Analyst Chat

Analyst Chat #139: Verified Identity Providers

Verified identity refers to digital identities that have been verified to describe a real-world identity in digital form. A growing range of service providers support organizations to achieve this for customers, citizens and employees alike. Annie Bailey rejoins Matthias and gives an overview of what "Providers of verified identity" are and which types of services and benefits beyond mere verification should be considered.

The Leadership Compass is available here.

Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Research Strategy Director and Senior Analyst Annie Bailey. Hi. Annie, good to see you.

Hi. Nice to be back.

Good to have you. First time with this new title that you've just earned and you've deserved it and earned it. We are here today to talk about some research work that you just completed, a work that is in an area that is really as you've always been working in emerging technologies. This is an emerging market. You've completed a Leadership Compass on Providers of Verified Identity. And that is really a long term, a mouthful of a name. What does Providers of Verified Identity mean?

Yeah, well, it's a concept which is best understood when you break it down into two parts. So you have the verified identity part and then you have the providers of that verified identity part. So if we start by looking at the verified identity we're looking at the idea of a digital identity, but not just any digital identity, but it's something which has been verified to describe a real world identity in that digital format and that the verification can remain valid throughout the identity lifecycle. So it's more than going through a one time identity verification, but it's really transitioning a physical document like a passport or a national ID card into a digital format that can be used in many more other functional ways. And that is really connected to a real world human. So you can think of this at an oversimplified level. So if you think about bringing your physical passport into a digital version. But this is really at the first level because in a digital version, you can really do so much more, such as you could share the individual attributes on that document, like your name or your birth date or your citizenship. You could share each of those individually without having to share your entire passport. So that's just a snapshot on why the verified identity part becomes really interesting in a digital format.

So if you're talking about the providers of verified identity, you've explained the concept. So there are organizations which do this as a business. What is their business? What are they doing with these verified identities along the process of providing them?

Exactly. So, as you can imagine, it's not always accessible for an individual to get a digital identity. So there are providers of those. And so this research is looking at who is making it possible for an end user to get access to a verified digital identity. But especially which providers are making it possible to use that within an enterprise setting? And this is really looking at a wide range of capabilities here. So going through the original identity verification, the registration and authentication, all using a verified digital identity. You could have additional services thrown in there, there's a lot of times fraud reduction, which is thrown into the mix. Doing additional attribute verification on other types of documents, not just government issued documents, doing digital signing, orchestration of various technology partners and the workflows here. So it's going far beyond just the identity verification part, but really how a verified identity could be used in the enterprise setting to lift the security of those access as an account throughout the user experience.

Right. So when we're talking about this topic, why are we talking about this right now? Why is this an important topic and why in 2022?

Well, there's a lot of different reasons. We could spend a lot of time talking about it, but maybe let's just pick one or two main reasons and focus on those for the moment. You could think about user experience as one of those. So you mentioned the year 2022. Here we are still recovering after all of the excitement we had in 2020, 2021, where it really became evident that we need to conduct very important transactions often from afar, where it's difficult to be in person to do a identity verification, as we've always done it, with no technology, where you stand in front of somebody who's qualified to check identity documents and they confirm that you are indeed the person who is described in your identity document and you are holding a valid identity document that wasn't expired, that hasn't been counterfeit. And that's a situation we are in now. We need an option that is not simply in person. And we need that for all sorts of transactions and in many different roles. So you can imagine, for example, opening a bank account or if you're a new employee, being employed and onboarded with your employer, but you can't be there in person. Or if a contractor is being granted access to a facility for a short amount of time, you to make sure that that individual is really the person who they say they are and who you expect them to be.

Right. I've been talking to John Tolbert about the FRIP platforms, the Fraud Reduction Intelligence Platforms. And I remember that fraud prevention and also the use of verified identities is something that is of importance. So when you talk about these providers of verified identities, is this also a key capability that they provide there as well? You've mentioned that earlier shortly.

Absolutely. So fraud is the other angle that I would want to talk about here. And identity verification in general is absolutely a part of fraud reduction platforms. And if we bring that extension over to verified identity, there's a very, very clear connection. When we think about particular types of fraud, account takeover fraud and new account opening fraud are both really large issues that using a verified identity can contend to reduce risk for this. So when we think about account takeover fraud, for example, this is, of course, when a bad actor is using a valid user's account through a variety of ways. Sometimes they have stolen credentials or with a brute force attack or social engineering are able to use a valid user's account. But this sort of fraud can be reduced with things like multi-factor authentication, particularly risk based, or when you're able to evaluate device or credential intelligence using behavioral biometrics and so on. And these sorts of capabilities are often accompanying a verified identity. Usually the means that it takes to initially verify that identity are able to collect some of those biometrics and then check those again during your authentication, bringing that confidence in being able to collect credential or device intelligence. These sort of things typically travel together. We could also consider new account opening fraud, and this is perhaps even more closely related to verified identities. If you think about a new account being opened by a malicious user, they could either be using credentials of a real person or synthetic credentials that don't belong to any real human at all. And if they're successful in doing that, that causes, of course, a very huge problem. And so this risk can be lowered by increasing the identity assurance level during onboarding, and then likewise raising the authentication assurance level during authentication, which is both really the goal of using a verified identity, is boosting those assurance levels.

Right. You've mentioned another use case. This was the business part of preventing fraud. But very interesting, you've mentioned briefly that that is also usable and can be used and should be used when it comes to enterprise use cases, for onboarding, especially large numbers of new employees for creating a helpdesk or for staffing large projects. When we think of such a use case and some of our audience might be interested in achieving that, what do they get when they look at these verified identity solutions? What is what is in there? What are the capabilities that would come into play when they want to onboard an employee into their organization? What are the key capabilities here?

Yeah, it's a complicated process, I hate to say it. So, there are several steps. And then underneath each step, there could be several different technology methods that would be used to reach the next step. So if we break it down, and we look at step one. That's for identity verification, collecting the evidence. So that would be collecting the identity document. That's really just the intake of information before any analysis really happens. There are a lot of different ways to do this. Again, when we talk about our zero technology method that is going into in an office where there is a physical person standing there who looks at your document But you can also have other digital methods. You could be taking a picture of that document and sending it. It's not necessarily secure, but that is an option that you could use. You could be using optical character recognition, the scan and then pulling that information could use video capture. There's the machine readable zone on most identity documents, which then transfers the information in a machine readable format. You could use near field communication if there's an embedded chip in that document, you could also use digital certificates for national registry lookups. So that's step one and all the options that you could use to collect the evidence from that document. Step two is the verifying part. So once you've collected the evidence, you need to check that that evidence is valid and accurate, that the authenticity of the issuer can be verified, that the document has all the appropriate security features, and that the information itself has not been falsified in any way. So again, there are a huge range of technological methods to do this, ranging from highly qualified individuals to machine learning algorithms who are checking for these different falsifications. And then third, the last step in the verification process would be binding and completing the verification. And so this binding process is really confirming that the document and the attributes in that document do describe a unique person and that unique person is actually the same person who's presenting them, that it's not somebody else who grabbed a passport that doesn't belong to them and is presenting it. This is again done in several different ways. More and more, we're using biometric verification here, which is then a 1 to 1 facial match. For example, using the template of the document. So either the photo on your photo ID or the biometric template, which is embedded in the document, if there's a chip there and matching that against the real time person who is presenting it. Sometimes this includes liveness detection, or this could be using something like video identification where there is a synchronous video with a human operator, a trained professional to look at this. So that's a long list. There's a lot packed in here and it's really a collection of a lot of best in breed technology providers to even get through the identity verification process. And that's nothing to say about all the other steps that you integrate with, into registration, into authentication, additional fraud reduction controls, signatures. So this is really a densely packed solution or service that providers are able to give.

Right. So in the end, in many of these aspects that you mentioned, the technology aims to replace or to mimic the functionality of this carbon based technology, when you walk into that office that does the verification process and tries to make sure that this person is really the person that he or she claims to be. And as an analyst, I know you looked at this topic within your research just right now, as an analyst I try to do a self-test with many of the aspects that are available for us to make sure how does this look in real life? And I actually, a few months ago, applied for what we in Germany call "elektronische Patientenakte", the electronic health care file. And you need to install an app and you get a new registration. And I really thought, because I've never done that with a bank account, that they would check that with me waving my ID card and all this liveness detection with a video and all this. And that was really prepared for that. And I was looking forward to doing this. But in the end, the guy from the postal services did the check at my door. So they they really requested him to do this as an in-person check. And he was not really liking that process because this really adds to the complexity of their daily routine. I mentioned that already in that podcast in an earlier episode. But what I really want to know is why don't we see that too much in real life? Because these technologies could really make lives easier for us and for our counterparts in business, as citizens, as customers, and governments or organizations. Why don't we see that? And where can verified identity solutions then still improve? Because they're not visible for many of us right now.

Yeah, well I think you hit on a on a good point. The reason why we don't see a lot of it yet is because this is really an emerging space. Identity verification is not new, using digital identities for the rest of these processes for registration and authentication is not new, but bringing these two together, so using a verified identity for these other processes and holding on to that verified status for a longer period of time is really hard and it's becoming possible. We've hit the technology sweet spot here where it's becoming possible and it's getting more accurate and better quite regularly, quite quickly. So what I can say is there are a huge number of vendors on the market which are providing some part of this aspect. They are somewhat limited who really provide this whole full service spectrum that we've been talking about today and that I cover in my report. But on top of that, there are so many vendors who do the biometric side of the verification or who do the document onboarding side or who provide a user held wallet. And this is another aspect here that where I'd like to transition into how verified identity solutions can still improve, there's yet to be an agreement on what the future model of this will look like, and a big part of that has to do with user held wallets. And you can think of that in exactly as your physical, your real world wallet, which is holding all of your different types of identities. It could hold your passport, but also your bank card and also your health card and really everything from many different issuers. And you have it with you all the time. The idea is becoming very interesting to have a digital wallet as well. And this is being discussed at various levels, but perhaps most notably at the EU level, looking at making available a digital wallet for citizens, for their digital identities, which could be used in their nation state, in their their member state or in other member states where they are not residents. So this is a big deal for both public and private use of digital identities. However, it's not clear yet what exactly that will look like if this will be decentralized or not. And both models are possible and in the market at the moment. And so this does cause hesitancy to adopt because it's not clear which one will win out, if any, or if there will be a multitude of solutions that people are able to choose and use for a long time. So agreement on how this will look in the future and how this will continue to evolve may be a reason why you're not seeing this in use yet, but you will likely see more of it in the next year to a couple of years. Another reason or another way that this could improve is that we're still holding on to perhaps older technologies or more familiar ways of doing things simply because they're familiar and they're known. An example of that is video identification, where you, as the person needing to be verified, you sit in front of your computer with a webcam, you join a secure call with a trained agent, and you show them your passport, what you're holding in your hands. Just on August 10th of this year, just last week, Gematik, which is the Agency for Digital Medicine in Germany, actually removed VideoIdent as an option for their health insurers for onboarding patients to this ePA, the electronic patient file. Now, they have decent amount of influence in this space to say that they don't recommend this anymore because it was demonstrated that it's possible and also repeatable to pass a verification using invalid credentials, which of course puts several million people registered for health insurance in Germany at risk of fraud. So this is there has been a tendency in Germany, sometimes in other countries as well, to hold on to older technology and not fully consider more automated versions for identity verification. This certainly needs to be done with care. This transition is nothing to be made light of and really needs to be fully tested, fully considered for the risks. But it's also clear that options like video identification is not up to the use cases, and the high value use cases that we're needing it for.

Okay. Understood. And I'm really looking forward to testing these wallet applications that you just mentioned. So they would at least a bit feel like all these authenticator apps that we have where we just scan another QR code and have a new additional factor for one or another service. If we have something comparable for containing and carrying these verified identities, I think then we're really one step further when it comes to interoperability and to opening up this ecosystem. Thank you very much Annie for explaining this. And are there any developments that you've learned of apart from the wallet and the standardization part that you would like to highlight before we close down?

Yeah, I think the comparison of a digital wallet with an authenticator app is actually quite good. There are at least a couple vendors on the market who are repurposing their authenticator app to function also as a digital wallet. So I think that bridge is probably a good one to hold on to. Yeah.

Yeah. Great. Thank you very much, Annie. And this Leadership Compass Providers of Verified Identity, it is available. You can go to our website and download your copy and a subscription is required. But there's a test subscription and it's really affordable. If you go for one year, it's really affordable. So if you're interested in this work and if you are looking into better and, and yeah, more secure onboarding of employees or customers, then this is the right document to check out to find potential providers that could serve your needs. Thanks again, Annie, and I'm looking forward to talking to you again soon. And not to forget to mention the CSLS event that will take place in Berlin in November. We have mentioned that in earlier episodes as well. So if you're interested in cybersecurity and verified identities are a part of that, please head over also and check whether you want to join us in Berlin for the Cyber Security Leadership Summit, either in-person or virtually remote. Thanks again, Annie and bye bye.

Thank you. Bye bye.