tell us about yourself and your journey to this world of identity.
Craig: Sure. So, I mean, thank you for the introduction. And I guess, in terms of my journey into identity, it was a little bit by fluke rather than by design. I studied Computer Science and when I graduated, I joined an operational IT graduate scheme. They had recently started a new IAM project, because I think back in 2008, identity and access management, identity governance wasn’t as mature as it is now. It was still kind of seen as an operational IT project rather than an information security principle. So, the drivers there were more about the efficiency, automated provisioning and stuff. But yeah, they were looking for a graduate on that project. That was me.
And apart from a few years where I decided to try what it was like being a policeman, I have worked in identity ever since, either for, as you said, financial services organisations doing the work at the coalface, or for vendors, either in project delivery or, you know, pre-sales in my solution architect role.
Oscar: Excellent. So, let’s go first with the basics. We have not talked about IGA yet in this podcast, have not focused on that. So, tell us, what is that? What is Identity Governance and Administration, IGA? What is important?
Craig: Sure. So, I mean, identity governance, when you focus on it, at its core, it’s a solution that will ensure the right individuals have the right access for the right reasons at the right time in your organisation. So, it’s protecting the authorisations or the resource assignments within your organisation. And that’s often policy-driven to ensure that all of, and I think the important distinction here when we talk about IGA, that’s traditionally your internal identities, maybe your third parties and contractors.
And then in terms of the overall importance of identity governance, as I said, it’s evolved over the years from being primarily driving and focusing, looking at the provisioning element of things. But as governance has become more and more important, as we start to take a more holistic view at identity, when you look at the adjacent technologies; privileged access management, cloud infrastructure entitlement management, user and entity behaviour analytics, identity governance is now really being seen as the kind of control plane across that identity fabric. So, I think it is becoming crucial. And there’s a lot of visibility on the importance of identity now, right up to C-level, and maybe wasn’t 10 years ago.
Oscar: You mentioned this concept about identity fabric. Could you also explain a bit more about that in this context?
Craig: Yeah, sure. So, I mean, identity fabric is a term that’s been coined in the last maybe few years by a lot of industry analysts out there. It’s maybe a new phrase, but I think the concept isn’t necessarily that new. So, I think we also hear people calling it an enriched security ecosystem. So, it’s where you look at these solutions in the PAM space, UEBA, your SIEM solutions, etc.
Those traditionally have worked in perhaps a bit more of a siloed manner. And the integrations have been maybe limited and not as seamless. Whereas now, I think this concept of that enriched security ecosystem, that fabric is that these things should be joined up and they should be – the convergence of intelligence and data between those solutions, I think is becoming more and more important so that you can take a holistic approach to reducing your identity-related risk.
Oscar: It is very important, as you said, because there will be anyway, other solutions working together with IGA. Yeah, absolutely.
What are the main problems, just – I’m sure there are many, but what are the top main problems that IGA solves?
Craig: Yeah, so from a business problem or business challenge perspective, I think the main thing that we always focus on when we’re helping people build their IGA business case, is that we focus on security, compliance and efficiency. So, it’s looking to increase the efficiency and productivity of your end users and their experience, all whilst ensuring that you’ve got increased compliance, increased security and reduced risk.
So, when we look at that, some of those common challenges and problems within that would be reducing the attack surface in the organisation. So, removing unneeded access, adhering to the principle of least privilege, making sure that your identities only have the access they should. I mean, combining those two things is going to reduce the likelihood and the impact of a potential breach in the organisation. It provides you with a unified view of access across the organisation, which a lot of people often haven’t had previously. So, understanding who has what access.
And then there’s the automation around identity lifecycle management. So that’s reducing the time taken to provision your joiners, your movers, your leavers. You’re putting governance and auditing around all of these processes too. So, when people are requesting access, you’re ensuring they’re getting it for the right reasons with the appropriate approval. And you’re cutting down on things like rogue IT administration and stuff like that.
So that’s high level, there is more obviously, but I think those are the high-level ones that we see frequently when we’re speaking to prospects out there in the market.
Oscar: It’s security, compliance, and efficiency. Yeah, we’d like to talk about this. But before, actually, it will be interesting to – so people can understand the broader concept, how they try to imagine it in their minds.
If you can see in a real-world example how it works for a typical corporation that uses IGA. So, tell us what are these main processes that you say, mostly employees, right? What are these main processes? Let’s say a new employee goes from beginning until the end.
Craig: Yes. I mean, if we’re going to talk – the phrase we kind of, is from hire to retire. So, when I try and explain this to my friends, maybe aren’t so technically minded when they ask what I do, I sort of give them an example. I say, OK, you join an organisation, and you are working in their HR department. So, from day one, you should have access to be able to log into the network, an email account, access to various file shares to do with HR to enable you to be productive from day one.
So, the IGA solution will help you identify the policies to automate that process, to make sure that you are productive and also make sure that you’ve only got access to what you should. So, if you’re joining HR, you shouldn’t be getting access to any file shares to do with finance, R and D, anything like that. And then as you move around the organisation or your needs change, you should be able to request access that goes through the appropriate channels.
It should be reviewed regularly to make sure that it is still appropriate as you go through your life cycle as an identity in the organisation. If you are promoted or change departments, that should change automatically in line with those policies too. And if you either leave the organisation, be it permanently or temporarily for maternity leave, garden leave, that kind of thing, your IGA solution should then disable or deprovision that access in a timely manner too, to make sure you’re reducing risk.
So, I mean, those are kind of some of the high-level things that it’s that right access for the right people at the right time for the right reasons is kind of trying to, in a nutshell.
Oscar: Indeed, that was in a nutshell, very, very easy to understand. Thank you for that. Some of these at least main problems and how these are being solved. But IGA, let’s start with security as you put security first, how IGA is helping with security?
Craig: So, in terms of how it contributes to, you know, maybe security and risk management, I think, it’s providing stronger access control. So, it’s starting to limit access to your sensitive and privileged information. So, when you start to look at either personal identifiable information, financially sensitive information, or privileged access, so this is when you start to look at integrations with adjacent technologies in the PAM space, you’re ensuring that the access control is limiting that access.
Reducing risk. I already talked about the fact that that principle of least privilege means that if there is a breach in the organisation, the identity of the account that’s breached should have only the access needed to do the job that it can, and it shouldn’t have any elevated permissions permanently. The ability to traverse the network or to have a much more impact on that breach should be reduced. You’re also reducing the likelihood by integrating with identity providers to perform strong authentication. And those unneeded accounts or unwanted accounts or unused accounts have been removed over time as well. So that should be helping you reduce the risk and then improve your security posture.
In combination with that as well, if you look at some of the real-time monitoring and identity incidents or detection and prevention, you’re starting to see integration with abnormal access patterns, maybe, you know, impossible logons, for example. We integrate with the Azure identity risk subscription, so that’s looking at – user logged on from Edinburgh one minute and they’re trying to log on from Beijing the next. That’s impossible, so that may be an indication of compromise. And then your IGA solution could lock down that account.
So, there’s many ways you could do that and it’s obviously a maturity journey, you need to crawl before you can walk before you can run. But it’s a maturity journey you go on to take a holistic view in reducing your identity related risk.
Oscar: Yeah, indeed. From basic essential functionalities of security to much more advanced like some of the ones you described.
The second one is, of course, we’re interested about compliance. It is very common that someone comes, starts to ask someone from Omada, or from another company, even Ubisecure, we also do identity and access management, and one of the key drivers for them is compliance, especially in some industries, where it’s more important. So, tell us about compliance.
Craig: Yeah. So, I mean, when you go out there in the market and you’re speaking to organisations, like more and more and more we are speaking to organisations that operate on a global basis. So, you’ve got country or region-specific things like GDPR, SOX, HIPAA, PCI DSS etc. that are external regulatory compliance frameworks that you must comply with. And you know we keep track of things like Schrems II as well. We’re always keeping an eye on that to ensure that the solution we provide is compliant with those things.
But then we’re also helping our customers comply with how they are storing, processing and managing the data in relation to those things. So, if you look at what I often say is that an identity governance solution is a technical translation of your business processes. I think you always have to look at making sure your people, process and technology are working in harmony with each other. Technology alone will not resolve your problems. So, I think as part of a wider identity information security strategy you should ensure that your internal policies and standards are created in such a way that it will help you comply with those external regulations if they apply to you.
But you should always look, I think it’s a healthy thing for any organisation across any vertical to have these well-defined policies and standards and ensure that they can comply with those. And as I said that’s where identity governance comes in, because it helps you comply with those things by defining policies that can detect when you’re non-compliant, you’ve got that audit trail. So, it offers – you’ve got transparent auditing for your internal and external users to prove compliance. You will go through regular recertification, attestation, reviews, whatever you want to call it. But that also ensures that you’re demonstrating regular compliance.
And then we already talked about risk management as well, but compliance and risk often do overlap each other. So, you’re identifying and mitigating compliance risks through the definition and enforcement of these policies as well.
Oscar: Indeed. So, there are some reports that can be directly created, right, from the IGA system. And that can be directly taken by the compliance officer or whoever requires it, right?
Craig: Yeah.
Oscar: The other you mentioned there was the operational efficiency, right? So, as you mentioned, it’s one of the three main problems. Let’s – I’d like to hear more about that as well, how IGA helps.
Craig: Yeah. And I think that’s one of the things that I think separates IGA and the information security market sometimes. That it’s not always focusing on risk reduction and things that are maybe potentially seen as negative. So, you talk about fear, uncertainty and doubt within the sales process, etc. When you’re doing that, it can often be quite a hard sell because it’s hard to quantify the risk. We can’t help with that. There are formulas out there for calculating the impact of a risk based on, you know, the likelihood, the cost of the actual breach, etc.
But to bring it back to what you actually asked about from an efficiency perspective, if you look at – if organisations are still heavily manual in their provisioning and their processes, there’s a huge cost to that from areas like your service desk, your operational IT administrators. And often it leads you to the potential for human error as well. So, if you start to automate those things, you see a reduction in numbers of calls to the desk, a number of manually created events and things that are being done. And you can put a pound, euro, dollar sign against that clearly from an efficiency and a cost reduction perspective.
From an end user perspective as well, I mean, it’s always, I think there’s – we’re still trying to shake off the thing that security is a barrier to efficiency. There’s an old adage that I keep using for it regularly that ‘efficiency is insecure, but security is inefficient’. And I don’t think that’s true anymore. I think if you correctly apply your policies in a way that apply the appropriate level of risk, your users – to them, it should be seamless pretty much all the time. They shouldn’t see these processes as an action. They should see it as; they request the access they need, it gets granted to them in a timely manner. When they move around the organisation, a lot of that should happen automatically.
Overall, you should see an increase in productivity. Your line managers aren’t getting frustrated when people join the organisation and they’re having to submit 10 different requests to get them functioning from day one. So, it’s overall operational efficiency and cost reduction. But the productivity and end user experience of it as a result of a well-delivered IGA program, I think, is clear to see as well.
Oscar: Yeah, cost reduction is clear and is a great reason to buy a product like IGA. Absolutely. Well, if you quantify that to a buyer, it’s like, wow, you can convince him or her very easily. Yeah.
At Ubisecure, we are working with CIAM, and I experienced directly that sometimes requests come from potential customers, and they are looking for identity and access management. And when we review closely, we see that sometimes what they need is IGA or what they need is both IGA and customer identity and access management. So, and in those cases, the customer will need to deal with these two types of system, right? The IGA and CIAM.
So, what is your perspective from your experience working on integrating these two types of tools? What are the main things that a buyer, both from a business and technical perspective, should know at least?
Craig: Yeah, so, I mean, funnily enough, I have worked on a couple of opportunities where Omada and Ubisecure have been working together on those kinds of joint proposals where people are looking for IGA and CIAM. And I think it’s interesting because you can make a very strong case about where the overlap is, but you can also equally make a very strong case about why they should be separate because of the nature of the requirements.
From a CIAM perspective, you’re looking for that seamless, really quick response for all your consumers. And then you should be able to deal with high demand periods when you’re very, very busy, when your consumers are consuming your services. And from an IGA perspective, you’re very much looking at the internal and the control and the level of these privileges that we’re talking about. And there are similarities in the capabilities in terms of, you know, being able to provision in a timely manner, deprovision in a timely manner, ensuring that it’s the level of appropriateness.
So, if you look at it from an integration perspective, a unified management of the identities, I think, could be important whilst treating them differently. I think your end user experience again should be important. So, you’re balancing security and efficiency for your internal and external customers. And then you should be able to have that from a scalability perspective by seeing those things integrate well with each other as well.
I think what is important when you’re speaking to people, understanding their requirements is crucial. So, when they’re talking about, you know, B2B or B2C capabilities and requirements, it’s OK, well, how do you manage your B2B and B2C use cases? Because I think if you take a software or technical organisation, their consumers consume their services in a far, far different way to maybe a retail bank or a supermarket. The requirements for end users from that perspective, they’re opening up a loyalty card in a store and you’re processing their personal data in that manner, is very, very different to maybe a software company where people are having accounts created and consuming those services.
So, as you can probably tell, not an absolute expert in the CIAM space, but I think whenever those opportunities arise, I think the first important question is why? To understand what it is exactly they’re trying to achieve. And then you map the use cases to the functionality in each of the appropriate solutions to make sure that it’s well matched. There will be overlap in some cases. But as I said, there’s a strong case for when there’s similarities and when they should be managed separately. But ultimately, it’s part of that wider identity fabric we mentioned earlier that it’s kind of all identity in the end, I guess.
Oscar: Yeah. Indeed. As you say, you put it very clear, the importance of really knowing very well the requirements because in a conversation, they might tell you we need this one, two, three, five things and can be also in a written Excel file or whatever. But then you have to go deeply to understand what they meant by saying this B2B or anything, right? So, yeah. Indeed. Thank you for sharing that.
Looking now at the present and future, let’s say, because IGA, as many other types of products have been evolving, are evolving all the time because there are different needs. So what customers are asking today when they are clear that they need an IGA software? What they’re asking today and what are these new problems that need to be solved, are being solved now and need to be solved if they are not solved today?
Craig: Yeah. So, it’s a very timely question. To be fair, we recently released a State of IGA for 2024 report at Omada and we did a webinar discussing the findings of it, and it did exactly that: it looked at how seriously people were taking identity. And then, as you said, what are they looking for currently and what are they looking ahead at as well. So, and we just talked about the why and the use cases, so I think number one that we still see is that the solution they’re looking at adapts to and meets their changing business needs. So, the requirements they have now and the requirements they think they’ll see in the future, it’s the core capabilities must adapt and must comply with that.
We’re seeing an increased importance being put on the ability for the solution to integrate as part of that security ecosystem we talked about. So being able to play nicely with the adjacent technologies across the identity fabric. And then from a connectivity perspective, I mean I talked earlier about a unified view of access across the board, the nature of organisations has changed massively in terms of on-premises systems to a lot more cloud services being consumed. So the ability to extend and integrate with a growing list of different target systems is important for them.
Looking ahead, we do see AI and Machine Learning coming up again and again. And I think when we see that it’s important to take those as separate things. So, from ML perspective, you know, if you look at kind of the role mining capabilities that have been there for some time, recommendations during reviews, recommendations for decisions or decision support for approvals, that stuff has been around for a little while.
From an AI perspective, I mean there’s a huge buzz around what’s happening in AI. Just now Google just released their Gemini chatbot to rival ChatGPT, and that generative AI stuff and the practical uses of that are going to start to be seen. So, you know, integrating generative AI, we have stuff where it’s looking at… you can ask questions about the documentation. So, like what is this object in Omada and like what’s the difference, and it’s starting to respond to that, so we’re in the process of testing and releasing that.
And then looking further down the line, it’ll be generative AI within the solution. So, user logs in and it says, “What are you trying to do today?” “I need the same access as my colleague Allison.” And it’ll say, “OK she’s got this, this and this. Maybe this is what you need to request.” Or it’s becoming more mature and more complex or sophisticated in what it can do.
So, I think ultimately what people are looking for is ensuring that the solution they have can do what they need to do today and can do it well, it’s scalable, it’s easy to upgrade, it’s easy to maintain. They’re reducing the complexity of management of it so they’re simplifying it from that perspective. But looking ahead they’re needing that generic connectivity that can allow them to connect to any of the systems they have now and ones they want in the future. And then being able to take advantage of the advances in the AI and ML space to improve end user experience and also the maintenance and administration of the system itself for their administrative users.
Oscar: So, you believe that machine learning and the other what we call artificial intelligence is going to be used. It’s to be solving those problems that today customers are bringing up.
Craig: I think it’ll augment, and I think – because that’s the thing people get worried about AI replacing us and whatnot. And maybe somebody using AI more efficiently than you might replace what you’re doing but AI itself can’t and I think any algorithm that – it does do in the output of it still needs human validation particularly in a field like IGA where OK it’s taken a huge amount of data, provided this output and most that might look OK. There’s probably some human context in terms of exactly what that business does that’s needed to say, “Yes I’m still OK with that.” Because ultimately the human’s going to have to be accountable for the decision that’s made. I don’t think and I don’t think we’re going to see algorithms being fined or sent to jail for data breaches you know, I mean.
Oscar: Yeah, a human will go to jail anyway. Hopefully not. Hopefully that doesn’t happen.
Craig: No, hopefully not that’s what we’re trying to prevent. You’re right, we’re trying to prevent that but yes.
Oscar: Exactly, exactly. Yeah, yeah definitely. Also, one thing you mentioned, it comes back to what we discussed earlier, these identity fabrics. Yeah, the way to coexist all these tools, IGA, PAM, CIAM all together, that’s also, as you say, something that is becoming more important because the environments are getting more complex.
Final question for you, Craig. For all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Craig: So not to spoil the magic of the podcast but we’re recording this just before Christmas towards the end of the year and I don’t know when it’s going to be released but that’s always a time for reflection and looking at where you’re at and where you want to be going. And I think for any business leader right now, I think conducting an identity maturity assessment is something that you can do actionably right now. So, look at where you’re at from an identity maturity perspective and identify gaps that you need to start filling, or priorities looking ahead and aligning that with your business goals, your business risks to ensure that your information security strategy, your policies and standards support your overall business objectives.
And then from that, building a plan of continuous improvement, some milestones as well. And I think any well-delivered IGA project should be doing that. It shouldn’t be looking to boil the ocean or deliver everything at once at big bang. It should be continuous improvement and continuous demonstration of value.
So, I appreciate that might be – that’s not something cutting edge or brand new or innovative, but I think it is really something actionably you can do now to take a step back, assess exactly where you’re at and then build that plan and start to try an action that. Do that at the end of the year, at the start of the year. There’s never a bad time to take a step back and reflect and put that plan in place. But I think that’s definitely something actionable that they could put on their agenda right now to do from today.
Oscar: I couldn’t agree more, an assessment, absolutely. It’s something needed. Yeah, it takes time. And it’s very actionable, as you said. Yeah, thank you very much, Craig, for having this very interesting conversation about IGA and other topics, related topics.
So, let us know for people who would like to continue this conversation with you, or follow you, or find out more about what you do, what are the best ways for that?
Craig: Yeah, absolutely. So, you can find me on LinkedIn, Craig, I think my username is Craig86. Obviously, I work at Omada Identity, but that’s, again, if you search for Omada, you’ll find us there. I mentioned our State of IGA 2024 report, you can download that free from omadaidentity.com. And there’s also an on-demand webinar where myself and Rod Simmons, our VP of Product Strategy, discuss that report in-depth.
But yeah, please do feel free to reach out and connect. If you want to chat about all things identity or just want to know a bit more about Omada or myself. But yeah, it’s been a pleasure talking to you, Oscar, as well. Thank you.
Oscar: My pleasure as well. Well, all the best. Happy New Year. Now, this coming the new year, 2024, I wish you all the best for you, Craig, Omada, and everybody who is doing all this great job in the identity space. Thank you. All the best.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Is now the right time to invest into Identity and Access Management (IAM)? Join us for episode 101, as Oscar is exploring why now is the right time to invest into IAM with Jesse Kurtto, DPO and Data Scientist at Ubisecure – as they delve into the current economic situation and some of the key factors of investing into identity management.
[Transcript below]
“Digitalisation is ongoing, it’s accelerating, it’s unstoppable.”
Known as the guy who shortened the world and lived to tell the tale, Jesse’s career is gradually arching from the Wild West world of finance to his current position as the DPO and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he’s no stranger in exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is putting the hiking boots and RPGs aside for a moment in order to write to his beloved snail mail friends across the world.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 101.
Oscar: Is this the right time to invest in Identity and Access Management? This week Jesse Kurtto from Ubisecure has joined us to answer this question and discuss the current economic situation. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar: Today’s guest is Jesse Kurtto. Jesse’s career has gradually arched from the Wild West world of finance to his current position as a Data Protection Officer and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he is no stranger to exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is writing to his beloved snail mail friends across the world. Welcome, Jesse.
Jesse: Thank you for the invite, Oscar. Nice to be here.
Oscar: Great having you, Jesse, definitely. We’re going to have a super interesting conversation about the market in Digital Identity and Identity and Access Management.
First of all, we always want to hear more about our guests. So please tell us a bit about yourself and your journey to the world of digital identity.
Jesse: All right. So, like many or even most of us in the digital identity field, I actually never really actively sought to be a specialist, an IAM specialist, on purpose. And my personal background is actually not in technology even, but in finance and investing more specifically. So, a chance encounter, and I liked the people who interviewed me and decided to stay for a while, and that while has been over seven years now. And I’m still learning something new every day, checking out what the world of digital identity is really like, and frankly haven’t ever regretted the decision. No two days have really been the same and the field continues to evolve and develop quite a bit every year.
Oscar: Yeah, excellent, and definitely here at Ubisecure we appreciate having this – well, call it a blend of knowledge – the financial market, no less than what you bring with the security and digital identity knowledge, very practical knowledge you also have. So, it’s always super interesting having those conversations with you.
And for the first time here on the podcast, we are going to have that, a bit more of a financial touch on that – what is coming, especially in this year, and I think also the years to come. The previous year and the year to come, I think, we are already at the end of 2023 in which – well, the financial situation is not good, we’re going to talk about that. But of course, no matter how the economy is, companies and organisations have to protect their services, have to upgrade the services, maintain them, so they have to invest some money in that.
So, from the perspective of companies who today need to upgrade their digital capabilities, what would you say is the piece of the current macroeconomic situation that they should know well? So that was at least what they should know well, from what is happening now?
Jesse: Well, first of all, we all know the macroeconomic situation hasn’t really been dancing on the roses over the past few years. But first, we had a massive shock with the COVID pandemic starting from spring 2020. Then we got massive economic stimulus to recover from that slump. And right after we were starting to climb up, then the war in Ukraine saw that all kinds of new problems everywhere around the world seemed to emerge just within three or four months.
The energy uncertainty in Europe and the economy went down the drain, and macroeconomically we are in quite a difficult situation here in Europe. We would actually want to have some kind of stimulus in order to recover. But at the same time, we are suffering from quite persistently high inflation, which makes any kind of stimulus package basically equal to pouring more gasoline on the flames.
So, the European bank is really between a rock and a hard place here. And I can only look over the Atlantic to the States and be very jealous how they are able to both fight inflation and with high interest rates, five and a half percent this talking and meanwhile still have a blisteringly red-hot labour market all but there.
So, my first point would be that not all markets are equal. And the second important point is that now is actually a really great time to invest in any digital capabilities, including digital identities. Because now, we are in the middle of a small recession in Europe and investing in recession has historically been the very best time to invest in growth.
And if we think for a while, it actually makes perfect sense. After all, the alternative is to invest in the middle of a growth season when everybody else wants to invest in growth as well. Pushing prices even higher and reducing the availability of experts to help with these transformation projects. But now it’s still for a while kind of a buyer’s market.
So best time to invest in future growth is now.
Oscar: So, time to invest is now.
Jesse: Yes.
Oscar: Okay. So, let’s go into what – because there are many things that a company can invest in now and many things that many companies might need. But if you were one of the – a chief executive, like a CISO, or someone who is one of the top decision makers in a company and there has to be some budget for digital identity. Thinking of – first of all broadly. Broadly, but in digital identity, what would be the most important products that today would be the top priority for buying now?
Jesse: Today I would say that the absolute top priority would be – to establish really low friction user journeys from the very beginning, account registration, to the actual purchase, including solid online self-service. And now this low friction user journey is in no way exclusive of security or compliance, but it is actually reaping the benefits of digitalisation. Digitalisation is ongoing, it’s accelerating, it’s unstoppable.
So, the question for every organisation is – should they try to fight this change to the last or embrace it and be among the first to actually reap its benefits? It’s actually interesting because of my background in finance: many finance sector operators were among the first to embrace digital identities, but they kind of stopped halfway there; “Okay, we can build self-service portals for our users, but for many, many procedures we still require hand-signed paper documents being sent via physical mail.” And this is really only reaping a very small part of the benefits of digitalisation. So, there is plenty to go.
Oscar: Yeah. Interesting what you say about financial services. That’s correct. For reasons of security they have always had to be on the latest technology for security. But some of the processes have been, as you say, very old fashioned, like the old school, a lot of paper, fax I think still in use, or cheques. So, these kinds of things.
Jesse: Oh yes, those ones too.
Oscar: Still alive.
Jesse: Yes. And it truly hurts the user experience a lot. It even causes direct missed opportunities. Let’s say a new bond is coming to market and you wish to buy a piece of it and participate. But if it takes three or four days just to do all the paperwork, then the opportunity has simply passed.
Oscar: And indeed, the price changed completely. Okay, so you say that the top is to – the user journey has to be digitalised. So, what is the category of products that address that?
Jesse: I would say a real CIAM system would be the one to go for here, and not try to build the user journey from, let’s say, 4 to 6 point solutions and then somehow glue them together. I think the best solution would be an IAM solution that’s designed for the whole user journey from scratch and not something homemade or patched together.
Because when business grows, as it will eventually grow, no recession will last forever. And as user numbers pick up, suddenly there’s a nightmare of issues from having 4 to 6 different vendors and trying to keep their products up and running with ever increasing user numbers. And that again, is doing digitalisation the wrong way, if I may say.
Oscar: Yeah. CIAM being – so, more broadly speaking, the evolution of Identity and Access Management. Maybe you can give us an overview of that evolution of Identity and Access Management, what – how we started and what we have today.
Jesse: Yeah, that’s a very interesting topic. The roots of IAM are in big enterprises’ internal needs: once employee numbers grow to a certain level, they can’t be managed with Excel sheets or pen and paper like before. But these kinds of internal IAM solutions scale and fit really badly for end-customer-facing journeys. Internal users can always be taught how to use some kind of system, even if it’s not immediately logical or it feels unwieldy.
But for the customers, it’s not realistic to expect that they would spend tens of minutes or even hours to learn how to use some kind of system to log in. No, they would simply instead put down their laptops, pick up the phone and call your customer service. So, it will actually just cost you more money to have this kind of system.
And now, in the past ten years, there has been a massive uptake of different CIAM systems. And lately, let’s say after the pandemic, it’s interesting to see that now the full circle is coming back towards internal users with remote working. Remote working, different kinds of partnerships, there are more kind-of-internal and kind-of-external users than ever, and trying to keep these as fully separate groups is very challenging.
Oscar: Yes. So, what about the investment of a company in Identity and Access Management? So what does that imply if the company does not have even, let’s say, a first personal CIAM or open source, something that they started, if the company really doesn’t, which actually surprised me, you discover companies don’t have almost anything like identity and access management and they are looking for some solutions or they know that they need it. Maybe the decision has not come.
So why would you say it is important for the buyers to know about the product, the Identity and Access Management product?
Jesse: That’s an interesting detail, what you said, that there’s still about 20-25% of companies in Europe that do not have any kind of Identity and Access Management system in place. So, one could argue that every IAM company’s worst competitor is doing nothing. But to the question at hand, I’d say scalability is one very important thing, and compliance. If one doesn’t have any kind of identity management system in place, then it’s extremely hard to tell where and by whom the user identities are actually stored.
And of course, that is a massive no in the eyes of the GDPR and these kinds of adventures just don’t usually end up well. So the first job would be to map out how many identities there are in the first place, how it has evolved over the recent quarters and where they are located, how many systems are actually connected, including partners, including systems like, let’s say, payroll providers, insurance providers, and usually the number is quite surprising. It can often be more than ten individual systems.
And now managing all these identities from a single centralised place is frankly a godsend compared to trying to manage this sprawling network of identities, some here, some there. And of course, centralised identity management also brings massive security benefits. For example, if you wish to revoke the access for, let’s say, some external consultants that have already finished their projects, you only have one place to do it, or you can even automate it.
But if the identities are in ten systems, 15 systems, then it’s really easy to forget just one. And who knows, maybe five, ten years later, one of those passwords will get breached and now the attacker gets into your system for free.
Oscar: Yeah, what is normally called silos, identity silos. Having so many data repositories and – through the years it’s easy to forget, at least a couple of those are forgotten, but they are still there somewhere, in some machine, in some server. So, the data is there.
Jesse: Yes. And of course, I’ve heard many times the counterargument that it’s not wise to put all eggs in one basket, but when it comes to information security, we as the defenders must secure every single system that we use. But the attacker only needs to find one weak system to exploit.
Oscar: Yeah, yeah, exactly. They can just find the forgotten one, the one that nobody remembers that.
So, what should the company – the buyers ask for from a technology vendor? So, from a CIAM vendor? So, what are the most important things that should be – have to be asked of the vendors?
Jesse: I would ask them to demonstrate the self-service capabilities first. What exactly can the users accomplish, and what can’t they, without external help? Meaning customer service assistance. Because that sets quite stringent limits on the benefits of digitalisation. And of course, all the usual user journeys should be handled by the system automatically. So, I would guess that any IAM project touches deeply.
So, I would first describe the challenges we are facing. And then I’d ask the vendor to explain, just in plain English – how does the solution work and how does it actually solve the challenge that we just presented? And after all, one should never invest in anything that one doesn’t understand.
Another point I would like to address early in any IAM project is what is actually included in the price and what isn’t, in order to actually accurately measure the TCO and how it would evolve as the internal and external user base grows. And for example, there are many vendors out there that charge ten to even a hundred times more for internal users compared to external users, and that’s not usually put in large print on the front page.
And finally, I would discuss any coming changes in legislation, because I would be very interested to know whether any changes will be covered under the current proposal or will it incur an additional project and additional costs in the future. Change is, after all, inevitable.
Oscar: Yeah, I think that’s very important. We know that in the European Union the digital wallet is coming. Well, how many years do you predict at this moment?
Jesse: I’m optimistic and say late ‘24 launch for some countries. ‘25 mass adoption and hopefully organisational identities soon after.
Oscar: Yeah, and that’s something that I think very few people would argue that that will be – that will not have some considerable success because there’s a lot of time invested in people preparing all these new standards in this part of the evolution. What we have been seeing before with Self Sovereign Identity (SSI), the wallet itself is something that is already becoming very popular in the commercial side. So that will come in.
Similarly, in other geographies, there will be similar initiatives, there will be new regulations. So that, through all this, the vendor has to offer that, has to tell whether we offer or not. So that’s definitely a good, good aspect you mentioned.
Jesse: Yes. And the commission has made clear goals here to avoid repeating the mistakes of the eIDAS 1.0, that was supposed to bring cross-border digital identities to Europe. Well, we all know that it was a commercial failure, but they have really learned from that, and I have great hopes for the EUDI. Both for personal identities and for organisational identities, and especially for the latter one.
I believe that the market is currently suffering from a kind of chicken and egg problem here, that everybody’s waiting for cross-border organisational identities and not building services because they aren’t here yet. So, we might see the floodgates open in the late 2020s.
Oscar: Yeah. I also believe that a lot will change, more or less, as you say, in the next 12-24 months; it is going to change a lot, in a good way I believe. So definitely exciting to be at this moment. We’ve been talking a lot about Identity and Access Management, other aspects, other types of technology that are also in the minds of the executives who are going to upgrade their technologies. We hear a lot about passwords in the last year. Well, ‘cryptocurrencies’ is getting a bit more quiet. Today we hear a lot about artificial intelligence.
Would you recognise some technology that is actually underrated, that not many people are talking about? But these business buyers should be aware, because the impact will be even bigger than those buzzwords. So, what would you say?
Jesse: I would say that the coming EUDI and its principle of Self-Sovereign Identities is something that might cause quite big ripples in the identity landscape. The very basic idea that it’s the end users themselves who collect attributes and control to whom and when they release those attributes. That is very different from the usual data repository centric view that – okay, we have this database, and we control everything here. Everything is set in stone.
But when the end users actually decide which attributes to release and which not, then one can’t take for granted that, “Okay, we always have every single field in our database filled. Every user record looks similar on a structural level.” That is no longer true and that might cause some changes.
As for technology, I have great hopes for machine learning and especially how it can help accomplish not zero trust, no, but zero friction user journeys. And I don’t mean a strong AI that is still decades into the future, if ever. But simple things like: is the user using a different device to log in or the same device as before? And so on.
For example, I was recently having a quick holiday in the US, and I was frankly quite shocked when I logged into some financial services – using a completely different device that I had never used, at a completely opposite time of the day. I was even physically located on a different continent. And no MFA prompts, nothing. Just inputting my password, I was in.
And that’s a lot of missed risk management there, for both parties. For me as an end user and for the financial service provider. And I believe this is something that will change sooner or later. And of course, I would like, as an end user, for this to work the opposite way as well. That if I’m logging in using the same device, at about the same time of the day, from the same city that I’ve done it from hundreds and hundreds of times – then perhaps I could be spared the MFA fatigue and just get in with my password manager’s embraced password.
Oscar: The technology doesn’t bother you when you are in the habitual way of interacting with, let’s say, the banks.
Jesse: Yeah, exactly. It should always take the context of the transaction into account. And frankly, what I would like to see many companies do is a more thorough risk analysis of what they are actually trying to defend against. I can give a real-world example.
About a month ago, I drove to a gas station, put my car to charge, decided that I’ll have a coffee there. Opened the app and saw, hey, there’s an offer for a coffee and a doughnut €1 off. Great.
Okay, it seems that first, I needed to update the app to actually buy. Okay, well, I’ll do it.
Then they wanted to add the credit card directly to the app, alright. Got an MFA from that.
Then when I actually wanted to make the purchase, I got yet another prompt and confirmation, this time from my bank. That – ‘Hey, in order to buy this €3.50 product, would you please update our app again, and use it as an MFA to confirm this purchase’. For the third time.
And by that time, I had already got a notification that, ‘hey, your car has charged’, and my coffee was cold by then, and I left it there.
So that was the opposite of Zero Friction. That was more of a zero trust like game. But the security solution that’s very fitting for, let’s say, authorising a nuclear missile launch, is very different from the security that’s needed to confirm a €3 coffee purchase at the gas station.
And as discussed earlier, I believe this problem stems from – that solution was built from very small parts and every individual vendor only looked after their own interest, only wanted to cover their own back in case of any kind of misuse. But nobody took a step backwards to actually see: What are we trying to defend against here? What is the attack vector here? That okay, somebody misuses this app and clones this coupon and gets two coffees and doughnuts for €3 each. Okay, so how much time and money is an attacker willing to put into such an attack? I guess nobody stopped to think about it. And as a result, the whole user journey was just a failure.
Oscar: Yeah, complete failure indeed. A very good way to bring back the very first thing you said, User Journey. Yeah, that’s a specific example of how things can happen. Sounds like a marvellous opportunity, a nice deal, and then it becomes a complete failure.
Jesse, one final question I would like to ask you is – for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Jesse: I would dream that every executive would dedicate one day, one whole day, to actually be an end user for a day and go through their company’s entire flow. All the way from account registration to actually purchasing the product or service that they’re selling. And if there’s time, trying out things like forgotten password resets. And then the next day repeating the same procedure for the top competitor and, even more importantly, their newest competitor, because that is where the threat of digitalisation is coming from.
Oscar: Going to be very revealing.
Jesse: Yes, and it’s important to go through the entire journey. If one simply takes it piecemeal, of course every piece may look perfectly fine. Okay, this works like this. It has confirmations like this. Great. Next piece. Next piece. Next piece. All right. Everything looks fine. But then actually going through the process, one gets hit by four or five different confirmations, forced updates, all kinds of non-user-friendly things, and that won’t fly.
Oscar: Yeah, definitely a very good experiment, an actionable idea. Absolutely. Well, thank you very much, Jesse, for telling us all this about – how companies and why companies should invest in digital identity, and why today.
Let us know how people who would like to get in touch with you or follow you or learn more about what we are doing can do that. What are the best ways for that?
Jesse: All right. Thank you. First, I would ask everybody to check out ubisecure.com, and see how we are approaching these problems on the market. And if needed, I would be very happy to have a chat, over a virtual or real coffee, and I can be contacted at [email protected] at anytime.
Oscar: Excellent. Again, thanks a lot for joining us, Jesse, and all the best.
Jesse: Thank you, Oscar.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
This is the 100th episode of Let’s Talk about Digital Identity – in this special episode two of our most popular guests, Heather Flanagan and David Birch, rejoined the podcast to explore what is exciting them in passwordless, identity wallets and digital money.
[Transcript below]
“Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means.”
Heather Flanagan, Principal at Spherical Cow Consulting and choreographer for Identity Flash Mob, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.
Listen Episode 74, where Heather discusses Making Identity Easy for Everyone or connect with Heather on LinkedIn.
“The thing that’s broken in digital money at the moment, is identity, not the payment bit.”
David G.W. Birch is an author, advisor and commentator on digital financial services. Principal at 15Mb, his advisory company, he is Global Ambassador for the secure electronic transactions consultancy Consult Hyperion, Fintech Ambassador for Digital Jersey and Non-Executive Chair at Digiseq Ltd. He is an internationally recognised thought leader in digital identity and digital money. Ranked one of the top 100 fintech influencers for 2021, previously named one of the global top 15 favourite sources of business information by Wired magazine and one of the top ten most influential voices in banking by Financial Brand, he created one of the top 25 “must read” financial IT blogs and was found by PR Daily to be one of the top ten Twitter accounts followed by innovators (along with Bill Gates and Richard Branson).
His latest book “The Currency Cold War—Cash and Cryptography, Hash Rates and Hegemony” (published in May 2020) “paints a fascinating and stimulating picture of the future of the world of digital payments and its possible impact on the wider global and economic orders” – Philip Middleton, OMFIF Digital Monetary Institute. His previous book “Before Babylon, Beyond Bitcoin: From money we understand to money that understands us” was published in June 2017 with a foreword by Andrew Haldane, Chief Economist at the Bank of England. The LSE Review of Books said the book should be “widely read by graduate students of finance, financial law and related topics as well as policy makers involved in financial regulation”. The London Review of Books called his earlier book “Identity is the New Money” fresh, original, wide-ranging and “the best book on general issues around new forms of money”.
More information is available at dgwbirch.com and you can follow him @dgwbirch on X.
Listen to Episode 75 with David discussing Digital Currencies or connect with David on LinkedIn.
We’ll be continuing this conversation on X using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 100.
Oscar Santolalla: This is episode number 100 of Let’s Talk About Digital Identity. And for this special occasion, we have invited back Heather Flanagan, and David Birch.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
We have invited back to the show two of our most popular guests. So, let me introduce these two guests. The first is Heather Flanagan. She is Principal at Spherical Cow Consulting and Acting Executive Director for IDPro. Hello, Heather.
Heather Flanagan: Hello, Oscar.
Oscar: Nice having you back.
And our second guest is David Birch. David Birch is an author, advisor and commentator on digital financial services. He is Principal at 15 Mb, his advisory company. Hello, David.
David Birch: Hi. Thanks for having me.
Oscar: It’s a real pleasure having you both for this special episode, a bit different style, so being out of our usual script. But yeah, hearing a little bit more about yourselves.
So, I’d like to hear something in particular, because we want to hear something – a moment in your lives. So, what I want to hear – think of one specific moment in your career in which you told yourself, “Yes, this is why I love working in the identity industry.” Which moment would it be? Who wants to start?
David: Well, and it’s a bit self-centred, but probably when my publisher agreed to publish my first book. I thought I had some interesting ideas about identity – I mean you always think that your ideas are – but when you get that kind of validation that your ideas actually are interesting to other people. That really did change my career. Yeah, otherwise, I probably would have just carried on being a pretty average consultant and carried on in payments and banking. So yeah, it’s – but I put it all down to my publisher.
Oscar: Which one was this book? Tell us which book was this.
David: Identity is the New Money. It was Diane Coyle, the Economist, who encouraged me to publish it. So yeah.
Oscar: Fantastic. Heather?
Heather: I don’t have anything. I’ve been actually thinking about this question for a while, and it’s really hard to point to any one thing, because there were no lightning from the sky moments. It’s just, it’s always been such a foundational aspect of everything that I’ve ever done since I started in tech in the mid ‘90s. Where the first question was always – when you’re taking over something from a bulletin board system to an email server, “Who can access this? What permissions do they need to have? How do you set up accounts for them?” That was where everything always started. So, no one moment, it’s all of the moments.
Oscar: Well, that’s great that there are several exciting moments. I’m sure for all of us, it’s been like that. Several moments in which we feel that this is exciting to be in this industry. But thank you for sharing that with us.
Being already towards the end of this year 2023 – so there are some keywords which were buzzing in the last years. But some of these buzzwords today are more reality, we have access to those. What do you think, what you feel about these technologies or techniques. And let’s get started with passwordless. So, if I ask Heather, what excites you today about passwordless?
Heather: I’m really excited about the fact that the technology itself is solid, the standards themselves are really, really well done. But as excited as I am, I am concerned. Like with all the new modern technologies, I look at them and go, “Wow, that’s really cool,” and it’s a little anxiety-making, because for passwordless, what I observe is when you actually get out of the tech field and talk to my mother, she doesn’t trust it because it’s too easy.
And so, I do wonder about, as bad as passwords are, the friction that they add is something that people can wrap their heads around. Whereas they don’t understand the magic that’s happening behind the scenes that makes passkeys better. And if they don’t trust it, they won’t use it. And if they don’t use it, we lose out on all the benefits. So, one of the things I’ve been trying to think about for, you know, the future is: OK, passkeys are amazing, but how can we make them less magic scary?
David: I’m a bit frustrated with it really, because I’m extremely lazy. And so, you know, like eBay, for example, uses passkeys, the whole thing works perfectly. So as soon as I go to a site, as in fact I just did 10 minutes ago to look at something, and it’s “log back in.” I’m like, “What, I have an account? I didn’t even know I had the account.” And then I had to remember the password. And of course, I didn’t get it. So, I had to click on “I forgot my password,” and then I got the password reset. And then I put in the new password. And it said, “You can’t have a new password that’s the same as the old password.” And we just go around in this loop. And it drives me crazy. I’m like, “Why can’t you just all implement this?” Despite the fears of your mom, which I mean I can’t discount those because they’re real. The sooner we make people stop using passwords, the better.
I was reading a fantastic story in the Insider this morning. Did you see this story about the Zelle fraud on Insider? It’s typical kind of thing, you know, guys getting some work done by a contractor. The hackers get into the contractor’s email account, they send him a thing to send money to a different account, which is the hackers’ account. And they make off with all of the money. And so, they go and talk to the contractor and said to him, “You know, did you know that your email has been compromised, you should change your email password.”
And the guy, it says in the article, “We may as well have been speaking Romanian.” The guy had absolutely no idea what they were talking about. Because he’s a normal person. He doesn’t care about all of this stuff. You don’t say to people, “Oh, here’s a car, would you like a seat belt with it? Or would you like a piece of string that you could attach in, you know, particularly opt in place.” You know, as a society, it comes to a point where you say, “I’m sorry, not wearing seatbelts, there’s just too many people dying. So, cars have to have seatbelts. And you have to put the damn things on. End of story.”
And I sort of feel we’re getting to that point. Fraud and scam, it’s just so completely out of control. And this thing about whether you know, you need to put people in charge of their own data and so on. I just don’t believe that for a moment. I just don’t. Most people don’t have the persistent competence that – including me, by the way, I’m not casting the first stone, I’m one of those people that lacks the persistent competence to make this happen. There are reservations but passkeys are a billion times better than passwords, and we should make people use them. I’m sorry, you got to stop pandering to populism.
Heather: No two ways about it – Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means. And when they click this button, why would they click this as opposed to clicking something else that might be a phishing site that they wouldn’t recognise. So, it’s an ongoing education.
David: Then you sort of think of contactless as the, you know, in the early days of contactless, people said, “Oh, it’s too scary.” And in some parts of the world, it appears to be witchcraft, that you can pay for things by not touching it with your card and this, people are going to come and steal all the cards. And there are going to be people of Eastern European origin on the subway system, putting their hands inside your clothes to read your cards and all this. Remember all of this stuff that was going on?
And now, you walk into a store, anywhere in the world. I’m not talking America, I’m talking about developed countries, of course. You walk into a store anywhere in the world, and there’s that little contactless symbol and you pay, and you go, and no one thinks anything about it anymore. It’s a bit different in America. In America, you have to look for the till and where’s the sign? And then you have to press some buttons. And then sometimes you have to sign something as well. It’s baffling. I don’t understand any of it.
Heather: Oh, the day you understand what happens in the United States will be a marvellous day. Because nobody understands what happens.
David: No, it’s mysterious. But the point is, generally speaking, you know, we came up with this symbol, and everybody knows, you tap your card there, and it works. And guess what? All of your money isn’t stolen by Eastern European fraudsters. So, they’re not all Eastern European, obviously, other fraudsters are available. Because the corollary is going to be basically, people like us will start using passkeys, and so all the fraud will transfer onto people like your mom. That seems a little unfair to me.
Oscar: Yeah, seeing that you are excited indeed with passwordless. But of course, there are some concerns and some things to improve. Absolutely. Interesting what Heather said that, yeah, some people have been using passwords for so long, but that anything else feels like, how do you say, the…
David: An improvement? Real security? System-wide integrity? I don’t know, what’s the word you’re searching for there? I don’t know.
Oscar: How you say the…
Heather: Magic.
Oscar: Magic. Yeah, magic.
David: So, I’m excited as Heather is, I’m probably just a bit more militant on how quickly we should be pushing it out.
Oscar: Yeah, we’ll see what comes in the next year as how it really rolls out. But the next one is about identity wallets. So, what excites you today about identity wallets?
Heather: Oh, I have a list on that one. I’m particularly excited over how – as much as I worry about people not understanding the magic, they do understand the concept of flipping through a wallet to get to the right card, the right credential, the right thing they need and then using it, and giving them that level of control is a vast improvement, I think, over some of the other technology that has been going on today.
I’m watching what’s happening in Europe quite closely because I think that – how the governments are handling digital wallets and digital identity is a very interesting model. I will be curious to see how other countries do it. How they do it well, how they do it poorly. And if there’s some way we can actually – I’d love to standardise ‘what’s a wallet’, you know. That’s one of my little pet peeves, there is no standard for a wallet. There are standards for credentials, but there’s not a standard for ‘what is a wallet’.
David: I mean, it’s interesting to see what the Open Wallet initiative and various other people are doing in this space. I agree with Heather. I think as much as the technology is important, and certainly, in technological terms, the wallet is the sort of crucial pivot between the kind of online and offline world. It’s very central to the next phase of evolution of commerce. A lot of it has to do with – in fact, we won’t even call our wallets now identity wallets, we just call them wallets. But if you actually open up my wallet, I mean, I won’t do it over there. If you open up my wallet, it has no money in it. Everything is in my wallet, it has to do with identity, driver’s licenses and loyalty cards. And my wallet is already an identity wallet, we just don’t call it that.
So, extending that wallet across sort of virtual and real world seems to me, pretty straightforward. But of course, that does rather interestingly open up what I think will be quite a vicious battle about who’s actually going to control those wallets. Because certainly, Heather mentioned kind of the European approach. They’re very, very unhappy with the idea of big tech controlling those wallets. We’re very unhappy with the big tech or big government controlling the wallets. People like me will prefer that it was regulated institutions – banks primarily, that control those wallets. Other people think banks should be absolutely the last people to have any sort of control over those wallets. So really, I’m not smart enough to figure out like the end dimensional gameplay as to how this is going to work out. But it’s pretty serious. It’s pretty serious.
Heather: Yeah, people understand the concept of a wallet. But what we’re talking about in today’s world is that, you know, “how many wallets are you going to have to carry?” Because there may be one that’s issued by big tech, perhaps via your browser or via your mobile device. But then, you know, as governments are saying, “No, we’re going to issue something that’s completely separate and have its own app,” and what is that going to look like? And then how are people supposed to be able to find the credential they need across 2, 3, 5 different wallets?
David: No, I agree with you completely on that, Heather. But I think there’s another level of complexity there as well, which is – because is the wallet going to be like if you imagine there’s some kind of standard wallet, is that wallet the app? Or is that wallet, essentially the underlying SDK the apps plug into?
So, my British Airways app and my Barclays Bank app, they’re all actually the same wallet underneath. They’re all plugging into the same wallet. But is it going to be like that? Is there going to be like a travel industry wallet? Or is British Airways going to have its own wallet? That’s really hard to know. I would think, and this comes from kind of what I think is a reasonably rational calculus. The credentials that are going to be in those wallets are the embodiment of individual reputations.
My British Airways credential is the embodiment of my relationship with British Airways, that I want to take and show to other people. It’s not obvious to me that British Airways would benefit from owning the wallet, because they’d have to maintain it and upgrade it and whatever. They’re having enough trouble just with their own website to do that. On the other hand, I can see why they’d be nervous about just handing the whole thing over to Apple and Google, because then they’ll end up paying a tax, which I’m pretty sure they don’t want to do. So, I don’t know how that’s going to work out. But I listen to a lot of smart people about this. It’s a very fascinating topic to me.
Heather: I talked to Don Thibeau and Juliana Cafik and a couple others about “what was the Open Wallet Foundation trying to do?” And they’re trying to work towards interoperability in code and maybe a standard will come out of that someday when they see what works and what doesn’t work. But at the moment, they are not standardising wallets. They’re just…
David: No, that’s true. There’s…
Heather: They’re just putting together a platform to try and make it work together.
David: But as you pointed out earlier on, some of the components are standardised. We have VCs, we have MDL. We’ve got MDL 7 and 9 coming in a few months, a year or something. So I mean, there is some pretty useful standardisation going on anyway.
Heather: Yeah, more in the credential format space.
David: Yeah, yeah. Yeah, absolutely. That might give us enough interoperability to get started.
Oscar: We’ll see. Indeed, it sounds like it’s…
David: I’m a naturally simple and optimistic person. Heather’s looking at all the nuances here. And that’s why she’s so, that’s why my superficial, cheery approach to this – it’s not washing with her I can see it from her face.
Oscar: You seem to be both excited about identity wallets, I think.
David: Yeah, I think wallets are really interesting topic for the coming year.
Heather: Huge potential.
Oscar: You, David, mentioned that as far as I understood, you don’t carry cash anymore, that was my understanding how you have your wallet, your real wallet without cash.
David: No, actually, I mean I don’t carry my real wallet, it’s in the drawer over there. So, I had an interesting conversation with somebody last week about premium cards. That’s how interesting my life is, Heather. I just, I benchmark, I had an interesting discussion with someone else last week about premium cards. This is a tragic trajectory of my life.
But I have this fancy new American Express Platinum Card, which is made out of some sort of metal. I don’t know if it’s actually platinum, but it’s sort of metal. And it’s really fancy and heavy and solid and whatever. And I couldn’t even tell you where it is. It’s in the house somewhere. I haven’t the slightest idea.
Oscar: Don’t activate it.
David: No, no, because as soon as I got it, it’s on my phone. I only ever use it on my phone. I don’t know where the actual card is, I have no interest in that. I’m going into London in a minute, I have a ring. So, the ring I use for getting on the subway and bus because I don’t always want to take my phone out. But if I’m paying in a restaurant so I got to use my phone. I think the days of physical wallets, I mean, lots of people keep saying, well, there’s going to be a backlash at some point, and people are going to want to use cash, sort of the way they want to use vinyl records, I suppose. But I think that will just be like a few hipsters. I don’t think it’ll be the rest of us.
Heather: I don’t trust having network access consistently enough to go without some kind of physical something. Do I use my wallet on my watch and my phone more often than not? Well, when I’m in Europe, yes. When I’m in the US, maybe. I don’t count on it. I don’t think I can count on it yet. So, there’s always the physical components that I think I have to have.
David: Yeah, I mean, I would say that’s an interesting argument in favour of using offline verifiable credentials. And it’s also a crucial argument in favour as to why Central Bank Digital Currency should operate offline. So, I mean, I agree with you about that. As to the state of things at the moment, well, if the transit gates fail and can’t go online, they have to fail open, it’s a public safety issue. You can’t fail a transit gate shut. So, they have to, they should have – I can always get home, you know, but it’s never happened. But when push comes to shove, I’ll get home, so I’m fine.
Oscar: Yes, and that related to my last question, but just to hear what you liked the most. So, what excites you about this digital money that we were already starting to discuss?
David: I’d say there’s probably three things. I mean, Heather’s going to disagree with me on every single one of them, which is why it makes for an interesting conversation. But I’d say there’s probably three things.
So, the first thing is digital money, well, certainly digital currency is the subject of irrational delusional comment by conspiracy theorists, which makes for entertainment. So, I get emails, “oh, you know, Central Bank Digital Currency is the mark of the devil. And we know this because Bill Gates implanted microchips in us through the vaccine, and the microchips are going to steal the digital currency from unvaccinated people and send it through the 5g towers to Satan.” Or somebody, I can’t remember exactly, I don’t remember. But you get emails like this, which add to the gaiety of the nation.
So, the first thing is, there are parts of America where non-existent digital currency is already being banned. So, this is all getting a bit, sort of witch trial-y, so that’s quite entertaining.
The second thing is, and I wasn’t joking about that offline point, which is any scale digital currency in any developed country, even where you have networks and infrastructure has to work offline. It’s the crucial design requirement of it. If you’re going to have a cash substitute, it has to work offline. And that, for me, poses very interesting technological problems, all of which I think, have already been solved. But nonetheless, it’s really intellectually interesting, so I sort of like that.
And the third thing is, I think a lot of people look at digital currency as ‘the thing’. Like, you know, we need digital currency. And that’s it. I mean, what we need is a platform for innovation and development. Digital currency in itself is sort of not that interesting. As we’ve just established, I can already buy milk in the supermarket without using physical cash. So that’s not, but this idea of permissionless innovation that you could bring into our space from the cryp– because digital, it doesn’t involve any credit risk, you see. So, you could imagine a situation where as long as you’ve got an approved chip in your iPhone, or something, they’re certified as being capable of storing digital dollars or something like that, then you can use the API to do whatever you like, there’s no credit risk involved. So, allowing people to experiment with interesting new things – micropayments, and escrow and blah, blah, blah. On top of it is really where it’s at. And that’s why, you know, I get it a bit when people say, “Well, what are the sort of key uses?” Well, I don’t know, I’m too old. Give it to some kids in a garage and let them come up with something.
Heather: OK. So, for one thing, I really want to see your emails about this because they sound hilarious. I admit, I’m absolutely a digital currency sceptic. For one thing, as David has said, right, you don’t generally need to carry cash now anyway, so what is it getting you? And everything I understand about it is like, “Well, yes, but then you’ll be able to transfer money quickly without the bank getting in the way.” And I’m like, “Hmm, you say the bank getting in the way and verifying the transaction is a bad thing.” “Oh, but it’s expensive.” And I’m like, “Well, that’s a different problem, not just because the banks are charging a lot.” So that’s like a completely different problem to solve that it’s not a technology problem at all.
So yeah, I’m definitely not convinced. Having the permission to innovate and work with this kind of currency, to me in a way, that’s like saying, “Yup, let’s turn this into a barter system, except you’re bartering these digital currency components.” “OK. Go for it, go to town.” That’s just people agreeing with each other. And it’s a completely different system in the same way that a barter system is completely different with my cash system.
David: That’s a really interesting point. And I don’t mean that in any sort of patronising sense, I really mean that because you’re right, of course. And what that means is, if this stuff worked, then downstream you could imagine an environment where if you and I engage in some sort of transaction, right, I’m going to pay you to write something or you’re going to pay me to come and speak or something like that. My, you know, supercomputer at the end of a wire, it can be a through my mobile phone, my giant killer robot artificially intelligent wallet will negotiate with your super intelligent giant killer robot Terminator wallet to exchange baskets of tokens to an agreed –
The idea that you would need money as an intermediary when you have that kind of barter that works. I think that’s really, that’s as a very interesting point. So, if our super computers could agree on these baskets of assets to exchange, which sounds weird when its people talking about it, but it’s a few nanoseconds for super computers. Why would you turn those assets into dollars or something in the first place? Why wouldn’t you just swap the assets around?
So, I actually rather agree with that point. But I think that’s much further downstream. I think, in the short term, you see the demand for dollar stablecoins in particular, as an indication to me that a lot of people around the world and in America, for that matter, want to hold digital dollars. They would find digital dollars useful to do things with that you can’t do with regular dollars, and I sort of agree.
So, I can see sort of both things. But to me, the short term and the long term are quite different there. Because I probably do drink my Kool Aid, and I’d probably do think that that’s kind of a stupid expression actually it’s, don’t drink that Kool Aid because everybody that drank the Kool Aid died, didn’t they? Or am I getting the stories mixed up?
Heather: I wasn’t going to say it.
David: Yeah, no, I think they did. OK, that’s a bad example. But the point is, I think in the long run, you might well be right. I think in the short term, digital currencies, I think would add to the net welfare. I mean, I can imagine, you and I agreeing to something, and the money just goes from my digital wallet to your digital wallet. It never goes anywhere near the banking system. It just goes over Bluetooth or whatever but yes. It is exciting. That’s true.
Oscar: Heather, what’s not so exciting to digital money?
Heather: We’ll see.
Oscar: We’ll see. We’ll see. Anything else that it’s for you is exciting?
David: What’s not working digital money, you know, these answers are intertwined, because the thing that’s broken in digital money at the moment, is identity, not the payment bit. Like the reason why you’ve got Zelle frauds and authorised push payment frauds and these massive crypto scams going on all the time. It’s because nobody knows who anybody is. It’s not because the payments don’t work properly. It’s because identity doesn’t work properly.
If the identity, you know, I’m going to sound like a broken record on this one for the teenagers there. I’m going to sound like a vinyl implement that used to go around where it has a scratch in it. So, this sort of needle would jump up, down and come back to this, I have to talk them through this metaphor. But I’m going to sound like a broken record on this. Because if you fix the identity problem, payments are easy.
If you know the reputation of all of the counterparties in a transaction, then pricing the risk in that transaction is easy. And that’s kind of what we should be aiming for. The next phase of evolution is really about identity. It happens that I think, and I can’t prove this with any kind of actual analysis, this is just my sort of crackpot theory about this. But actually, if central banks do drive forward with digital currency, digital currency doesn’t work unless you have digital identity. You can’t give people wallets unless you know who those people are. You can’t maintain limits on personal holdings unless you know who’s got the wallets. There must be an identity system for the currency system to work. So it could be that Central Bank Digital Currency actually turns out to be a vector for people like Heather to actually get something done about wallets and digital identity. So, there’s an interesting interrelationship there.
Heather: They are certainly tied together. There’s no two questions about that.
Oscar: Anything else that you think that is exciting today in the identity world that we have not covered?
David: Well, there are two things I’m excited about today. I can tell you what I was doing before I came on this call. So, one is – I’m very excited about, only because I’m not a normal person. I’m very excited about ultra-wideband technology. So, all iPhones for a while, you know, some of the top-end Samsungs, you know, Apple AirTags, things like this, they all have this thing in them called UWB, Ultra-Wideband, which a lot of people kind of overlook a little bit because we focus everything on Bluetooth and Wi-Fi. But when Bluetooth and Wi-Fi came out there were actually three wireless standards. There was Bluetooth, UWB and Wi-Fi. And UWB never really got used because the Wi-Fi chips got cheaper much quicker, and everybody just started building Wi-Fi into things. And meanwhile Bluetooth ranges went up.
But ultra-wideband, which is short range, medium speed that uses this pulsed radio. Because of the way it works, it can only tell where things are, this is how Air Tags work. But it can also tell whether you’re moving towards something or away from it. So, this idea of having a phone that knows you’re walking up to the point-of-sale terminal or knows you’re walking up to a door. And the way that Apple are part of this digital car keys alliance, which I’m very interested in with Google, and I think BMW and people like that.
So, this idea that you have one technology like this, which locates you, you’re walking towards the POS terminal, and then it flips to Bluetooth to execute an actually secure transaction with real cryptography, and real keys. I’m really interested in that at the moment for a variety of different ways. So that’s the first thing.
And the second thing is, and I think we have touched on this before, we think of identity as being about people. But actually, everything needs identity. And when everything has an identity, working out how to get both privacy and security in that environment is really rather complicated. It’s very intellectually challenging. And that’s what I’m spending the rest of my time on with another startup at the moment. So yeah, there’s no end of things to be excited about in this space, honestly. And frankly, figuring out how people can log into their bank account without password is the least interesting of the things that’s going on at the moment.
Heather: Probably the most interesting thing that I’m trying to stay on top of right now is watching the standards development space, because that is like one of my favourite things to do. Because I might also be a little bit of a strange person. So, standards development space, seeing how ISO, the IETF, the W3C, as well as some of the smaller standards organisations like the OpenID Foundation, the Decentralised Identity Foundation, Trust Over IP, how they’re all circling closer and closer to each other and sometimes hitting each other, bouncing off.
You know, it’s becoming a really dense space to try and follow and understand: what’s happening with W3C verifiable credentials? How do those relate to the ISO MDOC standards, and what’s happening with the IETF’s OAuth and CBOR, and you know, all of these different standards groups are all starting to get closer and closer at nibbling down this problem. And they’re never going to succeed because they’re reaching the point where it’s not a technical problem anymore. It’s a societal problem. And the regulators are starting to move ahead of them and saying, “No, this is what, you know, we need to happen. And it’s not about technology, as much as it is sometimes about the society and the cultural requirements.” So, seeing these organisations tighten up, it’s pretty cool.
David: I was just going to ask you, because I’ve sort of lost the thread on this a little bit, because unless you follow it with minute detail every day, you don’t. I wonder if the whole kind of MDOC thing doesn’t have its own momentum. So, in other words, in a lot of circumstances, you can see why people are going to go to MDOC and MDL part 5, even for something that’s not a driving licence, just because. It reminds me a little bit, and here’s another one for the teenagers, it reminds me of X.500. Because having spent part of my young life, she doesn’t even know what X.500 is, how it’s been part of my – X.400 was the ISO messaging standard that existed before the internet and that no longer exists. And X.500 was the directory standard for that. And that no longer exists. And X.509 was the standard for exchanging public keys in that directory. And X.509 version 3 is how everything works on the internet.
So, the whole of X.400 has disappeared, the whole of X.500 disappeared. And I just wonder if MDL isn’t going to be in the same place, like people are going to end up using MDL just because it exists. It may not be the optimum for a lot of the appli– but it doesn’t matter. The format exists. Wallets can understand it. Apple and Google Wallets can understand it. The MDOC stuff will carry on standardising, and I think maybe a lot of stuff will just get sucked into that.
Heather: What’s getting complicated about it – is the MDL standards. They are in their own way the X.509 to the modern world. They’re specifying a credential. This is a discrete, concrete thing, and this is what this is supposed to be used for. It is your driver’s licence. It is your identifier. Verifiable credentials, using W3C capital V, capital C Verifiable Credentials, that’s not what they are really; those are a much more generic thing that’s actually more an authentication thing. So, the fact that they’re hitting each other in the ways that they are is very interesting and a little disturbing. And the fact that the browser vendors are debating within themselves which one they’re going to support, when ultimately they serve different purposes, I worry that we’re going to be driven towards…
David: No, no, I… your analysis is spot on. I agree with you completely Heather. I’m just saying that in practice, what seems to be happening is like people like me would say, “Well, actually…” you know, use the canonical example going into the bar, you know, people like me would say, “Well, you should be presenting an ISO W3C verifiable credential that says that you’re over 18 or over 21. So, I’m going…” But that doesn’t exist. The standard for the credential exists, but the contents, whereas on MDL, OK, that’s not really what it was meant for. But actually, demanding to see your MDL driver’s license, I can do because the standard exists. And I, you know, so I agree with your analysis. I’m just saying I wonder if actually, well, Trust Over IP and all these other things are kind of circling around, bumping into each other. MDOC is just steadily progressing, you know.
Heather: Told you Oscar, I told you, you’re going to have all sorts of fun things to talk about.
David: He’s going to get very bored on our – just our island, Heather. Like after the plane crashes, we’re going to be fine. He’s going to be, I don’t know what he’s going to do all day, making those little token at men or something.
Oscar: Yeah, fantastic. Hearing all this from you. You’re definitely super passionate about – many of these things that you’re talking about, frustrated about some of them, but yes, super excited about most of them. So, thank you very much for joining us in very special episode for us. So, thank you very much. And please tell us how people can learn more about you, Heather?
Heather: Oh, easiest thing is – go to LinkedIn and find me there. I check it every day. It’s one of my major social media accounts.
David: Yeah, I mean, I spend more time on LinkedIn now since Twitter kind of went all weird. So, I mean, I’m on LinkedIn too. But it also you can just look up www.dgwbirch.com.
Oscar: Excellent. Well, thank you very much. So, let’s see how exciting comes the next coming months, years and yeah, how all the things we were discussing today will roll out. So, again, thanks a lot and all the best.
Heather: Great. Bye
David: Bye guys. Talk soon.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Join this episode of Let’s Talk About Digital Identity where Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist, and the CTO of Sekura.id, joins Oscar to discuss the missing identity layer of the internet. Gautam shares details about what the missing identity layer is, more about mobile networks, as well as discussing Gautam’s TEDx talk.
[Transcript below]
“Internet did not have that identity layer. So what did we do? We created a trust-less model.”
Gautam Hazari is a mobile identity guru, technology enthusiast, AI expert and futurist, and is the CTO of Sekura.id, the global leader in mobile identity services. He led the implementation of the mobile identity initiative – Mobile Connect – for around 60 mobile operators across 30 countries. Gautam has also been an advisor to start-ups in digital identity, healthcare, Internet of Things and fraud and security management. He is a thought leader for digital identity, advocating solving the identity crisis in the digital world and speaking on making the digital world a safer place. If you ask Gautam, “What is the best password?” you’ll always get the same answer: “The best password is no password”.
Connect with Gautam on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 99.
Oscar Santolalla: On this episode of Let’s Talk About Digital Identity we are joined by Gautam Hazari, from Sekura.ID as we discuss what is the missing Identity layer of the Internet. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar: Hello and thank you for joining us, a new episode of Let’s Talk About Digital Identity. Today’s guest is Gautam Hazari. He is a mobile identity guru, a technology enthusiast, artificial intelligence expert and futurist. And he is the CTO of Sekura.id, the global leader in mobile identity services. Gautam led the implementation of the mobile identity initiative Mobile Connect for around 60 mobile operators across 30 countries. He has also been an advisor to startups in Digital Identity, healthcare, the Internet of Things and fraud and security management. Hello, Gautam.
Gautam Hazari: Hi, Oscar. How are you?
Oscar: Very good, happy to have you here in the show.
Gautam: My pleasure. Thanks.
Oscar: It’s going to be super interesting. Now, we are focusing on mobile – how mobile initiatives, like the one you are working with, can help us to solve the identity problems we usually discuss in this show.
First of all, I would like to hear a bit more about yourself. So, if you can tell us your journey to this world of digital identity.
Gautam: Sure. Thanks, Oscar. I have been in the identity space for quite some time now. And it started in the telecom world and that’s why I talk about mobile identity a lot. So I spent many years of my life in telecom, so I worked with the Vodafone group for nearly 14, 15 years. What I realised is that there is one thing that the mobile operators have done quite efficiently, which is solving what I call the identity crisis of the internet. I started to talk about it quite passionately in different forums.
And in 2013, end of 2013, GSMA approached me. GSMA as you know is the GSM Association which is the trade organisation for the mobile operators. So the GSMA board was discussing that there were some assets within the mobile operators which can actually help in solving the identity crisis in the internet. Then they approached me that, “Hey, you were talking about this identity thing for quite some time, do you want to come and join?” And that’s when I joined GSMA to do the initiative for mobile operators to solve the identity crisis of the internet.
Then I led the technology for what was known and still known as Mobile Connect Initiative. I was the Chief Architect for Mobile Connect. And then me and my team created the reference architecture, the specification. And then of course, that’s not enough, so I went around the world, worked with the mobile operators to implement it as well. You know, at that time, there were around 62 mobile operators around the world who implemented it. And they did very passionately and this is where I met some of the founders, Mark and Keiron, in GSMA, working with the same team. And then I’m taking that journey forward in a much more accelerated and commercial way in Sekura.id.
Oscar: Yeah, excellent. Well, definitely a lot of your journey is in identity already and mostly in mobile, as you said. Before we start going to what you are doing in Sekura.id and we definitely want to hear more about that. I know that you have a special experience which is you have even a TEDx talk. So if you can tell us a bit of that experience.
Gautam: Yeah. Thanks, Oscar. It has been a fascinating experience actually, while preparing for the TEDx talk and also after that. So I was invited to do this TEDx talk to share my vision and dream of a world without passwords. I have been talking about these things passionately and that’s kind of what my personal journey has been as well.
So, I had a lot of learning, you have to compact all that you want to talk within 18 minutes and that’s very interesting, right? If you have a free floating, I mean I’m really, really passionate about this identity thing, I can keep talking for days. But if you need to give your message within 18 minutes that’s quite interesting. So I learned how to deliver the message in that concise way.
And after delivering that, and once the TED organisation published the video on their YouTube. Interestingly, they didn’t actually remove any part of that, generally they do some editing but they didn’t do that for me. I’m really thankful to TED on that. So it happened end of last year. It’s been just one year completed and it has been viewed more than 157,000 times. And I have been receiving some very, very interesting messages from all around the world. From identity enthusiasts to security specialists, and also, from the general public as well, saying that awareness is important. And we are having some inertia, right? We have been using passwords since, you know, 1961 actually, even before the internet was invented in 1989. But we don’t actually think that we are actually using it, and the complications that it brings, too. I have been fortunate enough to hear lots of personal stories as well. These viewers, they have been sharing their personal stories related to passwords, and discussing what is the solution that can actually solve this.
Yeah, so it has been a fascinating experience and I’m really, really thankful for all the viewers who have been watching it and also most importantly, interacting with it and sharing their stories.
Oscar: Yeah, excellent. Yeah, I also watched it and, as you said, the way you explained it definitely appeals to the general audience, which is of course what TEDx is mostly about, reaching wider audiences. So it’s definitely a good job you have done there. And I am happy to hear also that there have been a lot of conversations, because that’s also important, that people not only hear the stories or the ideas but also get involved in spreading those problems, sharing their own pains, et cetera.
Gautam: Thanks, Oscar.
Oscar: I also know that you have written, of course, you write blogs; in particular, I read that you talk about the missing identity layer of the internet. Could you tell us what that is?
Gautam: Yeah, absolutely, Oscar. I mean it’s extremely important that we acknowledge and realise that. Let me go back to when the internet was invented, right? Let’s face it, the internet was never designed to identify the human users. It was designed to identify the computers, right? That’s why there are IP addresses. Fortunately, or unfortunately, we humans don’t have IP addresses.
So, in the initial days of the internet, if you remember, all we used to do in the internet was browsing, right? We used to browse AOL, we used to browse Yahoo, different stories within Yahoo. So, it did not matter if for me, Gautam, is browsing AOL or Yahoo, or it’s Oscar browsing, or there’s fraudster who is browsing, right? Because all we did was browsing the internet. Yes, the returning user needed to be identified, not as Oscar or Gautam but whoever was browsing, right? So that’s why cookies were invented just to provide a continuity of the experience, right?
But then we started to do interesting things on the internet. We started to do commerce on the internet. We started to look for things on eBay and started to pay for those things. We started to do banking on the internet. We started to interact in the social media in the internet. And then it did matter whether it’s me, Gautam, doing that commerce transaction, whether it’s me, Gautam, who is doing that banking transaction or it’s you, Oscar, or it’s the fraudster. Or, in the current days, if it is that AI chatbot who is doing that transaction, right?
Internet was not designed to do that. Internet did not have that identity layer. So what did we do? We created a trustless model. So, if I want to pay for some things that I found on eBay, or if I want to do a banking transaction, my bank will say, “Hey, you cannot do that, because I don’t trust you. First, I’m challenging you to prove that you are Gautam.” That’s what we created, because the internet didn’t have that identity layer.
So how did that challenge happen? And initially this challenge happened in the form of user ID and password, right? And again, we are all aware of all the complications related to passwords, from convenience to security, right? Then we said, “Hey, passwords are not enough. Let’s add other things.” So, we started to talk about MFA, Multi-factor authentication, we added SMS OTP, right? And again, OTP, the last P is about password, right? Just changing the acronym doesn’t change the problem.
But then again, they said, “OK, maybe that’s not enough. Let’s add the biometrics on top.” But again conceptually what we are doing is, we are creating a trustless model where these services are challenging me, the human user, to identify myself, right? And whenever the human user is involved in providing a response to the challenge, for example in the form of I need to type back the password, or I need to provide back the OTP, however I give it, whether by typing back the OTP or some auto read happens. Or even if I do this, let’s say, biometrics in the form of facial recognition and so on, I, as a user, am the weakest link in the chain. I do something wrong, which is perfectly fine because I, as a user, am not a security architect. As a normal user, I am not aware of all those security complications that can go wrong, right? And that’s where all the problems that you have seen come from, and again, why? Because the internet was not designed to identify this human user. The internet never had the identity layer. It still doesn’t have it.
But we almost ignored the fact that almost at a similar time, there was a parallel internet that was getting created. So, as you know, I’m actually using the world wide web as a synonym for the internet, so when I say internet, it’s actually the world wide web, right? So, in 1989, this web, the world wide web or internet as we call it, was invented. In 1991, there was a parallel internet that was created. And we never call it the internet, we call it the mobile network, right? The first SIM-based GSM mobile network was used in 1991. And that parallel internet worked completely differently.
So, as we discussed, in the traditional internet, if I want to do any interaction, where I, as a human user, needs to be identified, I’ll be challenged, right? My bank will challenge me, my social media will challenge me, my e-commerce provider will challenge me, even my grocery store, online store will challenge me, right? But this parallel internet, which we call mobile network, worked completely differently, still works differently.
If I need to make a phone call, receive a phone call, send an SMS, receive an SMS, it doesn’t challenge me. My mobile network doesn’t say that “Hey, I don’t trust you. First, you prove that you are Gautam, then only you can make a phone call.” It doesn’t work that way. It just knows that it’s me, who is Gautam. So how did they do that? They actually created this identity layer. They actually created a mechanism which identifies this human user from day one, since 1991.
But we know this. How did they do that? They did that using this small gadget that we always carry in our mobile phone, this is the SIM. We almost forget that I, in the SIM, stands for identity. It’s Subscriber Identity Module. SIM was created to solve this identity problem in that parallel internet, which we call the mobile network, right?
So, isn’t that a solution? We were just ignoring it and also, just unfortunately, these mobile operators knowingly or unknowingly, kept this with themselves, right? What we are doing at Sekura.id, I’ll just mention here, that we are bringing in that identity layer from this parallel internet which we call the mobile network into this traditional internet so that we actually solve the fundamental problem rather than keep creating technologies on top like password, like SMS OTPs, like biometrics. And that is what will solve the problem from its root and bringing in an identity layer from this parallel internet to the traditional internet.
Oscar: Thank you for the explanation of the lacking, missing identity layer of the internet. And then you drew a parallel, I haven’t thought of it in that way, the parallel of the mobile network, which always had this identifier of the subscriber. As you say, it’s even in the term, subscriber, the SIM card. So, I understand that the Sekura.id solution is primarily based on the SIM card. Tell us a bit more about how it works, and, if you can, how Sekura.id works beyond being based on the SIM card.
Gautam: Sure. So, GSMA doing this Mobile Connect, the conceptual idea was very similar, right? It’s to utilise the assets from the mobile operators, not just the SIM card. SIM card is a cryptographic engine. But there’s a lot of data available with the mobile operators which can help to identify the human user without challenging them. And also, protect them without putting a hurdle for the user, like what user ID, password, OTPs or biometrics are. They are hurdles, right? They are actually saying, “Hey, you cannot access the service until you pass that hurdle.”
This is where Mobile Connect started and this is the journey that we are continuing in Sekura.id as well. So, in Sekura.id, what we do is, as I say, the SIM is a cryptographic engine. And now, in the digital world, there is a realisation that all the different, let’s say, identification and authentication methods where the user is actively involved, which means the user is challenged to prove who they are, or authenticate themselves, that is a limitation. A limitation in the form that, you know, if let’s say the user has got an OTP they have received, these fraudsters will always call this user and say, “Hey, I’m calling from your bank, or I’m calling from the government, you have received an OTP, can you hand it over, right?” If the user is not involved, right, these fraudsters can call the user but they have nothing to hand over. So in that case, we solved this problem of all the fraudulent activities that’s going on.
So now, there is a realisation in the digital world, as I was saying, that we need to avoid involving the user. So we need to do passive authentication. And how do we do that? Cryptographic authentication is one way to do it. So, Apple last year in WWDC announced these passkeys, which is basically based on FIDO, the Fast Identity Online mechanism, where there is reliance on cryptography and a cryptographic key on the device. And then that’s how we identify the user, right?
But exactly same mechanism is what happens in the SIM. And it is happening for the last 30 years. There is a cryptographic key which sits in the SIM which the user is not even aware of. And that’s an important thing. The user is not aware. As soon as the user is aware, or the user is involved in that awareness, OK, all these problems will happen because these fraudsters will approach the user and try to do some funny things, right?
And that’s another aspect that we say that here, this cryptography is humanised. If the user is not involved, it just happens behind the scene. In that case, this technology is humanised. Invisibility is more humanised. Steve Jobs used to say that technology should either be beautiful or it should be invisible. So here, this technology is invisible so that makes it much more humanised, right?
So, at Sekura, we’re utilising this cryptography in the SIM to seamlessly, invisibly authenticate this user. At the same time, there are a lot of what we call signals associated with the SIM which can help protect the user, at the same time, identify the user. For example, one of the largest fraud happening in the digital space right now is SIM swap fraud, right?
If we can identify that, hey, has there been a recent SIM swap? By recent, I mean in the last few hours, for example, to one day. If there has been a SIM swap, in that case, that’s a red flag, that might mean that the user who is in the transaction process, who is interacting with the digital service, may not be the genuine user, it could be a fraudster who has got access to the phone number of the user and is using their own SIM. That’s one data signal that’s there in the mobile, with the mobile operator, that doesn’t need to involve the user to ask if something has happened or not.
Similarly, setting up a call redirect, right? The fraudsters can actually set up a call redirect for my number by calling up the operator, doing some mechanism, some process there where they can say, “Hey, I have lost my phone, or I left my phone at my home and I’m expecting an urgent call from my family who is in the hospital. Can you please redirect all the calls to my number to this?” If I can convince the operator, in that case what will happen is, all calls, SMSs will be redirected or forwarded to me as a fraudster, right? So, if we can actually identify, is there a call forward active for this number? That data itself can protect the user, again, without involving the user. So, we have identified 66 such potential data signals which can invisibly protect the user and their identity. And that’s what we do at Sekura, working primarily with the mobile operators.
Oscar: I like the idea of this invisibility because from the beginning you started that the human side is going to make security fail, right? But if the human doesn’t have to be involved, yeah, I’m sure, there will be less hacking. So that is definitely the concept, it’s very interesting.
Gautam: And just to add there, Oscar, you know, of course, there is this identity protection, there is this authentication without involving the user. That element is there. At the same time, it is allowing these good guys to access the service, right? So, as I was giving that example, it’s me, right? I’m not the fraudster. It’s me who wants to pay a particular merchant online, right? And I’m assuming I’m the good guy, right? And I want to pay. In that case, there shouldn’t be a barrier for me, right? And it’s good for the business because the business will get me to pay them. That’s what they want, right? So, in that case, it’s important that the good guys should sail through, right? For them, there is no barrier.
If we make it invisible for the user, in that case, these good guys can actually access, you know, without any trouble. At the same time, because it’s invisible, we can actually protect this user behind the scenes as well. What that means is – it’s not just helping out with the identity verification, security and authentication, it’s also getting better business. Because if we put a barrier to the good customers, good users, in that case, dropouts happen.
We have been told by our clients all around the world that on average globally 20% of the users drop out due to all these, let’s say, challenges. They say, “Hey, I’m not going to use it.” SMS OTP is needed to do our transaction or to pay and the OTP doesn’t get delivered or it is delayed, the user says, “Hey, I’m not going to pay now, right?” So that’s 20% dropouts, on average globally.
Here, if you make it invisible, you don’t have any dropouts, right? Because there are no barriers. There is no door which is closed that needs to be opened. So, in that case, the businesses get 20% more conversion, so that’s more business, more revenue. So that element is also there, if you make it invisible using the mobile operator’s assets like the SIM and all the data. That needs to be considered as well alongside security.
Oscar: And what if, myself as a normal user, I want to try Sekura.id, how can I use it already? There might be some services which are already available?
Gautam: Yeah, absolutely, Oscar. So one element here is you know as you can understand, this is B2B service, right? So the businesses are using us. Businesses are protecting that. All our services are, you know, they go through one single API, right? So, it’s not the user who is accessing our services directly. As I was giving the example, I, as a user, accessing my banking service, right? And my banking service is using the Sekura.id services through the API, right? So that’s how I, as a user, as a consumer use it. Not directly through Sekura, through my services. And then again, I may not be even aware that that service is getting used, right? Because this service, as I said, for the human user it’s invisible.
So the majority of our clients right now are mostly from financial services, so the major banks in the UK, they are using one or more of our services, like Barclays is using our services, Virgin Money is using our services. In the US as well, Morgan Stanley, they are using our services, Flora Bank, they are using our services.
But again, just to reiterate, it’s not a B2C service, right? So it’s not that I, as a consumer, am using the Sekura.id services. It’s my business who is using the service to help me as a user get protected. And at the same time, no barrier has been put by the businesses to access it. And we are actually expanding globally. As I mentioned to you earlier, I was in India, I came back yesterday, we are actually launching there. We have had some very, very exciting discussions across the use cases there, not just in the financial sector, beyond as well. And then we will be announcing those pretty soon.
Oscar: OK, as soon as they are launched, it will be interesting to know what these use cases are. So, very interesting initiative that you have in Sekura.id. So what happens for instance if – because this depends on people having good mobile networks and good phones, so what happens if that’s not available in some regions in the world?
Gautam: That’s a very important question you ask, right? And there are two elements you said, one is a good mobile phone. One of the things that we really passionately believe in at Sekura is inclusiveness. And that’s very important for us. We have a mission statement of identity for all and everything. So no one should be excluded from identity protection, right? And this is why we tackle it from multiple angles.
So for example, we have a platform that we have created from the ground up based on all our learning from the GSMA and also my learning from Vodafone. That platform can integrate with any mobile operator in the world, right? Because all mobile operators are different. There are 700 plus mobile operators there. Right now, we are connected to around 75 mobile operators globally and we want to connect to all. Why? Because we don’t want any operators to be excluded, because if we exclude them, their consumers or their users will be excluded.
So, one example is in India, one of the smallest phone operators is BSNL, right? It’s a government-owned operator. They are quite small. They don’t have a platform. And they were actually not included in this identity space. So what we have done is we have provided our platform to them so that that platform can actually connect to that mobile operator and then it can actually expose their services, right? Because we don’t want to exclude their users.
At the same time, it is important, as you rightly asked. What happens if I don’t have a good phone? So, this is where the principle that we use in all our services has got two major aspects. One, I already talked about – not involving the user because if you don’t involve the user, we increase the security, because user is the weakest link, right? And rightly so. And the second thing is not depending on the mobile device, because that’s extremely critical. Because let’s say, if the user can afford an iPhone 15 right? Of course, that’s extremely secure. The key chain there where the keys are stored is a hardware, right? That’s an HSN. So, it will be extremely secure.
But what about the user in, let’s say, Southeast Asia or in Sub-Saharan Africa where it’s a sub $10 phone? That may not have that much security. So, it’s unfair on the user because they cannot pay for that advanced phone, they are getting excluded from security and identity verification. At the same time, it is unfair on the businesses, they cannot rely on security because the user cannot afford that high-end phone.
That’s why that’s the principle we use. We don’t rely on the mobile device. What do we rely on? The SIM. The exact same SIM is in the iPhone 15 or any of the high-end devices or in the low-end, not so expensive phone and provides the exact same security, right? The cryptographic security that I talked about doesn’t differentiate whether it’s a very high-end, expensive phone or not so expensive, much simpler phone. So that’s an important element here, right? So, our services don’t rely on the device. It doesn’t matter what device the user is using.
Secondly, all the data elements that I talked about is in the mobile network. This is completely independent of what device it is. So that way as well, all those data elements that I talked about, all those 66 potential data elements are independent of the device. So, that’s how we use the service and then make it inclusive end to end, for any user, right?
The other thing you asked about is what if there is no mobile network? It doesn’t really matter. So, the way to look into this thing is, we are relying on the mobile network. But the user doesn’t have to use the mobile device even at that moment in time for the majority of the services. For the authentication services, the mobile device needs to be in the network. But again, if the mobile device is not in the mobile network, it is connected to Wi-Fi or any other networks, in that case, we have a fallback mechanism, because we cannot really rely on the mobile network when the device is connected to Wi-Fi, so still we have a fallback mechanism.
And in some regions, like in the US, we have worked with one of the large mobile operators there. Where we have worked with them to utilise the SIM, even if the device is connected to Wi-Fi. Because even if the mobile device is not connected to the mobile network, still there is a SIM there, right? If you can reach out to the SIM, we protect the device anyway.
And the other thing I was talking about, all these 66 potential data signals, they are available at the mobile operator’s secure CRMs, CVM and all the OSS, BSS systems, right? So they don’t need the user to be using the mobile device at that moment in time. For example, if there is a SIM swap that has happened in the last few hours, the mobile operators’ databases, they are already aware of that even if there is no network. So, all our services other than the authentication service, which we call SAFr Auth, all our services are data-related or signal-related services where these businesses, let’s say, this is a bank or an e-commerce provider or even a social media provider, their server makes the API call to our platform to get this data signal. So the mobile device is not involved, the mobile network is also not involved there. Because again, we want that inclusivity for every user to be involved in there.
Oscar: OK. Well, definitely very novel way of addressing these problems. So I’d like to ask you one final question, Gautam, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Gautam: Thanks a lot, Oscar, for asking that. The most important thing to add into their agenda is an acknowledgement that the internet doesn’t have that identity layer. Because that’s a fundamental problem. Because if we start to add technologies on top to fill the gap, that will not solve the problem. And we have seen over the years, right? We have seen user ID and password, they didn’t solve that, SMS OTP or any form of OTP, they didn’t solve that. Then we added all sorts of other OTPs, right? TOTPs, authenticator apps, we even used those RSA tokens that we used to carry around. Then we evolved into biometrics. And by the way, biometrics, I’m sure your audience is aware of this, after Generative AI, every form of biometrics is challenged.
And then actually, you know, interestingly, LexisNexis, which is one of the largest fraud management providers, based in the US, their CEO of government affairs came to the press. This person gave an interview to Fox News in June, saying that we are so much relying on these biometrics and after the Generative AI revolution, there is a financial impact in the industry and that impact is around 1 Trillion USD because every form of biometric is challenged through this Generative AI. Not just through deepfakes, through all sorts of mechanisms. I mean you can actually search the internet on those kinds of fraudulent activities happening on almost a weekly basis.
So, let’s acknowledge that there is a fundamental issue with the internet and that’s no one’s fault because internet was not designed for that. If you acknowledge that, then we can solve the fundamental problem, right? And that can be done through the already existing identity layer which is existing in the mobile operators. Let’s work through that and solve the problem forever.
So, basically, what I am saying is, let’s bring in that identity layer from that parallel internet which we call mobile internet into the traditional internet. And let’s solve that problem at the root. And that’s what we are doing in Sekura.id. And that’s what we would invite all the leaders in the digital space to look into and solve the problem.
Oscar: Thank you very much, Gautam, for this very insightful conversation. And let us know if people would like to find more about you on the net, what are the best ways for that?
Gautam: Thanks a lot, Oscar. Thanks for inviting me. I am on LinkedIn. Please connect to me. It’s Gautam Hazari, G-A-U-T-A-M H-A-Z-A-R-I. If you Google me, you will find me there as well. And also, please visit Sekura.id, S-E-K-U-R-A.ID. You will find insightful solutions there and also we post lots of insightful stories, articles, blogs and what the future is looking like. Recently, one of my articles was published in Forbes, I’m calling it Internet of Thoughts, where the future is coming and where, if you don’t solve this identity crisis in the internet, it may create more issues. So, please reach out. Please look into Sekura.id and let’s solve this identity crisis together.
Oscar: Yeah, of course. Again, thank you very much Gautam for this conversation, and all the best.
Gautam: Thank you very much Oscar for having me.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
In episode 98, Russ Cohn, the Go-To-Market for IDVerse, joins Oscar to explore Generative AI within Identity Verification – including what generative AI and deepfakes are, why deepfakes are a threat to consumers and businesses, and some of the biggest pain points in the identity industry and how generative AI can address them.
[Transcript below]
“It’s very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices.”
Russ Cohn is the (Go-To-Market) for IDVerse, which provides online identity verification technology for businesses in the digital economy. Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA & US markets within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions.
His strong tech knowledge is coupled with deep operational and commercial experience building teams within SaaS, advertising and marketing technology-driven revenue models. Russ was previously a key early member of the Google UK leadership team who grew the team from 25 to 3,000 people and the revenue from £10m to £1billion during his tenure. He brings deep experience supporting international technology companies and has a passion for marketing development, startup growth and technology solutions.
IDVerse empowers true identity globally. Our Zero Bias AI™ tested technology pioneered the use of generative AI to train deep neural network systems to protect against discrimination. Our fully-automated solution verifies users in seconds with just their face and smartphone—in over 220 countries and territories with any official ID document.
Connect with Russ on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 98.
What is generative AI? This week Russ Cohn, from IDVerse, has joined us to discuss generative AI and deepfakes and the threat this poses to businesses and consumers for their digital identities. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Artificial Intelligence, in particular Generative Artificial Intelligence, is a topic that has been, I believe, on most of our radars in the last 12 months particularly. And there are amazing things going on. But also, we know that the bad guys are also using those tools. And one of those is related to deepfakes that are being used to cheat the identity verification systems that have existed until now.
So, to see how we are going to solve those problems in identity verification, these newer problems, we have a special guest today who is Russ Cohn. He is the go-to market for IDVerse, a company which provides online identification technology for businesses in the digital economy.
Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA, and US markets, within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions. His strong tech knowledge is coupled with deep operational and commercial experience building things with SaaS, advertising and marketing technology driven revenue models.
Hello, Russ.
Russ Cohn: Hello, Oscar. How are you?
Oscar: Very good. Happy to have you here.
Russ: Thank you. Very glad to be here.
Oscar: Fantastic. It’s great to have you here. And we’ll talk about the deepfakes and how the newest practices in identity verification are solving these problems. So, let’s start, let’s talk about digital identity, Russ.
So first of all, I would like to hear a bit more about yourself, your story. Tell us about yourself and your journey to the world of identity.
Russ: Absolutely. I am fairly new to identity. I’ve only really started in the industry probably just over three years ago. I was the first international employee of OCR Labs, which we recently rebranded to IDVerse, but I joined about three years ago. We’ve since then built the international team to over half the company, and we continue to grow in EMEA and the US.
As a background, I’m a marketer, a commercial leader, investor. I’ve spent probably over 20 years in technology-driven companies of all sizes. And I was lucky enough to join Google very early on, and there were 20 people in the UK, and 600 people around the world. And I grew up with them a little bit, and I left there with 65,000 people. So, I’ve got fairly good experience at scaling companies and have invested in and advised companies since then.
I’m now, as I said, at IDVerse. And I’m focused on the go-to-market. So, helping them globally, to take our products and execute them in the best possible areas and help our customers with the most cutting-edge technology to drive identity verification, make it effortless. Obviously, through the use of our sophisticated technologies and techniques, including Generative AI.
I’m excited about the opportunity for identity verification, as the need for verified trusted identities has grown exponentially, globally, really, since the pandemic. And with digital growing at such a phenomenal rate as well, we’re now living in a mobile-first world, and we need the right kind of identity verification to support that growth.
Oscar: Indeed. So, let’s go to some basics. For someone who has heard about that term, Generative AI, and is still not so clear what it is, particularly. Could you tell us what that is? What is Generative AI?
Russ: Yeah, sure, I think, you know, everybody is talking about ChatGPT and Bard and it’s brought these techniques, the AI techniques, to the public, and we can’t get enough of them. But everyone is using ChatGPT and Bard, etc. to learn more, do their jobs better, find new facts. It’s pretty addictive and very, very useful but still at a fairly early stage.
So Generative AI, short for Generative Artificial Intelligence refers to a class of artificial intelligence systems and techniques that focus on generating new content or data rather than simply recognising patterns or making decisions based on existing data. Now these systems are designed to create original content that resembles human created data such as images, music, texts, videos, and more.
I use Spotify extensively. I’m sure most people do. And a couple of months ago I got an AI system on there that’s going through my music catalogue in the background and choosing the right music based on my tastes. Generative AI models are generally trained on large datasets, and they learn to understand the underlying patterns and structures within the data.
So once trained, they can produce new examples that are similar to the data they were exposed to during their training. These models are capable of generating content that didn’t exist in the original dataset, making them a very powerful tool for creative tasks in content creation. Now at IDVerse, we’ve been doing Generative AI for a long time, probably since the start, seven or eight years ago.
And we use a technique, a very familiar technique called Generative Adversarial Networks or GANs, which I’m sure a lot of your audience will be familiar with. Now GANs, just to go back to basics, consist of two neural networks, a generator and a discriminator. These are trained together in a competitive manner. The generator creates the synthetic data, and the discriminator’s task is to differentiate between the real and the generated data.
So, the competition between the two networks leads to the generation of increasingly realistic content, which we see everywhere in videos, photos, documents, et cetera. Now, we’ve trained on millions of synthetic and real documents and millions and millions of synthetic faces using these techniques. For us, just to be clear, we only use ethically sourced or fair-source data for face biometrics, particularly in the training. This refers to facial recognition datasets collected and used in a manner that upholds strict ethical standards and respects individuals’ privacy, consent and fairness.
Such data is obtained transparently with informed consent, minimal intrusion and efforts to mitigate bias. So, these measures ensure the responsible and equitable use of biometric technology. In the context of facial identity verification, training data refers to the specialised datasets of facial images used to train the machine learning algorithms, or deep neural networks, that are responsible for recognising and verifying individuals’ identities based on their facial features.
So that’s quite a mouthful. Hopefully, that gives you some context. But this is how we look at Generative AI in identity verification.
Oscar: Yeah, thank you for that introduction. Of course, one of the products of this type of Generative AI and related tools is deepfakes, which we are seeing more often. Sometimes we saw that only for, let’s say, celebrities or famous people. But now, they can be used to attack me or to attack you, actually anybody, right?
So, tell us how the use of deepfakes is a threat, a real threat for both consumers and businesses?
Russ: Yeah, absolutely. I think they are a massive threat as the rise of Gen AI, and you touched on it, fraudsters use the same if not better techniques than we do, or many companies do. And they are very, very good at surging ahead of these technologies and finding ways to create very realistic synthetic identities to both impersonate real people, as well as to create brand new identities of people who actually don’t even exist in real life.
And so, while that’s exciting as we talk about Web3 and avatars and these opportunities and possibilities, I think both consumers and businesses will continue to fall victim to many of the risks out there, unless measures are taken to prevent this.
Now, I just want to highlight a couple of examples of these like disinformation and fake news, right? So, creating videos of public figures, you can grab off Facebook or YouTube, and replicate those and make them do things that they never did. That can be exploited to spread false information.
This can incite conflicts and it can really manipulate public opinion. For us, we see and obviously, we’re very close to and care a lot about frauds and scams, so businesses and consumers of course, can – in the UK particularly we have a huge fraud problem. And we see a lot of deepfake-based scams that can impersonate company executives, trusted individuals, they can deceive employees or the customers and make them reveal sensitive information for financial transactions.
We’ve seen some of that just recently with MGM in the US in this recent breach. We don’t know exactly, but we do know, I think, somebody, an employee, was actually targeted. This can cause, you know, I think, reputation damage to people, you know, politicians, businesses and people. Fake videos and audio can be created to endorse a product or not support it, and that can create problems. And of course, the thing we care about a lot, identity theft, right?
And deepfakes can be used to impersonate individuals, leading to identity theft. This may result in unauthorised access to personal data or systems. And of course, manipulation in financial markets, personal bank accounts, breaches of banks. So, this can cause big issues like privacy concerns, security threats and erosion of trust, through the wide use of this, and internal security problems for businesses, and privacy for people when they are violated and their identities are stolen.
So, it’s very, very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices.
Oscar: Yeah, indeed, you already explained some cases in which these criminals are already targeting the identification systems that have existed in recent years. If we focus on these services that exist today and have been protecting us or helping us identify people in recent years. So, what are these – the biggest pain points or the weaknesses that are being attacked by these criminals?
Russ: Yeah, look, I mean, there’s a lot of weakness in existing systems, which can come across in the fact that vendors don’t disclose, for example, that they don’t use their own technology, and they can’t always deliver on their promises. So, I think a lack of global document coverage, old-style techniques like templating, exclusion – like racial, gender and age bias – in these poorly designed systems can cause huge problems. And systems that don’t have the ability to understand where these attacks are coming from with these synthetic IDs.
We create all of our own tech in-house. So, we don’t use external vendors to drive our fully automated solutions. So, we feel pretty confident. But there are, as you mentioned, these legacy systems that we’ve relied on, that aren’t necessarily up to speed. What we’ve seen, from a pain point of view, is badly trained human spotters in remote locations, for example. So, some people in the industry and vendors use those, this can cause slow response times, and they can’t keep up with the standards and the technology that’s being used to identify fraudulent documents.
And also, the biometrics of people that are not real. So, it’s very difficult for them to keep up. And then, we’ve seen an issue around a lot of bias or differentials in the natural bias that’s in previous ID systems designed by, traditionally older white male engineers. And that’s a problem because these biases are built into these systems. And the humans who are evaluating physical documents, depending on where and how and what can inflict their own biases on age, gender, and race as well.
Now, this can slow down experiences for customers, as they take a lot longer. And of course, they aren’t as accurate, you know, humans can’t scale. And so, technology can do a lot of that heavy lifting, and can solve a lot of that. And you can still have humans for critical tasks, but it’s important that you use technology to identify these gaps.
In fact, we ran a study a few months ago with an external testing company called BixeLabs of 1500 subjects, male, female and transgender, across eight regions in the world for our facial biometrics. And we came back with zero bias on either race or gender on the facial biometrics. So, it’s pretty important that businesses start to use, and people start to get comfortable with one of the strongest, probably the strongest biometric there is for lots of actions that we do take in our everyday lives, whether it’s on a personal or work basis.
And I think that the other thing that is challenging for us in the identity space is we see a lot of unethically sourced biometrics, right? And that can refer to the acquisition, usage or distribution of these, that can violate privacy, as I mentioned earlier, consent or ethics.
And these practices really can result in privacy infringements, discrimination, social harm and legal issues. And some examples of that are data scraping and profiling, lack of informed consent, data breaches, of course, we’ve seen that recently and frequently, deepfakes as we talked about and manipulation of people, government surveillance, employment discrimination. These are big issues.
And I think the lack of unified government standards around these things is also difficult. And it’s important that people use the latest technologies like computer vision and Generative AI to start, to be able to scale and address some of these issues and keep users and businesses safe going forward. But those are definitely some of the issues that we’ve seen accumulate over the last few years.
Oscar: Yeah, yeah, I can see there are quite a few. And how does this more recent generation of identity verification systems work together with Generative AI? So, if you can tell us a bit of the how: how are they different from the previous products, and how are they tackling these problems?
Russ: Yeah, as I expressed in some of the technologies that we use, I mean, training data for Gen AI, for example, if you think of it, if I can frame it like nutritional labels on food, right? So, you’re feeding a machine, essentially. And so that training data should come with some sort of nutritional label, to know how the macronutrients will affect performance. So, you know, it’s important that when using Gen AI, you understand the nutritional makeup of the training data, supply chain transparency, where you get the data from, for example.
But it’s important that these techniques are able to detect the proliferation of these fake documents. I think digital identity is becoming more and more, of course, prolific and governments are starting to bring onboard connectivity into these digital identity databases that are able to verify customers in a much more robust way than potentially documents were.
So, I think we’ll see that constant trend of digitisation of technology, mobile-first, wallets, and of course, documentation that will become digital will make life a little bit easier. But, in order to protect themselves, consumers and businesses really need to think about what they can do to stop and be vigilant, right?
So, I think consumers need to educate themselves. They need to use things like password protection and protect their devices and be aware of things like phishing tactics in social media and email. So, we can do as much as we can for businesses, but I think businesses need to invest in these systems because they are stronger, the security measures are stronger, and will help protect them and their customers ultimately.
I think the differences that we see, we believe facial biometrics is very, very strong and has been proven externally through, you know, NIST iBeta certification, for example, we have a 99.998 certification of liveness biometrics, I mentioned the inclusion and lack of racial bias. If you want to capture and work with people of all races, all genders, all colours across the world, it’s important to use systems that are inclusive, otherwise, you’ll end up discriminating and losing customers.
So, it is important to make these investments into these systems to help protect your business and help protect the consumers behind that. But ultimately, consumers have to also be educated themselves. They have to think about what they’re doing and be aware of things that are out of the ordinary or suspicious, unsolicited requests, for example. And then lastly, I think, you know, government needs to engage in some sort of public dialogue as well to help consumers understand what they’re doing in these initiatives.
And government needs to work with business as well to inform the public about things like biometric technology, ethical implications, and why they should be using these. But ultimately, there should be some ethical guidelines and review boards to be able to support the usage of this new technology that’s coming at us at such a pace. It’s really strong, really powerful and really useful.
But there have to be some guardrails around that, and I think it’s going to take a collective effort from consumers, businesses and government to get us there.
Oscar: You mentioned, for instance, liveness detection, that is one of the ways that these identity verification tools check that the person is a real person moving in front of the camera. In terms of the end user, so when the end user is in front of this identity verification system that is based on Generative AI, so, let’s say, is the user experience similar, how transparent is it, or is it different?
Russ: Yeah, I think, look, with facial recognition, for example, and the techniques we use in identifying people when they’re going through the process of verifying themselves or for account access or re-authentication, no personal data is stored. So, the use of those biometrics is the ability to give people a robust way to prove themselves and their proof of life, if you will, when doing a particular action.
And I think what’s been missing in the past is people have accepted a document which could or could not belong to that person to be the valid form of identity. The reason why identity documents around the world had been the standard is there was always a picture of your face on that document.
So, you had a passport or driver’s license, you could see it was you in a sense. So, with liveness, people are protected the same way as using phones to open up access to your phone and to those systems. But these systems are tested and there is no personal data. People should feel very comfortable that the data that they’re using to generate that action is protected and their own in terms of doing that.
We’re just using technology to be able to verify that that person is live and present, and is not a deepfake, and is not a synthetic ID. Because what we see a lot is these presentation attacks where people are using video footage that is grabbed from external sources, for example, to try and fake systems or try and trick systems that they are actually live and present.
But we are able to detect these digital footprints and be able to detect, using multiple sources and multiple techniques on the mobile phone that we build software for, that that person is live and present and is presenting the document that they say they are in order to verify themselves.
Oscar: Thank you for explaining better how it works for users. So, it’s simple for users. It’s not more complicated.
Russ: Simple and seamless and quick as well. It’s not more complicated. It’s less complicated, in fact, right? So, when you’re presented with it – there has to be trust, of course, in the environment that you’re doing this in, and then providing your face to do that.
But ultimately, it’s safer and quicker, and ultimately more secure than any sort of biometric that they might have used previously.
Oscar: Yeah, it’s true. You mentioned also faster. Sometimes I think, being in front of these systems, yeah, you are waiting a little bit in front of the camera, right, until it processes.
Russ: Yeah, look, it depends on the speed and the connectivity in the region you’re in, and it might be the phone and your mobile network, for example. But we account for all of that in the software that we design in helping people to process that. So, we shoot like a live stream video, and we take the best shots out of about 100, 120 frames that we shoot out of that video. It’s a very quick two or three second capture, and we’re able to compare the best quality face to the document that’s presented in this process.
Now, we can account for age, facial degradation, loss of hair, glasses, et cetera because we are looking at the underlying structure of someone’s face when doing that. So, we’re 3D mapping essentially that person’s face, and are able to then tell against the original document that’s presented if that person is the same person.
And that you can’t do, it’s very hard to do with humans, for example. And that’s why technology can do a lot of this lifting very, very quickly. We can do it in seconds and verify the person against very old, very aged documents or changes to their facial structures. And so, we’re very excited about how these techniques can verify people to the grade that I mentioned before.
Oscar: Yeah, indeed, it sounds like there’s a lot of innovation hearing what you’re describing. So, what would you say, looking at the future, is the future of Generative AI in identity verification?
Russ: We’re excited about Gen AI’s ability to create these huge datasets of synthetic personas, because it’s going to help prevent fraudsters trying to use these synthetically created people and documents that they create to trick and penetrate low-grade systems.
And the more people we can support, the more businesses we can get our technology into, the more we can stop these synthetic IDs and penetration attacks that are happening. And we’ve seen the velocity of these increase as we see better and better tools and faster processing time to be able to do this.
So, the ability to cover the identities of the world’s population through technology and creating inclusivity for all ethnicities, all genders, means that people can be granted access regardless of where they live, what device they’re using, what colour they are, what gender they are.
So, we’re very excited about how Gen AI can train and help people. And again, this is all ethically sourced data, right? So, we didn’t go and grab it elsewhere. It’s very hard to get in front of tens of millions of faces with variations of age and, again, colour, ethnicity, gender, et cetera.
So, Gen AI really helps us to do that. I think detection tools – so, developing and using advanced technology like Gen AI to detect this deepfake content can be crucial to mitigate the potential harmful effects that might come from that. Authentication mechanisms – so, implementing strong authentication, like facial, can help, again, verify the identity of individuals and reduce that risk of impersonation.
So, trust has to be ensured that it’s in place there. And of course, eliminating frauds and scams, so businesses and consumers fall victim to deepfake-based scams and others every day. For instance, a scammer can impersonate a company executive, as I said, and deceive employees into revealing sensitive information or maybe making financial transactions.
So, we want to stop fraud at the door. We want to stop fraud internally, externally. And we want to help protect businesses and their customers, whether they are businesses or consumers, from the rising threat of what’s coming on synthetic identities and the scale of using Generative AI at the fraudster level.
Oscar: Sounds good. Final question, for all business leaders that are listening to us right now, what is the one actionable idea that they should write on their agendas today?
Russ: Yeah, look, there is a lot to choose from. I think the one action, in my opinion, maybe is – you’ve got to think like we’re living in a mobile-first world, right? And Gen AI solutions, as we’ve talked about, are surging.
So, the action I would take is take the time to speak to your fellow executives and to the teams and to the people inside your business and understand how identity is currently viewed in your approach to your people, your processes, your security, your products and your customers. Where I sit, and where we sit, we are seeing the velocity of identity usage increase across the world.
Governments are enforcing and implementing more and more identity standards in order, obviously, to control governmental services. And so, it’s important that people think about identity for their own businesses. It’s going to become critical to protect them and their customers. They need to think about everything from employee onboarding, how well you know your employee and your customers.
And of course, ultimately, what we’re all achieving, or trying to achieve in digital is improving user experiences, anything from onboarding to account management, to customer services interaction. So, it’s everything that your customer, your employee might touch within your business, potentially has something to do with identity. And the better you know the people in your business and your customers, I think, the better positioned you’re going to be to be able to not only stop these threats but take advantage of beating your competition by staying ahead and knowing your customer much better.
Oscar: All right, thank you very much, Russ, for all this very interesting conversation about how Generative AI is going to help us for the identity verification now and in the future.
So, for the ones listening to us who would like to know more about you or get in touch with you, what are the best ways for that?
Russ: Yes, thank you again for the time, letting me talk about something that, you know, I’m very passionate about, and obviously we’re very passionate about fraud and particularly technology.
If they want to get a hold of me, I’m on LinkedIn, you know, Russ Cohn, C-O-H-N. IDVerse.com has a repository of amazing content and information and thought leadership around a lot of these areas, so please take your time to look across the site. And if you want to get in touch with us, there’s lots of ways to do that on the site.
So, look forward to seeing and speaking with anybody who’s interested in learning more about IDVerse and about – chatting about fraud and identity.
Oscar: Perfect. Again, thank you very much, Russ. And all the best.
Russ: Thank you, Oscar. Appreciate the time.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
This week, Oscar is joined by Riley Hughes, Cofounder and CEO at Trinsic and host of the Future of Identity podcast. They delve into Verifiable Credentials, including what verifiable credentials are, some examples and success stories of how these are being used and implemented, the connections between verifiable credentials and wallets and whether verifiable credentials will become interoperable.
“It seems like the future of identity will be much better than it is today.”
Riley Hughes is CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralized identity community, Riley has pioneered efforts on making emerging, privacy-preserving technologies such as identity wallets and verifiable credentials adoptable to the masses. He began his career in the decentralized identity space as the second employee hired at the Sovrin Foundation where he established and led several teams.
Connect with Riley on LinkedIn.
Go to @Ubisecure on YouTube to watch the video transcript for episode 97.
Oscar Santolalla: This week we are discussing verifiable credentials. I am joined by Riley Hughes, the host of The Future of Identity Podcast, to explore some of the most recent success stories of verifiable credentials and how we can work to improve adoption moving forward. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Hello, and thank you for joining a new episode of Let’s Talk About Digital Identity. One term that has been on our radar for the last – I would say four or five years – has been verifiable credentials. Which, I will say personally, I feel is becoming pretty crystallised in the last one or two years. And we have not talked too much about this lately, so I have a very special guest who has a lot of insight into what’s going on worldwide about verifiable credentials.
Our guest today is Riley Hughes. He is the CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralised identity community, Riley has pioneered efforts on making emerging privacy preserving technologies – such as identity wallets and verifiable credentials – adoptable to the masses. He began his career in the decentralised identity space as the second employee hired at the Sovrin Foundation, where he established and led several teams. Hello, Riley.
Riley Hughes: Hi, Oscar. Great to be here.
Oscar: It’s great to have this conversation with you. So very welcome. And let’s talk about digital identity. And as usual, I want to hear more about our guests. So, if you can tell us about yourself, and especially your journey to this world of identity.
Riley: Happy to do so. I am very fortunate to have totally fallen into this amazing industry. And it happened because while I was at college, I was seeing all those smart people around me going and getting jobs at elite places, you know, investment banks and management consulting firms, and so forth. And I thought that I wanted to kind of differentiate my resume enough that I could, maybe I could get an interview as well at one of these places. So, I thought, “What is the most, kind of, off the wall internship that I could get that would differentiate me from all of my peers?”
And I ended up getting a job at the Sovrin Foundation, as you mentioned. Sovrin at that time was very early. I was, as mentioned, the second employee hired, and it was kind of a blockchain meets identity meets nonprofit, you know, meets early employee kind of a role. And so, it, sort of, fit my criteria for differentiating my resume. But it was also just really, really exciting to be part of an early organisation. It grew up to about 25 employees in short order. And I was able to participate in some of that growth. And that was a lot of fun.
And what I realised is that there are a lot of problems to solve in this world of digital identity. I remember just thinking, “Man, it seems crazy that we are sending people to outer space, and we’re editing genes, and we’re doing all kinds of unbelievable things with science and technology. And yet, the best way to prove who I am on the internet is to take a photograph of my government-issued document and a selfie, or something. It just seems kind of backwards.” It seems like the future of identity will be much better than it is today.
And so, although I didn’t necessarily know whether Sovrin would be the ultimate manifestation of that better digital identity future, I did know that something would happen here that would lead to that better future. And so, I thought I would stick around in this space. I decided not to go for those other kind of recruiting opportunities that I alluded to. And instead, I started Trinsic with a couple of -. And that’s kind of how we got to where we are today. That was a little over four years ago.
Oscar: Yeah, super interesting that one of the first jobs – when you start to differentiate yourself – it was Sovrin. How did they find you? How did you find them?
Riley: The Chair of the Board of Sovrin was Phil Windley. And he was a professor at the university that I was attending. So, they had a job posting out for university students. And they didn’t have any money yet so they couldn’t pay very much and so they needed a university student and that’s sort of where I came in.
Oscar: Right place, right time. Fantastic, those coincidences that sometimes happen.
So, you’ve been around, as you said, four years/five years in this space already. So, what would you say has been something that has surprised you the most, something special you would like to tell us?
Riley: Yeah, that’s a great question. I think that when I started in this space, and the way we were talking about verifiable credentials, was as if it was a digital representation of a physical document. Right? And we can get into more about what verifiable credentials are and what they aspire to be. But the thing that was most kind of interesting and surprising recently, is – at Trinsic we are an infrastructure provider for verifiable credentials. And so, when companies want to incorporate a verifiable credential-based solution into their offerings, we’re an infrastructure to enable them to do that.
And as we did a kind of – an inventory or a survey of the landscape, of all of our customers and the ones that were most successful. What we realised was that people were not using verifiable credentials as a replacement for a physical document, generally. Instead, what they were using it for, is – in the same way that a FinTech developer might use an open banking API, right?
Basically, open banking allows you to unlock your data from its original silo, which is your bank account, and reuse that financial data and make it interoperable across other third-party applications. And, you know, what our customers were using verifiable credentials to do is something similar, but for personal data. Unlocking that personal data from its original silos and making it useful and interoperable and reusable across multiple applications.
And so, it actually changed, Oscar, the kind of form factor of the product we needed to build, right? And we realised that the correct – you know, we needed to change some things about how we were approaching our product.
So that’s been what we’ve been in the thick of doing for the last few months. And it’s been a fun journey. Startups are always a little bit of a roller coaster. And this is a fun part of that roller coaster.
Oscar: OK, super interesting, Riley. So, let’s jump into the main topic. So, tell us please, what are verifiable credentials?
Riley: Yeah, I alluded to verifiable credentials often being talked about as a digital representation of a physical document. And generally, when you hear the term verifiable and credential – a credential is sort of an attestation, or a claim made about one party by another party. So, in healthcare, right, your credentials are something that you’ve obtained, from a trusted source, that you can use to prove to somebody else certain things about you, and what your qualifications are, et cetera. And verifiable credentials are a way to do that verifiably, cryptographically in a digital form.
Now, if we’re talking about – I think there’s two ways that people use the term ‘verifiable credentials’ today. One is with an uppercase, V and C, an uppercase Verifiable Credentials, that is the formal official W3C Verifiable Credential Data Model Standard. And that is a specific kind of verifiable credential that is sort of an interoperable, and probably the most well-adopted, and well talked about kind of verifiable credential.
And then you have the lowercase, vc, verifiable credential. And there are lots of different kinds of lowercase verifiable credentials. Lots of things that can fit this model of an attestation that is given to you by some trusted party, and used to get access to the things you need throughout your life. So, I guess it depends on which of those you’re talking about. But I hope that that’s a helpful kind of intro.
Oscar: All right, thank you for that. And the same term can mean different things from different perspectives. Let’s make it even more concrete.
So, let’s hear from you some concrete examples. If you can tell us something that is already widely used, some that most of us might already know about. So, tell us a bit of some examples of verifiable credentials.
Riley: Yeah, I mean, again, if we’re to zoom out a little bit and talk about verifiable credentials in the broadest sense. Even something like a credit card could be considered a verifiable credential. It is something that was given to you by a trusted source, likely a bank, and you can use it with third party merchants in a way that they can authenticate that card and charge your account based on your actions with that card. And so it is, you know, in the broadest sense, even something like a credit card or a government-issued ID could be considered a form of a verifiable credential.
But if we’re talking about specifically, the new W3C Verifiable Credential Standard, I think, one example that is helpful to conceptualise what this looks like, is the vaccine, or the sort of travel pass type products – that many of us used throughout the pandemic. I think this is where – this is the first use case that we found that Trinsic received broad adoption. And, you know, these are products that allowed you to prove that you were vaccinated against COVID, or that you had obtained a recent COVID test, and that you are therefore eligible to travel. And you know that is a form of verifiable credential, Apple and Google even were accepting those credentials into their native operating system wallets as verifiable credentials as well. And so that is maybe an example that a lot of people have used in the recent years.
Oscar: And those were already based on the W3C standards.
Riley: Yeah, technically, I think the smart health cards was what they were based on, and smart health cards were based on the W3C standard, so yeah.
Oscar: OK. Yes, definitely that has been a case that millions of people have used. Those helped us during the pandemic without knowing the term of ‘verifiable credential’. So that definitely has been widely used in different regions, different implementations. But yeah, that’s correct.
OK, if you tell us also some other examples, how has been, yeah, across different sectors, let’s say verifiable credentials are being implemented and as well, interesting stories.
Riley: Yeah. So, I think when you look at Trinsic, we are, again, an infrastructure provider. And so, we see companies all across the spectrum using Trinsic to accomplish their verifiable credential use cases. Everybody from a car manufacturer to a B2B supplier, an invoice management solution to a consumer product application for events and concerts, to education and healthcare use cases, I think.
A use case that I really like, is the medical staff passport. It is something that’s easy to conceptualise, really, it’s an identity wallet that a provider, a physician or a nurse could use to prove that they have the correct credentials and qualifications to do that job.
And so, if you’re a physician that needs to go to a new hospital, to substitute for some staffing shortage or something. The way this works today is there’s a big, long credentialing process where the new hospital needs to spend a lot of time checking lots of different things to make sure that you are eligible to do your job. And still, there’s fraud that gets through. With a digital staff passport, a doctor could simply prove who they are much faster, prove their credentials much faster, and get to work serving patients much sooner. So that’s a use case that I think is pretty helpful and has been succeeding, I think there’s four or five projects that I’m aware of around the world that are that are doing that, including some that are being built on Trinsic.
But I think regardless of where you look across all of those different industries that I mentioned, you see a couple of common patterns. And one of those common patterns is – you often need to anchor that credential in something, some foundational verifiable credential. So, what we’re seeing is, you know, if you’re a doctor, and you want to get your credentials in a digital verifiable credential form. The first thing that you’ll do is not actually go get your doctor credentials. But instead, the first thing that you do is verify your identity, scan a government document and authenticate yourself against some authoritative, again, government type document. And then when you obtain your doctor credentials, you can then make sure that those match. And then when you prove who you are in subsequent interactions, it’s much higher trust. Because you can cross reference the two credentials, and that brings a high degree of trust.
And so, what we see across a lot of these use cases are people doing, sort of, an identity verification step. In addition, and that becomes the foundational verifiable credential, or reusable identity (as we call it) that anchors some of these verifiable credentials. And that step is something that we at Trinsic help facilitate as well.
Oscar: OK, so the very first identity verification. So, when you mentioned that for this healthcare professionals, credential, you mentioned, there are a few worldwide. So, will these initiatives, I don’t know how much if they are in production, or is still in development? I don’t know, but if you know enough about the difference of these projects, do you think they will become interoperable or they are following different paths? What’s your view?
Riley: Yeah, I think that, yeah, I think that they will become interoperable. It’s hard for me to say a blanket statement that every single one will definitely be. But yeah, but I think that many of these projects are based on the W3C Verifiable Credential Data Model. And if they’re not based on that data model, they’re based on something else that is very similar. And I think the important thing to remember as it relates to interoperability is there’s a little bit of a conflict, actually, between two very important things.
When you’re launching a product, you want the ability to move fast, to iterate on the form factor, and change things to the extent that they’re not working, and bring the best technologies to bear, to build the best product that you can for the customer. And at the same time, you also want interoperability and compatibility across applications. And these things come into conflict because in order to be interoperable or compatible with other applications, you sort of need to slow down and agree upon a set of standards. But to be sort of innovative and moving fast, you kind of need to speed up and be willing to throw away your old solution and replace it with something better. And so, what you get is this tension between innovation and interoperability.
So many of the solutions that you see out in the market today are not interoperable simply because they’re focusing more on the innovation side of the equation. And yes, there are proof points of kind of interoperability testing and interoperability suites that people can come into compliance to. But oftentimes, that’s kind of a steppingstone and will come into compliance with that. And then you’ll see another divergence of different attempts, and then they’ll sort of converge back to another point of interoperability at some point in the future. And so, it’s never quite as cut and dry as just interoperable or not.
And so, the important thing, before you build a bridge between your island and someone else’s island, you need to make sure there’s stuff on the islands for people to do, right? You need to make sure that people actually get to drive their car across the bridge. And so, in my opinion, the most important thing to do first, is get a product out there and get people using it and get happy customers where you’re solving their problem. And once you’ve done that, you can incorporate interoperability to make your product even better for those customers and solve even more problems. But I think trying to solve interoperability before you have a product in market is a little bit of putting the cart before the horse in some ways.
Oscar: Yeah, definitely. Definitely a good observation. And I agree that, yeah, you need adoption, you need adoption, you need to solve problems. To see that yeah, this new technology, this new product is really solving, solving problems for a big enough mass of users. And from that perspective also, my impression is that most of the companies who are building these products are not the big ones, right? Not the big companies, that’s my impression. So, it’s like, startup entrepreneurs, mostly. So how is the – are they doing profit in this space of verifiable credentials? What is, what you have seen?
Riley: Yeah, I don’t think I can say that there’s a, you know, hundreds of really successful, kind of, high profit generating companies out there. But there’s definitely companies earning revenue. To the extent that their revenues exceed their costs, I don’t know. But from a revenue standpoint, I think, you know, the key to making money with verifiable credentials is not the verifiable credentials. The key to making money with verifiable credentials is to – solving a problem with a customer. And to the extent that verifiable credentials can help you do that better and more effectively, that’s the extent that you will profit with verifiable credentials, right? So, you know, what we’ve seen is really not a whole cloth reinventing of the fundamental economics of the internet, or anything like that.
I’ve seen a few ways that people are making money. The first way is they build a consumer product that makes a person’s life better, and they charge the consumer for that product. Right? Password managers cost a few bucks a month. CLEAR is an identity product that you might see in airports, especially in the United States, you know, where you can skip the line at the security by enrolling in this identity company called CLEAR. These are examples of consumer products that consumers pay for because it makes their lives a little bit easier.
And I’ve seen verifiable credential type products that do the same thing. I’ve also seen products that solve a problem for our business, and they take, maybe it’s a subscription revenue, maybe it’s a usage-based fee for that. And they follow the software as a service playbook that is sort of tried and true. And, you know, this is – I mentioned the doctor, kind of the staff passport solutions a minute ago.
And I’ve seen some of these types of solutions that have done really well by leaning into a vertical, a vertical software approach. And using the kind of verification of individuals and employees of a given hospital or something like that, as a benefit, a value-add to their existing software as a service product. And so that just sort of strengthens their revenue proposition there.
And then the third way that I’ve seen are companies that are already doing some kind of an attestation, but in a non-verifiable credential way. So, for example, this might be an identity verification company, a background check company, a student ID verification company, and the list goes on.
And I’ve seen, you know, these kinds of companies incorporate reusable identity or incorporate verifiable credentials into their product. Or in other words, issue their attestation as a verifiable credential, instead of just simply, you know, an API response, and continue charging the same business model that they always have, and actually make more money than they were making previously. Because now that it’s a reusable credential, people can use it more places than they otherwise would have. Or it becomes their go-to resource for authenticating themselves, which then leads to even more revenue for the attestation provider. So, these are a few ways I’ve seen people make money with verifiable credentials, and then our fundamental kind of transformations of the business models that may have come before.
Oscar: Yeah, but it’s very interesting to see that there is value generation on top of solving problems and solving people’s problem. Excellent. So, one, relatively new term that is relatively new is wallets. And that is a term that I feel that is already reaching the masses, so people hear about that more commonly at this point, 2023, that we are having these conversations. So, what is the relationship between – or the connection between verifiable credentials and wallets?
Riley: Yeah, it’s pretty simple. I think the easy answer is wallets are where your verifiable credentials are stored. So, you get – just like in real life, you obtain a driving license. Where do you put it? Well, generally speaking, you put it in a wallet. And in a verifiable credential world, that holds true. I think this breaks down just a little bit if you think about wallet in the way that most people use the term. Most people associate a wallet with payment of some kind.
So today, your verifiable credentials are unlikely to fit inside of your Apple wallet. They’re unlikely to fit inside of your crypto wallet. They’re unlikely to fit inside of some other things, which are called wallets today. But I think that’s just a function of the maturity of the technology. I think, you know, we’ll get there.
For now, the term that I use are ID wallets, right? They’re sort of wallets that are built for verifiable credentials. And today, they sit alongside other kinds of wallets. So, in the Web3 space, we have some customers in that world. And for the users of their products, the ID wallet is a separate container or a separate data store or separate wallet that sits alongside or next to a crypto wallet for those Web3 applications. And, you know, in a Web2 world, again, a user ends up getting a wallet, oftentimes, they don’t even know that it is a wallet, they don’t even know that we refer to it as a wallet. To them, it’s just storage of their verifiable credential, or of their staff passport or something. But, yeah, hopefully that helps.
Oscar: But the ID wallet that you mentioned, it’s also from a normal user perspective, you just want one more app in the mobile, something like that?
Riley: Yeah, it could be an app. It also could not be an app. I think oftentimes if you are requiring your user to redirect out to an app store, download an app, authenticate to the app and get onboarded through the onboarding screens, and then obtain a verifiable credential. Also, that they can verify themselves and get the thing they actually want, that user experience becomes pretty tricky.
So, while we have seen some apps, you know, mobile apps, you know, succeeding and that is a model that is definitely a viable option. It definitely should not be the only option. And I think we’ve even seen web-based wallets or cloud-based wallets really taking off in much, much greater numbers than a lot of the mobile app wallets that we have, that we’ve seen. And I think it’s just a function of the friction required for a user to go through that journey is just so much less.
So yeah, it could be an app on your phone, it could be embedded into an existing app you already use. Or it could be a web resource that you, you know, authenticate to and get access to your credentials that way.
Oscar: Looking at the future from where we are now, what do you say is needed in order to see a broader adoption of verifiable credentials?
Riley: Yeah, I think we need more products, and more focus on product. So, you may have kind of heard from some of my previous answers that I, you know, I tend to think a lot about adoption. I think a lot about product. And I think a lot about business models. And that’s obviously because of my background. You know, I’m not an engineer by training.
But I do think that a lot of times, people get a little bit lost into the weeds with the technology. There’s a lot of cases where, you know, we’re talking about theoreticals in the technology, before anybody is actually using the product and we’re sort of holding up these, you know, certain technology principles as gold standards or best practices. When in reality, many verifiable credential approaches do not have product market fit yet. And so, we could build the most amazing, elegant, utopian technological solution. But if nobody uses that solution, then what’s the point?
So, I think really, the thing we need to focus on so much more is adoption and product execution over anything else. The technology is there, it’s good enough, it’s plenty good enough. It’s been good enough for – I mean, four years ago, literally, we launched the first version of our product, which allowed any developer to issue a credential within five minutes on Sovrin. And then a few weeks later, we expanded it to where there was a dashboard where even a non-technical person could issue credentials within five minutes.
So, the technology has been really accessible for a long time now. And when we look at our customer base, and we look at the success rates, and then we try to correlate those success rates with something and see what predicts success in this market. Every single time it comes down to product execution, and just being focused on solving a real problem for people. And so really what we need to get more verifiable credential adoption, is we just need – more of that, more problems being solved for businesses and people who are willing to pay for it. Right?
Oscar: Yeah, I agree. All right, thank you for the explanation of what’s going on in verifiable credentials. And I agree with a lot of your views on the focus on solving problems. So, leaving us with a final question, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Riley: Well, I am going to piggyback off my last answer for this one, Oscar. I’m going to say, if you are a company that has an identity product, or some kind of attestation service for people, or something like that. You should write on your agenda to explore how verifiable credentials could augment your business, because it’s likely that there’s some startup out there that is sort of doing something using verifiable credentials in your space or an adjacent space. And, you know, and they’re learning fast about what’s working and what doesn’t, and what this new world will look like. And so, as the world moves to fully digital and moves to reusable identity, the ones that sort of obtain those insights fastest and move first are going to get a lot of the benefits. And so, that’s the first thing.
If you are not in that category of a company that would sort of incorporate verifiable credentials, then the action item that I would give to you is to be a user of one of these products. And if you can’t find a product that uses verifiable credentials, if you can’t find an ID wallet that solves a problem for you, that’s maybe a little bit of an indicative of where we are as a space. But if there is something that you can use and try out and actually use it in the real world to solve some problem for you, I encourage you to do it, give it a try and give feedback to the developer of that product and let them know your experience. Because these are the kinds of things that will drive adoption of better identity systems in the future than what we have today.
Oscar: Yeah, definitely. Oh, thanks a lot for this very interesting interview, Riley. Please let us know how people can follow the conversation with you.
Riley: Yeah, I – so the first thing I’ll say is that we do a podcast as well. This has been a blast, Oscar. This is a great podcast. I love it. I think if you’re interested in reusable identity, specifically, and diving deeper into some of the stories of companies that have launched reusable identity products, or verifiable credential-based products out into the wild, I have a podcast that we do, called The Future of Identity podcast. And so that’s what I would encourage you to check out.
If you’re interested in following me or getting in touch, you can email me at [email protected]. Find me on Twitter @rileyphughes. I’m also accessible on LinkedIn. If you search my name, I’m sure you’ll find us. And I’m always open to feedback and love the conversation so please reach out if you think there’s a way we could work together.
Oscar: Yeah, thank you and indeed I’ve been listening to your podcasts, The Future of Identity, so it’s highly, highly recommended. So, if you want to learn more in identity especially the topics that Riley has been bringing us today. So again, thanks a lot Riley for joining us. And all the best.
Riley: Thanks, as well, Oscar. You as well.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
In this series opener of Season 5, Drummond Reed and Andy Tobin join Oscar to explore vLEIs and Self Sovereign Identity (SSI). They explore what LEIs and vLEIs are, how SSI principles are used within vLEIs, the benefits of vLEIs, which sectors and industries will benefit the most, and some use cases of where the vLEI has been leveraged.
[Transcript below]
“If LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding.”
Drummond has spent a quarter-century in Internet identity, security, privacy, and trust infrastructure. He is Director, Trust Services at Gen, previously Avast after their acquisition of Evernym, where he was Chief Trust Officer. He is co-author of the book, ‘Self-Sovereign Identity’ (Manning Publications, 2021) and co-editor of the W3C Decentralized Identifiers (DID) 1.0 specification. At the Trust Over IP Foundation, Drummond is a member of the Steering Committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he served as co-chair of the Sovrin Governance Framework Working Group for five years.
From 2005-2015 he was co-chair of the OASIS XDI Technical Committee, a semantic data interchange protocol that implements Privacy by Design. Drummond also served as Executive Director for two industry foundations: the Information Card Foundation and the Open Identity Exchange, and as a founding board member of the OpenID Foundation, ISTPA, XDI.org, and Identity Commons. In 2002 he received the Digital Identity Pioneer Award from Digital ID World, and in 2013 he was cited as an OASIS Distinguished Contributor.
Connect with Drummond on LinkedIn.
Andy Tobin leads European and eIDAS strategy for Gen’s Digital Trust Services business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym as the world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date.
His career has spanned the three rapidly converging sectors of identity, mobile and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2bn mobile messaging network and been CTO for Europe’s first fully mobile bank. He is a passionate technology strategist who believes that the identity ecosystem and the personal information economy is poised for massive change, enabled by the capabilities being built right now by Avast.
Connect with Andy on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 96.
Oscar Santolalla: Welcome back to Season 5 of the Let’s Talk about Digital Identity podcast. In this series opener I am joined by Drummond Reed and Andy Tobin, from Gen Digital, joining us to delve into vLEIs and Self-Sovereign Identity (SSI). Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar: Today, we are very happy to have two expert guests, Drummond and Andy. And today, we are going to discuss vLEIs and what is the connection with self-sovereign identity.
First of all, we have Drummond Reed. He is Director of Trust Services at Gen, previously Avast after their acquisition of Evernym, where he was the Chief Trust Officer. He is co-author of the book Self-Sovereign Identity, published by Manning Publication in 2021. And he’s co-editor of the W3C Decentralised Identifiers, DID 1.0 Specification. At the Trust Over IP Foundation, Drummond is a member of the steering committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he serves as a co-chair of the Sovrin Governance Framework Working Group for five years. Hello, Drummond.
Drummond Reed: Hello, Oscar. It’s very good to be here.
Oscar: Welcome Drummond. Our second guest is Andy Tobin. Andy Tobin leads European and eIDAS strategy for Gen Digital’s Trust Services Business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym, as a world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date. His career has spanned the three rapidly converging sectors of identity, mobile, and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2 billion mobile messaging network, and been the CTO for Europe’s first fully mobile bank. Hello, Andy.
Andy Tobin: Hi, Oscar. Nice to be here.
Oscar: Welcome as well. I’m very happy to have both of you, Drummond and Andy.
So, let’s talk about digital identity, and as usual in this show we want to hear a bit more about our guests. So please, both of you tell us a bit about yourself and your journey to this world of identity.
Drummond: Oh, the journey. I don’t think we have long enough in this podcast to cover the whole journey. Yes, I’ll just say, originally, I was very interested and focused on solving problems of what we’d now call decentralised data exchange, and how people can share data, sort of directly peer to peer over wide area networks, like the internet, when it was first getting going. And I had no idea that to do that you actually had to solve the problem of digital identity and trust. And so, working on that led me over into this area.
We didn’t even call it identity when first working on it, we just said, “Hey, there’s this challenge that you have to be able to establish a trust network.” And it turned out that the problem there was identity. And doing that on a decentralised basis. And at that time, when I was working on it, it was really centralised identity. Where you have an account with every different system you were interacting with. That was the norm, and it was – the pain was such that we had to have some solution to that. And so we thought it was federated identity, where you could take one account and reuse it in a whole bunch of other places. And in the end that’s what most people encounter with social login. The login with Facebook, or Google or Twitter now X, whatever.
And so, we spent 15 years and three generations of standards developing a federated identity. And it seemed like we could get there and then it just – we hit the ceiling. It just – federated identity by putting an intermediary in there made it – you could solve certain problems, but you couldn’t solve others. And then blockchain came along and sort of taught us, “Oh, there’s a way to make this fully decentralised that actually simplifies things tremendously.” And so that era, I really mark it starting in 2015, 2016 that’s when Evernym came together, which is where Andy and I met. And we’ve been working on decentralised ever since. Over to Andy to talk about his journey.
Andy: Yeah. Thanks, Drummond. I think the thing I like to look at most frequently, and that gets me most engaged is – seeing how megatrends that emerge affect existing businesses and capabilities. So, I’ve seen, for example, the digitisation of payments happening. And then digitisation of telephony happening and the emergence of mobile phones. And then the digitisation of commerce through the internet.
And with the digitalisation of identity, we’re seeing really something a little bit different, which is – we need to have the ability as people to identify ourselves or prove things about ourselves – it doesn’t need to be identity, it could be anything – without having to rely on anyone else to help us really to do that. So really, we’re looking at a return, if you like, to the world we used to inhabit where you could go along with a piece of paper and show it to someone, like a passport, for example, and say, “Hey, look, this is me.” We don’t have a digital way of doing that.
And so, there’s lots of, what I call, work around solutions in place and Drummond’s just talked about a bunch of them that fudge the problem. The problem is solved properly by giving people digital versions of the paper documents they’ve got and giving them to those people in a way that enhances their privacy and security online. And when you have that capability, you can apply it equally to companies who find it very difficult to prove who they are online, and also to things as well.
And as we move into the next megatrend of artificial intelligence. Underpinning artificial intelligence is – how do you know who or what is at the other end. And as it gets much easier to fake everything, there’s going to be an explosion of trust issues. And if we can solve that with some of the techniques that we’re working on, which we can, artificial intelligence gets a lot less scary.
Oscar: Yeah, indeed, through your life, I could see the reasons why this topic of self-sovereign identity had to happen. But just a few years ago it is getting mainstream finally, in these very recent years. And now we talk also about the future, there’s a lot, a lot of problems to solve still.
In this conversation, let’s go into a much more specific topic related to self-sovereign identity. This is going to be about vLEIs. But to give a bit of context, if one of you could throw out a simple definition. What is an LEI?
Drummond: The LEI, that’s pretty straightforward. In fact, what’s ironic is an LEI is really a classic, what we would call federated identifier, it fits into that second category. And that’s because – so it’s, to be very, very concrete, it’s a 20-digit identifier of a legal entity. And it’s important to clarify that term legal entity, because it can – in some legal jurisdictions, a legal entity is either a person or a corporation. They call it a legal person.
But what LEI means is – the legal entity in LEI means – a legal entity that’s not a person. So, anything that’s a legal entity that’s not a person – a corporation, a partnership, government agencies, whatever it is, it’s to identify what we would generally call an organisation.
And so, the LEI is a 20-digit identifier, and then it is issued. GLEIF, the Global Legal Entity Identifier Foundation, is a public-private partnership that operates the GLEIF LEI system. And they’re based in – it’s a Swiss nonprofit, it’s headquartered in Frankfurt. And they oversee I think it’s roughly in the mid-30s, the number of, they’re called Local Operating Units or LEI issuers around the world.
They have to be qualified, and when a business or organisation wants an LEI, they have to apply for it. They have to basically go through what we call identity proofing for individuals, but this is for an organisation. You have to prove, yes, whoever is applying is a legal representative of that organisation. They have to provide their local business identifiers, like identifiers that they’ve registered like a corporation ID or a tax ID in one or more jurisdictions, and some other what they call reference data. And that entry, the reference data entry, is then associated with the LEI. It’s all verified and then the LEI is issued. It’s good for a year. You have to renew it every year and it goes into a global database, a public database, anyone can check to verify the LEI for an organisation.
Oscar: Very, very good explanation. And so, something that caught my attention, you mentioned that it’s still the federated model, right? So, which it is –
Drummond: Yes.
Andy: There’s a central body that is in charge of the governance of the whole LEI capability. And there are, as Drummond said, regional bodies that do the actual certification. But they’re all approved by the central body as well.
Oscar: Exactly.
Drummond: Right. So that makes it a federated identifier system, which is going to set up this wonderful conversation we have about how that fits into the SSI model.
Oscar: Exactly. So now let’s move to – what is vLEI?
Andy: So vLEI is a digital equivalent of an LEI, so Verifiable Legal Entity Identifier. Now, when I was contacted by Stephan Wolf, the Chief Exec of GLEIF, years back now, six years ago probably, who had been following this emergence of SSI very, very closely and thought there’s something in this. Because underpinning self-sovereign identity is a technology called verifiable credentials.
And verifiable credentials are packets of data, they can contain anything that can be passed from an issuer to a holder. So, an issuer, like an LEI issuance body, to a holder, like your company. And that holder can then present that data and it can be verified by a verifier, which could be a tax authority, a government, another company, instantly as being authentic and the integrity of the data is preserved. So that’s the technology underneath it.
And what Stephan wanted to know was – how these verifiable credentials could be used for LEIs. Because he could see the direction of travel, of the digitisation of identity documents and paper identity information. And he saw that if LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding for bank accounts, for example, supply chain management, et cetera.
So, we sat down and included also Karla and Stephan from GLEIF, I think it was in an office in Canary Wharf, and we designed the way the vLEIs would work.
We designed a cascading chain of authority that allowed a local LEI issuance body to be certified by GLEIF and have a credential themselves that says they are a certified LEI issuer. And they were then able to issue these vLEIs to companies. It’s essentially a very similar set of information, but a bit more detail in there, than in the LEI. But issue that as a verifiable credential to a company, and the company would keep that in a digital wallet that the company runs.
But enhanced on top of that is that then employees of that company could prove that they work for that company. And those employees could themselves have verifiable credentials saying, “I’m an employee of Gen, and Gen is this business with this vLEI. And you can check the vLEI is authentic, because it came from this vLEI issuer. And you can check the vLEI issuer is authentic because it came from GLEIF.” So, you can run all the way back up the chain.
And then you can also add the ability to provide employees with – for example, confirmation they’re allowed to submit accounts to the tax authorities. So, it could be – “Andy Tobin, who’s a member of Gen is allowed to do X”. So, you end up with a cascading hierarchy, which is driven by the vLEI as the identifier for the company and then that being chained into lots of other relationships relating to that company and to the employees of that company.
Oscar: And how do the vLEI use the self-sovereign identity principles?
Drummond: OK so, as I mentioned earlier, the definition of a federated identity system is it has one or a relatively small group of organisations that almost – in fact, I’ve never heard of a federated identity system with an individual that runs it, they are always organisations or governments that run it at the centre. And then there, it’s federated around them. So, for instance, when we’re using social login, it’s Google, Facebook, X, LinkedIn, they’re the – called the identity providers. You have an account there, and then you go use it in other places.
And so, the GLEIF LEI system, as we said earlier, it’s a federated identifier system. GLEIF is at the centre, they authorise a set of the LEI issuers around the world, and they issue the LEIs. And that’s how you can sort of trust the whole thing. So, some folks look at that and say, “Ah, well, that’s a federated identifier system, how is this self-sovereign?”
So, with self-sovereign identity, as Andy said, it’s all about the entity that is being identified that needs to prove their identity to anyone else. Having a digital wallet, and a set of credentials they can use to prove their identity.
What GLEIF did with the vLEI was say – Hey, we are a federated identifier system. But we can provide verifiable credentials as one issuer, one hierarchy of issuers to organisations around the world, any place that can in turn, as Andy explained, then issue the next credential in the chain to their employees, or their contractors or their alumni or anything to prove their relationship with the legal entity that then can prove its relationship to the issuer and all the way up to GLEIF.
Fundamentally, what Stephan Wolf and Karla McKenna and the GLEIF team saw was, we can take a federated identifier system, and actually bring it into the world of self-sovereign identity credentials, digital credentials, from hundreds, thousands, to maybe eventually, millions of different issuers, that all serve as what we call Root of Trust, right? And, yes, GLEIF is one Root of Trust, and the whole GLEIF, what we call digital trust ecosystem, it may end up being one of the largest in the world. And it’s very important, I think, to note that it is adjacent to – it doesn’t replace government issued identifiers to organisations, but it’s adjacent to it, and it’s worldwide.
It is – the G is global. So, you can get an LEI and any entity in the world, any legal government or other entity can recognise it, and then translate it to the local identifiers that it might need. But that credential, once it’s issued into a digital wallet, is just like any other credential in that digital wallet. It can be used for that entity, in this case, an organisation, to prove its legal identity any place that’s needed. That is exactly what self-sovereign identity is about.
Andy: And I think it’s really worthwhile here describing the incentive. So why is this interesting, right? Why is a vLEI interesting? And at the moment, it’s very, very difficult for a company to prove that it’s a legitimate company and it has a bunch of certifications, it’s got the right ecological credentials, it’s got the right qualifications in place to operate as a company in the business it does. And that causes huge problems for supply chains.
As an example, I was talking to some very large pharmaceutical companies, we call them big pharma in Switzerland about this very problem. And they spend millions and millions and millions and millions of Swiss Francs trying to work out who is in their supply chain. And they kicked off something called Pharma Ledger, which was an initiative to use this concept of digital identity for companies and the qualifications and certifications they have, to allow an onboarding of a new supplier in a few seconds rather than weeks and weeks and months.
And the same thing with banking, it’s very, very difficult for a company to get a bank account. You’ve got to supply lots of pieces of paper, you’ve got to send them in, they’re going to be notarised and signed by somebody. It’s horrendously complex, and very, very slow and very costly. So, the dream here is instantaneous, you know, a few seconds verification that a company is legitimate, and the person acting for that company is legitimate. And the potential savings are in the billions and billions and billions of dollars worldwide. So that’s why people are interested in it. And I think people get a bit hung up on the tech under the skin. And this term, self-sovereign identity, which I kind of wish we’d never promoted in a way because it’s about…
Oscar: Scary.
Andy: … the credentials under the skin, rather than yeah.
So, this ability for an organisation to have verifiable data about itself digitally, which anyone can check is authentic. Without that company having to go back to GLEIF and say, “Hey, please give me a new version of this that I can use today.” That’s the sort of self-sovereign, the company has this information, they can use it wherever and whenever they want, for whatever reason they want. And the verifier can, or the recipient can check it’s authentic, instantaneously. Even if GLEIF ceased to exist, you could still do that.
So that’s the big picture here. And the vLEIs are one aspect, but a very important aspect of this new digital ecosystem for organisations. There’s an anchoring credential that says this company is this company. In some jurisdictions, you legally have to have an LEI – vLEI makes things a lot easier. So, it’s the anchoring credential that says this company is this company, and then you can hang lots of other verifiable credentials on the back of it as well.
Drummond: I want to make the point that Andy just made. So, the LEI, because of its cross-jurisdictional characteristics, is legally required in certain jurisdictions for certain kinds of transactions. For instance, in Canada, if you’re involved in the financial services industry, you have to have an LEI. The regulators, and GLEIF has a board of I think it’s roughly 72-75 regulators from around the world. It’s called the ROC, the Regulatory Oversight Committee. Those regulators are now – the next step is to start to mandate the vLEI. Because the regulator is saying, “Hey, it’s really expensive for us to have to verify, audit companies and the records and everything when we have to manually process papers.” So, they’re basically saying you must do these things digitally. The Securities and Exchange Commission here in the United States requires electronic submission of reports.
So, the emergence of the vLEI as a credential, for example, digitally signing those submissions to regulatory authorities, is starting to be mandated by regulators. And I expect it’s just going to grow and grow and grow. And so, in certain places, organisations, as part of their formation and maintenance, they’re going to get and maintain vLEIs in order to be – handle their regulatory documents. That’s at a minimum; there are many other uses.
Oscar: Yeah, indeed, you explained very interesting cases, problems that are being solved by this concept. And also, when you put it in numbers, it also sounds very convincing. Indeed, to understand a bit more what is – how does it work in practice, I think you have explained pretty well.
But let’s say, if I want to visualise, ‘so what is the vLEI?’ So vLEI is – will be registered in an app? So where can I see if my company has registered a vLEI, where can I see it?
Andy: Yeah. So, vLEI, we need to introduce here the concept of an organisational wallet. So, you’ll be familiar with digital wallets that you might have on your phone at the moment as a person, so an Apple wallet and a Google Wallet. Gen has launched its own digital wallet called MyD and there are others that are being launched as well.
So digital wallets are going to be huge. And there’s going to be a big fight about who’s going to have the best digital wallet. And a digital wallet is a container that you put these verifiable credentials in. And in the case of you, as a person, that might be a digital version of your passport. In Europe, it might be the new personal identity data credential from eIDAS. They could be a driving license, a boarding pass, et cetera.
Imagine the same thing for a company, rather than sitting on a phone, it’s going to reside probably in a server somewhere. I guess it could sit on a phone. But it’s the same concept. It’s a secure container that will hold a company’s credentials, including a vLEI. And that’s just like your own wallet, you control that wallet yourself, and you have a fingerprint or something else.
Access to the organisational wallet will be most likely controlled by a number of people who have credentials that they can use, that will prove that they work for that company, and they have the right to access and execute transactions from that wallet. So, you can see the way the personal credentials and organisational credentials come together. And a vLEI will sit in an organisational wallet, it could manifest in many different ways. It could be embedded in the enterprise planning software that that company has. It could be in a cloud-based software facility that the company is using, well, names like SAP workspace, that kind of thing might do something like that. I don’t know if they have or not, but it would be logical for them to do so.
So that’s how the vLEI would manifest. And it would be used when a business transaction requires the company to prove something, prove who they are, prove they’re a legitimate organisation. And a lot of those interactions at the moment are handled fairly manually, something will pop up into somebody’s queue. And then they will have to go off and do something and then they’ll go in and fax some document that they’ve had signed by some notary or whatever it might be.
In this new world, all that gets digitised and happens in milliseconds. So, requests will come in digitally saying, “Hey company, please prove who you are.” The organisational wallet will respond back immediately saying, “Here’s my vLEI. You can go verify it.” And that will be verified instantly. So, the business process improvement you get from this, this is what this all comes down to is optimising and digitising business processes that so far had been too expensive or complex to optimise. There’s been no good way of doing it. vLEIs are the key enabler that helps you to get those digitised business processes working.
Oscar: Yeah, excellent. The concept of organisational wallets I think it’s something that yeah, it’s – well, it’s new in this equation of the LEIs as compared to how we see it today.
You have already explained some examples of some industries in which vLEI will help tremendously. But if I ask you what are the top industries or sectors that will benefit the most, which ones would they be?
Drummond: I’ll start out with one of – what has become one of my very favourite examples. And I’m going to do that by reading you some texts that I have recently received. The first one is, “Hello, are you the dentist that Candy introduced me to? When do you have time?” The next one is, “Your Amazon – spelled with a little accent in it – your Amazon has been locked. Click here to fix all your bills”. My Netflix subscription is on hold. I have to renew that one. And then “Hi, it’s Hillary, can you join me for lunch as you promised?” OK? I get – I don’t know about anyone else. I’m getting several of these a day now.
It’s called smishing. Right? It’s SMS phishing. They’re just trying to get me to respond, to click a link, to do whatever. So, you know, spam and phishing attempts have moved into our phones. And of course, they’re also, they’re hitting me now on iMessage, on WhatsApp. We’re getting to a level where yeah, we’ve learned to live with spam in email. But when it starts hitting our phones and our most intimate ways of communicating, it’s not just a pain. All right, a lot of money is lost that way, and it erodes confidence in our most important communications infrastructure.
So, my personal favourite use of LEIs, vLEIs – well both actually. Because if we’ve never said it, we want to make it clear, the vLEI credential contains the LEI as one of the pieces of the data in it. So that’s how it all ties together. It is going to be used for signed, digitally signed text messages. Initially it will be used by the telcos themselves that deliver that message. They will do the filtering out of the spam because they will be able to basically differentiate and say, “Oh, this is a digitally signed message from a legitimate company, and we can deliver that.” Give it the green light to the consumer and anything else is going to be suspect.
That doesn’t mean that suddenly you’re going to stop getting any smishing attempts. But it’s going to introduce a fundamental solution that over time will, I think, essentially stamp out that industry. And this is not theoretical, there are several companies working on putting this in place. I think it’s going to start going operational in 2024. So that’s one example.
Andy: Yeah, I think I’d add in any regulated industry, banking particularly, especially corporate banking, where you need to know who the corporation is, and there are so many rules coming in about identifying which corporate you’re dealing with. This was one of the main use cases when we were designing vLEIs in the first place with GLEIF, which was if you’ve got a corporation, you need to find the ultimate beneficial owner of that corporation in order to give that corporation a bank account.
If that corporation has a bunch of shareholders and those shareholders are other corporations, and some of those corporations have shareholders that are other corporations, you get an exponentially worsening problem of trying to work out who everybody is, because they all have to provide information about who they are and who their shareholders are.
And this was the case with Evernym when we set up little Evernym in the UK in 2017, I needed to get a bank account. And to get that bank account I had to prove who Evernym UK was, and the ultimate beneficial owner of Evernym UK was Evernym, Inc. in the US. And Evernym, Inc. had a bunch of shareholders. And I then had to prove who all those shareholders were. And this involved getting the largest shareholders, over 10%, to provide documentation about who they were and notarised certificates and so on and so on. And the ones that were corporates then had to give me their shareholders. And I think it took eight months to get the bank account set up, which is insane. So, you can imagine the potential benefits there.
I’d also point as well to the European eIDAS program, eIDAS 2.0, which is the next evolution of the European digital identity scheme. There are four consortia working on large-scale pilots now. One of them that Gen is in, called EWC, has two use cases for people, which is travel and payments, and a use case for organisational identity as well. And that’s been championed by the governments of Sweden and Finland. And it has got a lot of traction now, because the same technology that is being used for credentials, for people and personal wallets, can be used for organisations as well.
So, I see a lot of potential for vLEIs and other organisational credentials, like VAT number and tax identity and Companies House type information, to be provided digitally in that way to transform business processes corporate to corporate. But also in our human use cases with people. If I’m using my eIDAS wallet to book travel, the vLEI or organisational credential will allow me to check the travel agency I’m booking it with is legitimate. And whether they’re ABTA based and certified and whether they’re the right company, all of the problems that Drummond outlined, these scammers pretending to be companies, those will go away because I’ll be able to instantly verify if a company is authentic or not.
Oscar: Yeah, you have listed at least three very important sectors, industries, in which it’s very clear the benefit that will come. We know that vLEIs are available now, you have explained pretty well the cases, how they can help to solve these problems. When do you estimate that the full benefits will be realised? So, we are still in 2023, when would we say is the time at which, OK, the vLEI has made a massive impact?
Andy: Yeah, it’s a good question actually. I think in Europe with the eIDAS program running, I think that’s going to be a big catalyst. And we’ll see how that evolves, these large-scale pilots are going to run for two years. And the actual eIDAS regulation when it comes into place, the governments of the EU will have two years to implement it and get wallets issued.
I think we need to look back at the incentives, and companies move quickly when the incentives are big enough. So, there’ll be a number of market-proving pilots that happen and the output that comes from those will say, “Hey, this is actually real. It really works. And here’s how much you can save.” When the suppliers of software that businesses use to run their operations start embedding vLEIs into their businesses, just like email, or just like, you know, web pages, it’s going to be completely transformational at that point.
Drummond: Exactly. It really depends on the industry and the use case. I compare the adoption of SSI digital wallets and credentials, there’s a precedent, the adoption of the web, right? It won’t happen everywhere all at once. OK, that’s not how these things ever happen. Right? It’ll be particular, just like you had certain websites, it started out with physics websites, right? And then authors got involved and said, “Hey, this is a great way to publish.” And eventually we had blogs and things like that. And then pretty soon the web is pervasive.
We’re working the same way. There are pockets, as we said, you know, like the smishing problem. I think one of the important things to keep an eye on is governments are, you know, they’ve inherently been in the identity industry. They always are, because they’re foundational issuers of identity. And some governments, forward-leaning governments that have gone straight to it, or are seeing the benefits, have already moved in. One of the ones I’m closest to here in Seattle is the province of British Columbia in Canada, which already has a digital wallet that’s all based on open-source code that’s in market, and they’re starting to issue credentials to British Columbia citizens. And they’re already using vLEIs for organisations.
Another of my most favourite examples is the small but very influential country of Bhutan, which has basically said, they just adopted a National Digital Identity Act, implementing or mandating a self-sovereign identity infrastructure for the whole country. And that will require LEIs for every legal entity that is signed up and going to be part of that SSI ecosystem. Every organisation, every bank, travel agency, grocery store, it doesn’t matter, if you’re in the Bhutan SSI ecosystem, as an organisation, you sign up and have to get an LEI and a vLEI to participate in that. So that’s the kind of thing that can really generate large adoption.
Oscar: Indeed, yes, super interesting discussion about vLEIs and the state of self-sovereign identity. I’ll ask you a final question for both of you. For all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Andy: I think that one would be to get up to speed on vLEIs and verifiable credentials, generally. Not to worry too much about the technology under the skin and keys and encryption and DIDs and so on. But to understand the business implications of digitising processes that they haven’t been able to digitise so far, and the benefits to them of doing that.
There’s a significant competitive advantage to a business, to digitise processes that a vLEI will enable you to do. And the companies that do that soonest, or a bank, for example, if a bank can onboard a corporate customer in 10 seconds, instead of 10 months, they’re going to have a massive, massive advantage competitively against the other banks in the market. So that’s where the prize is. So, they need to understand the implications.
And generally, I think, what would be the word, get into the program. That’s probably not the right way of saying it, but it’s about understanding what is coming down the line. And if they don’t move fast, then somebody else will out compete them very, very quickly. It’s a bit like the early days of the web, get online, get digitised and if you’re not, you’re not in the game.
Drummond: Yeah, I think we clearly saw with the web, those companies that got a website early and started to have a digital presence, they significantly expanded. In some cases, they completely dominated new industries, because they went fast.
I’m going to provide a very, very concrete step. If your organisation doesn’t have an LEI today, just a regular LEI, just go check out the GLEIF website. You’re going to find very easily how you can get one and go through that process. It doesn’t necessarily take very long, but it will educate you about that. And then ask your LEI issuer, whoever you choose, “Are you issuing vLEIs? When will you be issuing it? Educate me about that.” And you know, just start to climb the path.
Oscar: Yeah, indeed, very actionable. Thank you very much, both Drummond and Andrew. It was a fascinating conversation with such experts in this topic. So finally, tell us if someone would like to follow you or continue this conversation with you, what are the best ways?
Drummond: For me, yeah, @drummondreed on X. It’s the first time I’ve ever had to say that on a podcast, and it just doesn’t sound the same.
Andy: Does that still exist?
Drummond: Yeah, I’m really seriously worried about it. I, you know, I’m finding it degrading and I’m not sure how much longer I’m going to use it. Or [email protected]. You can contact me via email too.
Andy: Yeah. And I’m [email protected].
Oscar: And are you at X, formerly known as Twitter?
Andy: I am but I’m broadcast only because it’s just too much hard work. LinkedIn is kind of interesting. You can find me on LinkedIn as well. I write on the topic of digital identity and verifiable credentials and eIDAS quite frequently and I know Drummond does as well.
Drummond: Yeah, yeah, we do. And I’m more and more paying attention to LinkedIn that way.
Oscar: Fantastic. Again, thank you very much for this conversation and all the best.
Andy: Thanks, Oscar.
Drummond: Thank you, Oscar. You bet.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
In episode 95, Elizabeth Garber and Mark Haine, who were editors on the Global Assured Identity Network (GAIN) paper, join Oscar to share the latest updates for GAIN, including recapping what GAIN is, the challenges that have been faced, alongside successful case studies and what developments we can expect to see for the future of GAIN.
[Transcript below]
“It’s all interconnected with standards development and has a really big impact on how identity systems will work, interoperable, in years to come.”
You’ll remember Elizabeth Garber, who was one of the lead editors of the GAIN paper – we interviewed her in episode 52 (back in October 2021).
Elizabeth has a long background in Customer Strategy and Product Management. She has also led the Open Digital Trust Initiative at the Institute of International Finance and co-chairs the OpenID Foundation’s GAIN technical proof-of-concept, which strives to create globally interoperable networks for exchanging high-assurance identity information. Since we last interviewed her, she co-founded IDPartner, a venture-backed startup that puts people in control of their digital identities. It will be a key player in any Global Assured Identity Network (GAIN) as interoperable networks begin to flourish.
Elizabeth and Mark recently published a draft paper for the OpenID Foundation called “Human-Centric Design: a primer for government officials” which is all about how to design identity systems to sustain and promote human rights. It is open for public comment – and may feature on a future episode. You can find it on the OpenID Foundation website and blog, openid.net.
Connect with Elizabeth on LinkedIn.
Mark is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate risk in financial services.
Through Considrd.Consulting Ltd., Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as Co-Chair of the eKYC & Identity Assurance Working Group and is a co-author of the OpenID Connect for Identity Assurance specification. Mark is also a board member of the Open Identity Exchange.
Connect with Mark on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 95.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello, everyone. You will remember Elizabeth Garber, who was one of the lead editors of the GAIN paper. We interviewed her in episode 52, late in 2021. Elizabeth has a long background in customer strategy and product management. She has also led the Open Digital Trust Initiative at the Institute of International Finance, and she co-chairs the OpenID Foundation’s GAIN technical proof-of-concept.
Since we last interviewed her, she co-founded IDPartner, a venture-backed start-up that puts people in control of their digital identities. This will be a key player in any Global Assured Identity Network, as interoperable networks are beginning to flourish.
We have a second guest. Our second guest today is Mark Haine. He is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate risk in financial services. Through Considrd.Consulting Ltd., Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as co-chair of the eKYC and Identity Assurance Working Group and is co-author of the OpenID Connect for Identity Assurance specification. Mark also is a board member of the Open Identity Exchange.
Elizabeth and Mark recently published a draft paper for the OpenID Foundation called Human-Centric Identity: a primer for government officials, which is all about how to design identity systems to sustain and promote human rights. As we speak, it’s open for public comment. You can find it on the OpenID Foundation website – openid.net. So, let’s get started.
Hello, Elizabeth. Hello, Mark.
Elizabeth Garber: Hi.
Mark Haine: Hi.
Oscar: It’s very nice having you. Welcome back, Elizabeth, and welcome for the first time, Mark. So, we’ll hear more about GAIN, this initiative that was launched a bit less than two years ago. And we really want to hear the news about that. But to get started, we always want to hear about our guests.
So, for all of you, please tell us about yourself and your journey to the world of identity.
Elizabeth: Okay, I’ll go first. For me, the journey really started in identity when I was working at a bank. We had introduced a new vendor into our identity and access management program. I won’t say who because it didn’t really go very well at first. But I was brought in as kind of fresh eyes to lead a root cause analysis exercise and make some quick changes and fixes. And that led to two things.
First, I ended up taking a digital products role on that team and having more and more to do with identity. And second, I was absolutely hooked on the industry. So, there were just so many interconnected challenges and opportunities. The stakes were really, really high. So, I started to form partnerships outside the bank, and most notably with the person who would become my good friend and my Start-Up co-founder Rod Boothby. So, he brought me into the Open Digital Trust Initiative with all the world’s leading banks, the IRS, and also the OpenID Foundation.
And that, of course, led to the GAIN paper, where I quickly raised my hand to help out alongside Mark, my colleague here, and the other co-editors. I then, still, co-chair the proof-of-concept along with Mark and authored the follow-up paper, which will be out by the time this podcast airs, I think.
Mark and I then wrote the paper you just referenced, which is addressing how government identity systems can sustain and promote human rights. All of those papers can be found on the OpenID website, by the way, openid.net.
Since we last talked, I co-founded my company IDPartner, which is really in the spirit of GAIN and is seeking to help banks and other parties connect into such a global network. So yeah, I’m still relatively new to this industry of being a few years in now, but it’s pretty much consumed the majority of my waking moments for the last three to four years.
Mark: So, we’re in some ways similar to Elizabeth, but in other ways slightly different. My background is also from financial services. I have had a number of operational roles and then design and architecture roles in primarily UK banks. I’ve had a rich array of roles, taking on some really interesting challenges along the way. It started out with operational I.T., moved into networks and security design and, after some time and lots of rich experiences, I ended up in the Identity and Access Management team at a large UK bank, having done a bunch of work on future architectures for that organisation and its innovation team. And around that time the UK was starting to move towards open banking. I managed to switch over to become a core member of the Open Banking UK Implementation Entity security team, where I was involved in designing various aspects of the open banking architecture and the protocols involved. And that led me to interact with a bunch of people from the OpenID Foundation, who recruited me to come and help on the open standards side of things more actively, after I moved on from open banking to do other things.
Since then, we’ve been working on new draft specifications, and writing a number of white papers, including the GAIN white paper and the one that Elizabeth and I have been working on together about human rights in the context of government digital identity. And here we are today.
Oscar: Excellent. Thanks, both of you, for sharing your story. Before starting to hear the newer things that have happened for GAIN, I hope you can give us an overview. So, what is the Global Assured Identity Network?
Elizabeth: Well, so back in 2021 when we last spoke, GAIN was just a paper. It was – we used to say it was no logos and pro-bono. It was 156 individuals, identity and industry experts who signed as individuals because it contained so much that they could all agree on. And primarily that was that we wanted to build a globally interoperable network for high assurance identity.
We wanted to connect the islands of trust that exist out there today, the different ecosystems where you can be trusted. And we want to create new ones and connect those too. We want to make it possible for somebody in the US, like me to transact with somebody in Finland confident that you could trust who it was on the other end of that digital session.
And we wanted to do that in a really privacy-preserving way. So, no new databases of PII being introduced, full customer consent for sharing and really the minimal amount of information required. All of that was the stuff that the original authors could agree on. At the time we wrote it addressing financial institutions. We didn’t think any such network was going to be inclusively or exclusively led by banks.
But we did argue the banks were really well-placed to catalyse such a movement, as they had done in Sweden, Norway and other places. And also, open banking was a growing enabler and there were lots of benefits to them, their customers and others if they took a lead and did so with a sense of urgency. What we have seen in the intervening years, though, is that while that’s still true and still would be a great catalyst, other corners of the market are moving very, very quickly. We’re having broader conversations now in relation to GAIN, including with the European Union and those designing mobile driver’s licenses.
It’s all interconnected with standards development and has a really big impact on how identity systems will work, interoperable, in years to come. Sorry, that was a summary and a movement into the present day.
Mark: There were a couple of things I would raise from the original paper that hold true today as well, I think. And those are that we felt back in 2021 that there wasn’t a need for any particularly new or ground-breaking technology to enable this. And probably the most critical thing to allow such a scheme or system to emerge was a way for the three key classes of entity involved all to find benefits from the services provided.
So, the identity provider, the relying party and the end user, who is subject to all of us, all needed to have their own benefits arising from this for such a thing to become viable. And I think that was something that really hadn’t been voiced quite so directly before.
Oscar: Yeah, well, no surprise of course. From a paper to the implementation of a proof-of-concept that nowadays you, and some of your allies, are working on. So, I think it’s time to hear more deeply: what are the main updates and advancements that GAIN has had since then?
Elizabeth: Okay, so after we launched the paper, we had five organisations initially who had signed an MOU, a memorandum of understanding. It was not legally binding, but it meant that they would loosely collaborate and align efforts to further the GAIN vision of interoperability. So, I’ll share those organisations now and you can go learn more about what they’re doing in the space. So that’s the OpenID Foundation, the Open Identity Exchange, the Global Legal Entity Identifier Foundation (GLEIF), the Cloud Signature Consortium, the Institute for International Finance. And since then, we’ve had one more organisation formally sign up, and that’s the Secure Identity Alliance.
Each of those organisations does work that’s relevant to GAIN and feeds in, whether it’s standards or requirements, maybe from the financial sector. They feed into the work that is done at the moment through two major communities, and we should drill into what both of these communities have been doing. So, we have the technical proof-of-concept at the OpenID Foundation, which is where Mark and I co-chair a community group, and we really have built a prototype that interconnects multiple trust networks.
And then there’s the policy work at the Open Identity Exchange, OIX. It’s called the Global Interoperability Working Group, and they’re really looking at more of a semantic interoperability; how two different policies interact, how do the policies in one trust framework translate into another and what enables that. Mark, do you want to give an update on the technical proof-of-concept that we’ve been running?
Mark: Yeah. So, the GAIN proof-of-concept within the community group in the OpenID Foundation has been taking a number of steps to dispel any suggestion that this stuff can’t be done with the technology we have today. One could argue it’s not terribly ground-breaking work, because it’s showing that stuff can be done using existing protocols. But at the same time, we’ve been doing it in a way which demonstrates quite significant cross-domain examples.
So, our first little proof-of-concept was simply allowing existing identity providers from multiple different countries to provide digital identity data to a relying party. And it was existing trust networks of various different types. It wasn’t terribly complex. In some ways, that’s kind of the beauty of it. A relatively simple OpenID Connect implementation with a relatively simple layering of eKYC and Identity Assurance Working Group specs on top as well, to allow us to be explicit about the assurance level for the individual.
We’ve then moved on from that Federation example to addressing the question of trust between the entities involved. So, allowing the identity provider and the relying party to be more confident in each other, that they are dealing with an entity that is another member of the network. And the big realisation we had when we were doing that was that we shouldn’t try and have every party register to a GAIN instance. There’s plenty of identity networks out there already and we shouldn’t expect their members to have to reregister for something else. That’s not a terribly scalable way at a global level. So, our decision at that point was to build an instance of a network of networks so that we could keep the implementation impact as low as possible for each member and at the same time enable that global reach.
So, we did some work using a protocol called OpenID Federation to allow communication of trust and some of the technical details, like how to verify cryptographic keys across networks. And we ended up building a really nice little demo whereby the end user arrives in a Japanese airport and is able to present their identity from a German network to the local telephony company, so that they could then pick up a new eSIM as they entered the country. It sounds simple. There were a few challenges along the way, but we managed to overcome them and have a little demo which we could share at some point with any interested party.
Elizabeth: So, the two main concepts that we’ve been testing there have been – we often break it down as the data plane and the control plane. So, the first piece that Mark was talking about, where we tested the OpenID Connect for Identity Assurance standard, that’s how the data moves from one party to another. And then the second, which we spent a lot more time on, was the control plane: how do we enable one party in one network to trust another party in another? So how does a relying party in Japan trust an identity provider in Germany? And that’s where OpenID Federation came in, as a really scalable way of delivering that kind of trust.
Mark: Yes, it avoids having to build a direct one-to-one relationship between every entity, which clearly, on an international level, is not going to be possible.
Oscar: How many countries have you – you mentioned two countries in this example – but how many countries so far have you managed to connect?
Mark: We’ve got members from quite a range of countries, actually. Our initial proof-of-concept involved contributors from UK, Sweden, Germany, Netherlands, Italy, USA and Japan. I think there may have been more. My memory isn’t the best on these things. And then the second one, again, we had Italy, Japan, UK, Germany, the US. Any others Elizabeth?
Elizabeth: Not off the top of my head. But what I think is really cool about the prototype that we have operating right now is that you’ve got three different trust networks, in three different countries, in I guess four different verticals operating. So, we have the German bank-based yes.com federation. Then you have that connected, both at a data level and a control level, to an open banking system in Japan, and the relying party is in telecommunications. And then you have all of that connected, both at a data level and a control trust level, to what is essentially an Italian government implementation. So, we’ve got lots of different types of systems, different types of architecture.
And in that early prototype that we did with just the data passage, we interconnected with wallet-based ecosystems as well, and we’re looking to bring that back into this larger multilayer proof-of-concept that we have going on right now. So that’s our next stage. But that’s a preview.
I want to make sure we don’t move on before we talk about the work that OIX is doing. Their emphasis has been on mapping different policy frameworks. They looked at how well policies relate to one another and how bilateral agreements can enable one trust framework to trust another, and then ultimately landed on the idea that bilateral agreements are not actually scalable the world over. And so, what they’re looking at now is something that Nick – this is Nick Mothershaw – is calling a ‘smart wallet’. So how can an agent or something –
Mark: The Global Interoperability Working Group has been focusing in a couple of areas. One has been to discuss how we might communicate assurance levels between different jurisdictions. One of the challenges we have is that there are different standards for identity assurance in different countries. And as part of that, there’s been a bunch of analysis work going on in partnership with the Fraunhofer Institute to do a comparative review of the different assurance standards and see whether they’re readily mapped or not.
And there will be a report coming out from the Open Identity Exchange in this space sometime in the next few months. The net-net is that it’s unfortunately not terribly easy to do a mapping, and there may be a need to take it to a lower level and map the underlying data points to each other rather than mapping to the abstract assurance level.
Elizabeth: So, they’re looking at how an agent can work on behalf of a user to help translate those policies from one framework to another, and how an agent or a wallet can understand what credentials are inside it that meet the needs presented by a verifier. And does a new credential need to actually be issued? They’re looking at how we can know what wallets can be trusted in an ecosystem. How can it dynamically understand what policy requirements need to be met, what credentials qualify? Is there a common format that can be agreed upon for these policy decisions? And all this is underway at OIX.
Mark: In terms of analysis there as well, they’re looking at the UK Digital Identity and Attributes Trust Framework, the European digital identity eIDAS assurance levels, the US NIST standards in the space, and the trust frameworks that exist in Canada and Sweden are on the list as well, although I don’t think all of the analysis is in. So, a fairly broad-reaching comparative review of assurance levels and the new policy frameworks around them.
Oscar: Yeah, it sounds definitely, definitely really good. I haven’t heard of this. I want to hear more information about this.
Mark: The best way to find out more about this analysis would be to join the Open Identity Exchange and come and attend some of the working group calls that happen. The report – I don’t know whether it’s going to be publicly available or a members-only report at this stage. There might be a summary report available for non-members. So that remains to be seen.
Oscar: Excellent. If you look at it as a retrospective, have there been any main challenges or barriers that you had to overcome in these nearly two years?
Elizabeth: I would say one of the biggest challenges, and really an exciting one, is how quickly the market moves. When you’re talking about global interoperability, any kind of shift around the world has an impact on the interoperability aspect. So, I think we do a really good job as a group, both at the technical proof-of-concept level, at the Open Identity Exchange, and as the GAIN six non-profits, of keeping connected to a lot of those moving pieces around the world.
Proud to say that we have close relationships both inside Europe and the European Union and with those leading mobile driver’s license efforts, or I should say North American mobile driver’s license efforts. You know, sometimes this stuff means that actually new concepts, new standards are embraced. And we need to make sure that our prototypes move and shift to ensure that we’re still keeping up to date with the standards that are being embraced and matured by regulations and others around the world.
This is a really exciting problem to have, to see things develop and mature. I guess the connected challenge to that is just making sure that we’re aware of all that’s going on. We recently got in touch with a group working out of the UN on a similar challenge of how you enable one entity to build trust with an entity in a different trust network. And they’re really – you know, we’re all working on similar things and exploring. Once we know what have been your lessons learned, what have been ours, we cross-pollinate ideas about how we can achieve these things together and maybe work together. So yeah, a big challenge is knowing what is going on everywhere.
Mark: Yeah, I completely agree, Elizabeth. A couple of other names to drop as well. I know that the OpenID Foundation has been working quite hard to establish and develop relationships in various parts of the world. And I would say the engagement with the European digital identity project has been really good. We had some nice sessions in Berlin around the European Identity Conference earlier this year. The engagement with the NIST guys in the US around what they’re doing, and their update to their digital identity guidelines, has been really positive.
Gail Hodges, Executive Director of the OpenID Foundation, has also been reaching out quite successfully into a project called ID4Africa, trying to bridge the global north, global south part of the problem space. And I would also say that interoperability, I think, is probably one of the biggest challenges that spans across technology, data and policy. And it’s really good to see the OECD call that out explicitly in their draft digital identity guidelines that are open for review at the moment and coming out, I think, later this year now.
There’s an awful lot happening in this space. It’s really dynamic. And echoing Elizabeth’s point, the biggest challenge is keeping up with all of the activity that’s going on.
One thing I would say that we’ve been doing in our GAIN groups has been to try and make sure that we’re relevant to all sorts of different technical architectures. So, this is something that can interoperate across technology differences, at least. Ultimately, the technology should be there to serve the people of various sorts, you know, people who represent organisations and the people who are trying to access services. So, a particular protocol should not necessarily be the boundary for interoperability.
To that end, although our first couple of proofs of concept have been OpenID Connect focused, the one we’re working on now is to extend that proof-of-concept to delve more into the W3C Verifiable Credentials-based architecture. We’re doing that in part with people involved in the European digital identity wallet as well. So, there’s a lot going on. And I think a lot of real dynamism and action in the marketplace at the moment as well.
Elizabeth: And the more we do in this proof-of-concept, the more that we do to really test the specifications of these standards, the more we learn, and the more those standards mature. So it really benefits from having a lot of participation. Because both the Federation spec and the IDA spec, I think, have been improved as a result of people trying to build it, coming together, trying to align it, making sure that both parties understand the same things and are using the same configurations. It just makes all the specifications better and more mature.
Oscar: Well, excellent. You mentioned already a few examples, but if you have any other success stories in particular that you would like to tell us more.
Elizabeth: I think our big success story is the one that we raised: connecting the German banking network, a Japanese banking network with telecoms roaming, and a federation run by the Italian government, both at the data level and the trust level. Can I trust the relying party and an IDP in two different networks? The big proof of GAIN is always going to come when private companies or other entities actually bring it out there into the public domain, and people are actively using it to create their eSIM in another country. And I think that’s the next big hurdle, to see something out there in the wild. And I’m hopeful that you’re going to hear some more about that in the coming year.
Mark: Yeah, likewise. I mean, ultimately what we’re driving towards is something that gets implemented. But I do think that the debates that the white paper originally provoked and the groups that have been acting, following on from that have surfaced a few difficulties along the way. And these were difficulties that needed to be surfaced in order that a solution could be built.
I’m not yet certain that all of the challenges have been addressed fully. In fact, I’m fairly certain they haven’t all been addressed fully yet. But we’re working through them as they emerge and prioritising our efforts as best we can. I would say a lot of this work is being done either by companies who are contributing their staff’s time to working groups or even individuals contributing their time to these working groups.
So, you know, if anybody out there thinks that they may have the ability to devote some time or even some implementation effort, that would be, I think, a valuable thing to do, whether that’s in the policy domain or the data domain with the Open Identity Exchange, or in the technical protocol domain with the OpenID Foundation. The only way these things are moved forward is by people contributing their time.
Elizabeth: Absolutely.
Oscar: So, they need more contributors, absolutely.
Mark: Just to drive one particular point home. In particular, at the moment, the OpenID Foundation GAIN POC community group is looking for digital wallet implementers, and secondarily issuers of digital identity credentials as well, verifiable credentials. So, if anybody listening to the podcast is willing, able and has some expertise in that area, they would be very, very welcome indeed.
Oscar: Perfect. Yeah, based on your observations when I asked you about the hurdles, or what you find on your way – you find a lot of things moving on projects that have similar goals, let’s say. But now looking at the future, what is coming in the near future, if you focus on the near future? So, what would be the main potential future developments that you think are going to happen in the next, let’s say, one or two years?
Elizabeth: I would say three things.
Verifiable credentials, as Mark was just saying: we need to be interoperating with wallet-based ecosystems. And our technical proof-of-concept in the short term, in the next few months, needs to be extended to incorporate those issuers and those wallet providers.
I think the OIX work on smart interoperability takes us beyond the next few months, into, you know, the next year or so. I think that work will take shape a bit more, and we will hear more about how interoperability can be enabled semantically through such systems. I think that work is really, really exciting.
And then the next thing I think you’re going to start to see is more commercial implementations of this use case, of cross border, high trust identity.
Mark: Clearly, the European digital identity project is going to march forward dramatically over the next couple of years as well. And I think that will produce a number of successes and identify a number of challenges along the journey as well. At the moment, the topic of international interoperability is a really interesting one to me. And I think the European Union has certainly within its power, the ability to solve that between the member states. But I think there will be challenges to do with interoperability to other nations.
I also think that there will be quite an interesting series of events around who wins in terms of wallet provider. Clearly, the big tech have wallets already embedded into a lot of consumer devices. But it’s going to be interesting to see how that plays out. Particularly in the context of the European Union project, as they have quite a different perspective on how a wallet should be governed more than anything else. So that’s going to be a really interesting thing to watch over the next couple of years, and I’m sure will produce some great and informative outcomes. It’s an extremely interesting experiment.
Oscar: Yeah, it’s sounds great.
Mark: And I think some of the members of our groups are active in that space as well. And indeed, the OpenID Foundation has been contributing quite strongly to that project, with a couple of the key protocols in and out of the wallet being selected for the first round of proof-of-concept work in the European digital identity programme. And there are definitely conversations going on around trust of issuers and wallets in the context of the OpenID Federation spec as well. I know that some of the Italian contingent are quite keen to promote the use of that protocol in the European digital identity wallet space for organisation-to-organisation trust, effectively.
Oscar: Excellent. So final question for both of you. So, for all business leaders that are listening to us now, what is the one actionable idea they should write on their agenda today?
Mark: I’m going to say that they should be considering how they integrate reusable digital identity into their business processes at some point in the future. A lot of what has been done before has been very organisationally focussed and very transactional. So, us poor end users have to go through identity verification processes quite frequently. And I think going forward it would be better for end users and better for organisations to be able to reuse those assured identities.
Elizabeth: I totally agree. So, I’ll take a different angle on the question. I would address, rather than business leaders, standards bodies, regulators and, yes, potential ID providers, including government providers, even banks. There’s a lot going on in this industry, as we’ve talked about, so many exciting movements forward, so many standards reaching points of maturity. And we’re really, really excited by the developments that we’ve seen over the last few years. As we put in the paper that we’ve written for government officials, no single solution or standard or architecture is going to be a panacea.
No one thing is going to solve all the world’s problems. So, we would all really benefit from, if not slowing down, then at least taking the time to speak to each other. Make sure that we understand how we’re going to establish multi-party trust, checks and balances in the systems, mitigate the risks of fraud while protecting privacy. I would love to see more, even more open, transparent communication, public-private partnerships forming in this space. So that’s what I’d put on your agenda.
Oscar: Both sound very good. Well, I’m very happy to have had this conversation with you and to hear this very good news, the progress that GAIN and all the partners have had. So, congratulations and well done to you, Elizabeth, Mark and everybody who has been involved and is involved.
So, a final piece, just let us know how people can find more information about this project or get in touch with any of you.
Elizabeth: Yeah. So, I think the fastest way is probably – there is the OIX Global Interoperability Working Group. The fastest way might be openid.net; there’s a GAIN community group there. Either way, that will get you to where you need to be. You can also obviously reach out to Mark and myself. We are available on LinkedIn. So yeah, please get in touch.
Mark: Let me just reiterate then openid.net and there’s a search box there. Please put in GAIN. You’ll find a number of items there that may be informative.
Oscar: Perfect. Again, it was a pleasure talking with both of you, Elizabeth and Mark and all the best.
Mark: Thanks Oscar.
Elizabeth: Thank you.
Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
In episode 94, Keith joins Oscar to delve into Single Sign-On (SSO) best practices and how organisations can implement SSO – including technical aspects, how it is used in practice and the advantages of SSO.
[Transcript below]
“The best type of single sign-on is where the user doesn’t notice it.”
Keith is VP Customer Success at Ubisecure. As an Identity and Access Management product expert, he leads the Sales Engineering team and is involved in many stages in the planning and design of demanding customer implementation projects. Keith is active in various industry organisations and has a keen interest particularly in government mandated digital identity systems. He holds a bachelor’s degree in I.T. and a master’s degree in Economics, specialising in software business.
Check out Keith’s SSO video series.
Connect with Keith on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 94.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Single Sign-On is one thing that today we take for granted. So, it’s even hard for us to remember when was the first time we used it. Today, we’ll go a bit deeper into that and into which direction Single Sign-On is going. And for that we have a special guest, who is Keith Uber, VP at Ubisecure. Hello, Keith.
Keith Uber: Hi, Oscar.
Oscar: Thank you for joining us for the second time. So, you have been – two years ago. Two years ago, you’ve been here before talking about mergers and acquisitions. So happy to have you back here.
Keith: It’s a pleasure. Thank you for the invite to come back.
Oscar: Yeah, nice to have you, Keith. And we’d like to hit a few things about yourself. So, you can tell us about your journey to the world of digital identity.
Keith: Yeah. So, my entry into the world of identity probably began around the year 2000 when I had just moved to Finland from Australia. I was working for a telco provider, who was in the – around the dot-com boom era had been acquiring lots of small businesses. Lots of startups, they had their own projects and all of these have many different types of identity systems and lobbying systems. And my introduction to that process was – my job was to evaluate different solutions to their problem and ultimately, take part in a commercial pilot to implement a product to solve that problem.
Oscar: Excellent. And I already can imagine that a single sign-on had some role on that. Just guessing that yes, single sign-on is something that. I was really trying to remember when was the first time that I used it and it’s quite difficult. Because it has been coming in different, in different flavours I would say.
Probably the first time I used was in one of my first jobs when, you know, you go to the office – people used to go to the office every day, and today is not, not for everyone at least. And then you sit down, and you login to your computer. You login to the domain and then suddenly, you can access some of the internal applications without logging in again. So that is one of the ways. And then later it came, what we see more often today is the web single sign-on, right? So, several applications.
So, in order to start with the basics, how do you define single sign-on in a nutshell?
Keith: Yeah. Single Sign-On is maybe a more technical term that the industry understands. But for the end users, they don’t really understand what the single sign-on means. But they do understand that they don’t want to have to sign in again and again to different parts of the same website or different sections of the same company. So single sign-on is the ability to sign-on once using any form and use that same session information across many different services. For the end user, that’s great. That means that’s one less username and password, or many, many fewer usernames and passwords, or many fewer authentication methods for the user to manage.
And you mentioned the internet, or the web-based applications has a kind of thing they sort of came along. So, a long time ago, we all used to have desktop machines, and we would have fat-client applications and we’d even have to sign into those. Early on, there were different solutions for remembering and replaying the usernames and passwords across different fat-client applications. And that’s what we call enterprise single sign-on.
That’s very much faded away as the world has moved to web browser-based applications where people are spending most of their time in a browser or signing into applications based on browser-based technologies.
Oscar: Thinking of we, as normal user, like majority of users, we are using without noticing, right? You might ask people what is single sign-on and not sure or maybe they try to find meaning from the name itself, but it’s everywhere.
So, if you can tell us a bit more how people are using single sign-on, SSO, in practice? So, what are the – how many ways, what are the scenarios? How many scenarios? Or just mention a few of the most common ones.
Keith: Yeah. So single sign-on in essence is the reduction in the number of times that you have to sign-in to the different services. So instead of signing into different parts of the same website that might be based on different technologies, you only have to sign in once. And then when you transfer to a different section of the website or a different application within an organisation, you’re already logged in, your name appears, and your information appears.
And a lot of what’s happening, or the technology behind that is happening behind the scenes. It’s mainly invisible to the user and that sometimes makes demonstrating single sign-on, for example, quite a boring demo. Because you’re actually removing a lot of the things which you don’t want to see, and the end result is you see nothing. So, the best type of single sign-on is where the user doesn’t notice it.
But there are other advantages. For example, in order to create an account, you only have to create that account once. So, the user registration process is also simplified with a single sign-on. Without single sign-on, you would have to have a registration process for every individual user application. Or at least some way to authorise your account to be used on other applications. So that makes it easier.
And then password reset, or credential management is then simplified. Because instead of having to reset your password in different services, you can reset your password in one spot, and it’s the same password used for many different services.
Oscar: Yeah, indeed, that illustrates the advantages that as you also said is the users don’t notice. It’s well, in a way, invisible once it’s set up.
So, going deeper into, what are the nuts and bolts of single sign-on? I’m sure there are many technicalities behind, but what are the main standards that make single sign-on possible?
Keith: Yeah. So single sign-on doesn’t have to be done using standards. But of course, standards simplify the implementation process and simplify the management of the solution. There are basically two main standards which are in use today. The older standard is called SAML 2.0. And this is an XML-based standard. A way to transfer information about the user and the login session between different services using public key-based technology. In more recent years, and the more modern technology is what we call OpenID Connect, which is based on OAuth 2.0. Different workflows use different parts of those two standards.
And that’s a JSON-based, REST JSON-based protocol. It implements most of the same use cases, most of the same user flows. But of course, as technology has developed, new use cases have come, now OpenID Connect is what we call the gold standard. Even though it’s the gold standard, there’s still a lot of software systems and products which are based on the SAML 2.0 standard.
So, to truly implement SSO in a – as wide range of target applications as possible, the best thing is to have a solution that supports multiple standards. And there’s ways to bridge between these two standards. So that some applications can use SAML 2.0, and other applications can use OpenID Connect and you don’t have to do a lot of your own development work. Because if the products and the servers support those standards, it’s pretty much plug and play.
Oscar: Yeah, indeed, as you said, two main standards, even though there are other ways, but then two main standards is SAML 2.0 and OpenID Connect. Yeah, even though there are two main standards, there are a lot of software that can make single sign-on happen. We know because from experience talking with customers, organisations in different sizes. And even though we feel as user that single sign-on is almost ubiquitous. There are still many organisations, companies that don’t have single sign-on or don’t have single sign-on, at least for all the applications.
So, it’s common that there might be in an organisation, let’s say 20 applications and a portion of them, let’s say four of them, which have some similarity, they have single sign-on. But all the rest are disconnected, different identities for that.
So, there is still some technicalities behind putting that in practice from an organisation perspective. So, if you can tell us how organisations can implement SSO. The main step, let’s say, for setting up single sign-on.
Keith: Yeah. What you described is a common scenario that even a company that’s implemented SSO in their environment. There could be a lot of applications which are outside of the system, either they’ve been implemented by a team that was unaware of the technology or unaware of the how to do it, or the product developers were unaware, the people buying it didn’t know what to ask for. So, there’s a lot of situations where a company can be – have SSO in place for maybe their main applications. But maybe for their own employees or different user groups, such as external suppliers, they might really go back to square one where the users have to log in many, many times.
The best way to implement SSO is to pick the most used applications, that are used by most of your customers. Who are probably requesting that today, especially for consumer customers. The most typical situation is that there’s a main application, it might be a web shop, or some service portal, it’s connected to some other related application such as a support portal or documentation system or something. And these two services are used hand-in-hand and they’re used often by most of the users. So, you try to work on the principle of bringing in the most used applications that touch the most users sort of in a priority order.
SSO isn’t something that you would implement across the whole organisation and across all applications overnight. It’s done as a roadmap project, where over the lifecycle of different applications, you would plan carefully which applications you’re going to switch on for SSO. That might be on-premise applications or cloud services. It’s important at the very start to do an inventory of the applications which you’re offering to different user groups. Clearly define those different user groups, see what dedication they’re using already today, and then prioritise how you’re going to move them across to a true single sign-on system. It’s something that has to be done bit by bit.
Some applications may need to wait until their supplier switches on SSO or makes it available for the customers. Some cloud services might charge additional service fees for enabling corporate SSO, some might already have that today that’s just not turned on for your organisation.
It’s really good to work with pilot organisations, especially in B2B. And these are probably organisations which are already coming to you, already asking, when will you support my corporate login? When will I be able to click through and not have to log in? When will I not have to synchronise my users with your service, for example?
Because one of the big advantages of SSO, when we’re talking about business-to-business use cases, is allowing customers, not only to move between their applications that you offer but allow them to use the authentication method which they already have. Which is their corporate login. That might be their own SSO system, or typically today, it’s Azure AD corporate login that they use. Not only for the Windows desktop and cloud services, but you can use it for third party applications as well.
And as the project goes forward and people start to see the benefits, then it becomes a little bit like a tsunami. That then you get requests to switch on every application that you have or to have a goal, to have as many as possible.
Of course, for some applications which are used by a very small user group for a very specific purpose, or very infrequently. The cost and effort of implementing SSO for – even if it’s just configuration, may not be worth the effort or the return. But you’d focus on the high volume, high value applications first.
Oscar: That’s definitely a good observation. High volume applications and the most relevant applications, those are the ones to do first and then gradually all the others.
In terms of best practices that you could give us – let’s do it from two perspectives. From the end users in which might be easier, and then you can go deeper into the – what are the best practices for organisation. So, what would you say to users, either they’re aware or not, they are using single sign-on. But to users who are regularly using single sign-on?
Keith: Yeah. So, for end users, these are the untrained, for example, citizens or consumer users for your services. You have to make it as easy as possible and as simple as possible and use the language that the users understand. So best practices there are to avoid any of the technical terms which are not understandable to begin with. But to make it a very simple and easy process for the user to – for example, register an account, approve terms and conditions, approve attribute consent to allow their information to be processed. To make it easy for them to adopt strong passwords, and have a suitable password policy for the target service.
And then, of course, a way to – or today, it becomes basically standard that you would – enabling a two-factor authentication. Which is familiar for the target audience, something that they’ve done before, they know how to use and something that’s appropriate for the risk, sort of the risk involved in the transaction. You don’t want to have to get the user to do some very complex authentication process just to look at their information. But you might want to have a step-up authentication or a stronger two-factor authentication. For example, in conjunction with some high value transactions, such as a bank transfer or termination of an account service.
My recommendation for end users is just to remember that it has to be understandable and easy to use and configure or design the system accordingly.
Oscar: And for organisations?
Keith: For organisations, it’s really important that the whole process and the whole project around single sign-on is very, very well documented. It’s a core part of security for the applications. It should be regularly reviewed, to understand is it keeping up with the latest threats in the environment? Part of that review is not only the paperwork review of the policies and configurations. But regular automated reviews of logging events, things that happen in the system to trigger evidence of potential attacks or anomalies in the processing. And to address those swiftly and quickly to make sure that there’s no impact on the organisation.
So, it’s important that you dedicate adequate resources either within the organisation or through a partner. Not only through the implementation project, but through the ongoing day to day running of the system. To understand the responsibilities of who is responsible for what and who is monitoring and actioning those events.
Of course, for organisations, one of the downsides for single sign-on is that in some ways, you put all of your eggs in one basket. That if the single sign-on system fails for one reason or another, it can become a single point of failure. But it’s a risk that could prevent users from signing in, and it could prevent customers from buying things. It could prevent customers from moving to a new application within their session.
So, it’s important when the system is scoped and system is implemented, that’s taken into consideration. So, it’s highly available, works at a high performance, can deal with any sort of attacks from the outside world. Because it was, it becomes, in a sense a front door for the organisation. So not only does it have to be welcoming for the user community, and easy to use. But it has to be very well hardened, with very strong locks, so that you’re not a victim of any kind of organised attack on the system.
Oscar: Absolutely, it’s very good that you emphasize this importance of hardening the systems that are – on which single sign-on has been built. As you put a piece of software and behind there’s a lot of infrastructure servers. Everything has to be well-secured indeed. Even though, as you see, we have been talking about this easiness of its function, single sign-on. It sounds like a solution that you just switch on, and it’s ready. But it’s very good that you emphasize all these security and availability aspects, because it’s so important.
Keith: On that topic, the standards, for example, SAML 2.0, OpenID Connect. They give you a lot of protection. They have well-defined and reviewed and audited protocols and flows, which have been tested and seen the test of time. But even though the specification says something, it’s the implementation which has to be examined. So, it’s very easy for somebody to make a simple mistake, which can put either an individual application or the whole system at risk. For example, incorrectly validating a signature, or looking at the incorrect audience information or so on.
So particularly where the coding is done by an individual team, it’s important to have the technical reviews and technical audits and importantly, testing of those solutions. Luckily, especially for OpenID Connect there are very, very powerful tools for automated testing of implementations. Which is a great way to give yourself faith in an implementation. To see how it complies with the various risks involved in poor implementation quality.
Oscar: Such tools that – for instance, in especially in the OpenID community there are these, of course products of several years of, I don’t know thousands of organisations contributing to that standard. So, and there has been, of course, evolution of those standards.
So, seeing also the evolution of the standards behind SSO and what other functionality that comes along with single sign-on. What do you see today are trends related to single sign-on?
Keith: Yeah, I think single sign-on is quite mature in terms of, how if for generic single sign-on, for example, for web applications, moving between one application and another. What’s interesting is multi device single sign-on when you’re, for example, signing into a set-top box using your mobile phone or signing into applications across devices where a session will follow you.
Today, we’re seeing the better understanding and the commercial release of passkeys. So, this is the culmination of years and years of work on standards such as WebAuthn and the FIDO Alliance standards. Which is now finally wrapped up into consumer understandable services which we know as passkeys. And that kind of takes the user out of the equation when we’re creating – it’s no longer creating passwords of a passkey. They don’t have that risk of creating a credential which is too weak. It’s all, in a way automated and easy to understand. And I think that’s a really exciting thing.
Something new for users to understand how to manage their own collection of passkeys, their own wallet. And how to keep that safe and be able to recover if they lose or break their device. It has its own challenges, but that’s probably the latest, biggest trend. It doesn’t mean that you use the same passkey for every service, still you have a different passkey for every service. So, it’s not like all of the different services are connected in that way. So, it’s privacy protecting.
The related technologies, which I think is a current trend is more of an authentication method. Which is used for single sign-on systems, is related identity wallets. Which are now really starting to come into the public use. Where an organisation can issue a credential and assign that credential and the user can be asked to present that at various services. And they can present as much or as little information as they want. And the service receiving that information can be sure it’s issued by the organisation that issued it.
It’s really exciting, the EU identity wallet projects will bring that into the forefront as more and more governments adopt those type of services. And we’ll see that, we’ve seen that already with, for example, electronic driver’s licenses and electronic professional credentials. So, they will spread, and it will make things easier, I think, for the user. A lot of time and effort into hiding the complexity and the security beneath it all and making the user experience friendly and familiar. Using the service logos and branding and colours and the analogies to cards that you have and so on. So, it’s a big thing.
And this might also drive many, many single sign-on projects. As customers won’t know how to ask for single sign-on, but they say, “Why Can’t We? Why can’t we sign into all of these applications with a passkey instead of using individual credentials for each service?” Those discussions become the underlying discussion of a single sign-on set up with passkeys and authentication method.
Oscar: Yeah. I’m sure the user will be pushing the companies or organisations to deliver single sign-on now that these technologies, passkeys and wallets are reaching that usability level. That it’s ready to be used for the masses.
Final question for you, Keith, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Keith: I think for single sign-on, one of the related technologies is what’s called federation. And federation is when you have single sign-on across organisational boundaries. So, for example, I could sign in using my Ubisecure login into a third-party application where I do work, for example, with other companies. And this federation signing in with your own commercial credentials across organisational boundaries is something that I think a lot of organisations haven’t benefited from enough today. And that would be – maybe my actionable idea is to look at the B2B applications that you have. Look at the time it takes to manage the users in those systems. For those users to get an account, those users to ask for access, for audits to be done. How do you check what the company is? Are they still in operation? Does that person still work for the company?
A lot of those problems can be solved by implementing cross organisation single sign-on – this federation. And it can be as simple as entering your email address and then signing in using the – or approving the login using your existing home organisation single sign-on. Or signing in using Azure Active Directory sign-in. In that way, the target application or target organisation gets all of the up-to-date information about the user that they were allowed to get or that they requested to get. They get evidence that the user has a continued relationship with that organisation. And of course, they get single sign-on, so they don’t actually have to sign in again. They might just approve the login and get to work.
It’s got benefits for all parties in the transaction. It improves security, it improves the auditing. It’s easier to use. It’s convenient, less hassle, less clean up, less risk. And I think it’s not anything new in terms of technology, but it’s something that’s underutilised and maybe undervalued.
Oscar: Yeah, I agree with that. I think organisations could use more to fulfil the potential of more collaboration between organisations. By using these techniques that there has been for a while, and we have been discussing today.
Thank you very much, Keith, for joining us today. It has been super interesting to hear more in detail what single sign-on can do for different types of organisations. And of course, ultimately, to make our lives and users life much easier. So, if someone would like to follow this conversation with you, what are the best ways for that?
Keith: Best way to keep in touch with what I’m doing and what Ubisecure is doing is through our website at www.ubisecure.com. There you can register for various newsletters and so forth. I’m not so active in social media in recent years, but I do have a Twitter handle @KeithUber. Through the Ubisecure Twitter, @ubisecure, we’re happy to engage and participate. We share lots of ideas, including this very good podcast and related interviews.
Our team is also responsible for the IAM Academy Training Program. The IAM Academy Training Program is a way that we share our knowledge with our customers, partners, and anybody who is interested in learning more about the nuts and bolts, the policies and practices of Identity and Access Management and Consumer Identity and Access Management. We run that training various times over the year. And that’s a great way to have a deep dive into the field. So, I welcome you to register for IAM Academy, which is also through our website at www.ubisecure.com/iam-academy/.
Oscar: Yeah, absolutely. Very welcome to join us in IAM Academy. Well, I’ll be there if you join us. So, fantastic. Again, thank you very much, Keith, for joining us and all the best.
Keith: Thanks Oscar. It’s my pleasure.
In episode 93, Oscar is joined by Kalev Pihl, to answer ‘What are the cultural aspects of digital identity?’ They delve into the role of culture in shaping digital identity and how digital identity is being treated as a detached technology, without considering cultural differences. Alongside discussing the challenges in recognising these cultural aspects, as well as sharing some of the solutions that have successfully prioritised the human aspects of digital identity.
“We have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world.”
Kalev has worked with digital identity for over 25 years. He started with the topic on the governmental side, preparing Estonia for electronic identity on the national identity card. He has since worked in the financial sector and in Microsoft. For the last 15 years he has been CEO of SK ID Solutions – a trust service provider that serves digital identities in Estonia, Latvia and Lithuania.
Connect with Kalev on LinkedIn.
Go to @Ubisecure on YouTube to watch the video transcript for episode 93.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. What are the cultural aspects of digital identity? So that’s definitely a good question and a very relevant question and this is one of the questions that our guest today is going to answer.
Our guest today is Kalev Pihl. He has worked with digital identity for over 25 years. He started with the topic on the governmental side, preparing Estonia for electronic identity, or national identity cards. Since then, Kalev has worked in the financial sector and in Microsoft. During the last 15 years, he has been the CEO of SK ID Solutions, a trust service provider that serves digital identities in Estonia, Latvia, and Lithuania. Hello, Kalev.
Kalev Pihl: Hi, Oscar.
Oscar: It’s nice talking with you, Kalev.
Kalev: It’s been a while.
Oscar: Yes, Kalev. So, let’s talk about digital identity. And the first thing we want to hear from our guest is something about yourself and especially your journey to this world of digital identity.
Kalev: I think of the journey to digital identity for me went through this very physical, governmentally controlled national identity. So that was my starting point. And I guess that’s where I’m a bit stuck with my mindset as well, sometimes. And this is my limit. But that’s how it started.
So, it started from the idea that in the world of physical human beings. Governments tend to have this role in society to name, number and identify the residents, they treat as their residents of the country, we are speaking about.
And whilst we have probably different other nicknames in different other societies. And somehow, globally, these governmental-issued identities have become the norm of; How do we know each other across the world. How do we identify the people whom we don’t know beforehand. So, I think from that angle, I’ve stuck with the idea that governments have the role of naming and identifying who we are.
Oscar: Yeah, indeed. I think it’s – I mean, in my view, probably in the constitution in most countries, I’m not a lawyer, but I’m sure it’s written in some of the laws. So that’s one of the functions of the government. And yeah, and that has been translated in our very, let’s say, not very recent time. But talking, especially in the last maybe 20 years that we have such digital identifications, like Estonia is pioneering and in a few other countries as well. It’s pretty digital, pretty well-established.
Kalev: Yeah. I think that the – for the beginning of any country or state in the physical world, some limit, some borders, what is the ground they own. Then we are talking about some legal framework, what is the agreement. Then we need to know; between whom is the agreement? And those are then the human beings in the society, and that’s kind of what every state or country is made of, I would say.
And that’s something that if we go now, from this real-life identity and tried to tackle the digital identity, the idea. Then there are two kinds of attitudes. One is that digital world is borderless, global or universal even. And therefore, doesn’t require and there’s no relation to any, these kind of physical limitations and countries, states and therefore, like no borders, no anything. And then the other is that it is just – it should be, is and will be always a reflection of something that physically makes sense. Only then it becomes meaningful in a larger context when it is physically meaningful.
So, I think that’s one of the starting points if we say that there is point to the cultural differences. Then the culture that we started off is clearly not so much digital, but rather what is the culture before any digital and then definitely, we have different digital cultures as well.
Oscar: Yeah, yeah, that’s true. Every country has internally a different culture while some often several cultures inside a country as well. And this is something that shapes digital identities that we, the ones who are in this industry have been shaping and continue shaping today. So, yeah, tell me more about that role that the culture plays in shaping and influencing the current and the ones that are coming in the digital identity.
Kalev: Yep, sure. That’s the topic for today. So, the culture that we can see in the digital identities is quite a lot, related to, the ways how we culturally trust our own governments. How the government trusts its citizens, residents. And also, it’s very tightly connected to the idea of what is and how the privacy as such is defined in the society. A couple of episodes ago, you discussed heavily again, this kind of ISO standard on the privacy. And privacy is something that is cultural as well, and it’s not globally, universally defined as a value. And where the value kind of lies actually and these cultural differences. How they look in the digital identity is exactly, I would say, let’s take the two extremes.
One of those extremes is that digital identity is something that is central, that binds all of the digital actions that one does in a digital world together. And therefore, makes you, in essence, traceable, recognised everywhere. You cannot hide in a digital world, based on that identity. This identity reveals you everywhere.
And then we have the other extreme. We have digital identity that must, in essence by definition, protect you from being recognised from one environment to another. You must have different representation in different contexts. You have to have the right not to be recognised and not to be traced.
So, I would say that, culturally, the need might be on both of those extremes and something in the middle. And that’s I think, something that we are struggling globally now, that we are trying to talk about digital identity and what this identity does. What kind of privacy does it guarantee and what the privacy means to anybody.
And then we – then we are stuck with the fact that we don’t define digital identity. We believe that everybody understands identity and digital identity in the same manner. And then we also try to say that privacy is preserved. Privacy is granted. Privacy is by default, as we like to say, or by definition and by default. But what this privacy means in this context of digital identity and usability is also not defined. So, we kind of use the buzzwords, and we neglect the background we come from. And therefore, we don’t understand each other, and we try to regulate that in different places. And well, make a lot of mistakes in that.
Oscar: Yeah.
Kalev: I don’t know if that makes sense to you, Oscar.
Oscar: Of course, a lot of sense. So, one concept, one particular concept you mentioned is privacy, right? Which can – well, not can but means different things in different cultures, in different countries. That’s true. I understand that. And it’s a challenge to try to have a definition and based on that create the laws, create the technologies that support that. Yeah, indeed. It’s a very, very good reflection that you are doing.
Kalev: I think that with privacy, again, similarly, there are those extremes. And as I said, one of those extremes is on this identity, and the definition regarding that privacy is that: OK, privacy means that there is no data about me anywhere that I didn’t specifically reveal myself knowingly, giving consent for that specific data to be revealed about me. Which puts me at the centre of all the transactions about me. And well, gives me a lot of work, let’s be honest, because there are several institutions all the time that work kind of for me, make my digital life easier, and they need to make decisions. And if those decisions need my data, then therefore I need to make a lot of decisions to reveal or not reveal that data to them.
And the other side of that is, and I would say the other way of looking at the same privacy, kind of, from the same concept, still saying that privacy is preserved, privacy is kind of granted by default, by definition, is that whenever your data is used, then you, by nature of the setup, have control over who used your data, where and for what. And therefore, you can kind of trace it back and say, well, why did you do one or the other thing? And if they didn’t have the right, didn’t have your permission, didn’t have legal rights to something, then they will be punished by the law.
So, it’s kind of – one is preventing anything from happening upfront. The other is giving privacy through the control that you know everything that has happened with your data. And therefore you are able to take the parties involved and make them responsible for their actions. So, these are maybe a couple of ideas of how to look at privacy from different angles as well.
Oscar: Yeah, indeed, in the case of privacy, just to give a concrete example. But how would this start if privacy or any other concept has to be defined based on the culture of our country, or our region? So how is it really defined?
Kalev: Yeah, the question then, when we talk about building, creating digital identity. We kind of often think that this is one type of thing to be done everywhere. What I’ve learned over the years, and I’ve really had happy accidents of meeting so many different countries, cultures, in different places, talking about digital identity for now really tens of years. Then it still turns out that we are building the digital identity for a specific set of human beings. And those human beings have some connection to a culture, even if that’s a digital culture. Even if we say that digital identity in a social network, like Instagram, is a digital identity. For the people who use Instagram, who have some cultural preferences, otherwise, they wouldn’t use that environment. So, they have kind of agreed to a cultural norm there.
Or if we say that we are looking at a country somewhere in the world, like Thailand or Mexico. Then we are building the digital identity for that culture that suits the beliefs and traditions of that set of human beings. It’s not one-size-fits-all. But rather this one-size-fits-one kind of thinking that I’ve now come to believe more in recent years. That there is not this one single solution that everybody will, kind of, inherently fall in love with. They have so many things in their historical backpack that it will definitely tilt their preference.
They have some bias to expect something that any other culture would never ever expect from the same solution. And we have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world. That we do believe in different things, we do act based on different preferences, culturally, and that makes us interesting as human beings. We are not the same everywhere in the world, and how to preserve that in the digital world, how not to become culturally one and the same, following one and the same set of rules everywhere, having the same solutions everywhere, is an interesting, very interesting challenge, I would say, for humanity.
Oscar: Yes, yes, it is, and I agree with you when you said that there shouldn’t be like one solution to be somehow imposed globally. That is the reason why they are, in practice – I mean, the reason why then – just in the case of the national digital identities, the one from Estonia is different from the one from Finland, Sweden, Singapore, et cetera. They are based on similar underlying technologies; OpenID Connect, public key infrastructure, et cetera. But in the end, they are – they were designed differently because they’re solving a problem for different cultures. That is correct.
Kalev: Like facial recognition anywhere in the world, fingerprint-based identification somewhere, like. Those are things that either are or are not culturally meaningful. I would say Western Europe has some kind of cultural connection in taking, giving and recognising fingerprints, and it’s deeply, I would say, related to criminalistics and then crime. And therefore, this kind of feeling when somebody asks for your fingerprint somewhere, well, wasn’t very, very pleasant, I would say. Touch ID and other similar kinds of things have now eased this feeling a bit. But if we’re talking on the national level, fingerprint collection, fingerprint-based recognition, then this feeling is still there, whilst it isn’t there with a face.
Although, if we talk technologically, then it doesn’t matter based on which kind of biometrics I recognise you. But the acceptability within the culture, like face versus fingerprint, was really, really different, and still is a bit different. And the same kind of rooting in criminology didn’t appear in many Asian countries, in some Middle East countries, where these fingerprint-based quick recognition tools in physical interactions were introduced. And there was no objection from the society. It was very, very acceptable.
So, all of those, kind of, bits that we are taking from different either literature, or some really historical reference that we take with us. Those too change the way we are able or not able to roll out any given technology for digital identity, absolutely.
Oscar: Yeah, that’s a very good example, the one of the fingerprints. I didn’t think about that. But yeah, it doesn’t surprise me that in different parts of the world, the perception is completely different. And it’s just the culture as you said.
Kalev: Yeah, facial recognition in Middle East countries, revealing your face in public for female citizens, well, it’s not very common. And something that again, we from Western Europe don’t recognise easily, but it is, it is a thing.
Oscar: Could you share now some successful examples, or, I mean, maybe not – it sounds like from this discussion there are not many, at least 100% successful examples. But some, to some extent, successful examples of how these cultural human aspects have been taken into account to deliver good solutions for digital identity.
Kalev: Well, being the CEO of SK ID Solutions, of course, I have to say that I believe that we have been able to deliver, for at least the Baltic States, Latvia, Lithuania, Estonia, solutions which are relevant for the culture where we are providing those services. And in that regard, we have also faced some clear opposition from the cultural perspective in some areas here. But yeah, that’s one of the things that maybe is possible here and isn’t possible in some other countries. So, our current service that is really used by more than half of the population in the Baltic countries is based on the fact that people know and use their national identity code as a unique identifier for themselves. And it is used in different environments now, but is kind of creating a unique identifier for any kind of system.
The same pretty much applies to the other countries. But then when we take that concept, the same concept that is successful in variations also in Finland, in Sweden, in Norway, those are all kind of based on the single one identity. And all of them, like BankID in Sweden, which is definitely a success story from the usability and the amount of users behind it, are based on this idea that there is this one unique identifier, and you can reuse that in different environments. And it’s really serving the culture there and here. So, I would say that this is the way it has been functionally well rolled out.
And we have to then say that the same ideology would not be allowed, possible, accepted, for example, in Germany. That kind of falls to pieces at the border of Germany. It simply isn’t welcomed there, by constitution. Because the constitution in Germany says that: well, you shouldn’t, you should never ever create a solution where a user is reusing its attributes in a manner that you can trace them from one, let’s say, government institution to another, from one company to another. You have to be messed up everywhere. Where you try to figure out if that same person came from one institution to another, you are bound by constitution to be puzzled by that.
Oscar: All right, well, interesting. Well, that’s defined by law in that case.
Kalev: Similarly, it is not allowed in Hungary, for example, to have a unique identifier for a person.
Oscar: And what were the objections or the reactions you had in, you mentioned earlier in the Baltics. So, what, what was not culturally accepted, let’s say there?
Kalev: One of the things was that really this identity code is semantically meaningful, and to use that as a user ID at some points definitely was kind of controversial and needed a longer, public debate. In Estonia, I think, 15 years plus, quite a long public debate about whether really the identity code as such can be publicly shared. And then it turned out that the reason actually – well, there’s definitely this semantic part that it really reveals your birthdate, which means that, well, somebody can understand how old you actually are.
But the more practical reason for objecting to that was that, and it turned out that, and it still is the case. For example, in the US a lot of that kind of identity breaches that we are discussing, and which are like big, big, big fuss around the world, those are based on the notion that this kind of user identity, for example, the social security number in the US, is not treated as a user ID, but rather as a password. And those are very different things.
So, one is the link, like this is who you are. And the other is proof that it is you, that the claim is actually correct that this is your user identity. So, when it turned out to be kind of public, then what use cases were hit? And what was discussed quite a lot was this type of phone-based service when you call in and the operator asks you to identify yourself by your unique identifier. Which is public, which is listed everywhere you have ever been, which is written into your identity documents. But still, as there was no better alternative, they opted for asking you for the identity code. And therefore, if that was now used publicly everywhere, well, everybody understood that it cannot be used anymore.
And somehow the discussion, thankfully, has gone in that direction, at least in this region, that it wasn’t the right thing to do from the beginning to ask for this identity code as a password. Because it has never been meant to be secret. The fact that not everybody in the world knows it doesn’t make it a secret.
Oscar: Yeah, yeah. So, what is nowadays, in Estonia, what is the kind of, so-called, username? Or is there such a username for this identity? Tell us a bit about how it works.
Kalev: Yeah, it is like an 11-number identity code. It really consists of, like, six numbers that represent your birthdate. Then the seventh one gives the century and the sex you are being given. Then there are four digits that you have to really randomly kind of remember. And it has been a long discussion whether those should be or could be changed. And now, in Finland, in Latvia as well, we have had this experiment of introducing another identity code instead of the semantically meaningful one. And this semantically meaningful identity code can be, like in Latvia, you can once in a life go and replace your meaningful, semantically meaningful identity code with this new identity code, which doesn’t mean anything anymore.
It’s only a couple of years old, this project there, so I cannot say how successful it is. But what is interesting with this 11-digit code that is really based on a birthdate is that most people are able to remember it, because the birthdate is something that you can remember. If a society like Estonia would be able to remember just 11 random digits correctly, I’m not sure. But with bigger populations, I’m even less sure, because they should have more digits to remember, maybe. Then it should be based on some kind of – and somehow already based in letters and names and so on.
So, in Estonia, it really is semantically meaningful 11 digits which you can easily remember, and people normally do remember their identity code. They are reusing that on a daily basis in different contexts. Therefore, it is something that is not also easy to forget, because the society requires you to remember it. That is also this identifier we are using to allow you to kind of state who you are in the electronic identity context, and the same applies to Latvia, Lithuania.
And then the other, maybe just to remember the other part of what was discussed in this context of electronic identity, then yeah, for the identification maybe the semantic information to recognise a person is maybe OK. And then – but is it OK for the signature? And then therefore, we have had a discussion of where in the signature this type of information should appear, or not appear at all.
So again, something that we are now discussing, not so much on this user identity but still on this, on the signature part. You should still uniquely identify who signed something. But do you need anything other than this identification of this unique person? Whether it makes any sense, and this discussion, the cultural discussion, is not happening in all countries in a similar manner. Some countries are more kind of prone to say that it shouldn’t be there. Others say that it is actually, well, impossible to do without. It’s very, very different already in those three countries. I don’t know if I answered your question, actually.
Oscar: Yeah, indeed, you have definitely illustrated pretty well how it works in Estonia and also in the Baltics. And that gives us a clearer idea that the – yeah, the problem that you are bringing here is, of course, big and it continues. As you say, there are some experiments in Latvia, Finland, and there are discussions in Estonia. So, this continues, even though there are good solutions, but this continues, this discussion continues.
So, if we focus now on, let’s say, you and I. We are working in companies who are building digital identity products. There are also, for instance, governmental institutions, who are also building digital solutions or services that rely very heavily on these digital identity solutions. So, from – what is the role of technology developers and designers in addressing these issues, these cultural aspects of digital identity?
Kalev: I think the biggest responsibility we carry is to be mindful about this phenomenon of cultural differences. And not to sell this kind of digital utopia that whenever we go to technical solutions, your culture doesn’t matter, your infrastructure readiness doesn’t matter. It’s just “Buy my tech and you will be happy.” Promises should be avoided everywhere where it’s possible, even if there is a customer who’s willing to buy that promise. That’s really, I would say, the threat in the world that I see.
And maybe the other thing that is culturally important and must be addressed, I would say, in those, kind of, sales processes and discussions about future tech, is focus on really the cultural position of government, of the public sector, how capitalism and making money is perceived in society. All of those things have different perceptions and therefore, your solution must suit the ideology that this culture is accepting. Either the government is the trusted and well-meaning party in the society, where everybody is welcoming stuff that comes from the government because it’s always for the benefit of the greater good. Or the government is perceived as somebody who is sneaky, who is always spying on you, who you suspect of making you guilty over the things that you maybe did or maybe didn’t. So, basically, being paranoid about the government.
Similarly, you have to be mindful about whether the private sector is perceived as innovative, as providing service for the value they are actually getting from the market. Or if they are actually stealing behind the backs of the people who are paying them, overcharging everybody, being greedy. Or if they are really making the economy work and making it possible to kind of collect the taxes in the country at all.
So, like, these perceptions are also reasonable to know and to remember when we are offering – what type of setup should a country, should a society, should this bunch of human beings who are requiring the digital identity have? What should they ask for, what should they build for, what is the way to fund it, how to make that environment sustainable? Me, being a capitalist believer, I’m always kind of telling that when we are building digital identities, we have to see if there is a way somebody can earn something from the fact that digital identity is successful. That it is used, that it is spreading, that it’s actually making sense to people.
And if such a motivation, for example, is in the society, then there is a possibility that somebody will go after this benefit and therefore make the digital identity successful. If the, like, monetary value is taken away from the system, and kind of everything is free of charge, paid by this anonymous taxpayer or government. Then it might be that we have an environment where, if the government is trusted, the government’s promotional speeches about “take it, use it, it’s for the better good” could be trusted and could be a good vehicle for rolling out a digital identity.
But it again very much depends on, like, did we provide the same model that this culture accepts? Or did we take a model from some other culture and try to sell it to a totally foreign environment for that proposal? So, I think that what we, the technology providers, have to do is we have to really build for those cultures that we are selling into and building into.
Oscar: Yes, yes, yes, we definitely need to understand very well the cultures where we are selling or helping with these technologies. As you said, in some countries the government is highly trusted, in others it isn’t. Then it can be that the banks are highly trusted in some countries, and in other countries, not at all. And then the same can happen with telcos, as you said, also the private sector, some technology vendors from the private sector. So yeah, that’s very important. And the first thing you said is about, yeah, being mindful about what you promise. That’s definitely a good reminder.
Kalev: Yeah. I think that this kind of naivety about technology being all good for every different situation still lives on. Similarly, of course, there exists this naivety that technology, whatever it is used for, is evil. So, I think that both exist, but you should never fall into one or the other. It is never so simple.
Oscar: Yeah, definitely. All right. I will ask a final question. So, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Kalev: Yeah, I think that the message, I hope, has been quite clear: that when building and when asking for a technical solution, and especially as we are talking now about digital identity. If asking for digital identity, ask: What is the fundamental belief of the environment where you are building it? Don’t try to change culture through technology. It goes the other way around: culture defines technology.
Oscar: Yeah, you said it very clearly: don’t try to – don’t try to change culture with technology. Yeah, absolutely. Very simply and well said.
While hearing you, your explanations, it came to my mind that for business, when businesspeople are travelling to other countries, there are some books that, for every or for most countries, say “what is the business etiquette” of every country. So, you should read that before travelling to that country. So, there should be a similar book but for digital identity, right? We should have, for every country, “what is the culture in every country in terms of digital identity and identity?” So, we know before doing business. So that’s something that came to my mind when I was hearing you.
Kalev: It would be nice if those books existed.
Oscar: Yeah, maybe, maybe I think you could be one of the co-authors, at least, you know a lot about this. Thank you very much, Kalev, for this very insightful conversation. So please let us know if people would like to follow this conversation with you, what are the best ways for that?
Kalev: Yeah, you can definitely find me through LinkedIn or write to me. Our contacts on the skidsolutions.eu site are quite publicly available as well. So, I’m a very public person in a sense, nothing is hidden.
Oscar: OK, excellent. Again, thank you very much, Kalev, for joining us and all the best.
Kalev: Yeah, all the best to the listeners as well.
Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.