Event Recording

How can Decentralized Identities reshape the Future of eCommerce?



Dr. Michele Nati, Head of Telco and Infrastructure Development, IOTA Foundation

We met already yesterday, and today I'm going to give a bit more insight on one of the projects we are working on, a publicly funded project under the Horizon framework, like I explained yesterday. It's very important for an ecosystem to develop around decentralized digital identities, to explore new opportunities and prove the value of this new way of managing identities, and ENSURESEC is providing us one of these frameworks, in collaboration with other partners in the eCommerce domain. So I'm going to share very briefly, and I'm happy to have some discussion around it, how decentralized identity can help to shape the future of eCommerce. My name is Michele, as has been said already, and I am the Head of Telco and Infrastructure Development for the IOTA Foundation, an organization actually registered in Germany, in Berlin. So it would have been nice to come around and meet my colleagues and also meet you at the conference.
What is ENSURESEC? First of all, ENSURESEC is a large European project. It's composed of 22 partners, a mixture of academic organizations but, this being an innovation action, mainly technology providers like the IOTA Foundation and, let's say, adoption stakeholders, those that come with the problem they want to solve with the use of the technology. And we look to bring this technology to the market. Among those we can see a bank, well known if you're from Spain but also quite well known elsewhere in Europe. Then we have some, let's say, logistics providers like mill speed, and we have other research organizations. But what is the project in particular looking at? The project is mainly focusing on eCommerce, because eCommerce is one of the pillars of the EU Digital Single Market. And eCommerce especially relies on a critical infrastructure that manages data, goods, personal data and payment networks.
And of course this eCommerce infrastructure can be the target of cyber-physical threats, and an attack can have a cascading effect on all the systems that are connected. We also experienced with the pandemic that we all rely on eCommerce. So eCommerce is becoming one of the, let's say, pillars of our economy and of our daily life, and we need to make it secure. The approach that ENSURESEC is providing is a three-way approach: it starts from preventing, then eventually mitigating, and of course recovering in case of risk. It does this with technology, but it also does this by educating people, especially small and medium enterprises, on how best to protect data and protect their systems in order to avoid the occurrence of cyber-physical threats. This is a bit more detailed view of how we see our toolkit developing.
We think there is a need, first of all, to embed privacy by design in all the systems that contribute to the eCommerce infrastructure. And of course there are a number of tools that can leverage AI, as well as machine learning, in order to prevent potential threats and, at the same time, try to put in place strategies to avoid these threats. Then of course we are looking at deploying monitoring systems, and this is where decentralized identity will actually play a role. And we also have recovery systems and recovery strategies, where we again have to check the status of what's going on, what kind of cyber-physical threat is affecting the eCommerce infrastructure, and try to provide a response to it. And of course a set of lessons learned that we can use to educate people and companies going forward.
We also have, as a project, a number of reference scenarios. For instance, we have a scenario in which we envision, first of all, threats to the payment network, and especially phishing campaigns that aim to steal data from customers, from end users who want to purchase on eCommerce. We also have cyber-physical attacks on the eCommerce infrastructure itself, the delivery infrastructure. In particular we are looking at the pharmacy supply chain, and at the ability of an attacker to gain control of the distribution of medicine across the supply chain, intercept it, replace it with fakes and eventually distribute these to other markets. And of course we also have the risk that personal data stored in the systems of a small or medium enterprise that is part of a, let's say, larger eCommerce marketplace can be stolen. These are the reference scenarios. We came up with a set of tools that you can see here; I'm not going into details.
But what we have to guarantee is that these tools can share trusted information, allow this monitoring, and eventually also dispatch notifications in a way that is not hackable, that cannot be replaced. For that, inside the project, we started to look at the role of DLTs, this technology as an immutable audit trail. But when we started to look into that, we also started to realize that guaranteeing the immutability of data is not enough if you can't guarantee the integrity and authenticity of the source that is generating the data. So we started to think: do we need to pair these kinds of tools with trusted identities? No longer just of consumers, as we have probably seen in previous talks, but also of the organizations that are part of the eCommerce domain. Like I said before, an attacker then doesn't have a trusted identity, so cannot easily perform an attack on the distribution chain.
And of course objects, things, sensors that are part of this, let's say, critical infrastructure. For that, we started to think about the role of decentralized identity, and what decentralized identity, combined with other capabilities of ledger technology, can bring to this ecosystem. First of all, before going into the details of what we are building, the use cases and how we are solving them, I just want to give a very quick highlight of IOTA and IOTA's features. IOTA is a distributed ledger technology. We don't call it a blockchain, for the reason that we don't share the same data structure that a blockchain has, a chain of blocks, but we still share the same features: auditability, security of data and, of course, when you talk about payments, no possibility to double-spend crypto tokens. But we have better features in terms of scalability and energy efficiency.
At our core we are a green, sustainable technology that doesn't rely heavily on proof of work, so you don't need to think about your energy bill if you want to run a node. And of course we are fully decentralized. As I said before, the difference is mainly in the data structure that IOTA uses, which is called graph, which has the effect that the structure is much more distributed. So validation of transactions can happen in parallel in the network. Transactions don't need to come into this funnel to be ordered, delivered to miners, and then the first one that is created goes into a valid block. With this, you can also remove the concept of fees for using the network, which is very important, going back to the concept of decentralized identity, because if you think of a network that has to sustain decentralized identities for things, persons and organizations, we expect a large volume of identities and credentials.
And we can't expect that every time we try to link a decentralized identity to some crypto material in the chain, we need to pay for doing that. Like I said before, IOTA is very good for this: it shares all the properties and features of distributed ledger technology and blockchain, and provides something more useful for this industry, which is a layered and basically modular architecture. We have of course at the core our ledger infrastructure, then we have a set of tools, among them the decentralized identity protocol that runs as a second-layer protocol, and of course other protocols that are relevant in this scenario of sharing data and guaranteeing control over the data that has been shared. So this is a bit of an overview of two of the protocols that, as a recap, I want to use to make you familiar with the technology. One of these protocols is called Streams.
Streams basically allows you to create channels on top of the ledger infrastructure, which allow you to store data in the ledger without the need for additional information that maintains the indexing of this information in the ledger. So Streams is very good for collecting, sharing and giving immutability to time-series data, in particular sensor data, from which, like we said, the infrastructure for eCommerce can benefit. And of course it gives access control over who can get access to this data, because the data is encrypted and shared in private channels where only the source of the data can control the access. And then we have the decentralized identity protocol, which works in the standard way. You have three actors. You have the issuer of identities and credentials. You have the holder, who can create a self-sovereign identity, in terms of a public key stored in the ledger and a private key held secretly by the holder. And you have the verifiers, who of course don't need any integration point with third-party systems; they only talk to the ledger.
We provide standardized APIs, and verifying entities only verify credentials issued by recognized issuers. So credential verification only requires the holder to hand over the verifiable credential to the verifier, and the verifier to check that it contains an identifier of the holder that is stored in the chain, in our ledger in this case, in a certain way, so that the holder is the owner. The second check is that the signature of this credential belongs to a verified issuer. All of this is built into a protocol that we call Identity, which is based on the W3C standards for DIDs and verifiable credentials, and that of course provides strong interoperability. We have, of course, ASED that allows embedding this into the source of the identity itself, whether it's ALA or whether it's a sensor. And we are already using it in some applications that I described yesterday; I'm not going further into detail now.
So, going back to eCommerce. The first challenge was to guarantee secure, immutable sharing of data across the eCommerce infrastructure and tools. This can be data from different tools, sensors, or information they want to exchange between them, in a way that is not tamperable. What we faced was the issue: how do we recognize that a tool is a legitimate tool, is part of an organization, and is not injecting fake information? For that, we had to start to think about our tools and combine them together, and we came to the use of decentralized identity for eCommerce, to guarantee the source of information in eCommerce. So we started to combine the tool that I explained before, Streams, to create, store and share data on the ledger, with identities, identities that now belong to organizations, which can transfer them to their devices.
And to show that when I read information, I can always go through the same process we saw before to verify that the device or the tool that is generating it has a credential that allows me to verify that the tool belongs to a given organization. So, to increase the security of the eCommerce audit trail, we started to combine logs stored in the ledger with decentralized identities. And of course we also started to see that decentralized identity can play a role of its own in the eCommerce ecosystem. So we also started to extract a separate tool, the decentralized identity tool itself, and see how it can fit with the use cases that I showed before. But before going into that, I assume everybody is already very familiar with the concept of decentralized identities.
Anyway, what we have implemented here is also a network of trust. Of course we always have to start from a root of trust. We have to start from some trusted issuer that needs to have a role in the ecosystem. In our case, once we identify this root of trust, we design a tool that makes it much easier, and very modular, to propagate this root of trust through certificates that go down to the different authorized issuers in our model, where we propagate the network of trust: first of all to the first eCommerce ecosystem players, who can then cascade it to their, let's say, suppliers, and so on and so forth. This creates decentralized identities for organizations. We created a little model for managing this.
Inside of that we have, of course, the ability for each company to basically replicate this network of trust to its employees, to start to issue credentials for its employees that allow access. For instance, with the audit trail, we need to guarantee the immutability of the information from trusted sources, but we also have to guarantee access to the information by trusted readers, trusted parties that want to go and access it. So this is basically managed by cascading decentralized digital identity, in terms of credentials, to employees and to the devices used by the employees. Think, for instance, about sensing devices in a warehouse, where we want to be sure that goods are maintained in the right way. Or, for instance, the decentralized identity that goes into a device can help to identify that the scanning of a product, when it is sent over to the final customer buying it, is actually performed by an authorized device.
So the goods are basically not being replaced and dispatched by another company's fake device, or with fake goods or medicine, instead of by the original company appointed for doing that. All of this is done by cascading this network of trust into credentials that go into devices; no matter what kind of device we need, we are able to do so. All this to say that a central place where this information can be shared and announced, with access using decentralized identities that allows verifying credentials for accessing and writing, and that allows tracking the source of this information, doesn't exist in eCommerce. All of this relies mainly on centralized platforms. And given that the eCommerce ecosystem can also change and expand over time and involves a lot of actors, it is always very difficult to set up such a platform.
So for a global platform, the distributed ledger is actually the best way of doing so, and likewise decentralized identity, because establishing all these identities in a centralized identity system would create a honeypot of information. To solve one problem, the exchange of information and finding its source, we would create a new problem, because we would create a new target for an attacker to go and disrupt the system, whether it's with a denial-of-service attack, if it's a central identity management system for the whole eCommerce infrastructure, or whether it's just about stealing data. So it would create a new threat. So using decentralized identity seems to be the right, the best way of solving this kind of issue. That was starting from the protocol; now how we apply the protocol, and where we apply the protocols.
Basically we tried to listen to the market as well, and we came up with this reference architecture and deployed our tools. So it's no longer left to everybody to integrate the open source tools, decentralized identity in this case, and try to share data on the ledger; we provide some kind of bridge interface. Because we understood from the industry, especially this industry, that the decentralized trust brought by distributed ledgers and decentralized identity is good, but a single point of access for each company across its network of trust, its, let's say, set of tools, is welcome to simplify the integration. So we provide two tools that basically offer a central point of integration for the functionality and for accessing the SSI information. The bridge basically allows a company to create identities for its devices, to issue credentials to third parties, and so on and so forth. We have experienced that this is the best way to facilitate integration in the industry and accelerate adoption of this technology.
One example of how we are doing this, in one of the use cases where we are actually experimenting in real life with the use of the SSI Bridge, is age verification. In this case we started working with banks, and a bank is one of the partners. The main cases here are, on one side, how we can prevent fraud, like we said, where people buy unauthorized items, and secondly, how we also remove the burden from small and medium enterprises, small and medium sellers that rely on bank payment systems and can also be a source of attack, as explained before, with malware and so on and so forth, of dealing with the amount of personal information that they have to store and maintain in their systems. They have to guarantee the right security.
They have to guarantee the right compliance, GDPR compliance. So how can we remove this burden from small and medium enterprises? So we are now expanding the scope of the self-sovereign identity and decentralized identity that we bring into eCommerce with ENSURESEC, by starting to look at the role that these credentials and identities can play for customers. We start from the fact that banks of course have to verify their customers. They know about their customers. They have to open an account for them, and they for sure need to create a profile. In doing that, they need to run a know-your-customer (KYC) process. So at the end of the day they are the best suited for saying what the age of one of their customers is. So we started to build a solution, an application that basically allows customers, after they have been onboarded by a bank, to create their decentralized identity with their wallet.
This is, like I said before, a public key that is unique and stored in the ledger, and the private key is held by the app. And they start to collect credentials. In this case, we show that we can collect a credential issued by a bank, a trusted bank that already has its decentralized identity stored in the ledger, using the SSI Bridge that I presented before, which gives a credential that states my age in this case. With that, the customer can now go to a website where they buy something that has some kind of age limitation for buying it. Or it can also be something where maybe it is not the role of the bank but the role of another issuer. For instance, in the case of a medicine or a drug specific to a given disease, a long-term disease or something like that, you need to know a bit more about the customer.
So maybe this can be a doctor doing the same, or maybe it's only age verification. All these sorts of things now don't need to be known by the seller anymore, don't need to be known, stored and replicated across systems. You can bring this with a credential. So if you think about age verification, we now don't need to build a profile that contains all our information on the seller's website; we just present this credential, which the seller can verify, and the seller can immediately issue, or not, the requested good or medicine, depending on whether the requirements are met. At the same time, we explored the other end of using credentials, because we identified that there is also a lot of fraud going on in eCommerce, especially on the logistics side, where customers are being impersonated when ordering. It's not that difficult, especially in another country.
Now also imagine they start to ask for some data when they deliver some specific goods, and you need to give out data, information and things like this. If you don't want to do this, but you want to be sure that the goods are correctly handed to the right person, the seller can now issue a credential that is basically a receipt, but contains information about who is actually the recipient of the parcel to be received. And this person can easily, with the same app, provide a secure code that the logistics company, the courier, can scan to be sure that there is a match and that there is a verifiable credential. So the seller can be identified when you hand it over. This is something that we already started to implement to solve this issue in eCommerce, using decentralized identity as a standalone tool.
And this is just an example. Unfortunately I was short on time and couldn't prepare the live demo, but basically we have created a mock-up of a website. Everybody can use this: you can just implement the front end and connect to the tools that we provide, so you don't need to create anything from scratch in terms of interaction with the distributed ledger, verifiable credentials and the identity protocol. You can basically select a good, in this case it's Red Bull, which requires age verification, and at checkout you will have the possibility to upload your credential. Once the credential is uploaded, again you use the Bridge, and with the Bridge you get the information that you need from the ledger to verify whether this is a valid credential or not, and that it actually contains the information that I am above the age or not, as issued by the bank.
In future we are also extending this to include zero-knowledge proofs. That is actually a product we are now putting on top of our framework. So we don't even need to give the credential that contains the information; we only do an exchange of information that attempts to verify that the age is above 18, but without disclosing the actual age. One last example of where we are using this all together, sharing information and using verifiable credentials, is in preventing fraud that can happen through phishing and malware. Through phishing and malware, customers can receive information by mail that points them to some malicious link that requires them to install software that compromises their tools and also compromises the integrity of their passwords or their information. We now start, like I said before, to also identify eCommerce platforms with decentralized identity, and also to create an immutable audit trail of the information that an eCommerce platform wants to share with its customers.
So now when you receive an email, you can always verify, directly, the identity of the issuer. There is no need to integrate with different centralized identity systems that give you the identity of one eCommerce platform, a seller or another one; you have a decentralized way of identifying them. So you can automatically and very easily, in your browser, we are developing plugins for doing that, verify the authenticity of where this information is coming from. And you can also go and verify that this information has not been tampered with by some man-in-the-middle attack. You can always get a copy of the link that you are asked to click on and verify it again, with a plugin that we are developing, directly from the ledger. So the ledger says that the eCommerce platform wants to communicate X, Y, Z, wants to tell its customer to click on this link. So we can get a proof that this information is genuine and has not been faked. On the other end, we are also exploring, instead of using a password or a second authentication factor, something that I need to prove that I have, logging in using verifiable credentials. So these are all things that we're exploring in the project in collaboration with the bank. That's pretty much it.
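
The two verifier checks described in the talk (the holder's identifier is stored on the ledger, and the credential's signature belongs to a recognized issuer), applied to the age-verification case, as an added sketch that is not part of the talk and not IOTA Identity code. The in-memory `ledger`, the `did:example:*` identifiers, the `ageOver18` claim and all function names are hypothetical.

```javascript
// Added illustration, NOT the IOTA Identity API. A Map stands in for the
// ledger that anchors each DID's public key; all data below is constructed.
const nodeCrypto = require('node:crypto');

const ledger = new Map();          // DID -> public key anchored "on ledger"
const trustedIssuers = new Set();  // issuers reachable from the root of trust

function registerDid(did) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  ledger.set(did, publicKey);
  return privateKey;               // stays with the owner of the DID
}

// Deterministic serialization so issuer and verifier hash the same bytes.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    const fields = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`);
    return `{${fields.join(',')}}`;
  }
  return JSON.stringify(value);
}

function issueCredential(issuerDid, issuerKey, holderDid, claims) {
  const body = { issuer: issuerDid, subject: holderDid, claims };
  const sig = nodeCrypto.sign(null, Buffer.from(canonical(body)), issuerKey);
  return { ...body, proof: sig.toString('base64') };
}

// Seller-side verification. Proof that the presenter controls the holder's
// private key (a signed presentation) is out of scope for this sketch.
function verifyAgeCredential(credential) {
  const { proof, ...body } = credential;
  if (typeof proof !== 'string') return { ok: false, reason: 'missing proof' };
  // Check 1: the holder's identifier is anchored on the ledger.
  if (!ledger.has(body.subject)) return { ok: false, reason: 'unknown holder' };
  // Check 2a: the issuer is one the verifier recognizes.
  if (!trustedIssuers.has(body.issuer)) {
    return { ok: false, reason: 'untrusted issuer' };
  }
  // Check 2b: the signature verifies under the issuer key from the ledger.
  const issuerKey = ledger.get(body.issuer);
  if (!issuerKey) return { ok: false, reason: 'issuer not on ledger' };
  const valid = nodeCrypto.verify(null, Buffer.from(canonical(body)),
    issuerKey, Buffer.from(proof, 'base64'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  // Policy: only the attested claim is read, no customer profile is stored.
  if (!body.claims || body.claims.ageOver18 !== true) {
    return { ok: false, reason: 'age requirement not met' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed scenario: a trusted bank, a customer, and an unrecognized issuer.
const bankKey = registerDid('did:example:bank');
trustedIssuers.add('did:example:bank');
registerDid('did:example:alice');
const rogueKey = registerDid('did:example:rogue-shop');

const good = issueCredential('did:example:bank', bankKey,
  'did:example:alice', { ageOver18: true });
const underAge = issueCredential('did:example:bank', bankKey,
  'did:example:alice', { ageOver18: false });
const tampered = { ...underAge, claims: { ageOver18: true } };
const selfIssued = issueCredential('did:example:rogue-shop', rogueKey,
  'did:example:alice', { ageOver18: true });
```
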
