Event Recording

The 'Credentials-first Mobile-first' Identity Ecosystem


Log in and watch the full video!

This is a new development in the world and touches on mDL, Verifiable Credentials, decentralized identity, and personal data topics. A forward-looking presentation about what the world might look like, the foundational changes represented by this change, and some current and potential innovations that are now possible because of this.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Sure. Thank you. Hi everyone. My name is Andrew Hughes, and as you can see on the slide, I'm director of identity standards at ping identity just started there in late 2021. And it's a great place to work. If you are looking for a new and exciting role, we have many of them, sorry for the pitch I've been working in the ISO credentials space for must be almost 10 years now, eight, eight years dealing with government issued credential standards. That's, that's really where I focus on. And as we'll hear over the next 20 minutes or so I've, I've, I've come to a theory and a concept that is a different way of talking about digital identity. And I think it might be easier to engage conversations with people outside of these arenas with, with this new digital credential mobile first approach.
Well, that's something which is sorely needed, and we can talk about it as much as we'd like to in this room and this space where we hopefully are talking about the same thing. Oh, we never, but unfortunately that's still a hope even in this room. And so when we bring it out very intrigued then to hear what this new and different approach is to talking about it is. So with that, I'll hand it over to
You. Okay. Thank you. Okay. If all goes well in this presentation, I have 10 minutes of material for a 20 minute talk. I'm hopeful that you will ask me questions and challenge some of the statements I'm gonna make so that we can have an interactive discussion. And I would like to learn from you and get some reflection and feedback from you. So please interrupt me after a couple of slides and we'll see how it goes. Okay. So we're gonna walk through a little story today in the, in a few minutes. So, as I was mentioning just a few minutes ago, this presentation is really about a different way to frame the digital identity topic when discussing with people, because strangely enough, people don't understand like regular people, not us don't understand what we mean by digital identity or identity.
Sorry, what I'm proposing here is digital credentials on mobile devices will actually become the leading concept. We've seen it a little bit in verifiable credentials, how people are able to grasp the concept and discuss it. And I think it'll just keep on growing. I work on the standards for mobile driver's license in ISO. So of course, I'm gonna talk about that as an example. So, okay. For people just coming in, I'd like this to be an interactive session. So please raise your hands, ask questions. We'll get a mic to you and go from there. I need feedback from the crowd to see if these concepts are actually crazy or not crazy. Okay. So why do we bother with digital identity service providers want information? That's why just gonna take a slight detour here. I'm trying to actually get the word identity completely removed from a vocabulary in this industry because it misrepresent misrepresents for the most part.
What we're trying to do, we are trying to identify, we're trying to do identification processes for proofing and enrollment. That's usually what we're talking about. I really like this description of what identity is by Joe Andrew in his primary unfunctional identity identity is how you know me. It's not how I know me. It's how you know me. Right? Imagine you go to a website, you enroll. It's how the website knows you or the service provider knows you. Right? I can present. However, I want to be represented to that service fighter. I tell them what they need to know about me, how they should refer to me. And that's how they know me. I can do pair wise identifiers with every relying party to use the jargon. That's giving them the identifier to refer to me. Okay.
Back to the main topic. Okay. So service providers, rallying parties need information. Well, why do they need information? So I've observed, I think that service providers use information about entities, people and things for decision making and also as inputs into their business decisions. Right? In the context of this conference, the information about entities is usually the result of some identification process. Okay. Am I wrong? Not yet. So you're a service provider. Is identification enough information? Well, no, it isn't. You need to know more about the person to do, to customize, to personalize, to ship information, to build them, to personalize their experience. So they will come back and, and be happy during their enrollment and registration process. Service providers ask about qualifications, entitlements, and authorizations. That's what they ask you for, you know, where do you live? Well, does that mean you qualify for a special shipping rate?
That's the qualification. It's not identification right now for returning users. As I point out here, identification plus gaining confidence through authentication. That's probably okay, because they're building the profile gradually in their system. They don't need to ask you for qualifications every time you visit so fine, but for the higher value high risk, that that third bullet is about step up authentication. We refer to as step up or dynamic authentication, regulated interactions. When, whenever you're told, show me your government issued photo ID, that's probably some regulated process for identification. Typically those are the examples we hear or it's high risk and high value, right? So show me your show. Me your bank banking information in a way that can be proven to be an authentic representation of information managed by a known issuer. Okay? Those are important elements there to me there, there.
So what is this authentic representation of information? What it really means is that for that piece of information, that the service fire gets so they can make decisions about what they want to do with you, what they want to offer you. It means that they can see that the, the information is authentic and they can demonstrate to themselves to their own satisfaction that it has not been altered. So it has integrity. It says nothing about truth. It's a claim. It's, you know, it's information, but they know that it came from the issuer that it, that it purports to have come from. And that it hasn't been modified by the user or a malicious party.
Okay. What are these digital credentials? I don't have that many more slides. So you're gonna have to think of the questions. Okay. Get those brains working sweet. Some of you may know that I like fireside chats. So this is, this might turn into one. So what are some of the essential properties credentials? So over the last several years, I've been trying to figure out this statement. So if we assume that service providers want information to make decisions as inputs to their business processes. And if they get that information through a card or a credential, what do they need the card to credential? What the properties of the car to credential? Well, they, they need assurance and confidence that the credential is genuine. It is what it claims to be. It's that thing. And that the information is an authentic representation, representation of information held at the registry at issuance. So play this back in your head, right? So I give you a credential. You're a service fighter. I give you a credential and you have to be able to look at the security features to make sure it's genuine. And it's not a forgery. If you're, if you need increased confidence for a high risk transaction, you might get a UV light scanner to check the, the hidden security features. Or you might check digital signatures to get cryptographic proof that is genuine. And from the issuer that it says it's from
Now, what information is on that credential or accessible through that credential? Well, the service fighter wants to know that whoever issued it believed that data that they put into the credential at issuance time. That's what they need. They don't need the truth. They don't need the current value. They need what the issuer certified and approved and issued. Okay. I, I like this statement by the way, if you don't like it, please tell me and ask audience question. We have online come
To you with the, the mic and that way our virtual audience can also hear
Hello, Andrew. Hey Mike, Mike Jones. What value does the held in a registry clause at? Could you explain what you're thinking there?
So I use the term registry as a synonym of database, right? So if you're issuing credentials as some sort of authority, or as a, as an organization, you're probably gonna keep a database or a registry of information that you issued so that you have your own records. What, what went on? That's what, that's what I mean by
It, but just the service provider care, or why does the service provider care?
They care that the issuer is referring to information in a registry of that point. They don't care which registry it is right now. There might be some dynamic issuance where the information isn't doesn't exist for a long time. Doesn't persist. So yes, I'll grant you that if that's the way you're going,
I'm not sure. Is that registry a pseudonym for what many people are calling a wallet? Or is it a distinct?
No, no, the it's the issuer's database.
It is the issuer's database. Yeah. Okay. Yeah. I thought it was the holder's database.
No, no, I will. I will edit the statement to make it clear that it's on the issuer's side. That
They okay. Then I think we're in sync. Thank you.
Okay.
We have another audience member question over here.
Oh,
No.
I asked them to do this by the way, but I didn't know.
Why, why are you looking twice? Scared. And Mike asked the question. Can you go back to slate? Yeah, just, I think I know the answer, but kind of a question that's elephant in the room, why it has to be without contacting the issue. If I'm the issue. And I issue the mobile driving license to someone who's just killed 10 people on purpose by driving his, when I went to revoke right away without, you know, the very FARs potentially contacting my registry.
Yeah. So I'll edit the statement. So it's more clear what I mean or what I intended how's that without, without making it mandatory, to connect to the issuer without basically having the option to connect or contact or not contact the issuer. Right? So there's not, if I present a credential that you're required, that you must check with the issuer every time you present it, that's not ideal in some situations for high risk, high value transaction. You probably want to talk to the issuer about revocation. Okay. So why mobile, digital credentials? Oh, by the way, did you notice that this statement says nothing about digital? This is paper, plastic, and electronic tricky. A trick. Okay. So why mobile, digital credentials. This is about how to talk to other people, right? So if, if the thesis is that digital identity doesn't mean anything to real people and using the words, digital credentials or cards is more understandable. I mean, there, there is a reason we call crypto wallets, wallets and not secure data storage, right? Because people know what wallets are sh making this shift could help have the discussions about what a credential is for. It's moving information from issuer to service provider.
We can make equivalencies between physical security features and electronic security features much more easily. Cuz people could transfer that their experience over and by putting the credentials in the decentralized identity world on the mobile phone, we reintroduce the actual consent choice and control back into the information sharing activities, which is one of the user centric and SSI and decentralized identity goals. By the way, none of this is new. If you haven't figured that out yet, it's just rephrasing what we already know. I believe so how do we get to mobile digital credentials that are ubiquitous? These are some of the elements. There's probably others, but devices that can keep secrets, right? So your mobile phone smartphone has a security chip in it. You know, it can keep a cryptographic secret, private keys, more and more phones, more mobile devices can do that standards and protocols.
So this is the interoperability discussion. How do you move data between different systems that aren't built together? You use standards and protocols, infrastructure for cryptography. So PKI in limited and constrained uses issuers. You need the issuers. There is no credential ecosystem unless someone's issuing these things. And if you can get governments, issue, digital credentials, that seeds a whole range of activities. Okay. And useful use cases is usually useful as well. How many times can I say useful in a sentence here are just some of the examples of the standard protocols that have been developed have been published or are under development. This is not a complete list. I've rushed a bit preparing this slide, but I'll let you take a picture of it. Slides are happening afterwards for the standards, people in the audience. Are you seeing any that are like critically missing from the list to shout it out? Yeah. Did, did come calm? So
SIOP,
SIOP.
I know
Transport protocols did come cetera. Yes. Thank
You's not a T
Protocol. Oh no.
Give the mic.
If you
Give him the
Money Dick, com's not a transport protocol. Okay. We have five minutes left. This is going well. Okay. So issuers, it'd be helpful to have issuers that issue government vetted digital credentials. We see through evidence within V2, you blockchain projects. For example, in Canada, verified organization network, all the D you know, multitudes of vaccination certificates that we all have had over the last couple years. And importantly, from my point of view, ISO one, a 0 1 3 part five, the mobile driver's license motor vehicle administrator associations are setting up the crypto. The infrastructure for cryptography required to support those credentials. And in north America, at least driver's licenses are photo ID that's. They also let you prove that you can drive, but they are photo ID. So couple of slides about the standard, the mobile driver's license app standard.
Okay. So it doesn't cover everything. It covers the data structures of the mobile driver's license credential and transport protocols over wifi, QR code NFC, and Bluetooth. It has data integrity mechanisms in it. And it has mechanisms that allow you to do selective release of data elements. Okay. This is the scope statement from the ISO standard. If you're curious, and you can see that in the, in the link later on does not cover issuance. We're working on that still just a very light high level introduction to some of the rationale behind the mobile driver's license standard. So really was written to address the needs of the primary stakeholders, which are the issuers of the driver's license. So they have physical driver's licenses globally. They have international driver's licenses, 18 0 13 5 uses the data structures for the ISO compliant, international driver's license. That's why it's structured the way it is. And that's why it looks like and feels like a, an actual driver's license to, to users and issuers. Okay. It's possible to generalize the credentials there, you can define a document type for any data structures that you want. It's completely open you just write this back and off you go. There aren't any additional ones, but it's possible. And very importantly, the ISO standards are recognized by ISO members, which are the national standards bodies around the world. So they're backed by basically governments. Okay.
There's a series of there's family standards called the ISO 2, 3, 2 20 standards, which are building blocks for generic Eids. And the idea is that once we finish writing the 2, 3, 2 20 standards, the building blocks people can create profiles for specific use cases by picking out the parts, the building blocks they need and tailoring them to the use case. In 10 years time, you should look back and see that 18 0 13 5 is actually a driver's license profile of 2, 3, 2, 2 0. That's that's the idea, but you'll have to wait 10 years for that. And that's quick. So here's the punchline. Is it a breakthrough? Yes, of course. I wouldn't be talking about it if it wasn't a breakthrough. And here's why governance for the issuers. Right? Most, many of the use cases you hear about in this conference, it's about the official, the authentic, the authoritative government issued photo ID and how you can downgrade it to localized use cases. Well, all of a sudden we have a mobile, a digital mobile government issued photo ID. It's coming.
Another critical point is that driver's license have the photo inside them. So the mobile driver's license standard has the reference biometric image. That's at the driving administrator's database, the registry in the itself. So now you can start to look at using your device to do selfie, to reference image matching, not selfie to photo of card matching. So now you can see that the subject of the credential is holding it and presenting it to you using a biometric match, which is a new, interesting capability. And third is question here. Third is that the data now comes out from behind the firewall and it's now available and accessible for use authorized use question.
Yeah. Mike Jones, again, I have a guess, but tell me why the reference photo being in the credential is better than a picture of the reference photo.
The photographs that are printed on plastic cards are not intended to be copied by cameras. So they're low resolution they're obscured, and you can just literally paste over another picture. And unless you do liveness detection and testing the comparison systems, can't tell the difference, right? The vendors that are, that are doing this, they're relying very, very heavily on the liveness detection, which is awesome, but the one-to-one match to a picture of a picture of a picture. Isn't really a high bar. That's why any other questions? Comments, cuz it's discussion time. We've got a few minutes.

Stay Connected

KuppingerCole on social media

Related Videos

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

Webinar Recording

Advanced Authorization in a Web 3.0 World

Business and just about every other kind of interaction is moving online, with billions of people, connected devices, machines, and bots sharing data via the internet. Consequently, managing who and what has access to what in what context, is extremely challenging. Business success depends…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00