Webinar Recording

Verifiable Credentials: A Fresh Approach to Identity in the Digital Era

Log in and watch the full video!

Establishing a verified digital identity is crucial to successful business collaboration and customer engagement in the digital economy. Verifiable Credentials provide a highly secure way of establishing digital identity. However, knowing exactly how to begin using this approach can be challenging.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Hello everyone. And welcome to today's webinar. I'm really pleased to have a full house of experts here with me today, all coming from a slightly different perspective on the verifiable credentials ecosystem here. So our topic today and our goal behind this conversation is to take a look at this fresh approach to identity in the digital era. So my name is Annie Bailey. I'm an Analyst with Cole focusing primarily on digital identity for the present and the future, but I'm also joined by ed Ackerman of Ono by Jonathan Distler OFIA of ANCO Patel of Microsoft and Kristi sniper of Lexus nexus. So everyone here will get a more full introduction from each of these speakers as we get a bit farther into the webinar, but I have a few housekeeping notes to get through first.
So first, if you are interested in more content like this, talking about blockchain or industry 4.0 or cybersecurity, you can join our virtual events or our hybrid event in Berlin in November. So we look forward to seeing you the air. I have some information also about this particular webinar. You can be at ease you're muted centrally, and you do not need to control this function at all. So that is taken care of for you. However, we do encourage participation throughout the webinar. You can do that by participating in a few polls that we will show throughout the webinar that's to get the heart rate of our audience members and kinda work with your responses directly. We'll take a look at those results at the end of this webinar. So feel free to participate. We also want to be welcoming of your questions at any time throughout the webinar, you can go to the go to webinar panel and there's a questions field.
Just enter your questions there. They will come to me and I'll be able to field those to our panelists at the end of the webinar. And finally, you will have access to this recording and you'll also have access to the slides and those will be made available in the next day or so. So you can look forward to that now, right on topic. Here is our first poll question. So since we are tackling the, the topic of verifiable credentials, we want to get an idea of what your background knowledge is. We can tailor this conversation a bit more towards what you know, and what you would like to know. So feel free to select an option, which best meets your experience level. I'll here to allow everybody enough time to submit their answers.
Great. So with that taking care of, think of, thank you for your participation. Again, we'll look at those responses in a little bit. Let's take a look at the scope of this webinar today. So as I mentioned before, we're gonna go through the introductions of each of the panelists and participants here today and go into the view that each person and the organization that they're representing, how they view the world of verified identity and how they fit into this ecosystem and support each other. So this is, will be the points one and two combined in a bit. And then after that, we'll move into a round table discussion. We'll talk about everything ranging from business model of verifiable credentials, to security, benefits, and questions. So that will be the bulk of our conversation, but of course we do welcome your questions. So at any point, send those in and we'll have a chance to tackle those at the end of the webinar.
So with that, let's jump into this concept of verified identity and how each of us see the world when it comes to this. So as again, my name is Annie Bailey. I'm an Analyst with co or Cole, and my research has been centering around digital identity. But through that research, what we've noticed is that there's often a gap here, an anchor to reality is missing in many digital identity solutions. So what I'd like to do today is, is set the stage very briefly on why a verified identity is something really essential as we move forward to relying more on digital identities, which will then hopefully set the stage for verifiable credentials. So to do that, I want to take a look at this missing link, this identity verification step, which is often missing or lacking for most digital identity solutions. We can look at that in the perspective of digital onboarding, whether we're talking about consumer identity or employees, partners, contractors, we have a range here.
Of course, one extreme is simply self attesting where this information being presented by the individual has no basis for verification. And then on the other extreme, we have individuals going through a one time verification, be it, know your customer, be it a background check, but as we rely more and more on digital identities, we need repeated access. We need this verification to be able to last over a duration of time. And we don't necessarily mean authentication here. We mean a repeated access to the same organization or across organizations and employees of course need to be able to access anywhere from any device. Somehow, this also has to match our zero trust goals here of never trusting and always verifying. So how do we match up this need to continually verify while not making individuals go through the same verification steps over and over and over again. Now this becomes even more exaggerated. When you talk about bringing this across parameters, when you have an employee of course, verified and trusted by their own organization, but who is maybe subcontracted with another organization, why can't this identity be onboarded with the other organization? How do we move this trusted identity across parameters?
And then we bring in the concept of privacy, whether you're interacting as an individual or as an employee, you don't need to be sharing information at the same level of detail in each scenario. And so we should be moving more towards selectively disclosing information, not necessarily presenting that information, but presenting that a credential, that that information is valid and can be trusted. So with this context, we can then see over on the right, we need to be moving towards a verified identity solution, which is trusted within the organization and across organizations. It is reusable across organizations without having to go through a lengthy identity verification step at each point of access and for security that the entity can be securely stored and securely shared.
Now, of course I could talk all day about identity verification and that's one of the two requirements that we have. The second requirement, which I'd like to focus on here is to make a verification valid over time. And that's everything in this process, which is highlighted in blue. And this is where we can invite in the concept of verifiable credentials. We can of course verify and an identity. And this is normally a snapshot in time, but in order to make this last, over duration of time, we can create a proof of verification inviting in standardized protocols, like decentralized identity, like verifiable credentials, which are then stored on a registry. You can think of this like a database. It often brings in a decentralized architecture, a blockchain or blockchain like architecture. And then you can share this using open standards. So integrating into those services and the infrastructure that enterprises are already using. So with this, I hope to set the stage for the continued conversation, the continued introductions from the rest of our panelists. So with that, I'd love to invite ANCO to introduce himself and to present how Microsoft is fitting into this. So thank you with that over to you.
Thank you, Annie. Hello everyone. My name's Tel, I'm a program manager with the identity team at Microsoft identity at Microsoft. For those who may not be familiar is account systems for using our consumer facing services, which is things like Xbox windows. HoloLens outlook is about 890 million monthly active users of those services. And there's the enterprise, any systems, which is Azure active directory, 600,000 large companies and organizations, several nation states, federal and state agencies leverage this service as the front door and managing at Indian access management for, for their respective organizations. And between is LinkedIn as a professional identity system. So consumer professional and at work, but in all of those cases, these are accounts that are being used to manage access to services. It's not our true digital identity as Annie was describing, anchored on some foundational attributes and something that we can use beyond these application boundaries.
Sure. You can single sign on across, but that's different than having control over who I share my attributes with when I share it, et cetera, solely under our control. So in that spirit, we started an incubation effort five years ago, and we've been participating with a growing community of participants in the decent price identity foundation. More than 200 companies are part of it. Microsoft is just one of them and we are thrilled with the progress of the community and happy to share some of the discussions we've had as part of this panel discussion. Thank you for having me in
Of course. And thank you for being here Jonathan, over to you. Can you give a brief introduction?
Absolutely. Thank you again, Annie. Good morning. Good afternoon. Wherever you are. My name is Jonathan Distler. I'm the director of solutions engineering for IIA here in north America. Hi, Deia is a global identity software company and we see a world that largely aligns with the landscape that Annie has laid out. Our design philosophy. We call identity on the edge and it entails some key pillars, privacy first. So data should either reside with issuing authorities or, or reside with the user. And our business model is actually not based off of aggregating or exploiting any data that we get from users. Consent driven. Workflows is something that, that Annie mentioned as well, very important for, for us as is global interoperability to be aligned with international standards. Second, we believe the world is in a lengthy transition from, from digital physical to digital. So much like cash continues to be present in the payment world even today.
And today's interactions are largely hybrid. A lot of folks start transactions online, but then go into a physical location, travel being a really important example of that. So customers really value identity companies that have the operational expertise, the products and services that can capably address this reality. Third, we strongly agree that companies should be addressing facial recognition bias. And Annie did mention that in the landscape, but in the, but in the white paper, it's an important part of making sure you have a system that is not only accurate, but also minimizes bias for things like ethnicity and gender N the national Institute for standards and technology actually publishes a facial recognition test that measures both of these things, accuracy and gender and ethnicity bias. And we've been able to add value in the market as a vertically integrated provider of our own algorithms scoring very, very high in accuracy and N called us out for being undetectable actually in terms of bias. And then the last thing I would point point to would be what Annie was talking about earlier about anchoring for us anchoring is really key it'll N and other international bodies talk about and give guidance on how to produce secure IDs and anchoring back to that to a government credential system of record gives you the highest levels of assurance. And so that's another value that we've been able to provide, especially here in the us. So again, thank you, Annie. That's looking forward to the discussion.
Fantastic. Thank you. And then ed over to you.
Yeah. Hi folks. I'm ed Ackerman, head of global partnerships at Ono. We're an identity verification company. So we help customers access services online and provide businesses. The assurance required to onboard and authenticate and ultimately interact on a daily basis with their customers. So for us, proof of identity is a fairly straightforward process. It's as simple as capturing your government issued identity document, snapping, a photo or video of your face. And that's it. We then use those two things to build a high degree of confidence around the person behind the phone or computer screen. And it's these types of services that allow banks, telcos, transportation companies, and many more to, to seek and, and, and gain the assurance needed to build trust with their customers. We're excited to be working with Microsoft as one of the fellow founding partners to bring verifiable credentials to market. We see a number of consumer and business benefits to the model, and I'm very much looking forward to engaging in a discussion today to expose some of those ideas and, and, and hear from you in terms of some of the questions you might have. Thanks very much, Annie.
Yeah. Thank you for being here and Chris over to you.
Great. Thanks Annie. And certainly appreciate everybody's attendance today. My name is Chris paper. I'm a director of market planning with Lexus nexus risk solutions. Our vision is really to inspire insightful decisions across a world of, of many risks and opportunities and our mission of providing insight in, in order to help advance and protect people, industries and society. We work across a number of different industries, including financial services, retail, gaming, telecom, government, healthcare, and so forth. And we have a number of different capabilities, including fraud and identity, financial crime, credit, risk assessment, small business risk, and so forth. So we, we very much see a very broad spectrum of, of challenges that organizations have. And then we, as an organization, we're able to dive very deep with our, with our individual subject matter expertise and, and solutions and products in order to help solve those challenges very much.
We see from a fraud and identity perspective, very much see the world as a spectrum of risk. And we advocate what we call a risk based multilayered approach to those, to those risk controls, where organizations are able to pivot very quickly in order to adapt to new challenges in the marketplace while being able to create a great customer experience. Because I think that when organizations abstract, whatever solution they have from the customer experience, it can be very detrimental to their, to their business model. Certainly like the rest of the panelists. Very, very much look forward to the discussion today. You know, we're certainly very excited about the, around this notion of verifiable credentials. We certainly have been in the verifying identities for quite some time and certainly believe that there's gonna be a number of both evolutionary as well as revolutionary technologies and capabilities in terms of technology protocols and so forth. And certainly having the ability to protect that ecosystem around both, both the, the physical identity, the digital identity, as well as the overall ecosystem is gonna be vital to, to how well these technologies are able to support organizations in the future. Thanks, Annie.
Fantastic. Thank you, Chris. And with that, we're ready to head into our round table discussion. So really here we're, we're looking towards the role that verified identity and also verifiable credentials can play for the enterprise. So to kick that off, I've got a question here just to make sure that we're all on the same page as we're moving forward. So what do we exactly mean by a digital identity? Ancor was wondering if you could kick it off.
Thanks Annie. When we were doing the prep work for this conversation, I was thinking about this, that today we operate one of the world's largest identity service. But what we realize is that it's not actual digital identity as we've been talking about it, but it's been accounts that we operate for users and users use those accounts to access many different types of applications and services or devices for that matter. But our true digital identity, as you were describing, consists of not only attributes associated with those accounts and applications and activities, we're performing with those accounts, but foundational identity beyond the digital world as Jonathan and Chris were describing as things happening in our everyday life, it's stitching all these together as a person and understanding your digital footprint makes up our digital identity. Unfortunately, we don't have really good tools as individuals to understand what that footprint looks like globally, unless we go to every service door to door to try and figure out what that would look like, or for that matter for an organization to understand everything that their employees and partners and devices and service are doing across the internet, in their name for that matter.
So in fact, we think we are at this cusp for the beginning of helping establish a true digital identity for individuals and organizations, so that we can truly understand the global footprint of our interactions digitally compared to these silo ones that exist tied to an account and an application. What does the rest of the panel think about it?
So Encore, when I think about identity in general, I think about identity like a human human beings have a life cycle, identities have a life cycle. So we're born, we undergo changes milestones, and eventually we, we, we deregister, we, we die. Right. And some of those attributes, as you said, to be foundational, ideally should be tied to a government credential, right? So that the, you establish this sort of chain of trust that, you know, you're not just inventing an identity to me. I think that chain of trust should extend to digital. It's just that now the, the, the, the power has shifted with technologies like verifiable credentials to the holder who can, who can then decide how and where to, to reveal that identity. And in what context, so the, the short answer for me about digital identity is its hyper context, right? Your ability to, to be the person or the, or the attributes you will, that only you need, you need to be right in that particular moment while still maintaining that sort of invisible chain of trust behind it.
One thing if I add quickly is yes, the government based attributes are essential, but I think there are other issuers of the data station as well, such as your workplace or your family or your network or your community that you're part of. And I don't know you, you're a great coach at soccer. These are all at the stations that make up our identity. And it's a matter of how well can we collect these attributes, present these attributes. And as you point out where fiber credentials gives us a means to have a virus, a vast array of issuers and verifiers now participate in addition to the government or foundational identity attributes being important.
You know, I, I, I agree on. Sure. I think also sometimes folks in the industry almost converge this notion of digitizing your physical identity and a digital identity. And, and certainly we, we look at it from the standpoint of, of you have to have both, you have gotta have your digital aspects. And Jonathan, I certainly agree with you a hundred percent, that, that you start as like a date of birth. You start as your first name. Now you can certainly change your first name, change your last name. There are elements of your identity that can change over time. And also, I think there are a lot of, I'll just say, you know, societal type of changes that happened over time, maybe 15, 20 years ago, people couldn't imagine not having a driver's license today. You could have a number of people who don't bother with a driver's license because they live in an urban society and, or sorry, an urban environment.
And they don't, and Uber's great, good enough in walking or they want to minimize their carbon footprint. And so, you know, a, a bike is, is cool for them. And however, they have a, they may not have a strong government credential a footprint, but they may have a very strong, let's say rental footprint, as well as a strong digital interaction with a number of different or different organizations. And let's say a long tenure email and by leveraging a number of those capabilities together, based on the risk of what they're trying to do, I'm trying to open up an account in a, in a regulated industry, or I'm opening up a, let's say a loyalty account in a, in a non-regulated industry. I think a lot of that needs to come into play to be able to understand what level do I need to drive to in order to ascertain the identity of this individual.
Yeah. Completely agree with those points made. And, and, and maybe just to extend that, I think one of the things that we are seeing at the moment is that timing is really, really important. So you mentioned sort of 20 years ago, not having a, a government issued ID, like a driving license might be crazy. Even 24 months ago. We were not accessing goods and services online as, as, as much as we are today, we very much had a crash course in going online as part of COVID 19 and, and that's for users and for businesses. And for, for us as consumers, we expect more and more of our lives to be available to us online and to be feature rich and to, if anything, be more inspiring than, than going into a branch or going into a physical store, because we've come to expect that.
And likewise businesses, whether regulated or unregulated essential non-essential, they've had to develop and build on their digital solutions to improve engagement. It's no good. Just having a, you know, very basic web storefront. You have to have some means to, to engage consumers and attract them to your, your storefront and, and keep them there. And digital identity has been absolutely foundational to, to helping companies achieve that and for consumers to actually buy into that process. So, you know, with this sense of moving our lives more and more online, both private organizations and governments are seeing that digital identities hold, hold the key. So just last week, we saw a large transaction in, in Canada with interact and security key in, in Europe, the European government ultimately is, is looking at releasing an identity wallet. And these things are tied to a growing acknowledgement that we want to live our lives more and more aligned, and we have to do so with the digital identity that works for us as consumers is, is privacy oriented. But most of all allows us to live our, our day to day lives in a way that is consistent with, with, with what we are looking to do. So I think the stage is set for, for digital identity and regular identity to move much closer together. And, and like, this is perfectly timed to capitalize on that movement.
So if I could add one point, I wanna build on what Chris said about different levels. I think that's probably the, probably the baseline for a lot of the people on the, on the attending, the webinar is the username and password, right? You know, we have a million of them, you go out and you use them. They are, they are as non nuanced. And as binary as you can get in a digital identity is nuanced. Right? You can go, there's a place for anonymity. If you wanna post on a blog, right? You don't, you shouldn't have to identify who you are presenting the attributes all the way up to a bank account or, or a passport, right? So those having, having a framework in, in which the, the digital identity can operate right from extremely privacy concentric to I'm, I want that user experience ed was talking about, and I'm willing to share more data to get it to me is very, very key and characteristic of digital identity.
Fantastic. Thanks for giving all of your perspectives on this. And so I think it's time to bring this a step further and consider then the scenario of a verifiable identity and using also verifiable credentials. What we've seen mostly is that regulated industries and financial institutions fintechs have been some of the first adopters, and sometimes of course, under obligation to use identity verification to bolster their, their identities and their digital identities. So how do we start to bring this to other industries? Because regulated industries and financial institutions are not the only industries that are going to benefit here. Ed, why don't you kick this off?
Yeah, thanks, Annie. You you're absolutely right. A lot of this movement has been spearheaded in the financial services sector, because as you mentioned, they are regulated to, to, to meet their know your customer needs. And that includes a proof of identity aspect so that they truly know who they're doing business with. So that has meant that they have had to build bank grade ways of, of doing that. And if you think about this in more simple terms, sort of, I think about James Bond, as you've been released, when you enter somewhere secure, like a vault, you will scan your retina. You will do something that, that lives up to that level of assurance to gain access. And that's essentially what, what we've built and, and, and, you know, it's accessible anywhere via a smartphone. The reason perhaps why, why banks and innovative fintechs are looking for these types of, of solutions is regulatory, but it's also a differentiation point for them.
In terms of user experience. We saw a huge amount of competition and innovation very quickly, particularly here in the UK, where FinTech is a, is a really huge and hot industry. We saw lots of, of, of startup and scale up organizations stealing a March on the incumbent and the incumbent financial institutions, then looking to, to, to win back Mindshare and, and, and customers, and ultimately to release something which was more in, in keeping with their brand. Now that this, this has been solved and very much kind of features in, in many, many financial services onboarding and, and the in life identity, user journeys, it can be something that other industries start to pick up on. And I just wanna give you one example that we've been working on this year, which is with Microsoft and with, with a pharmaceutical company. And they are looking to reimagine access management for contractors and for partners.
And so by using IDV backed verified credentials, third party users can access company resources and, you know, high sensitivity apps in a way that does a way really with the need for passwords and provides access for the intended person rather than a bot or fraudster, for instance. And actually if you dispense with the, the, the sector altogether, this scenario, and, and a wider set of use cases can be applicable to almost any industry. So, you know, think about account recovery, use cases from chemical manufacturers to, to telcos. We've seen interest in verifiable credentials to support with just this type of how do I recover someone's account without having them to, to call up and speak on the phone and potentially waiting queue to, to talk to someone and have that, that real life interaction. Is there not a better way to do this? And so we think this is, this is highly extensible. And key to that for us is the biometric element that comes with it. It means it's, it's highly suited to sensitive use cases. So you can think of accessing your healthcare records or preventing your, your educational attainment, or even e-voting as some of the extensions further out for just this type of technology.
Yeah. And any comments from, from the rest of the panel on that?
I certainly go ahead.
No, please.
Yeah. You know, I certainly agree with you a hundred percent around this notion that it's, it's not just the capability in and of itself. It's, it's also, how can you extend that, that capability for the convenience of the, the, the consumer and the individual in, in financial services, if you, if you think about, you know, broader, I'd say blockchain capabilities, the decentralized capabilities where individuals now, instead of having to go through market makers and a number of different straight through processing, that they can actually trade in between individuals that they can interact safely and conveniently with other individuals. And in some cases they may wanna go through a centralized process. In other cases, they may not, they want to, they may wanna be able to trade directly. And I, I think that notion, I agree as, as we extend that out, organizations are going to be looking at that where, you know, are individuals able to ride share conveniently and safely, you know, amongst, amongst other peers, amongst their neighbors, amongst people in, in the same area. And really being able to, to extend that, you know, that, that, that capability really, to be able to provide that, that convenience and safety without an Encore. I think you made that point earlier without having to make that trade off, which, which I think is gonna be really exciting to see how this evolves over time.
I think that's where our role comes in is that we are one of those technology providers as infrastructure service. And so far, we've been focused on ease of use and security with things like passwordless or file credentials, for example, and the next set of innovation that is our customers are demanding for scenarios like ed motivated around digitization verifiability. As people work from home, it becomes more important to bring in verifiability and privacy. So the new dimensions of trade off we as a community are trying to address is not only easy to use and convenient, or as well as secure, but also verifiable and privacy respecting. So any two businesses can collaborate. Any two individuals representing in companies can collaborate. Two community members can collaborate as, and when they see fit. And so our role here has been about providing these tools so that the utility of such interactions can go beyond financial industries or healthcare or public sector related scenarios. As Chris points out, this is we feel this will be fairly ubiquitous, and it's good for everyone involved regulators, individuals, as well as businesses to move towards a direction, which helps individuals make a choice on that balance between how much to disclose to whom to disclose what purpose to disclose and do it. So in an informed manner, as opposed to turning some enterprise knobs, if you will. So we are thrilled about the start of it and the demand that's coming well beyond regulated industries now.
So the panel covered it very well. Chris, in particular, I like your, your peer-to-peer call out that that's a really important use case. I, Annie, I would only add one, which is retail. I think retail right now is really undergoing a transformation and they are looking to differentiate based on user experience more than anything else. So you think in this day and age where contactless is really important, I can go online. I can register once I can have the, the biometrics, and then I can go into, I can either decide to go park at a curbside, right, and interact with someone without getting out of the car and, and, and scanning with consent, right? To pick up my goods. I can go into a store and interface with a kiosk or a machine, again, not having to deal with a person, or if I still really do wanna go in line with a person, I don't have to hand my physical ID over, right. For things like age verification or other things like that. So I get this really portable consent driven workflow, and especially for loyalty programs, I think we're gonna see, that's kind of an, a really good frontier for, for verifiable credentials. And eventually I think you're gonna see something in the social media area right now, if you're famous and rich, you have a verified social media account, I think increasingly there's utility and, and, and having those interactions be broader.
Jonathan, I, I think you mentioned this earlier, like this hybrid notion, and, and certainly it's not just retail, you know, of course, across a number of different industries. But I think this notion of, of hybrid models is gonna be vital to organizations because consumers, when they interact with their trusted brands, if they're on the phone and then they switch to retail or in person or digital, their expectation is you still know who I am. You have just because you're a call center. You haven't forgotten who I am when I interact with my, my mobile device or my laptop. And so I think that's gonna be vital now, unfortunately, when you get that, that, that cross channel interaction, it's where a lot of, a lot of fraudsters in the Ferris activity can step in. And that's where organizations have to be a bit more mindful of how do you create these, these systems to, to secure that, that, that cross channel interaction. But, but, but I agree, I think that's, that's gonna become, you know, certainly table stakes in terms of being able to, to have that ubiquitous in intra organizational identity, where the organization knows exactly that, Hey, you know, I'm showing up on the phone and now, you know, either minutes or days, or weeks later, I'm showing up on my mobile device and I have that same experience and you know who I am and what I've done.
Fantastic. Thanks for those perspectives there. And yeah, bringing up this, this concept of UBI, ubiquitous experience across devices. So that's a really interesting concept that we can then bring up when talking specifically about the verifiable credentials and the business model behind this, Jonathan, maybe I can throw this to you and you can take it away.
Sure. So this is an area that I think we're in the early days of, and I'll be curious to, to explore with the, with the panel in my experience, business model always follows value, who is getting the value out of the system. And so I have personally in EMIA, we have seen use cases where the holders pay. So if you think about an example, so the holder just to kind of refresh for everybody is the person with the wallet, holding the verifiable credential. If you think about something like driver's license renewal, how many of us really get excited every five years to go into the DMV and in person and renew our driver's license? We, you know, we would gladly pay, you know, 1, 2, 3, whatever the dollar amount is to be able to do that online, assuming that we're able to do that. And so there are models like that where the, where the holder will pay.
Similarly, I, I do think there, there are some models where the verifiers will, will absolutely pay. And in many cases, the verifiers being sometimes they're called relying parties or service providers. So that could be the retail organizations. It could be whoever's value who obtaining the value from not having to set up that anchoring system that Annie mentioned at the very beginning. So if you think about a situation where an employer needs to verify that ed or Encore, or Chris actually graduated from the university that they graduated from, you know, if they are able to pay a per a transaction fee to do that with a high level of assurance, you know, we think there's, we there's gonna be value there, and there are willingness to pay in that regard.
So there may also be, and we've seen some governments who also are particularly willing to fund an ecosystem, get something up and running perhaps in the, in the short term, right. To, to jumpstart things. And then you could put with governments, you could also put NGOs or multi lateral institutions. Some of some parts of the world don't have that physical identity foundation that the developing world does. And they're actually leapfrogging right into the digital world without having a good base. And so I, I can see a situation where seed funding may come from an organization, you know, from one set of stakeholders. And then after that, with the notion that the, that the business model shifts to either the holders or the, or the relying parties. So generally speaking, and I'd be curious to get Ed's as view on this, the, the issuers tend to be the ones who are, who are adding a lot of value in terms of making those high level attestations, same thing with you, Chris. Right? So in many cases they are being compensated for, for that, for that service. So I don't know, just going around the verifiable credential horn, that those are my initial thoughts. Annie. I don't know what the rest of the panel thinks.
Fantastic. Thank you. Yeah. Does anybody else wanna jump in?
Sure. Thanks, Jonathan. Really nice sort of setup for that. I, I'm sort of thinking more about how we get to this place of, of some of those different models that you spoke about. Cause right now we have the technology and we have the, the sort of early examples of, of how this can work. But for this to be truly ubiquitous, as we've spoken about lots of different organizations need to accept and, and lots need to be able to verify it needs to be a true marketplace. And so verifiable credentials is very much benefits from network effects. You know, the more providers who accept verified credentials, the more useful the marketplace, the more likely customers will, will adopt, and then maybe they'll pay where they see value, or maybe the Verifi will pay where they extract the most value to your point there. But I think the marketplace piece is, is the tricky bit.
How do you start that, that demand and supply element, and first movers really need to see a payback, assuming almost zero network effects. You know, if I'm able to onboard this type of capability right now, here and today. And, and I don't assume anyone else has this because there maybe aren't in other early adopters like me, what is the, what is the sort of barrier to doing that? And, and, and is it too great for me to take that leap, particularly if I have an existing solution or I have incremental cost to consider, we, we recently commissioned a report to determine the economic impact of deploying identity verification. And the research showed that companies achieve a, a pretty substantial payoff of 261% of their investment and a payback period, typically within six months. And so that suggests to me that companies can take advantage of this capability today with a solid return on investment story. And then as, and when that network grows and those effects start to play out more and more organizations follow suit, and more and more consumers will be able to hold as, as you say, will be able to have these wallets to allow them to enable this type of capability, but it starts from having for me some kind of marketplace and the model then follows.
Yeah, thank you, ed. Anyone else wanna jump in here?
I'll add to it. We could play as Microsoft is bringing those issuers and verifiers together with a large audience space. And many of our customers are asking for this, that look, I need to do employee onboarding vendor or customer onboarding, but I do it for my own self today. And I have to pay for that cost time. And again, not only in terms of money and effort, but also the risk on data being collected and verified. Now, certain regulations require you to hold that data, but what's really important is it it's done in a manner that reduces your risk and liability that goes with it. So how do we do it such that the user is the one who's holding the source of truth to present and be verified? You can go directly the source of issuance to see who has issued it. And are these at station still true, such as your driver's license or passport, or do you still work here or what your education is?
And so our aim is to make it easy for such issuers and verifiers to issues, credentials in this open format, using the Microsoft stack, but anybody else in the ecosystem for that matter so that we can make it convenient for organizations and applications to request and verify such credentials and the user to have a number of wallets and applications they can use where they can hold these credentials, present these credentials at which point new business models can emerge based on value exchange, taking place. Sometimes there could be one time issue once fees like Jonathan described for a driver's license, some of them could be per transaction, depending on how often you're verifying certain states like education or skills or your in-game achievements that you have unlocked, et cetera. But the first part is ed points out is a jumpstart. How do we make it convenient for all these stakeholders to leverage this in a reusable manner for something they're already doing, just make it such that it could be repeatable as any described at the beginning of the conversation.
Fantastic. Then let's jump right ahead. We've got a second poll question here for all of you in the audience. So take a moment here and consider what we've been discussing with verifiable credentials and also a verifiable identity, which can be then reused. How does this match with the, your needs as an organization? So take a moment and select the answer, which best fits you. I'll wait a moment for everybody to have time. All right. So let's move ahead to our next question. And let's consider privacy here. This is a huge topic when it comes to digital identity and of course, how we share this with other organizations. And so I think each of you here, all of our panelists have a role to play here. So Encore, why don't you kick this off? And then we'll hear from everybody here
Earlier, we touched on this briefly that so far organizations like us as Azure active director or Microsoft account have been doing a lot of work around making things more convenient to access and make them secure. However, as new scenarios emerge, such as ed mentioned, COVID 19 credentials, for example, or your workplace credentials, as Jonathan mentioned on replying to a comment on a blog, do you really need to know all my account details to do that? Or do you just need to know I'm a verified professional? Who's speaking about this subject authoritatively. We don't have convenient tools to do such things today. So we have convenience around security, but not necessarily around preserving privacy. And that goes into three areas, right? Linkability how easy is it to correlate the same accounts? If you, if you're like me, I use my Gmail account all over the internet, and it's pretty easy to keep track of all the things that I'm doing across the internet today.
The second one is around selective disclosures, been talking about being able to prove my age or my residency status, or my professional affiliations is fine without having to disclose necessarily where I work or give my entire driving license to someone just to prove my age. For example, that I'm allowed to drive for example, is selective disclosure. And then the final one is around masking, where sometimes you don't even need to release all of that source data. You just need to sign at station that says I'm healthy. For example, from an author source, all of those mechanisms are today. Disparate. They're not standard based and not interoperable, which results in trading off between security, ease of use and privacy. And we think we can do better. And so someone like us is implementing these as foundational attributes in our identity systems earlier this week or last week. Yeah, we published a public statement around five principles of decentralized identity, where we are pledging to live up to these values. And these kind of features in our products that are upcoming and starting to make changes so that we can deliver these outcomes as baseline for identity experiences for our part.
Fantastic. Thanks for that. Does anybody else wanna weigh in here?
So I, I mentioned this in my intro. I, I think one of the areas where Idia really adds value, I think is in the, the biometric space we've been around for a very long time, have some of the most accurate algorithms. And again, have a, in this day and age where, where bias can be a real challenge with facial recognition, that we have some of the most accurate and low bias items. And why is that important? Because when you're issuing, when you're issuing a verifiable credential and, and you're doing so remotely tying, tying your understanding that the owner of that credential is who, who, or he is, who he or she says he is in terms of tying them to the attributes is done by biometrics in most cases with issuers. And so there are definitely parts of parts of the world that are very sensitive, right, to make sure that there isn't a bias against certain ethnic and user gender.
So I would say that then the other piece of it, just to, to kind of piggyback on what Encore said, getting away from usernames and passwords, you know, we're, we're a long way from, from that, at this stage about storing PII or sensitive data in a centralized hub. To me that has, and we'll talk a little bit more about this in, in later, but that, to me leads a huge vulnerability in terms of nefarious actors, we've talked, talked a lot about, you know, legitimate users who are going in and the happy path of using it, but there are a lot of nefarious actors that are out there. You've we, we hear about data breaches and other sophisticated types of identity fraud, and decentralizing. That identity is a huge, huge step forward to mitigating risk there.
Yeah. Also, Annie, you know, fantastic.
Thanks for weighing in, especially on the, sorry. Yeah. Chris, please continue.
Sorry, Annie. You know, it's interesting. We earlier we were talking about different business models, certainly one of the business models that that's been, that's been, you know, contemplated has business notion that you, that, that individuals now have control over their data and organizations effectively have to pay individuals for the use of that data. So if you wanna use more of my, either, either my cookie history or, or attributes about myself or my preferences, then, then somehow that that has to be monetized. And, and that leads into this notion, which, which, you know, control and privacy does of effectively self sovereign, you know, how much control should, or does somebody have over their, their, their identity, which, which then leads into notion of how, how, how do you, how do you then protect it? And, and, and certainly, I, I think that, that, you know, eventually you're gonna have this, this greater level of privacy as I'll just say the risk is appropriate.
So in a highly, in a highly regulated industry, let's say financial services, an individual doesn't have the choice to disclose either let's say age or social security number, however, they can do it in a claim based. So instead of exposing a, an actual number, very similar to what they did with account numbers and, and, and credit card numbers many, many years ago, trying to obviscate one from the other, you, you, you can eventually create this environment where people can choose and say, well, I choose to use in, in such a case, a claim against an assertion versus the actual, you know, the actual PII or the actual identity itself. And so I think that there's gonna be a lot of direct effect where individuals will have a greater level of control over, over what they feel is privacy, because I may not care about what pronoun I use versus, you know, ed cares about his, you know, I don't know, data birth or whatever.
And so we'll be able to choose accordingly what, what we feel is appropriate for how we go about exposing that. And I think there's gonna be a lot of downstream effect. It was mentioned that, you know, while you have to store some data, you'll be able to leverage yes. Less of that. We certainly in our digital identity network have a privacy by design. So, you know, everything's hashed as it comes in. I think that ability to link across in a, in a manner that that really dis ABIs me from my PII is gonna be something that that's very vital and it'll take time, obviously for these systems to, to come into place.
Fantastic. Yeah. Thank you so much, Chris, for weigh in on that, in the interest of time. Let's jump ahead to the next question, which is then bringing in security. So consider how do verified identities also verifiable credentials increase the security posture of an organization? Ancor do you wanna kick this off?
Sure. I think today we focus a lot on zero trust around verify all the attributes inside a domain boundary, whether it's usernames and passwords, your group, access your policies to access something on an ongoing basis, your device being domain joined and having the right level of software on it, et cetera. However, all of that happens after you have joined an organization, and we have verified who you are such as you work for this company, or that you're joining as an employee or a vendor, or as a consumer for that matter, that you're the appropriate educate things. All of these today are disparate processes requiring unique solutions for each company we're looking to standardize that make it part of that control plane for an enterprise or an application so that they can have a consistent way to verify such attributes beyond their domain boundary. And that's how we are partnering with Idia Lexus nexus on Fido and others, so that our customers can have a consistent way to ask for these kinds of attributes, which they are experts in providing while ensuring privacy, while providing the same level of security assurance that they're used to, but doing so based on the standard set of rails,
Any, you know, one, one thing we, we have some internal research that we do, we make, we make a public call, our two cross the fraud study. And one thing we found was that as organizations increase the amount of capabilities that they have in order to provide appropriate identity verification and authentication the lower, the actual cost of fraud that they have. And I think from a security perspective, certainly having more of these capabilities to be able to pivot quickly to, to, to new fraud, you know, fraud modalities, because unfortunately, I don't think that that, that there's much we can do to, to, to stop the wave of nefarious activities fr in terms of new modality. But certainly what organizations can do is utilize these type of capabilities to provide a broader set of capabilities, to be able to manage the risk controls that they have to stop fraud, to stop nefarious activities with the convenience that that consumers expect.
Just a quick point, Annie, I think fantastic using a, a decentralized ledger that's immutable and having transactions that require consent. Those are strong countermeasures in the event that there's a, is a account takeover, things that, you know, to, to Encore and Chris's point don't exist in many identity systems today. So there are some real benefits to the actual building blocks of VCs, right? That, that strongly mitigate the risk that things like passwords just, you know, are completely out classed, right? In terms of what, what you can do.
Fantastic. Thanks for those points here and those considerations. And then to wrap things up before we go to audience questions, I'd love a rapid fire statement from each of you, where do we go next? Let's begin with you.
We have a lot of work ahead of us. As a lot of our colleagues have pointed out while we're off the good start from a technology perspective, we need to do a lot more work around integration and compatible with existing systems, regulatory processes, and concerns. People have an education for just normal people to understand even what all these things mean and how they feel familiar is convenient as presenting a driver's license. And it's like trying to compete with paper or whiteboard. It's an almost impossible task. We are often a good start. And I think through partnerships and dialogue like this, and maybe the community members were on the call participating in helping us solve these problems, we could actually make this real. So for Microsoft side, these services are in public preview. Now we're working towards making them generally available based on partner and customer feedback. So we would love to continue engaging with everyone on the call to make sure we get this right. This is one of those problems where it's super, it's even more important to get it right, as important as it is to get it working quickly. So let's make sure we do our part at least
Fantastic ed over to you.
Yeah. Thanks Annie. So digital has a, a ratchet effect. The more we do online, the more we're willing to do online and the more we expect to do so businesses really need to continue that digital transformation journey to keep up with our expectations and make sure that user experiences have touched on a number of times is very much front of mind, biometric and verifiable credential technology means experience and security. Aren't really in, in a trade off anymore. I think that's one of the key things that, that this process and this program is looking to to address. And that's a trade off that that is diminished for, for customers, businesses and employees. So I would just echo on call's point. Let's, you know, if, if you're interested in finding out more let's, let's talk because now Steve, the right time.
Fantastic Jonathan to you.
Thank you, Annie. So we are at Idia are very bullish on verifiable credentials and agreed with what was said earlier it's early days. So we'd like to see an effort to standardize the verifiable credential model, to mature the ecosystem and advance some of these business models that we've been talking about. Having said that we'd be happy to talk to customers. We believe at the end of the day, if we're solving a business problem, all of the things being equal, some a lot of our customers don't buy technology. They buy solutions to problems. And so the more we can get out and talk about problems that we're solving for them, along with that education, we thinkable credentials will have an absolute place in the ecosystem. So thank you for that.
Great. And Chris, can you wrap it up?
You bet. Thanks, Annie. Certainly at Lexus nexus risk solutions, we have been on an incredible journey with, with all of our customers in order to help advocate for, for change. And certainly we've seen some wonderful, you know, examples of embracing change through looking at, at new lenses for their voice of, of, of their voice of their customers. And then, and then leveraging different type of, of, of proof of value, proof of effort in order to experiment and by embracing that, that, that change. And certainly we, we look forward to having more conversations with, with anybody who's, who's watching this in order to understand, you know, what are the trade offs and, and, and how can they, you know, increase the security of their, of their ecosystem while being able to provide a, a great customer experience.
Great, thank you so much to all of our panelists. We're now at the top of the hour, we had such a great discussion that we are now at the end of our time, but we have also many questions from the audience. So a big thank you to audience members for, for submitting those. So let's take a few extra minutes and I'll bring those to our panelists. So the first question, what are your thoughts on the role of custodians with digital identity and how mature are the capabilities associated with it? Does anybody wanna tackle that question
On the technology side, that scenario super important, right? Custodial roles show up in scenarios, such as parent and children, a company and or employees or banks and their customers or governments and their citizens in some context. So there exist many reasons for such scenarios and being vital. The technology work for supporting such scenarios is in its infancy. While we are working on enabling such CAPA this a person to have the ability to represent themselves thereafter, we could think about Del that person being able to delegate such authority to a third party. So first we need foundational identity for two actors to establish strong identity for each other first. So we are at a good start of it. But as Jonathan pointed out, we need to do more work around standardization of such technologies and protocols such that they do not trade off again, rigorous, if you will, in terms of privacy or security, when you want to achieve such custodian and, and delegation capabilities. So it's a vital scenario. There's a whole bunch of people in the community working on it. And we are hopeful that there will be some early prototypes and pilots around it for broad community review in the coming months.
Just one fantastic point there, it, it aligns also not just with parent child, but inclusivity. So you've got people who are disabled, who are techno technologically unable to participate and getting, getting those folks into the digital worlds really important. So it could actually be an accelerator right to, for verifiable credentials.
Fantastic. Thanks for that comment as well, Jonathan. So our next question is this, while a lot of standardization is still going on in the fields of verifiable credentials, SSI, we see many trust networks and ecosystems popping up using proprietary and incompatible building blocks, such as, you know, a ledger, a wallet, different agents, which criteria should, ah, and here begins the question, which criteria should early adopters use to select technology or to join initiatives?
I don't think it's, I think it's a false trade off to choose between different blocks of technology. It's like trying to cook a recipe and asking which one of these ingredients do I really need. It will be a different dish at the end of the conversation. So you do need an anchoring layer that you can trust. You do need a wallet by which you can manage the life cycle of such credentials and identifiers, and you do need protocols and formats that are interoperable. So these are the essential pieces of a stack. Now they give you different outcomes. If you choose to anchor on a blockchain or not, or a database or in just a device, for example, or a web service, they give you different trust, outcomes, different risk outcomes as Chris talks about it, but these are all essential ingredients. So the question to rather ask is what are the outcomes that your system gives you as it relates to convenience, security, privacy, verifiability, autonomy, and control. These are the things by which we should consider. Then there are side effects on things like latency, performance, availability, resiliency, et cetera, but these are all the essential things you need. They're just different varieties of it that you may consider depending on your scenario, highly regulated scenarios have different set of concerns than if you wanna build. I don't know, a personal note taking app, for example.
Fantastic. Thank you for that response. And Chris, a brief response from you, and then we'll,
As you look across history, sort of this notion of interoperability, everything from light bulb to, you know, wall sockets has, has always been there. And certainly there will be a convergence and I agree a hundred percent sure that organizations need to start with. And I, and I believe Jonathan mentioned this also earlier, need to start with, what challenge are you solving for? Because if you start off with the technology in terms of, oh, is this gonna be interoperable? You'll completely lose sight of, Hey, I have a, I have a consumer or a business or whatever. My, my, my, my area is that has a challenge. Here's how I'm trying to solve it. You know? H how do I make that system work? And then from there, I think over time as technology changes, you'll be able to, to pull in and out the right capabilities for it. But without starting with what, you know, what problem I'm solving for and how does it help my clients? I, I, I, I, I think it, I, I do agree it becomes a false, false argument.
Fantastic. So once again, a huge thank you to all of the panelists here for bringing such a fruitful discussion. Thank you for the audience members for sending such insightful questions. Here, we look forward to seeing how verifiable credentials will continue in the next year. It's going to be a, a, an action packed year. I have the feeling. So thank you once again, for all of your participation here. Again, if you're interested in more events, you know where to find them, we have plenty of other content such as tools, choice master classes, and of course the range of reports and advisory. And with that, a huge thank you to everybody who participated today and everyone see you again.
Thanks everyone. Take care.

Stay Connected

KuppingerCole on social media

Related Videos

Event Recording

The Future of Access Management: The Role of Contextual Intelligence, Verifiable Credentials, Decentralized Identity and Beyond

Event Recording

The Killer Credential - Spotting Verifiable Credentials That Are Absolute Must-Haves for Every Party in an Ecosystem

Digital identity has already changed the world in positive ways over the years, and yet many of our security and privacy aims are at risk and under more pressure than ever. Building new ecosystems is very difficult. If the future is full of wallets, as we’ve heard, what will –…

Frontier Talk

Identity, Company Building and the Metaverse | Frontier Talk #10 - Lasse Andresen

In this milestone episode, Raj Hegde sits with Lasse Andresen – Founder and CEO of IndyKite to explore company building, the metaverse, and identity applications beyond security. Tune in to this episode to learn about Lasse’s inspiring journey since founding ForgeRock, his…

Analyst Chat

Analyst Chat #139: Verified Identity Providers

Verified identity refers to digital identities that have been verified to describe a real-world identity in digital form. A growing range of service providers support organizations to achieve this for customers, citizens and employees alike. Annie Bailey rejoins Matthias and gives an…

Analyst Chat

Analyst Chat #116: Putting GAIN to the Test

GAIN (the Global Assured Identities Network) is entering a new phase. On March 2, the technical proof-of-concept group was launched to actually test the concepts. Annie Bailey and Matthias have a look at the list of participants, the agenda, and the potential outcomes of this PoC. And…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00