welcome to the KuppingerCole Analyst chat. I'm your host. My name is Matthias Reinwarth, I'm an analyst at adviser at KuppingerCole analysts. And my guest today is Annie Bailey. She's an analyst working with KuppingerCole out of stood guard, and she is focusing on what we call emerging technologies. And we will talk about such an emerging technology just right now. Hi Annie.
Hi Mathias. Thanks for having me back. Great to have
You again, it's always a pleasure to talk to you, and it's always a pleasure to learn more from you when it comes to talking about these upcoming emerging technologies. And we are talking today about verified digital identity. I am an identity guy for years now, so, um, this is really something new. I really want to learn more about that. So why is verified identity, identity verification? So interesting. Why is it on the radar?
Yeah, so as you know, having been in this space for a while, that identity is a really challenging thing to really pin down when we're in digital interactions. And so this topic, what we're calling verified identity is really forward-looking in the next few years of how we will interact online. So looking at a new way of sharing identity and being able to trust that identity, um, but it's also really, really relevant to the current challenges that we face with a COVID world and the disruptions that that's brought to daily life. Considering the future, we have a couple of assumptions of what we will see more of, which is that enterprises will have an increased number of digital interactions with a lot of different entities. So consumers employees, their organizational partners, things even, and those interactions will have to be grounded in some sort of reality.
So, so some sort of confirmation that the entity that you're interacting with is who they say they are. So this is the typical identity question, but how do we confirm that? And so there's of course already processes in place. You know, if you need to open a bank account, something like that, um, a lot of industries are subject to KYC to know your customer. And these are really regulated areas that prescribe ways to verify somebody's identity for a certain interaction. But this is a process that no one likes going through. So it's expensive. It costs a lot of time and to an end user or whoever is being identified, it may feel very intrusive. So on both sides of this interaction, it can be uncomfortable or just a hassle. And so now comes the next big assumption that we have for the future, which is that digital identities should be reusable.
That if you go through this process of verifying a certain aspect of your identity, that should be at a level that could be trusted by many different entities so that you don't have to keep doing it again. So that's, you know, looking towards the future at a, at a slightly different system of interacting online, but we could also imagine a lot of interesting use cases for right now where in our current state of the world, we need to keep a little more distance between people. Um, and so having contactless processes where you could hand over documents, metaphorically, and do that in a way that is trusted, it's not simply a PDF of some important document, but it is a digital and digitally verified proof that that information is correct. So kind of moving towards situations where you could onboard to a, to a service remotely where before it would require you to be there in person. So there's some really interesting use cases that, that open up from being able to have a digital verified identity,
Right? When I think of the way that we usually verify our identity, it really does not feel like 20, 20 or 2021 upcoming. We still present an ID card or a driver's license to prove who we are when opening a bank account. We do the digital analogy when it, when we do, um, opening up a bank account online just right now with, with showing the passport and the camera and showing your face and all this does not really feel as appropriate for the time we're living in and the systems we're using. Um, so how do you really verify an identity that is in a manner that is adequate for, for today, for these processes that you just described?
So it is still an emerging area. So this is going to be under construction. You could say for the next couple of years, but the, the system that is fairly common now is to have a combination of document verification and biometric verification. And so what that does is connect and identity document, for example, a passport with the person who is holding it. So confirming that whoever the individual is, who is trying to access some service digitally is the person who is represented in the passport. And so making a verifiable and affirm bull connection between the document and the person holding it. So that comes down to, um, you know, scanning an identity document using optical character recognition, um, being able to process, um, the different barcodes, the machine readable zones on these documents, even being able to collect the biometric info, if you have a biometric passport using NFC and then confirming that this information is valid, and then you would move on to the next step of collecting some biometric information.
This is most often done with face matching and matching this to the photo and the ID document doing some lifeness checks, and then being able to use this data and package it for later authentications too. And so this, again, connects the document with the person it's able to really confirm that it's not, uh, for example, me holding my sister's passport, but it's able to confirm that I am holding my own identity document. And so wrapped up in all of this is a lot of fraud detection, um, there as well, making sure that there are no changes, adjustments, um, improvements made to any, uh, documents. The fraud detection is, is wrapped up in this identity section.
Not that somebody has gone through this tedious long process, providing all the information that you've mentioned, that all this OCR, NFC biometrics and all this information is now available. Uh, now we come to the point that we are now actually just scratches that onboarded into one system onto one identity system. So you've mentioned that before the fun starts, when we come to, um, reuse of these information, so how can reuse work in the answer, but it needs to trust the information that this identity provider then has in store. And so how would you describe how this reuse can work now?
Yeah, you've hit on a really important point, which is that trust is the key to reuse. If you don't trust the verification that has already happened, then there's no point in using it again. And so the steps that I described before of going through document scanning and biometric scanning, these have existed. These are somewhat standard though. They are still developing and being refined, but they're typically used only once. And they're only really useful in real time where you can make that connection between the document and the who is claiming to own that document. And so in order to get to a place where we can reuse that there has to be a way of storing it and recognizing that that identity has been verified and there haven't been significant changes to that. And so this is where it's really getting to the emerging part. This market is really still developing.
So there are a lot of different ways to do that. And so at the moment, I'll list a few of them. Um, but this certainly isn't, isn't a full list. So one way that this could be achieved is using bank IDs. And in certain regions, these are an established part of online interactions where you could use your, your identification for your online banking and use that, um, to authenticate to another online ecosystem like an online retailer. And to that brings a certain level of trust and confidence that you are, who you say you are because the bank trusts you. And so the bank here is this, this trust provider. If you trust the bank, then you trust, um, the identity that they've sent along with it. So another option is to use what, um, some vendors call and identity hub to call lighter versions of verification.
Um, and this could be used for authentication, could be used to simply prove an attribute. Um, and this would be done using API APIs as one option. And so this could be used for those scenarios where, um, you need to only prove your age, but it's not totally necessary to, um, display all of your identity attributes, like your name, your address, the other information pieces that would be on your typical identity document. And so this identity hub could be connected to municipal authorities who would be able to verify, yes, this individual exists, but the information that would be sent to the entity requesting the information who needs the proof that a person is over 21, for example, um, would only receive that information, um, regarding the individual's age,
Right? So limiting the amount of data that is disclosed to the party that is requesting this information is I think in today's world really of importance when it comes to data protection to data privacy, just to make sure only the information is really provided that is required for a specific transaction for a specific use case. I think that it's really important that we see that also in real life coming up already, when it comes to proving that you are of legal age, as you said, that you are a disabled person, that you are living in a specific municipality to make sure that you get access to citizen services and et cetera, for all this only a limited amount of data is required. What other use cases do you see that are relevant when it comes to using these, uh, verified identities?
Yeah, so we've mentioned just briefly this selective sharing of identity attributes, and this can be useful as an American. This is always coming up in restrictions to alcohol. Um, and so you can imagine this at a very day to day basis, uh, of being able to share only a select amount of information instead of showing your entire identity card, which, uh, can be very good for the data privacy, as you mentioned, other use cases that verifiable identity could be used for is in the gaming and gambling context, which are obliged to follow KYC regulations. This can be used to really speed up processes, not only onboarding, but for returning customers, KYC and financial institutions could enable a lot of processes to be done completely online, still with a very high level of assurance. Um, so you could, um, go through your mortgage application without it feeling like a, like it's a shady deal when it's all online, um, that could be done, um, with complete confidence, thinking about other different use cases.
This can move us towards doing remote employee onboarding. If somebody is being hired in this time of home office, then that can pose a lot of challenges to going through the normal onboarding. But if there are ways to, uh, verify their identity digitally and remotely, and trust that for a longer period of time than just real time that can make this remote employee onboarding possible on a larger scale, we could move closer to a digital identity scheme that is more user controlled, where an end user can choose which identity attributes to share with different parties. For example, like sharing your educational diploma with an employer beyond just the PDF, but a verified version of that diploma that can be trusted, that it is, has not been falsified in some way. So we wonder if this is the direction that digital identity is going less complicated in terms of verifying your identity, less dependence on physical documents, which many people in the world either are lost, damaged, unable to be replaced, or for other parts of the world, simply annoying to carry a physical wallet full of real documents, but yet be restricted in where you can physically go to present those.
Um, so moving towards more digital processes with higher confidence in who you're dealing with,
Right, whoever has been in the situation to hectically searching for their passport two hours before going to the airport, um, knows what you're talking about. But on the other hand, as you said, um, I think this really moves us away from traditional identity for online services, all banking services, but this example that you had with the educational diploma, this is some type of information which is usually not present within a digital identity, but, um, this verified identity could then lead to an enrichment of identity profiles, maybe specific for specific use cases, so that you end up with a set of attributes for various areas where you then can decide what to present to which partner you're dealing with. So it's a larger, more interconnected set of attributes for one identity, for different use cases under the control of the individual person. And I think that is really something that we should be looking forward to that I think really will help us in protecting our own privacy. Um, you you've mentioned you are working on that area right now at the time that we are recording this podcast episode with close to Christmas, 2020, um, you are working on research. What can we expect to be published soon?
Yeah, you could expect in, um, early 20, 21 a report on this topic. So stay tuned. There'll be more on this. This is really just scratching the surface.
Okay, great. So I expect that we will have a discussion around these topics soon again, when the document is published, but also with this development going on and getting more traction when it comes to the real life, our individual personal life, when we see solutions coming up that really leverage these possibilities. And I think that will really make life online and when it comes to protecting our personal assets, um, much better. So thank you very much, Annie, for, uh, being here today for sharing your, uh, current research around verified identity. Any final words you want to add?
Yeah, it's um, as you've mentioned, several times for the podcast, privacy is really, really closely connected to this, which is true, but there are so many other intersections that verified identity has with our lives and, you know, considering all different aspects of what makes up an individual, it's not simply a government issued identity and then an employment identity, and then a login information for a site that you frequent. You know, we, we are complete individuals. And so it's really interesting to see identity in an enterprise sense as well, move more towards seen individuals as a holistic person, which does have privacy, which does have other aspects of their life and still can interact in an enterprise ecosystem with all professionality. So this is really interesting to see how the digital self is gaining facets as we have in the real world.
Right. Craig, thank you for pointing that out. Privacy is very close to me from, from my daily work, but it's completely correct what you said. There are so much more aspects to take into account here. So that will be an interesting discussion coming out of this. So really looking forward to talking to you about this again, and for all of the audience who are interested in verified identity in the work that Annie is doing in this area, please go to KuppingerCole dot com just to the right upper corner. There is a search engine type in verified identity, or just Bailey to get to research by any, and you will get much more around these topics and especially when this document is out there. Thanks again, Andy, for being my guest today. And I'm looking forward to talking to you soon.
Thank you. I look forward to it as well. Thank you. Bye bye. Bye
