We have our panel debate. So if I can call to the floor, Martin, Kuppinger you moderating
Close it down? Yes.
Okay. So we have a, have a nice panel. And so I I'll I'll trust. Try to figure out where, where it is on those list. Here we go. A panel is hopefully quite a number of panelists. So I have a seat over here, please. On these chairs. Hey Patrick, you you're have so many panels. You should know how it works. Yeah. So, so we have Heather do from ISU. We have DOE from Miko, we have Patrick Parker from empower ID. We have LTA from Ian BW. We have if Maller here, if hello, pleasure to have you here again from, for rock. And we have Michael Langley here from 14, 14 winters,
And yeah. Raise your hands please. And, and welcome Michael, and leave remotely. We have, we have a nice topic, which is centralized versus decentralized in the context of entities, Shirley, and it's the pros and cons and use cases or cause could also be all or both. So I think a lot of opportunities, I think we only have 20 minutes for that 30. Oh, that's cool. When we have 30 minutes, that's that's even better because I think it's a topic which easily can be discussed for an hour or two or a day or so. So what, what I wanna ask you first to do is maybe give a very quick introduction for yourself. So 20 seconds, Kari, do you wanna start and give it a try,
Should stop by saying, how
Is this on? Yes, it's on already. Hi everyone. My name's Katrina Dow and I'm the founder and CEO of Meco. And we focus on infrastructure and tools to enable end customers to be able to access control or exchange their identity and personal data. So that can be decentralized or cloud solutions or a hybrid of both.
Okay, Patrick.
Hello, I'm Patrick Parker. I'm the CEO and co-founder of empower ID and we focus on IGA, Pam and access management.
Okay. My name is Annie Richard. I'm working as chief architect at, in BW, which is a large German energy provider. And further on, I'm doing some lectures on identity and access management at university of flu Sam,
Heather
I'm, Heather doll, I'm CEO co-founder of Indico. We help our customers build trusted digital ecosystems using decentralized identity and verifiable credentials.
Okay. If,
Hey, everybody Eve mailer with, for Dr. I am the CTO, I head up our innovation labs for Dr. Specializes in helping people safely and simply access the connected world. I have a history of helping birth, I suppose, federated identity once upon a time Sam Liberty Alliance and contributed to its second wave in the AEC.
And finally, Michael,
Hi. Yeah, Mike Engle. Co-founder at one cosmos. And as you mentioned, a partner at the 14, 14 ventures identity fund, you know, one cosmos focuses on better ways to identify somebody remotely and get them into any system. And it's in line with our topic today, right. We have a centralized and a distributed model. So looking forward to the discussion. Yeah.
Okay. So let, let's, let's kick this conversation off. And I think one of, one of the interesting things is we, we see decentralized identities emerging, which I think raises the question and the concern of organizations about how does this fit into my ecosystem? Do I need to do everything new right now? Or is it just something which fits in seamlessly? You're looking at as like, as we want to start with the answer,
Right? No, it actually extends your business and enhances the identity solutions. However, you're storing your data now. And it actually allows you to grow your business and exchange data with parties that you may not have been able to until now. And we see examples where we're supporting centralized data repositories using decentralized identity and verifiable credentials to exchange that data and provide it into another centralized type database. And so it can be used in a variety of ways. It's not an either or situation
Who wants next.
I think this hybrid approach is, is, is optimal in terms of where we are right now from an evolutionary point of view. And, and I agree, and I think part of the reason why the decentralized aspect is really interesting in terms of extending commercial opportunities business is because there are so many decentralized things. If we start to think about customers as a point of integration and then the things they're wearing and then the things in their, their home that, that could also be creating data and intelligence, then finding a way to connect those things in an efficient way. And then potentially bringing that back in to do something that may be centralized in terms of the service provision. I think it's this balance between those things. And it's gonna vary case by case use case by use case. Yeah.
Melanie, you you're one of the
Things, yeah, it's just, we are enlarging the business opportunities by involving decentralized identities, but we are also, we should not forget. We are also enlarging on a profitable factor, the attacks office, and there will be still some work to be done. And there's quite a problem. If you accept decentralized identities somewhere in your ecosystem, it means you've got to accept decentralized quality of identities. And there's not much around that you can say, okay, I'm, I'm pretty sure that this identity is got all this identity is bad or this identity has a good enough quality to reach this area or not.
But, but, but isn't it. And maybe also to, to Michael then and, and leave isn't it that we, we have way more opportunities to, to verify and to come up with strong proofs. So, so when, when I take verifiable credential and I say, I have strong proof in my wallet and I do it once. Good. Isn't it? That we get better if, and then Michael.
Yeah. So I think the, it, the motivations for getting better at federated attribute exchange, if you will, are overdetermined, there's lots and lots of reasons why it seems like a really good idea. And honestly, you know, having been there in the beginning, we were pretty successful at some things around Federation, mainly authentication. We weren't very successful at wide ecosystem sharing exchange of attributes. The thing is it's still today cheaper and faster and higher quality for services to collect data themselves. Like the, the use case I think about is, you know, if you have to go to emergency medical services, do they retrieve your blood type from third party services, which requires a lot of infrastructure? Or do they just go ahead and test you all over again? Because it's cheaper to do that. And it's, and it's known high quality. So I, I almost think that's the standard that we have to achieve.
Okay. Michael, what's your point on that?
Yeah. It's, it's coming, you know, especially post COVID. Now we're trying to find the, the combination of proving somebody remotely. So what El, or I'm sorry, I'm getting your name wrong, but said about the tax surface growing decentralized, right? It means pushing the keys out in control of the user, or maybe having a Coinbase via custodian, but now we're seeing every week another breach, right? So we still need to have centralized services and control and security and augmenting the decentralization with identity. That's the missing piece, right? Go to open C and buy an NFT and try to verify the authenticity of the person on the other end. Oh no, no, no, no. The, the defi world's all about anonymity. Well, no, it's not right. You don't wanna do a transaction with somebody you don't trust. So it has to be a hybrid and we're gonna see a layer of all these service providers and now Facebook and Instagram are letting you do NFTs for a quote free, right. Just last this week, they announced that. So we're definitely gonna see a hybrid. There's no path where it just goes decentralized because it's still too hard.
Patrick,
I would say staying away from the, the idea of the primary authentication, I think organizations are gonna find lots of very interesting use cases for their company or for their industry, just based on the concept of the verifiable credentials or sharing this attribute information, recent, you know, sharing your allergies, sharing other personal preferences from between applications. So it, I think it'll factor into the way that organizations develop applications and, you know, leaving out the whole question of the primary authentication, which raises everyone's tackles. Yeah.
Yeah. But, but, but even there I'm, that's so pessimistic, but, but I think what is behind the part of that conversation is also, I believe it's important that we, we distinguish between two use cases, maybe more even, but primarily it's, there's an registration or onboarding flow and there's an recurring authentication flow. And I think we need to, to, to a wide mixing this up into, to one thing, because for, for onboarding, the advantage might be that we say, okay, we have, we have someone who has a proof by whatever the passport, the E I D. So it's Martin and proof by the employer is working at Analyst and together it's quite some good proof for someone onboarding me as a partner in a bro trick or something like that. So, so I think when we, this would be my perspective, maybe you have different, different perspectives on that, but I believe the first step is that we distinguish between onboarding registration and between recurring authentication.
But, but you're also talking about layering, these attributes and the source of them. So some of these things may make sense to be constant from a central place for instance, employer. But for instance, it's to do with a travel use case and COVID status is a good example. So the constant is employee. I can verify as the employer, we have that in a central HR system, but Martin's status to be able to fly today could be completely different in 24 hours. And he is the best decentralized integration point for that latest piece of information. So I think this layering of, and connecting of attributes in a context, and then the ability for it to be real time and in context for personalization. And I think that travel thing is a, is a great example of that.
Who wants to add here?
Yeah. What you said, Martin, you know, how do we prove who somebody is? We're all here to talk about identity, right? There's E IC, right? The identity in the middle of the name. And, you know, we haven't talked much about that yet, but how do you prove who somebody is remotely and do it in a way that's fair and equitable. That is such a huge challenge. And I think not only about people like my parents who can barely type in, you know, as eight digit character password into their apple ID, but people who don't have a, a really good smartphone, you can't, you know, don't have a good place to keep a credential or use a biometric. And that's one of the real challenges as that gets solved, right? There's, there's two ways to prove who you are remotely. You know, if you disregard user user names and passwords, which we all know sucks, it's a private key and a biometric, right?
There's the kind of the, the other factors getting ready of knowledge base. So we have to figure out a way to let literally billions of people do it. And you're seeing a trend in that direction with what Fido announced last week, right now, your Fido credential, which is very strong. They're putting in a little bit more flexibility and security risk with the key being able to go and be stored by apple, Google, and Microsoft. That's gonna start to create more inclusion. And so if we can prove who somebody is and give 'em a credential, now you just ask 'em for it every time, no matter what they're doing, and the doors will start to open, it has to be easy. Otherwise, you know, if you're trying to do meta mask, right, it's just not a way forward for decentralization. And
I wanna put a, I was gonna say, I was gonna pick up on that thread is I suspect your parents might wanna go to a place like Aruba for vacation. And that's exactly the use case is working with C a and the government of Aruba where your regular traveler could share their passport information and not know that they were doing that because enable to enter the island in the past year, just because it was easy and built into the regular check-in system that they already use at the airline.
Yeah. Yeah. The happy, happy flow. Yeah.
If
So, yeah. Thank you. Yeah. The happy flow of, I think has been being improved. It's the unhappy paths that, you know, sort of get us into trouble. And I, you know, we see some work being done there. I kind of wanna put a marker down about how we get from the disruptive world of the centralized identity to the world as it exists today and, and really make it ubiquitous in, in wide ecosystem form, which I think is, you know, what, what people seem to think is the best expression of it. I think it needs three things. It needs a killer app, reusable credential. I, I, I don't think COVID status is actually it, I don't think it's reusable in enough context for things, you know, is, is not low level enough. I actually think proving that you're simply human is a really good one. So that's number one.
Number two, we need guarantees, not just assertions that privacy writ large has been improved by putting in place quite a lot of new infrastructure. So for regular use for multiple purposes, we're really gonna need that. And I think it still needs to be proven out because of the nature of the, the kind of swing back to centralization that happens so naturally in technology. And then third, I think we do need efficient, scalable, attractive means to bridge to current systems, cuz there's just, I mean, there's so much legacy is not funny. We saw all those headlines about, you know, looking for Cobal programmers in the beginning of the, of the COVID pandemic. So it nothing ever leaves us in terms of technology. It's all still there.
Yeah. But, but, but, but are aren't they sufficient use cases. So if I take my, my life as a consumer, not registering at every e-commerce website would be really a big improvement for me as, as a very simple example. And when, when I take, for instance, B2B relations, when you look at many of the partner onboarding processes, the cost associated with this, the complexity, you know, sometimes queuing for, for a while in, in an office to get whatever a batch for, for somewhere a company you're working on, all these things could be things we can easily, easily I believe to do, do with today's state of decentralized technology. And I think there's really not, not that there is disruption. I wanna a minute have a question from the audience, but I wanna bring up one more point. So, so I think cat Katrina, you brought up this, some data is probably something which you better keep on your own records in the organization.
Others, you keep decentralized. One of the other things I think about a lot is deconstructing the user journey, not only sort of horizontally in or vertically in the sense of onboarding and registration, but also the authenticator like the fingerprint reader on iPhone is different than the device is different than whatever the, the, the IDP is different than the directory entry is different than the rec. The record in the system of records is different than records in some line of business applications. And if we deconstruct this, I think we also can, my perspective easily understand which data we better bring into central systems during onboarding and which others we trust, keep outside and verify during our indication. That would be my idea on that. Any, any agreements or disagreements? Yeah, I would. I would E yeah,
I think I can agree if we are looking at, in our company, you said you, we had one central HR system I've got to disagree. We got about 20 HR systems and some of them are, I assume paper based. I'm not sure they're very small companies, but still working for us. They got an onboarding process and I've got to import them. So I've got a decentralized situation, even in the onboarding process, even for employees which belong to my company. And I didn't add the external staff on the partners in the B2B sector, we got about, I don't know, 200,000, 2000 B2B partners we are working with. And I've got to manage those identities, but they're skipped very small portions. I mean, there are partners which have only 10 people and I've got to onboard them and to group them together, that's quite a decentralized situation for me and we're group of company.
That means I don't have one identity provider or one central directory. Of course, I've got many companies in this group and they have their own identities. They have their own office, 365, and I've got to put them together because I want to work at the whole picture. And if I continue, I got about 2000 applications, which I have to serve. And the cloud applications on top, I, I would say, this is a completely decentralized situation. I have explicit exact of, except of IBM, which is my group we are doing with, we're dealing with, that's the only part which is central. And we really are sorting out what we are going to process centralize and what we keep outside. Cause there's also a, it again, the more you centralize, the more complex it gets and the more costs you have, and that's also to consider in this part. And
I think it goes back to proof. So if, if you have to prove everyone, yourself, it's more expensive than when you can rely when I'm proof.
Yep.
So I have one question from the audience maybe in between a very, very simple one. And I think you all have immediately great answers on that decentralized identities and zero trust. Is this a contradiction or a good combination? What do you have to take care of? So who wants to start
Zero? Trust is never trust. Always verify. Okay, well, you have to verify how are you gonna verify? And that's where decentralized identity steps in.
Yeah.
Yes. And you've got to reach a, when you verify, you've got to reach a trust level, which is adequate to your use case or your application you're going to access. And maybe you'll just keep out some of those decentralized identity piece. Cause you'll say, oh God, they got poor quality to some topic and minor critical applications are gain them access. But to the critical applications, I won't accept this low quality identities.
It's okay. And I started working in decentralized identity, actually having started almost 10 years ago on zero trust and worked on the zero trust architecture. And that's how I moved into this space to solve that.
If you look like you want to add something,
Did I, you know, I, I, I think they're entirely compatible actually for the reasons expressed. I, I, you know, I, I'm thinking back to the early days of Uma, when we, we characterize what what's possible is claims based access control. And so, you know, sourcing the information that you need to make an access decision as dynamically and as it fine grained fashion, and as contextually as possible. I, I think that they, they are probably inherently very compatible. We we've done some work on, you know, scenarios in this area. It, it requires some enterprise commitment to doing things a little bit differently than they often do, which is that the, almost the degraded use of the traditional technologies internally, where you're sending attributes to your relying parties, which maybe in the thousands as Ellen was sort of pointing out instead, you really have to be sharing entitlements out in your access token.
Okay,
Michael, I, I think there's there when you talk about zero trust and identity, right? There's six pillars, there's device and network and segmentation and authorization, but the identity one is the most important. And there's only one way in my opinion, to prove who the person is, that's about to access the resource. And that's what a real biometric, right? If you can give a credential to somebody else, even a token, a UBI key, whatever it is, and they put their thumb or have your pin, it's not zero trust. And so the marrying of, of a real biometric that's compared to a, an enrolled source really ties back to what you were saying earlier. Martin, do you decouple the enrollment and the authentication? I think the answer's no, if you trust the binding of the credential with a real biometric and then use that biometric before they get into your domain controllers or perform a account, you know, routing number change, you know, now, right. It, I mean, obviously you could do Tom crew's mission impossible, you know, some really edge cases, but the level comes way up here. If, if you can do that. And, and those two, in my opinion go very well together with decentralized identity.
I was gonna say, I think to pick up on Eve's point of entitlements, entitlements has a business motivator as well, because with entitlements, you can start to look at business models that are more effective and efficient. You are wrapping in an entitlement, maybe some reduction around data collection, data processing, data risk, you haven't over collected information. So you've minimized maybe for a maximum outcome. And if that data has been, if it's an entitlement that also has some kind of verification or relevant history, then the value of that is exponentially higher than if you had just taken the raw data. So I think there's a whole business layer to consider in, in that efficiency. So it's a combination of the technology and, or also the commercial uplift that you get as a result of that.
Okay. Patrick,
I'd say, I mean, as long as you're trusting the source, of course, and it's verified, but this could be a good source of information for dynamic real time authorization, but then we're gonna have to build some new capabilities into the products where we have visibility over that at its auditable about how that data could drive access decisions.
I think at the end, it's we need to have as one part of the context of information, we need to have the, the assurance level, which type or however we phrase the assurance level. But we need to, to understand what is the assurance level of an attribute, especially in, in the world where we have different proofs for different attributes, all of them will have the same level, the same strengths. And so we probably need to be able to, to understand how, how to, to which extent can we use this for, for a verification and bring down our risk level. I think this is, is the point, but I think when I, when I take what we discussed right now, before we come to the closing statements, then it's very important to understand it's not a, or, or it's a, you can integrate and you, you need to integrate.
So don't understand decentralized identity as something which is disruptive to what you have, it's complement to what you have. I think the other point is we need to, to spend quite some time in conceptual work. I think this will be something which becomes more Cove over time. But I think we, as the industry, as the Analyst, as, as the end user organizations, will I call the deconstructing, we need to understand how do things cryp together? What are the protocols in between what it information to exchange in between? I think this will be the exercise to, to be done by the pioneers, especially in mixed use cases, but it can be done. And I think these are for me to, to choose a very important points. What I'd do I'd like to do or ask you to do right now is coming up with a short, concise recommendation of your sort of main takeaway you want to give to the audience. So, so one sentence, so to speak about what is, what is your main takeaway, your main recommendation, if do you wanna start and then Michael, and then we continue here.
Yeah. So for the, I'm sorry, you said you've Serg. Go ahead.
No, it's okay. You know, I, I think that there's opportunities in this area, the bridging and the hybridity that we've been talking about is absolutely critical, which means really understanding systems that go back in time, decades. I do think that the carrier technologies that will help adoption, you know, really at the edge among end users are passwordless and cryptocurrency wallets. Okay. So, yeah,
Mike.
Yeah. I think, I think a great place for organizations to get started today, right? You're a global 5,000 company is there's a missing component that is kind of in there in the co your coal identity fabric, right? It's, it's an identity almost like your identity assurance thing, right. Could be something provided by one cosmos or, or any entity, but you can ask it, the question is this person who I think they are, and then allow that to be shared with a, a, a company that you do business. With an example, I'll give is a brokerage. Here does business with a brokerage here today. They have two options federate their active directories or issue, secure ID, tokens, use names and passwords. Imagine if you use the principles of decentralized identity between the two, all you need is the business relationship. The technology's already there, and that's an easy place to get started.
Okay, Michael, thank you. And by the way, in our new IM reference architecture version, there's identity, issuance, and acceptance in because it's part of what we should think about in identity management now. So we go Katrina Patrick, and on short statements, we have two minutes left.
I, I think this is a universal approach for every problem. What's the outcome you want. What's the job to be done. Someone wakes up in the morning, there's an outcome that wants to be achieved. These technologies are tools, and it will be use case dependent to the degree that you dial up one tool or you dial up another, or you connect these, but being really clear on how you may be able to get a better outcome, a faster outcome, a more trusted outcome will then help shape those decisions.
Okay. Thank you, Patrick. Cool.
I'd say it's a good time. Right now, the toolkits are being developed by the vendors to start. If you're a large organization developing some type of core competencies, so your teams has this competency, they can merge it into their long term application roadmap about how you're developing applications, and then you'll be ready for the business cases that come from your organization.
Okay, Melanie?
Yes. And we, shouldn't not only focus on technology because the technical part might be the easier one. We have also to put a trust part on the organization or on the contracting part. And that might be the really difficult one.
Heather
Start now, the code is available for you to develop a very simple proof of concept for, to solve a very simple project. And if you need, wanna know where the open source codes are for you to use, let me know. I'm happy to point you in the direction, but start building because a lot of other organizations already are.
Yeah. Okay. And I think if we are at a point where we start discussing about how to merge decentralized with our existing world, then it's about decentralized entity getting real. So I think we are definitely making brokers in this field. Thank you very much to the panelists. Thank you to the audience. Raise your hand, please hands please.
Thanks everybody.
Speaker 11 00:29:49 Thank you very much. Also from my side, this was a great panel.
