Analyst Chat

Analyst Chat #98: GAIN and Reusable Identities


Annie Bailey and Matthias take a deeper look at the emerging concept of the Global Assured Identities Network (GAIN) and also seek a broader perspective on the benefits and challenges of reusable identities in general.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm lead advisor and senior analyst with KuppingerCole and joined again today by my colleague, Annie Bailey. She is covering emerging technologies here at KuppingerCole. Hi Annie, good to see you.
Hi, Matthias. Great to be back.
Great to have you. We want to continue covering a topic that I've touched upon with Christopher and Martin in some earlier episodes from the EIC conference in Munich a few weeks ago, but we want to dig much deeper into that topic. We want to talk about the global assured identity network gain, and we want to put that into context with verifiable, with reusable identities. So when we start with that, and it's great to have you as the expert here, what are reusable identities in general, before we look at game, what is, what is the benefit of that? How do they work?
Yeah, so reusable identities, it's getting away from the idea of onboarding an individual and identifying them at this point, and then using that identity again and again and again, through authentication, but it's moving towards the idea that you, as an individual can have a digital identity, which you could bring to different organizations in different ecosystems. They wouldn't necessarily have to onboard you with the, the cost intensive, know your customer processes, or go through such involved steps to bring you on board because you have a verified identity, which is interoperable and reusable in different contexts. So that's quite an interesting idea, and there are a lot of different technologies technology methods to get us there. So it's, it's all about maintaining a very high level of security in a user-friendly way. So always juggling this, this trade off here, but also adding in this privacy enhancing element.
So being able to share information about yourself, for example, your age, or even that you were over a certain age, not even sharing the actual age or sharing the information that you are a citizen of a particular country, but without sharing your personal identification number or your passport number, anything that so being able to share proofs that certain information is correct without actually having to divulge that information. So in summary, a reusable identity is something which the individual can bring to their service provider, whatever organization they want to interact with that organization can accept it and trust that it has been verified to the degree that they need, that it has a high enough level of assurance. And throughout that it continues to protect the individuals personal privacy.
Great. And you've mentioned that the technologies are there, they are usable. I think this is more an issue of actually doing it, of actually having the drive behind providing verifiable re-usable identities at a larger scale. And this is where gain comes in. Right?
Exactly. So that's why gain is such an interesting topic, particularly for me as I'm researching reusable identities, but it should be interesting for organizations regardless of their industry gain is a network which is being proposed that would allow organizations anywhere to benefit from the, the identity verification and the validation of that identity data to onboard individuals and so regulated industry. So financial institutions, telecommunications national frameworks who are issuing passports or identity cards. These industries are putting in the hard work of, of identifying individuals to the highest levels of assurance. So really with the highest competence that somebody has been identified correctly, that the data is valid, that it's not the data of a deceased person or that something has been fudged here or there, but it's really correct. So if we can operationalize this data in a privacy protecting way for other industries to use, this is a huge advantage and leap forward, and being able to have a reusable identity
Understood. And if we compare this with other concepts that you've been working on on recently, if we compare that with the, the self-sovereign identity, the decentralized identities where the actual identity is owned by the individual themselves, in this case, it's different, it's owned, it's owned by the organization that did the KYC process, and they are also responsible for maintaining and assuring the accuracy of these, of this information. What is different? We compare it to, to decentralized identity.
Yeah. So it's, it's there in that word, centralization or decentralization. So up until this point, some of the leading solutions here in, in bringing a reusable identity into practice have been decentralized identity solution. So something which is using a blockchain or something like a blockchain to, to remove ownership or, or change who is holding the identity records or the, the identity proofs. So the, the digital form of the identity in centralized systems, this usually sits with the organization who is onboarded and individual. So would be a corporation. And in terms of holding employee records, or, you know, in terms of being a banking customer, the financial institution would be the one holding and in a sense, owning that digital identity record. But in decentralized systems, that identity record is then held in a decentralized system. So no one organization has control over it, but there are several nodes which facilitate a decentralized ledger, which then shares the responsibility of maintaining and maintaining an agreement that the records are correct, but no one party has the power to go in and change or manipulate or D deactivate to validate any information there.
So decentralized identities to summarize this is where there's no central ownership of the identity records, but the only one who's really holding the identity is the individual. And they have the ability to share their identity with other parties. Now, where gain comes in, this is more of a descent, or excuse me, more of a centralized system. And so the ownership or the ability to hold those digital records remains with the organization who did that KYC process, or who did that identity verification process, some of the language, which is coming out in the white paper, which they have published to, to explain what gain is and how it's going to work. It does use some decentralized terminology, which you could argue it that way, that the individual has the ability to choose who their identity provider is. Would I like this bank or that national framework to be the one that I am basing my digital identity off of and sharing with. And so there is still an element of agency that the individual has in terms of deciding how to, how to interact with the rest of the world, but the, the holding and the ownership of that digital record still remains with an, a, a clear centralized institution,
Right? So it's an interesting mix between both of the concepts. We surely rely and benefit from the already executed KYC process and that that guarantees and assures the actual accuracy of the data. But on the other hand, as you've mentioned, I would be able to choose if there are more than one of identities stored for me within the game network. So I could be able to choose which to use at, for which use case for, for which, for which service provider, for which a relying party. So I think that is also really an interesting thing to consider. We have seen these, these networks of sharing this information on a national basis or within certain industry that has been yes.com. There has been it's me. There has been something like verified me, but they have always been successful within their area, but they were not as successful or even not intended to be distributed in a more global, more global scale. So an ask this game initiative is really a, a fresh and new initiative just being announced at EIC in September this year. How can, how can they make sure that this endeavor will be successful, that there is, yeah, th that there's really the drive behind that getting to a global scale and having identities available at that global scale for international relying parties. What is, what is behind that idea? How do they want to drive that?
Yeah, well, if we start at a very basic level and simply look at the business model of gain itself, it is to first put financial institutions as identity data providers, or identity information providers. And so as any relying party or any organization wanting to onboard an employee or a customer, they would be able to interact with the financial institution who has this verified identity record. And so this transaction then is what could generate revenue for financial institutions and later on for many other types of identity providers. So those national frameworks for telecommunications, for any of those industry types that already has gone through the, the know your customer checks or, or higher level of assurance identity verification. So then if we question, how will this be successful when perhaps other proposals have not been successful? This is where in a sense, we need to wait and see gain is intentionally going international from the very first day, it's meant to be a global network. Whereas some of these other initiatives have really focused on meeting the needs of one particular region or country, or perhaps collective of countries who have already agreements between each other. So that's already opening it up to far more challenges internationally when it comes to legal jurisdiction, jurisdiction to the regulations, to be a banking customer in one region compared to another. So this is much more complicated than other than other initiatives. So this is, this is a challenge that really does have to be faced here.
Let's do it. So we w if you look at this initiative and the G in gain actually means global or globally assured identity network. So when they start being global from the, from the initial starting point, that also means that they need to have a, a critical mass of identities very soon being available so that we have this functionality available so that we would end up with something like login with your bank, rather, or in addition to login with Google lock-in with apple lock-in with Amazon. So this would be another more trusted, more reliable source of authentication, especially when it comes to critical processes. As you said, onboarding to an organization, onboarding or making business that really involves large amounts of money. And I think that's the reason why banks are the starting point, because they have to go through these KYC processes anyway, because they have to do it for their own businesses. So they need to take that additional step to make sure that they provide this information through the gain network, to other relying parties, the business models that you've mentioned are they, are they viable? As of now, we just can judge the paperwork and judge the theory behind it and wait, and see, as you said, what will happen? But from, from an analyst perspective, what do you think are they are the business models are promising enough to, to make sure that these efforts could be successful.
This is from my opinion, something very, very promising. So the, the ability to streamline the onboarding process and, and really raise the competence that an organization would have at every access of the workforce of consumers. This is something that's hard to put a value on, except that it's something very valuable. Now, what becomes a little more difficult to calculate is this trade off between the, the cost of this transaction or the, the potential revenue that could be had for identity providers to the complexity of the network, and really how much management is, needs to be put here. And this is the, is a similar question for both the gain network, but also for decentralized identity system. So maintaining a blockchain or a decentralized ledger is going to require some, some governance oversight is going to need to manage the, the computational costs of transactions or writing something to the blockchain.
So there are, there are scalability questions which really come into play with the decentralized identity solution. Although the, the revenue scheme is oftentimes quite similar to what gain has proposed as well. So outweighing the, the revolutionary possibilities behind every usable identity have to be balanced with the complexity of the international, these global networks that are being proposed. So to give an answer without giving an answer, it's very promising and it's incredibly challenging to achieve what they're hoping to achieve. I think there's some hope to be had though gain has been quite transparent in saying that they anticipate a, a fuller operational launch at the end of 2022. So here we are in October of 2021, they've already done a great job of communicating very clearly how this network will look who the potential actors are and how they would benefit what the architectural will look like and what the next steps are. So the communication journey has been very, very strong, which leaves a good amount of optimism for what they'll be able to achieve in the next year.
Right? And I think from, from, from a user's perspective for you and me, if we have the chance to have our already verified and vetted identities being available around the globe for additional use cases, while preserving privacy, I can choose what to, what to disclose and what to use in which use case. And there is no no selling of my data. There is no no unwanted use of my data, but I'm really in the driver's seat whenever it comes to using these vetted identities for additional purposes. I think these benefits combined together and, and make made sure by a proper organization behind that, providing the governance and the oversight, as you've mentioned, that it's really something that we should look forward to. And from our perspective should endorse wherever possible, because this looks like something that's much better than what we have around right now with social log-ins and the use of data there. Are there any other issues that you see when it comes to this, this, this game and Devaa w w w where do you see some of the, of the, yeah. The stepping stones when it comes to, what, what could go wrong or is it legal, for example, that really true transfer of data across national and regional boundaries?
Well, this is going to be a huge question. So the more we go in the direction of selective attribute sharing, so being able to share perhaps a proof of a proof, that information is correct and true without actually sharing that information, that could be a pathway to, to more, more illegal transfers of data across different boundaries, or at least less complicated, because the, the data itself would stay within the region where it is stored or where it was collected, which makes this much, much easier judgment of if something is GDPR compliant or not as one example. So the more we go in the direction of selective attribute sharing, or sharing of proof, that information is correct rather than actually sharing that information that could really help here. Of course, that increases the amount of trust that organizations need to have for each other. If an organization needs to know that, you know, I am a legal citizen of such and such country, if they only get a yes or no answer, they have to trust that that information was again, verified at the appropriate level of assurance, that they can really have confidence that the yes or no answer was enough because then they could take the fall.
If that information was perhaps not correct. So the, the trust between organizations has to be there in order for, for selective attribute sharing to, to really take off another, perhaps a sticking point or catalyst for Massdrop adoption is for organizations to really say, yes, we will accept a gain ID and to be participating in the network. So of course, the more organizations that could hypothetically have, have, you know, login with gain button on their, on their website, along with the other social logins that actually giving a, a place for end users to use this reusable identity, that's going to really determine if users will use this or not. If they don't have a place to use this, it's not going to take off. So organizations that are interested in this, this possibility of having reusable identities, trusted between organizations, this is the time to get involved and contact the game network, see how you can participate.
Right. I, I would fully agree because this is really an, an opportunity for all of those contributing right now, as, as a, as I've said, this is a very, very fresh initiative as you've sat there as a clear timescale and, and the plan and with, with, with, with clear milestones and they have a great concept. It's not yet fully there because they are building it up over time, but the foundation, the technologies are there, they will continue with a proof of concept installation and the reference system very soon. I think it's by the end of this month and when they will execute this first real life test of this concept. And I think con contributing and making sure that organizations in each of the potential roads, being a relying party, being an identity provider, being a service provider in that context, this would be the right time to, to join forces with them.
And to make sure that this works, this work continues successfully. We will cover that topic of course, because we are really looking into the technologies and the processes behind that. And we will cover that for example, at our cybersecurity leadership summit in Berlin later in November this year, but will cover that over the next year. And we will see how things work out. And I think you will be the one also doing lots of the work around that and making sure that this information is, is transferred also to our readers and to our listeners for such an, a podcast episode, anything from your side to add when it comes to looking at the future evolution of game.
I think that staying on our toes is, is something that we need to do in the next year. And, you know, there's with this initiative with other decentralized identity solutions that are already on the market with, with pain customers, you know, that, that have moved far beyond the proof of concept concept stage reusable identities is, is much less hypothetical and much more a reality. We've kind of passed that tipping point. And so now that we're there, things are going to be changing, moving, developing quite quickly. So I'll have a lot on my plate for the next year. That's for sure. And I'm looking forward to bringing that to all of you.
Great. That's a final, a great summary for, for this episode of this podcast game network is really hopefully getting the traction and the, and the, and the publicity that it needs. And, and we will cover that in the next year and we will see how things evolve. Thank you very much any for being my guest today.
Yeah. Thank you for having me.
Always great to have you and looking forward for another episode with you together soon. Thank you. And bye-bye.
Thanks. Bye.

Video Links

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Prediction #3 - Identity Proofing & Fraud Reduction Everywhere

The pandemic has dramatically accelerated the shift to online transactions in most industries, with the financial industry as an example for a heavily regulated sector being in the forefront of a movement to establish a global standard that leverages the assurance level of online identity…

Analyst Chat

Analyst Chat #94: From Ransomware to Globally Assured Identities (EIC 2021 Special)

EIC 2021 finally took place in Munich in a hybrid format between on-site and online. Of course, Matthias took the opportunity to sit down with his analyst colleagues in person for some EIC special analyst chat episodes. In the first of three specials, Christopher Schütze talks to him about…

Webinar Recording

Identity Verification: Why It Is Needed and How It Can Benefit the Business

The COVID-19 pandemic has transformed the way customers engage with brands and led to increased digital interaction. But this has increased the incidence of fraud during the account creation process. As a result, businesses now face the challenge of verifying customer identity and verifying…

Webinar Recording

Does Increased Security Still Mean Added Complexity?

We’re all accessing more goods and services online than we ever thought possible, which has presented a huge opportunity for cyber criminals. Rapid digital transformation has left some businesses exposed, and fraudsters are looking to exploit new weaknesses. Strong digital identity…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00