Event Recording

Anne Bailey: Market Compass: What does the Future Require of Identity?


There are several external drivers that are putting pressure on the way we manage identity, made especially clear over the last year: digitalization, privacy, user-centricity, and reuse.

Rather than resist the change, let us consider what would happen to identity if we translated these pressures into requirements. Which capabilities are accelerated from the sidelines to being star players? What approaches best fit these future requirements? And how does decentralized identity come into play?

In this talk, Anne Bailey will pull from the insights of the upcoming Market Compass Providers of Verified Identity and consider where identity is going in 2021 and beyond.

So with that, we're going to be diving into this basic question: what does the future require of identity? And so I will start out with describing the requirements that we can predict the identity of the future is going to be based upon. But doing that, we're going to find that there's a gap between, of course, the systems that we have in place today and this identity that we envisioned for the future. I would argue that that gap would be filled by identity verification, and I'll take you through the logic on that. We'll then compare the compatible approaches to actually bringing identity verification to some of these onboarding processes, integrating it with identity, and then we have to acknowledge, okay, we're here at a decentralized identity conference. Let's dive deeper into what decentralized solutions have to offer here. So to dive right in, what are the requirements that we need for a future identity? First off, it barely needs mentioning, but the future of identity will be digital. So if this trend wasn't already clear, you can probably find a very tangible example by reflecting on the past year. If you went through any sort of bureaucratic process, which in normal times would require you to go into an office, present some paperwork in person, perhaps provide a signature, and you had to do that remotely, then enough said: the future of identity must be digital.
Next step. The future of identity will be privacy forward. And now if we consider any identity transaction, data is necessary here, but of course we have some learnings from the 10 plus years of doing these transactions online. And we know a few things. We know, of course, that data can be weaponized through hacks with data breaches, or of course data can be commercialized, sometimes against the interests of the individuals that data is describing, or perhaps most often data can be collected simply to collect dust, never actually be used for something purposeful. So we can of course take many different perspectives on the privacy. And if we consider the individual, they have been without digital privacy for long enough to demand that the future be private, and of course have the weight of regulators behind them. And many of the interests of enterprises also line up with this.
So this dovetails with the next principle of the future of identity: it will be user centric. And I'll now take you through an incredibly simple example to make this abundantly clear. Of course, we have a user, and the user turns to one service provider for a retail purchase. And then the user goes to another financial services provider to apply for a loan. So the common denominator here is of course the user. And now this is the opportunity for enterprises to change their perspective here, and really be able to open up cost savings, get away from silos of data and enable the users to carry their data and be portable, moving from service provider to service provider. So this sounds wonderful and great, but how on earth is any enterprise going to trust this data as it is moving from place to place, perhaps validated by a competitor, another service provider outside their industry, where there is no relationship? How can this be possible?
And so finally, I hope to present an idea to you that is maybe less familiar, and that is that the future of identity will be reusable. And so let's strip away all of our assumptions about the way identity systems have been working traditionally and just think about ourselves and our identities. Our basic identity attributes rarely change: our name, address, passport number, tax ID number, payment info. Of course, these do change during the course of our lives, but not very often. And so why on earth are they onboarding the same information ad nauseam? So if we start to pick up each of these pieces, these principles that I've described along the way, when data resides with the user, when it is truly user centric, and it can be shared securely with confidence, when it is in a digital format with privacy at its center, then reuse is really the only option that makes sense.
So here we are, we have our vision of the future of identity, and we're standing here squarely in the present. How do we get there? And this is where I would argue that ID verification is the thing that provides the trust, enables an identity to be reusable from one party to the next, which is how we will get to this future of identity. So we start out thinking about the individual's attributes: name, passport number, some of these basic identity things. Now they could store them in a digital format, perhaps in a digital wallet, but at this point it is only self-attested, which is not very trustworthy at all. And so we need to base that on some reliable source. And so matching government issued identities against public sources, black lists, things like that. This becomes a very foundational way to build credibility of a digital identity.
So this verification step is what can deliver a credential into a user wallet, which would then enable a user to go to different service providers, perhaps a bank, an employer, health provider. Each of these different use cases becomes a reason why user centric verified identity could be really useful. So for many of you in the audience, hopefully this looks familiar. This is a typical diagram of a self-sovereign, a decentralized identity wallet, and that's great, but that's not the only way that identity verification takes place. And we do need to assess the approaches for giving an identity verification to really see what is compatible with this future vision we have of identity. So let's start at the beginning: we have in-person verification. So this of course requires a physical meeting between a person who needs to be identified and a trained personnel who can identify the many different identity document types, their varieties. Of course, if they've been falsified in some way. Yeah.
So this is in no way digital, but it does typically have some of the highest security reliability still in the regulations to this day. So this is still a heavy hitter. It's also not a reusable identity yet, or supporting a reusable digital identity. And that's because this verification is only valid really for the time that the individual is in the presence of the trained professional for the transaction that is at hand. As soon as that individual leaves the presence of the identity checker, they could get mugged for the passport and that identity verification is no longer valid. So if we plunge into the next step, we are now edging on digital and being able to enable virtual identity verification, but we're not quite yet at a digital identity. These are video call verifications, where you still need an interaction with a trained individual. You start to have some technology requirements such as a webcam on your device, adequate connection, sound, lighting. As we've all experienced over the past year, this is not as easy as it sounds. And of course presenting your documents. So again, this has the same issues as in-person verification, where it does not facilitate a reusable verified identity. This verification is really only good for one transaction.
Now we can move forward into automation using biometric and document checks. So you could have a fully automated ID verification system where an individual could scan their ID document with their smartphone. And this is automatically checked against authoritative sources. At the same time that individual would then collect biometric information, usually a video selfie, which would then compare against their photo ID document. Make sure that is a one-to-one match while also checking to make sure the individual is indeed alive and present. It's not a spoofing attack. It's not a video submission, many anti-fraud checks mixed in at the same time. So the big question here is how does this compare security wise against in-person verification or a video call verification, where there is a trained professional?
The question hangs over us. We do have guidance of course, from regulatory documents and specifications. So the NIST 800-63-3 is relevant here for the identity assurance levels. And the language here is ambiguous enough that this does fit, but it's not specific enough to particularly name this method. So as usual, the technology has moved faster than the language supporting the regulatory regulations and recommendations. So we need to stay tuned about this. If we move forward, we then have decentralized verification. And this is very exciting because we then move into having a reusable identity. I know this can happen with the help of some familiar words or familiar standards like verifiable credentials and decentralized IDs. And what this does is it takes the fully automated process that we saw in number three, and generates a proof, which is then stored in the decentralized ledger, the blockchain, which correlates the biometric information with that identity document so that when the individual presents their biometric info, it is as if they're also producing their identity document. And so this proof, which is not actually their identity information, is what can be shared from party to party to party.
And we should also acknowledge that there are digital ecosystems out there that are working really hard for a digital reusable, verified identity. So we have electronic IDs, we have bank IDs, which are being federated for other services, and we of course have the decentralized verifiable credentials that we just spoke about. And so for a while, these are going to be at large in the world, all working to identify and move individuals and give them access to different services, employees, companies, and much more. So what we really need is an interoperability layer, of course, most likely brought through identity hubs, being very active.
So these are the approaches, but let's hone in on decentralized verification. How does this really hold up against our vision of the future of identity? So let's go through these four principles again. It's digital. So decentralized identity verification is typically secured with PKI. The credentials, the identity information, is typically stored on the user's own mobile device, while the proof, so not the identity information, but a proof that it has been verified by authoritative sources, is stored on the ledger, which then enables digital transactions with whoever the user is. So is it privacy forward? The user could selectively share data with those they are transacting with, and this is only one look at the many different facets of privacy, but this is a really meaningful one in actually living out data minimization. And so a user could, for example, state authoritatively that they are over 21 without actually giving their date of birth.
If we consider the user centricity of it, it is the user who is holding their identity data and issuing consent for any transaction, any request to view that data. And now that user can access all of their accounts essentially from one wallet. And so that gives the user a really great overview of the different identity transactions that they have done, who has seen their data, who is holding their data. And that's all found in one place centered around the user and a capability that we hope to see coming up in the next few years is more user delegation for access rights. So in peer to peer relationships or in guardianship, a parent over a child, or if somebody has experienced a health issue or health decline, then they can delegate their access rights to a spouse or a trusted party.
So finally, let's consider the reuse aspect. And this is where some really interesting use cases come up that I'd like to start. And a few of our quickly dwindling time on things like authentication, bringing remote accessibility to high value transactions or moving between identity ecosystems.
And so considering these use cases, you could think about a new employee onboarding situation or a new partner. And if this new employee or new partner were able to verify their identity remotely, you would never need to see them face to face. This is a great COVID-19 use case here. Then you would be able to issue access rights or provision their identity without ever having to have that face-to-face meeting, with high security and trust in their credentials. So we could also think of this as KYX. So not only know your customer, but also know your vendor, know your supplier, know your partner. So it's an uplift to any account to go through the due diligence checks as needed. So we could use verified identity as an authentication factor. And so this isn't simply throwing in biometrics as a second factor, but it would be using biometrics which have been verified to correlate with your identity document. So it's an additional layer of security here for authentication. And then something we expect that you'll hear much more of in the coming months, perhaps under different, but we call it life management platforms. And so this is the architecture that would allow an individual to own, control and share their own data safely.
So I have been talking at you rapid fire, but if you missed something, here are the highlights. I want you to remember that the future of identity is digital. It will be private, user centric and reusable, but however, there's a gap between where we are now and this vision that we have. And I would argue that identity verification should fill that gap. You can, of course, disagree with me and happy to have that conversation, but there are going to be multiple compatible approaches to bringing this to be, and decentralized solutions are a really promising one. So with that, I'm so humbled to be here as the opening speaker today. I'm really thankful for your attention and I welcome your questions. So with that, back to you, Raj.
