Event Recording

Goodbye Dogmatism / Hellō Pragmatism

Disciples of decentralized identity have preached for years that DIDs are the only true path to giving users control over their identity, AKA self sovereign identity. The lack of widespread adoption is evidence that a more pragmatic approach is needed.

Well, it's almost midnight here. I'm usually wearing my pajamas by this time. So today I want to start off talking about why the best technology isn't always the winner, what's the state of identity today, identity dogmatism and identity pragmatism. And hopefully I'll have some time for questions at the end. A little bit about myself. For those of you who don't know me, I'm Canadian, and for the Americans in the audience, this is where Canada is. I founded a company, ActiveState, and Sxip Identity. I served a tour of duty at Microsoft, AWS and Alexa. My undergrad was in mechanical engineering, which makes me very pragmatic. And I look a lot more on the engineering ways: how do we make something work? I'm much more of a builder than a science person, particularly around computers. A number of times in my career I've had to deal with dogma as I try to do something pragmatic.
One of the first times was in 1995, before I founded ActiveState and had ActivePerl. I got Microsoft to pay me to port Perl 5 over to Windows NT. And this was a very pragmatic thing for me. I'd been building and running things on Windows since Windows 1, and I wanted to build websites and everybody was using Perl and I wanted to use Perl, but the Perl community was a little upset about this. You know, the dogma at this time was that Microsoft was not somebody you could partner with around open source. In fact, they were the devil. The next time was 2007, at Sxip Identity. I helped found the OpenID Foundation and it was really OpenID versus SAML. And at this time the dogma was that you needed to use XML DSig for any kind of messages.
Next was in 2012. When I was at Microsoft, I worked on what became and then the dogma was that you had to have signed requests. You couldn't have bearer tokens, and they didn't want to enforce anyone having to go and use HTTPS. So, some terminology that I'm going to use here. Everyone here is familiar with relying parties, RPs. I like to use the term developer, 'cause when I'm thinking of it as markets, rather than as protocols, developer is a market; RPs isn't really a market. And they're the ones that are building the mobile or web app. Identity providers, IdPs, you know, they're providers. We would all agree what a user is. And so there's developers, AKA RPs; providers, AKA IdPs; and users, and they're all part of a three-sided market. All three of these entities need to be involved for us to be able to move around any personal identity.
I'm sure most of you know, self-sovereign identity is SSI, where the user has control; decentralized identifiers, DIDs. And what's the problem that I'm talking about today? Well, it's personal digital identity. It isn't enterprise identity. So what is digital identity? Well, I gave a talk on this when I was at Sxip back in 2005; you can find it on YouTube. And I gave a derivative of that talk at the first EIC back in 2007. And there I talked about digital identity being all the digital information about you. But today I'm going to talk about reusable digital identity, heavy emphasis on the reusable. Something that you have that you can use over and over again to prove who you are. Similar to, in the physical world, what we use passports and what we use driver's licenses for. So let's talk about why the best technology isn't always the winner.
What makes emerging technologies click? Well, I found a great article and a video from Morton around why the best technology isn't always a winner, but to boil it down, it's really around ecosystems. What's the ecosystem of the incumbent technology and what ecosystem does the emerging technology require? And one of the examples that people can relate to is the combustion engine and that ecosystem of fossil fuels. And when the first EV came out, it failed. And part of why you can see it failed is you needed to cart around this charger to charge up your car because there was no EV ecosystem. And so the industry took an intermediate step of hybrids because the hybrid car could work with the ICE ecosystem. Toyota had the Prius and they were able to go in and advance their EV technology. So let's look at some past identity attempts. Microsoft had Passport. The internet thoroughly rejected that because Microsoft was at the center. They came out with something that was more decentralized and user-controlled with CardSpace, and of all the issues with why it failed, one of the big ones was the cold start there: all these players did not have the technology.
Mozilla took a run at this with Persona. One of the key reasons that didn't take off as well was the cold start of trying to get the ecosystem going. With OpenID, specifically OpenID 2.0, it had this kind of experience where you would enter in your URL, click log in, and that URL could be your blog. It could be any URL you controlled and you could be your own OpenID provider. But a key aspect of it was that you could use existing accounts, 'cause Google, Microsoft, and Yahoo all added support for OpenID. And you could use all of them to log into a site that supported OpenID. And so this had a warm start for both users and providers. It wasn't a full cold start.
And from the developer's perspective, it was reasonably successful. There were 42,000 out of the top million at the peak of OpenID, but it failed because it just couldn't cross the chasm. All the innovators and early adopters knew what to do when they came across this: enter in their URL, their blog or something like that. But most people didn't understand what they had to do. But despite that, OpenID was actually quite successful in comparison. When you look at how Google has done, peak Google was a few years ago and it was only 27 thousand of the top million sites. So let's look at identity today.
We've got FIDO and WebAuthn, reusable phishing-resistant second factors. OpenID Connect has become the dominant federation protocol for consumer technology. You've got government eIDs that have been deployed and are widely used in their jurisdictions, and CIAM, customer identity and access management, has become very popular for developers to use, with a wide array of vendors. And this segment of the market really came into its own when people saw that Okta paid 6.5 billion for Auth0. Identity verification is a booming market that has been accelerated by the pandemic. You know, a big indication of that is the financing: Veriff raised 69 million, ID.me a hundred million, Jumio 150 million, and Trulioo 394 million. But all of these things, they're successful because they're building on the existing ecosystem. They're taking existing government ID, selfie photos, the technology that's around, to turn that into digital ID for their customers.
What are the common identifiers today? Email and phone. Most frequent identity verification on the internet today: email and phone. And of course we have social login, you know, Google, Facebook, and now coming up Apple are what you commonly see. And they all have hundreds of security engineers looking at hundreds of signals and providing unrivaled account protection, and it's reusable identity. So authentication is obviously reusable. They all have name. A couple of them have a profile photo and a couple of them have verified email. But if you look at the stats, while Facebook and Google have 10% penetration at the top 10,000 sites, when you drop down to the top 1 million sites, it's only in the mid single digits of penetration, and you know, Google and Facebook are in decline. They peaked a few years ago. And social login is a threat. They own the identity and they can take it away from the user and take it away from the developer.
And now that they're moving identity into their wallets, which previously were used for payments, I think we should all be somewhat concerned as to who they let into the wallet and who they don't let in, which leads us to why DIDs are so great. They're decentralized. There's no central authority. They have user control and they can be used to identify anything. But there is dogma. And it reminds me often of crypto dogma. There was a recent article in the Financial Times, "Inside the cult of crypto": predicting the collapse of the bank and attacking anybody who doesn't believe with them, and distrust of anybody that isn't in their own circle, worshiping their leaders and, of course, sacrificing to change the world. So what's the DID dogma? Self-sovereign identity must use DIDs. Their definition of SSI is that it's very DID-centric. DIDs must use crypto. And now I must control the key, and only DIDs can empower users and change the world. Now in the EU, I can see why DIDs are popular. It's a great way to counteract American big tech, but there's a lot of DID adoption issues.
At this point, I start to feel like Shrek standing in front of the villagers, but the haters are going to hate. The biggest issue for DIDs is really that cold start once again. They're not building upon any existing infrastructure and identity that's out there. And the other big issue is, you know, there's a DID standard, but nobody could agree on what it was. There's 109 provisional DID methods, last time I checked. And what about the identity verification vendors? These guys have got a lot of money. They've raised money, they're out there dealing with customers, developers, today, providing effectively digital identity to those customers. What's their place in the ecosystem? When I was at Amazon, I really aligned on the customer obsession, being working backwards from the customer. So who is the DID customer? Well, when I look at it, it seems to me that the customers are users, and as users, they're just saying, like, I want a pony.
Here's the things that I want. I think of the market that developers are really the customer because developers decide what to offer their users, and developers aren't interested in changing the world of identity. They're interested in the jobs they're trying to do. They have things they're trying to accomplish and they just want a tool that's going to get it done. And that brings us to pragmatism. I was very excited, was it yesterday? Yep, it's yesterday now, about the announcement of GAIN, because they're building on the current ecosystem. An example of that was Netflix. Netflix had a new business model of subscription content, but they didn't start off in the streaming business. They started off with DVDs and USPS, the existing ecosystem. GAIN is out there to provide a shared identity for both users and RPs. And it's strong, it's heavy duty, but one of my concerns was, is it too strong? I think it actually is probably way too strong for most use cases.
And they seem to be focused on providers as their customers, which isn't surprising, you know, 'cause they're working with banks and other regulated organizations. And I see that that actually could become somewhat of a problem. Just how crypto is versus the banks and trying to take down the banks, I'm a little concerned about DIDs and whether the DID community is going to be attacking GAIN. So let me tell you a bit about Hellō. We like to think of it as Visa for digital identity. We're building on the current ecosystem, just like Netflix and GAIN are doing, but we like to think of developers as our customers, 'cause once again, developers decide what to offer their users. And we start with existing technology. Developers are already familiar with OpenID Connect. There's libraries in every language, all the CIAM vendors support it. Users have an account at one or more login providers that already have an existing federation API, and users are familiar with this redirect flow.
They click on a button and go somewhere else and then come back. 10 years ago, that wasn't the case. That was a big lift for us, for people to understand what happened when they clicked on the button. And we connect this with an identity interchange, the Hellō interchange, and this provides privacy for the user because from the provider's point of view, the user's always logging into Hellō. Hellō looks like an app to them. It is an app to them. And from the developer's point of view, Hellō always looks like a provider. The developer doesn't know who the user has chosen as their login provider, and the user has a broad choice in provider. They can choose any provider Hellō supports. And if they don't like their provider, they can change providers. And if they enroll backup providers, they can go and recover their account in case their preferred provider takes their account away from them.
So the user has a lot of control in Hellō. And for the people that insist on using email and phone, we'll support magic links. And if they're on a device that supports WebAuthn, you know, like an iPhone, then they can enroll Touch ID and Face ID. And we connect that with a human-friendly brand, Hellō. Rather than sign in or log in, the button would say Hellō. And we chose hello because that word was popularized in our first digital interactions. What did you say when you answered the phone? So just like GAIN, we have a warm start with users and providers, but people would be concerned there's a central service. Well, to deal with that, the interchange itself is a distributed identity interchange built from independent components that we believe gives users self-sovereign identity. Hellō contracts out to independent trustees that are in independent geopolitical jurisdictions, which makes them opaque to an intelligence agency in that jurisdiction, but allows law enforcement access to user data.
But it's a really high bar because they need subpoenas across multiple geopolitical jurisdictions. Hellō has no administrative control over users or developers. And there's full transparency on the source code, architecture, DevOps and trustees. Of course, the interchange is distributed. The business model is developers pay a small interchange fee for each verified claim, like a verified email or verified phone, not unlike what they paid Twilio if they want to verify an email or a phone today. In the future, we'll support integration with the verified identity vendors and hopefully the government eIDs. And we also hope to be able to integrate with GAIN.
Excuse me, you may have noticed that Hellō, the domain is dot coop. Hellō is not a corporation. It's a cooperative. We're not out to extract rents or increase shareholder value. We're all about increasing member value. We have both user and corporate members. And so what's the status of Hellō? We have three corporate members that are well-known that have joined, we're actively recruiting other corporate members, we have well-tested UX, and we're testing our DevEx MVP now with a goal of having running code in minutes and deployed code in hours. So if personal identity is core to your business, please come and say hello and let's change the world together. And I think I have a little bit of time left for questions.
