As social beings, people interact with their environment, whether as citizens of a state, as employees of a company or as contractual partners (customers, insured persons) with a company in the private sector. Even if a large number of such transactions can take place anonymously (coffee to go on the way to the office in the morning does not require identification), proof of identity or the reliable assurance of a particular characteristic ("of legal age," "fully vaccinated") is often indispensable.
From a functional and technical point of view, a distinction must be made between different steps. Identification, i.e., the one-time onboarding of a real identity into an identity ecosystem, is usually performed only once per ecosystem, but can be very time-consuming and expensive. The reward for this procedure is simplified authentication, i.e., more or less portable, rapid proof of this identification in the form of an ID card or access to a technical system. Depending on the character of the identity ecosystem (state, bank, insurance company), the stored attributes of an identity are also updated subsequently in order to reflect ongoing developments.
Between KYC and least disclosure
In many cases, a more comprehensive knowledge of the identity and its characteristics will be necessary (for example, when signing) a credit agreement. But in many cases, reliable proof of only a few, specific characteristics is quite sufficient. Permission to dance in a club after a certain time depends on a defined age (name and exact date of birth are irrelevant here). The same applies to the purchase of cigarettes or alcohol.
But even critical characteristics that are not necessarily everyone's business must be verifiable to third parties in individual cases without disclosing an excess of detailed information. Discounted admission to a museum as a pupil or student does not require disclosure of the respective university or course of study. It must be possible to prove an unspecified disability in order to acquire cheaper tickets for public transport without disclosing medical details.
Regaining trust in assured identities is essential
No matter whether it is about secure identification or the proof of individual properties. The reality for all of us is that comprehensive and universally applicable policies and mechanisms do not exist for this very purpose; trust in digital identities has been profoundly destroyed in a time when identity fraud and weak authentication are our daily reality.
Trust in digital identities is difficult to achieve outside of individual silos and islands. In addition to nation states as issuers of digital identity credentials in the form of an electronic ID card or passport, the financial industry in particular, i.e. banks and insurance companies, has already made a strong showing in this regard. The reasons for this commitment on the part of the financial sector are obvious: money is at stake here, and trustworthy identities are the basis for any interaction between customers and institutions. The same applies to other industries, such as telecommunications providers.
Federating beyond the silo has proven difficult
Beyond the use in just one specific industry, trustworthy issuers of identity proofs (verifiable credentials) have recently been found, which can then provide identities and their properties for many business processes. However, again depending on the region or country, take-up (and thus usability) often does not reach a critical mass.
Two dimensions are essential: In addition to the highest possible trust in the identities and their properties, it is about their scope and usability. This is an unsolved problem to date, because while the trustworthiness of the identities is a central challenge for the individual identity ecosystems which is also solved in the respective silo, their focus is naturally on their own customers/citizens in the first approximation. Interoperability is not a core business. This massively limits identity reach as the second relevant dimension.
Putting the pieces together at a global scale
Concepts, standards and technologies would be available here and now, tried and tested, and we use them every day in online shopping or in our professional environment, but they are always reduced to individual walled gardens.
This is where the Global Assured Identities Network (GAIN) comes in, first publicly announced at EIC 2021 in Munich. More than 150 globally recognized experts in the identity environment have brought together their expertise from a wide variety of fields to elevate trust and reach in identities to a global level. Starting from (but not limited to) the financial industry, which has proven to be able to confidently provide identities for your business models, concepts are defined and tested here to enable interoperability for identities from all participating institutions.
End users obtain identities from an institution (bank, government, telco) that certifies them. By federating these, GAIN provides a reusable, trusted identity that they can use against a variety of relying parties/service providers, i.e., government agencies, but also institutions and commercial entities in a self-determined and controlled manner. In line with the concept of verifiable credentials, only those attributes are used that are required for the purpose of a transaction, i.e., proof of age or simple proof of identity without disclosing other attributes.
The complexity of this network, which is global by definition, is hidden by the fact that GAIN, as a network, knows the respective identity providers for the end users and mediates communication with them. Different architectures are spanned, the varying assurance level of different identities and providers is taken into account, and global interoperability is enabled. A variety of positive outcomes could be achieved, including basic increase of trust in identities, simplified on-boarding of customers and clients for arbitrary services, provision of under-banked communities with resilient identities, e.g. based on telecommunication identities (which have already taken over this role in many regions, but without further interoperability), reduction of fraud, but especially also the increase of a person‘s individual sovereignty in handling his/her identity data in the respective transaction (minimal disclosure).
Call to action: Proving viability and achieving a critical mass
The concept is promising, but until a "Login with GAIN" via the identity at my own bank or with my ID card for fast and trustworthy onboarding is available in addition to the "Login with Google/Apple/Facebook" button, a lot still has to happen.
Proof of value and a high level reach are the next steps. Rapid and widespread adoption by the financial industry worldwide, but also beyond, for example by eIDas solution providers or telecom companies, is imperative and essential.
The presentation of the network on the occasion of the EIC therefore also focused on the call for participation in this network, starting with a proof of concept soon. Interested parties are invited to take a look at the compact white paper as a first reading and introduction. The implementation has already started, interested Identity Information Providers are called to register and to interoperate promptly. Technical, organizational and legal framework conditions are roughly outlined, but in particular also possible business models and benefit aspects are documented. GAIN offers a highly exciting perspective for a global network of assured and trusted identities. The task now is to quickly implement a critical mass in order to prove the real benefits at scale.