KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
So hello everybody. First, the disclaimer, I I'm Martin I'm product owner for identity NA group, which is a UK bank or group of banks. What I'm talking about today is really my own personal perceptions on, on digital identity. So don't confuse anything else here with an official announcement by net group, but I've been involved in a lot of work on digital identity over the last few years. And really what I wanna do is, is talk a bit about what we've done, where I think that we should be heading.
And some of the experiences, some of the challenges that we've gone through in doing that first off though, I think we, we need to stop and go, okay, what do I mean by digital identity? And, and the reason for stopping to do that is because many people have very differing views on it. And as a product person, I like to abstract it away into what, what ultimately is the objective? What would we expect a digital identity to be once we are, we are out there and real, so fundamentally trustable.
And what I've found is that a lot of people will not towards trust go, yeah, of course it's gotta be trustable, but then have a, a take on trust. That's very much towards a particular dimension.
So, you know, relying parties need trusted or some, you know, the network needs to be trustable. You know, how whatever's distributing stuff, but fundamentally it needs trust in, in many different forms. We need the citizens be happy to trust it for, because ultimately we need people to want to adopt us. And if they don't trust it, then the chances doing so are less. And also if there's that perception that it's not trustworthy, then the information on the quality of the information that people will put into will be less. And that will reduce the usability, the efficacy of the whole system.
But we also need the relying parties to be trustable. You know, sometimes it's, it's thought, okay, as long as the data's good, then we're good. Right? But actually we will see people who will attempt to get people's personally P personally identified information for bad purposes. And we need to make sure that organizations that appear to be valid, relying parties actually are those relying parties. So there needs to be a degree of trust in the receivers of that information.
Also, we need trust across network. We need to be able to say, okay, here's the information that's, that's come through. And here's here are the attributes and the degree to which they're trustable because as with anything involving security, the expectation that you've got a hundred percent security just isn't doable, isn't feasible. So there needs to be a, a way to signal what basis the information being shared is being shared. Is it good?
You know, how, how good is it? And that needs to be part of that trust. So the trust needs to run through what's delivered in a number of different ways into a number of the different parties that are involved in it.
Secondly, inclusive, it's very easy to think of schemes that would deliver digital identity, but only for a small group of people. And I think that there's an opportunity here to solve inclusivity problems that are more widespread. And certainly I realized as I came into this space, but through a combination of vouching and trust from multiple places, we should be able to include people who are really quite excluded in our, our society at this point.
So being able to use digital identity to drive inclusivity is important, then I'm gonna coming from a banking direction, something that's less clear to banks, but I think has to be the case, which is that it can't just be for banks because while we could do this to solve, say some of the fraud problems, some of the financial crime problems that that banks suffer from, that's not the whole of the problem. And that doesn't deal with the bulk of the problems that citizens have with identity online.
We need to be able to help people prove who they are and prove attributes about themselves into all of the sectors that they they want to to deal with. And you know, some of those are commercials. Some of those are, are financial services. Some of those are, are charitable organizations or social organizations that all has to be supportive by a system to drive that usefulness factor. And we'll come back to that later on in my list, really looking at how we make this part of people's lives going forward. So we need to be able to work cross sector next, multiple attribute sources.
It's very easy to think, okay, what's the bare minimum we could share. We name, address, email, address, phone, number it be what I, I refer to as, as the PayPal five, the stuff that sure you need to be able to have it, but actually it's a limited use.
Once you get beyond the onboarding to yeah, merchant, that's gonna ship you some goods and so needs the address and need an email address to communicate back to you and would like a, a phone number, you know, rich attributes open up so more whether that's access to government data, both in terms of approving identity and in the data that government holds be that property or other things, government data's quite key. A number of the, the uses that we can see in front of us involve qualifications.
So has the person got a qualification that's needed for the activity that they, they want to take part in? And that's everything from sub qualifications through medical qualifications, the ability to have attributes that rely on part have available attributes, the relying party wants in order, the journey can be completed, increases usability, increases the, the degree to which the system can get used.
But if we made that happen in a way that was committee standards based very rigid, then we'd, we'd tie ourselves up in the problems of delay and slowness of getting through that approval process. So an ability to extend the attributes in a way where, okay, some basics are, are well known, well understood as it becomes more and more sector specific, then does it need to be centrally defined or can it be defined in a sector? And how do we allow for that? So that attributes that are useful can be shared without requiring huge amounts of delay and administration.
And through that, we can start to do extendable use cases. So if we come into this thinking, the PO purpose of this is to say, do onboarding to financial organizations, then we've kind of missed a point. We need the, the use cases that digital identities put to can grow and we need so therefore support the increase in that attributes. Yeah. New and extensible attributes being added.
And the use cases, aren't a factor in the digital identity mechanism itself, relying parties can ask for what they need yet, what they can be given and then can make a decision on does that allow them to move forward with the journey that the customer and relying party wants to, to take them up. So, and that really all adds up to ending up with the digital identity that can be frequently used.
I think that if we create digital identity, that is for very limited use case, then what we'll end up with is we'll end up with lots of digital identities or with very limited use cases, which drive the, the citizen into the same place that they fundamentally sit in at the moment, which is that they can't remember how they logged into it in the past, what they need to do to get access to it. And they won't recognize it as solutions, lab problems. If we want to get into that mindset where the, the, the citizens are thinking, okay, I can solve that problem with my digital identity.
That won't be an issue because I I've got an attribute that allows me to do whatever it is they want to do next, then we're driving that frequency of use. And that means that we will start to get this positive reinforcement happening where customers would expect to use it, to solve their problems, which means that relying parties will go, okay, we can, it makes sense for us to be part of the digital identity network, such that, you know, we can solve problems for customers and the attributes can be available or can become available to enable those journeys.
So that's really what I see as the underlying principles and objectives of the digital identity. It's certainly different from some other people, and you can have many arguments for why you might do it in different ways and different forms, but that's really my starting point, looking at the experiences of, of, of working in this space the last couple of years, I'm, I'm reminded of this, this graphic here for people who may not have kids. This is from a story and old story, the musicians of Breman, and it's about a, a group of animals that get together to thwart a group of criminals.
And I always think that's kind of at, in terms of the, you know, the fraud and money laundering aspects of digital identity, but here really looking to represent the different participants that we need to have working to deliver digital identity. And one of, you know, the challenges is getting a, a common set of objectives across this group, such that we can, you know, deliver something that has values at all levels. So clearly individuals matter in this also the identity providers who provides identity and what's, what does the, the model look like from their perspective?
Where do those come from and how do we get them to an appropriate degree of level of assurance? The, we need the trust framework to provide governments across the top of it in UK.
We just, this week heard that the, the government's looking to put in place a legislation that will allow governance. Trust frameworks. Europe obviously is very different with AIed a, but a fascinating piece of work in our AI desk. We need reliant parties to need the data that can be delivered by digital identity and to understand the benefits that they can get.
And in talking to a lot of different people on this over, over time, I think that some people get it and others don't that's okay, but we need to make sure that we have enough value in what we get to market with first, that we can be successful and grow rather than really set and almost cavitate. So we need the relying parties to be there and underneath all this, there needs to be the technology that delivers identity data. So the identity itself and the attributes associated reliably out to the participants.
And of course, for each of these types of factor, there are many of them or potentially many of them. And we certainly shouldn't be expecting that there's a, a single monopolistic part to this process. That's a challenge because trying to get consensus across groups of diverse, I not with the same way and multiple of them is, can be challenging. So looking for roots to get easy consensus on, on how we take this forward is a very much a, a priority where I've ended up is thinking about what we're building with digital identity as really building a like railway network.
And fundamentally, once we built the railway network, the ability to communicate between the parties, then really what we're looking at is, is the payloads. What can you carry in that railway network? And at that point, we don't need to know whether we're moving fraud, data, we're moving payments information, we're moving attributes doesn't really matter. As long as it fits under tracks and goes between the parties, then we're solving the problem. We're moving in the right direction. And I think that's perhaps the easy way to Del, to deal with the almost inevitable, long conversations on.
So what's the use case going to be? And you could you find that with large numbers of, of varying participants, the use case conversation can go on and on.
And I I'm, I'm minded that the thinking in terms of a, a transport network, a role, my network means that actually we don't need to worry so much about what an individual use case is. As long as we can be beneficial from the get go, because ultimately the use cases will appear because they're extensible use cases as people find use for it.
But having the network in place is the, the crucial staff I'm also mindful of in this I'm, I'm stealing a piece of a graphic and a, an idea from, from someone else in the industry, which is, as we think about trust frameworks, as we think about digital identity, we need to consider three aspects, illustrate fear with a bacon, lettuce, and tomato sandwich. I'm, I'm sorry if I may keep people hungry, but fundamentally we need to consider business legal and technology. And I think there was a point in the past where many, including me, would concentrate on the technology as part of the problem.
But fundamentally, I think that where we are now, there are multiple technologies, which could be part of a digital identity. And some of those are complete, you know, maybe completely separate different ways of doing things, but actually it's not the technology that is, is the blocker at this point. But we need to do is resolve the business and the legal challenges. And what do I mean by those from a business perspective, it's who pays, how do they get paid? How do the participants need to be paid, get paid? How do we make it?
So the pricing is reasonable and fair, and that we're suddenly from the point of view of bank competition, we're not doing anything that's monopolistic or would be looked on badly by the community competitions authorities, but which allows the network to support itself. So we need to get the business side sorted out. And part of that is, so what does, what did the arrangements look like between the, and that's where we stray into the legal side of things. So contractually, what does it look like legally? What does it look like? What happens when it goes wrong?
How do we deal with liability or limit liability such that participants are, are happy to still play in it, but that doesn't mean that we're gonna get away from our ability together, because we have to realize that identity data is personal and valuable to the individual. And if things happen, then it will have to be made good in some way.
But a lot of the focus, certainly in my mind at the moment is towards that business and legal challenge of how do we make the network work business and legal working from a technology perspective, there are solutions, but business and legal, we need to just put more effort into. So lastly, in conclusion, I think prospects are very good.
I think that the, the challenges are really about making sure we get commitment from these many different groups to address the business on the legal, as well as the technology challenges and taking those forward into a system that delivers many use cases for people, such that it gets frequent use and therefore becomes a part of their lives as they go forwards. And that's really where the benefit happens is where we create a digital identity that benefits individuals in society because it's often used. Right?
And that's the key thing is that create something that's used once every year, once every few years, the benefits are small. If we can make it so that it becomes a, a part of everybody's life every day or many days, then where we're solving the problems of that individual. And we will have a successful digital identity that will grow. Thank you all. Any questions? Thank you very much.
