Welcome to today's webinar, Leveraging Reusable Identities in Your Organization. This is part of our webinar series, Road to EIC, the European Identity and Cloud Conference. And we will have a very interesting panel today with five speakers, which are Sam Curren, Kim Hamilton Duffy, Riley Hughes, Ramesh Kesanupalli, and me, Martin Kuppinger. We will introduce ourselves in a minute.
And with this webinar being part of a serious Road to EIC, I just want to quickly highlight the upcoming European Identity and Cloud Conference, which will run from June 4th to 7th in Berlin, which is the leading conference for digital identity cybersecurity, with six parallel streams, a lot of keynotes, a lot of interesting sessions, panels, presentations, everything from down-to-earth IAM challenges and best practices to where the future is, AI and identity, a lot about decentralized identity, about EIS and all the other things that are happening these days.
So we will have a ton of things to talk about at EIC. And to give you a sort of first impression of some of the things that will be discussed, we will look at the topic of reusable identities specifically for the use of the enterprise, so more the enterprise, less of the consumer use cases. Even while there will be some consumer and customer aspects as well. And this will be the topic of today, as I've said.
So again, welcome to our panelists. And let me quickly stop sharing so that we see everyone.
Well, then I would say let's start with a round of introductions. And everyone, please quickly introduce yourself and your role in your organization, et cetera. Ladies first.
Kim, do you want to start? Sure. Hello. Thanks for joining. I'm Kim Hamilton Duffy. And I'm executive director of the Decentralized Identity Foundation. Sam? Sam Curren, a deputy CTO with the DCO. I'm also involved, have been involved for a long time with the Hyperledger Areas Project. And the DIF did come working group at the DIF as well. OK. Riley?
Hi, I'm Riley Hughes. I'm one of the co-founders of Trinsic. We're a reusable identity infrastructure company. So this topic is right up my alley. I'm excited to dive in. OK.
Last one, Liz Ramesh. Hi, this is Ramesh Kesanupalli. I am the co-founder of ADA Association. And prior to that, I was founder of FIDO Alliance. OK.
It's me, Martin Kuppinger. I'm one of the founders and principal analyst at KuppingerCole Analysts. And as an analyst that is focusing on identity management, digital identity, since we have been founded for two decades right now, we are very closely following all the evolution around decentralized identities, reusable identities, and all the stuff that is currently happening. So when we look at our theme of reusable identities for the enterprise, what is the first thing that comes to your mind when thinking about that? Maybe Riley, you want to start? Yeah.
Yeah, the first thing that comes to my mind is just, you know, the way the world works today is that people go throughout their lives and they get, you know, in person. When you need to prove who you are, you pull out a card and you prove who you are anywhere you need to. But online, with every different organization you go to, you need to get re-verified from scratch over and over and over. So when I think of reusable identity, it is the sort of solution to the from-scratch problem.
Right, it's that I can bring my own identity and prove who I am, you know, in a way that your business can interpret. Okay, Ramesh? So reusable identity, I agree with what Riley has mentioned. And I would also think that, you know, the validity of the client, somebody trustworthy should also attest for that. So it's a combination of technology and some kind of governance-related issue. Sam? I think a core technology here is, of course, verifiable credentials, and they enable you to trust the data without having to get it from the source.
So lots of times you can only trust the data if you get it from someone that you trust. Verifiable credentials allows that to be portable so that you can verify that it has not been tampered with cryptographically.
And also, as Ramesh spoke of, that the issuer of the credential themselves is someone that you should consider authorized to say such things. And it's that portability of data with trust that I think is the most powerful aspect of this. Kim?
Yeah, I think all the sort of substance has been handled, so I'll focus more on the framing of it. It's like a digital concierge. So right now, and to Riley's point about all the identity verification, uploading documents, videos, selfies, whatever you have to do. So you as a business, instead of greeting people with generic forms where they have to upload all this data, you can tailor it and customize based on data that the customer securely and consensually shared with you. So it now enables fast-tracked personalized experiences.
Yeah, so the first thing that comes to my mind with this project, due to a lot of conversations I had over the past couple of years, is there's a huge potential for improving processes for innovation by reusable identities. But innovation is not disruption. So it doesn't break what you have. And I hope that we can touch this today. It can work neatly with what you have in your infrastructure, but it can make it much better and help evolving that to the next level.
So it's, in that sense, innovation without breaking things, without disruption, that negative sense of the term. So before we dive into our conversation of today, just for the audience, a hint. There's the, on the right-hand side of the events application, there's the chat, but more importantly, there's the Q&A. So if you have any questions, anything that you'd like to throw into the conversation, just enter it into the Q&A and we can pick it. And the more we have of your input, your questions, the more lively and interactive and interesting, truly, our conversation will be.
With that, I'd like to start with a perspective on, and as I said, it's really enterprise perspective. So it's not the sort of the peer-to-peer individual conversation we have, but really more enterprising. Then again, we have the customer side of things and we have the employee side of things. And we will touch both because I believe both are relevant and probably we don't put enough emphasis currently on the potential for, on the workforce and business partner side, where I see a huge potential.
Anyway, I'd like to start with looking at how decentralized identity standards could help us in optimizing the customer onboarding. And rightly, you touched on onboarding already from, more from a workforce perspective, but isn't it exactly the same for customers and consumers?
Yeah, absolutely. And in fact, people, I don't know how often they change jobs or whatever, but it's not, I would guess nearly as frequently as customers going to different merchants or vendors or whatever.
So yeah, I think the opportunity on the customer side is probably in terms of volume higher, but to your point, I think maybe in terms of sort of near-term adoptability, there are some advantages of looking at the workforce side. Nick, Kim?
Yeah, there's that in the idea that, I think it touches on the volume aspect. There are cases where say, if you're a major consulting, your employees have to end up doing repeated background checks. And so if you can do anything to sort of shave off these margins, then at scale, and not saying this can necessarily take the place of the full background check, but if there are parts of the package that you can start shaving off. So I think that there's a lot of kind of low-hanging fruit to reuse claims.
Maybe you wanna perform, it has some expiration like every 30 days or something like that, but to the extent that you can avoid all this redundant work and repeated collection, it can make a large difference at scale. Sam? My sister-in-law started a new job recently and spent more than a day and a half just doing paperwork, right? And this is, of course, something that ideally you don't do too often, but she's also in the medical space. And there are times, particularly in times of crisis, where you actually, the hospitals need to share staff and other things in order to meet needs.
And the amount of just sheer wasted, moving information around is really stark. On the personal side, it still happens, but it tends to be a little bit smaller, but more frequent. And so the problem still exists. And just any progress that we can make there has huge economic benefits and productivity benefits for everyone involved.
Yeah, and I think this is a point I really like because I think this benefit, the productivity benefit, the process cost, you could also name it, this is something we probably underestimate sometimes as a benefit for what you're talking about. I remember being in advisory projects and queuing at the end for hours to get a batch. And when you're paying as a company, you're paying the consultants and they spent hours in not working, but queuing or waiting or going through cumbersome processes. It doesn't make sense.
But I think when we go back to the consumer part as well, the one thing we must not underestimate from my perspective is that we also have this challenge currently still of drop-off rates and churn rates. So people not ending up with, so they come to the site, they start maybe purchasing process, and then they are obliged to register. And they say, okay, come on, let's go to some, let's go somewhere else where I'm already registered or not coming back because they need to re-enter username and password and can't remember it anymore. So I think there are both angles here.
Ramesh, how do you look at this? Actually, I think what Kim mentioned and what Sam touched upon is extremely valid, that enterprise is both low-hanging fruit and as well as in this latest dynamic of work environment where majority of us are working from homes and 35 to 40% of the workforce for any enterprise, a decent enterprise, is actually outsourced. They are an external workforce. How do you onboard them? How do you actually make sure, like you're mentioning repeatedly entering user ID as password? Asserting the identity is one thing when you onboard.
How could you use that on an ongoing basis to make sure it is the same person? I have come across situations where one person takes the interview and somebody else will come and join the job, purely because it is virtual, you know? And how do you carry, not just the initial onboarding, you must carry that towards, how do you authenticate the user after that? And like Sam was mentioning, it is just not about identity, particularly in the case of healthcare, for instance. A doctor from Stanford goes to UCSF. When he goes as a visitor, onboarding him probably will take one week.
It is just not identity. It is also the educational qualifications, the registrations and credentials. All those things also have to be carried and they fall into the category of, you know, verifiable credentials and stuff. So decentralized identity, verifiable credentials actually gives a very unique way how we bring all those things together. And if you do this correctly, it's just not the digital world.
Even in the real world, this is a powerful tool because when you walk into a bank and give a driver's license, like Riley was mentioning, yeah, they can verify looking at my driver's license, but how did the person know if it is a real driver's license or a fake one? Yeah, and I think there are a ton of things you can do, potentially, even in this intersectional, physical and virtual world, so to speak. So you're going to a club and you prove that you're above 18 via your phone without unwilling who you are, without unwilling how old you are exactly. So most believe me that I'm above 18.
It's not a problem for me anymore, surely, but I think we all know these use cases and that also can be done at the intersection. And I think, or verifying your physical access when you use your phone to open doors. And you bring up, I believe, a very important point. It's not just about the identity and not just about the onboarding. It's about all the other credentials we have. And it's interesting, I had a talk with Andre de Rolf being at Identity a while ago, and he talked about thousands and tens of thousands of verified credentials we will have.
And I think this is the way we should think about it. We should not think about it's Martin and the driver's license or something like that. It's way more. It's all my professional certificates and all the other stuff. A lot of things, which insurance do I contract? So I have all that stuff which comes into play. So it looks like a lot of you want to say something. Let's start with Sam and then Kim. I think there's this thought, that's still very pervasive in enterprise IT in particular, that it's all about just authentication.
And the zero trust model has really emerged as a way to rethink how that actually happens to the point where you don't just check them on the way into the building, metaphorically speaking, but you verify credentials whenever necessary. In order to do that though, you've got to be efficient and clean and have a great user experience about it. And I think those technologies are coming together in a way that really lets us verify and have a trusted relationship over a period of time instead of just at the point of authentication. Yeah. Or the point of onboarding, as has been mentioned. Kim.
Yeah, one other aspect, and it's not the physical part, but it's all the channels that are digital or remote that introduce risks. So when you're on a browser, when you're on a website, you get the secure browser padlocks, so you know at least that that's some expected entity that you're working with. But in any other channel, like your phone or email, things like this, and with increasingly good deep fakes, voice impersonations of people, we're already starting to see fraud in those sorts of channels within the company.
And then for customers, basically customers not knowing who they're interacting with in all those channels, not necessarily having reliable, consistent ways to mutually authenticate. And so that's where a lot of these new threat, or a lot of the sort of new threats are coming from. And so that's where the sort of dids and bcs part can be useful, no matter what channel you're trying to engage on to establish I'm who you expect. Riley.
Yeah, this is a really interesting conversation. I, it's one that I sort of struggle with sometimes, maybe I'll take the other end of the sort of opinion spectrum here, Martin, where, or maybe not the other end, it's just, when I hear us talking about, having a thousand verifiable credentials or something, or tens of thousands of different credentials or something, my mind immediately jumps to, well, we've got to get people their first verifiable credential first, right?
I mean, the vast majority, I mean, if we're talking about verifiable credentials, the vast, vast majority of people don't have them or use them on a regular basis yet. And I think most of us on this panel will believe that they, people will. If you zoom out from just verifiable credentials into the broader reusable identity landscape, and you look at mobile driver's licenses or other EIDs in Europe, which act as effectively reusable digital identities, then there's a lot more adoption. But it's still not anything close to 100% of people.
And so, and it's, we're a long ways away from the thousands or tens of thousands. So I think where I would, where I tend to kind of try to anchor the conversations in a, what's the first use case type of a mentality. So that's where my mind goes in this conversation. I could argue this bears the risk of focusing on very few use cases. And if you say, oh, that's not mine, you say, okay, it doesn't fit. On the other hand, if you unwheel a big umbrella, a big range of different use cases, it may foster innovation.
So I think we can look at it from both sides, but yes, we need a critical mass on both ends, as usual with this technology. We need enough people using and having wallets as your reusable identities. And we need this all to be based on standards and on a lot of other things. We could talk about levels of assurance and understanding when we do, we need which level of assurance, all that stuff. And we need enough, so to speak, areas to use it. Because if you can use your wallet and your credentials only in a very narrow area, it doesn't work.
So I want something I can use wherever I want it based on standards. Ramesh, how do you see us standing with standards? So it has to be open standards because when we start offering services around this technology, if they don't interoperate, nothing works. So standards are very, very critical. But I also come from somewhat different perspective that is little overlaps with what Riley was mentioning. Any user or any company that we go, if we start talking, I mean, there is a different way to present these things. We don't have to say decentralized identity.
We don't have to say verifiable credentials. This can be completely camouflaged. If I'm using today, let's give an example, like Sam was mentioning how to use, anytime when you want to challenge the user after he walks into the office, you'll be able to. How will you do that? You do that by challenging him through an MFA or some other stuff. The aspect of challenging with MFA, the user says as behind the scenes, what gets exchanged is a verifiable credential that user does not need to know, enterprise does not need to know.
You know, a company which is actually making this happen can tell that, hey, this is trustworthy because I have done all the underpinnings of making sure that credential is right. That enterprise does not need to know that, user does not need to know that. So what I feel is anytime when you are introducing some complex technology, which is actually, it's implemented, it's very easy to use and very strong.
The important thing is not to put technology in the front, but camouflage in a simple use cases where, you know, 10 years ago when I started FIDO, when I said, I want to eliminate passwords, people used to say, huh? That was the immediate response I used to get. Now with this decentralized identity and verifiable credential that you camouflage, there is a unique way, not only the passwords, you can actually transition user IDs too.
You know, internally in enterprise, we are in the world of predictable user IDs and reused passwords. That's what we are. It is so easy if I'm working for Cisco, Sam can guess my user ID right away, right? It will be RKS Anupalli or Ramesh RKS Anupalli, one of the three combinations and passwords are social engineered. So it is not difficult to guess those user IDs and passwords, but what is identity oriented infrastructure that can be possible with decentralized identity? You can actually transition, there won't be user ID password login screen anymore.
Yes, I think that is something I also envision. So at the end, we unlock our wallet. Yeah. Basically that's it. So if you camouflage it from the user standpoint, he doesn't have to type in user ID password anymore. There will be a QR code asking him to log in. When he logs in, you prove the identity and submit the credential. What goes into Cisco is RKS Anupalli, just giving an example as Cisco. What goes into Cisco is RKS Anupalli. Yes. They don't have to change any of the existing infrastructure.
I think that that's a point I'd like to touch a bit later, but I think you bring up an aspect that is about complex technology and we have a few questions already here. Again, to the audience, if you have any questions, et cetera, you'd want to raise, bring it in, edit, enter it into the Q&A tool of the UN's applications or that we have a lot of questions. The one I have here is, and I think there's a bit of the complexity thing. So the concept of decentralized identity or self-serving identity introduces a third party.
The question is called a trust system provider while current identity systems only have two parties, including maybe federation as well. So if you have three parties, we have one more failure point in the ecosystem. So what are your thoughts about that? Who wants to start? Sam? I want to highlight that sometimes the three parties are really two. There's a lot of value to be found by using credentials, for example, inside of a single organization where the same organization is the issuer and the verifier of the credential.
That's particularly powerful if you have a merging company scenarios where you have disparate backend systems, but you are using the verifiable credentials and the portable trust that they enable in order to solve the bridging problem without relying on those complex database integrations to pull that off. And so I wanted to just quickly highlight that three is important and we need to talk about that, but sometimes the three is really two. Yeah.
And I have a bit of the impression that sometimes the three-legged things in our world tend to be better and more flexible than the only two-legged things, so to speak. I think there are a couple of scenarios and this is surely one. Maybe Kim and then Riley.
Yeah, I think there are a couple of things touched on. This third party in this case really corresponds to the ability to bring in trust across organizations. So that's an entirely new thing. And I think it's just making explicit this idea that was already there. So say when you, or maybe not there even.
So the example I would give right now would be, so when you share your academic credentials or your skills, background and everything, say when you're applying for a job, you can't necessarily assume that it's in a format where the consumer of that data knows how to machine, parse it in a machine readable way and make some kind of decision.
Now there's a lot of work to get up to there, but the idea of this relying party who can take this information and know that it came from this organization, it hasn't been tampered with, it came directly from the recipient of the data or the holder or subject, without having to introduce this sort of back channel, whether it's directly to the issuer or to the third party, that was already happening, right?
So I think this is a way that allows that to be performed a lot more, how do you say, explicitly in a reusable way, much more efficient way and basically unlock some new use cases that just weren't possible before. All right.
Yeah, very well said. I'll say two things. The first is that the concern is valid, but I think that the reason that you should wonder about it is not necessarily because of an additional point of failure, but it's really because when you've got to get three people or three parties involved, the adoption and coordination questions and the business model questions all get way harder. And so that's the reason in my view why it's challenging.
Martin, you mentioned the getting into a club, approving your 18 example. Unfortunately, I still get questioned about that. Maybe you don't, but I still do. So that's something that... But in that scenario, right, it seems like there's two parties. It seems like it's me and the club, but in reality, it's me and the club and the Department of Motor Vehicles of Utah in the form of my driver's license. And what we're talking about with verifiable credentials, it's really just the same thing, but online, as Kim said, right? There's not a back channel.
It's not like the DMV needs to create a bespoke integration with the club or something like that to do this digitally. It's really just the DMV gives me a token or what we're calling a verifiable credential to be able to transmit trust from that source through me. Right? The club trusts it because they trust the DMV, not because they trust me. And that same model applies in this world of verifiable credentials.
Yeah, we even can transfer this to a digital physical converged world where whatever they have a reader, you put your smartphone on and the reader accepts, okay, above 18 based on a proof from the Utah Department of Motor Vehicles or whoever would work as well. I think that there's one interesting point, but that probably would go well beyond that conversation, which is when you present the physical driver's license, then the liability of a correct check basically is more on the club side.
When you do it electronically, the club trusts that the proof is done correctly by the Department of Motor Vehicles. So there's some shift in that and there's something we need to understand. We need to elaborate to figure out. And this brings us back my point about, for instance, the levels of assurance that we need to understand how good is something and also find a good balance between where do we need sort of things like self-issued credentials and where do we need something which is government sort of proven where you need another factor for authentication and stuff like that.
I think that that is then really something which is also probably part of the learning curve. But going back maybe to the initial question, I'd like to submit two talking points. The one is a bit about, we started with the customer onboarding, looked at process already, and then also took some questions. But I think one point, which also relates to a question which came here in, I think that's true. The world of verified credentials and decertified identity, it's not simple. It's a complex world.
So to Ramesh's point, yes, at the end of the day, we are introducing another complex technology here. And are we already good enough regarding interoperability in that landscape? Because I think this is the key success factor.
Kim, you're speaking on behalf of the Decentralized Identity Foundation, so you surely can give us that information. Yeah, so the question is, are we good enough in terms of interoperability in the decentralized identity space now, just to make sure I'm answering the right question?
No, and we have a lot farther to go. I think a lot of it right now, just it's inevitable due to having new standards. And you would probably not be surprised anyone in this panel, but more broadly, you take the same specification, people are gonna interpret it very differently, even if it's the most well-written, perfectly tested or laid out kind of spec. So I think it really comes down to where we are now.
We have a lot of companies and organizations working on taking this standard and that standard and putting them together, adding a set of requirements, getting, establishing the real interoperability. Even if every leg of the standard and all the protocols were covered, you'll still have different interpretations until you start having, people call them different things, interoperathons, test suites is the next layers, even conformance criteria. So that's an area where in diff, we really focus on that and what we call profiles.
So it's where people take a sort of stack, a layer cake of standards, try to package that with some additional requirements, see if they can actually talk to each other in the end of it. And so you always learn some new things. And I think it's sort of part of the process that people want to be more restrictive early on just so they can minimize the amount of new technologies or in standards they're having to bring in. But the idea is to sort of build up around some use case for getting a set of participants to talk to each other and just continue to build and refine that as you go.
Yeah, and I see a growing number of use cases in different areas where we see more and more use of these concepts and this technology, not only mobile driver licenses, but definitely also a couple of others here. Honestly, I'm overall very positive on that. Maybe let me go back a bit to the business benefits. So we touched on some of the business benefits. We talked about process costs. And I think there's also this option of reducing drop-off rates, churn rates. It's a very obvious potential. Why or how do you believe it will also enhance security? Sam.
I spoke about Zero Trust already, but I want to talk about one of the applications of this technology in the sense that you have verifiable credentials, and we've talked a lot about that today. The effect of using verifiable credentials is that you end up having a more secure, trusted relationship with the other party. That relationship might be in person, for example, at a restaurant where you're facilitating payment. It might be online. But the ability to now leverage the trusted relationship that you have with people changes the nature of how you interact with them.
For example, if I interact with a website right now, and then I leave the website, and I'm off and I'm doing something else, they have limited secure options to communicate with me. They can send me an email or maybe a text if they have my phone number. And that's more or less what they have. I think we can do better with the technologies that we have and extend that outside of the realms that it currently lives. So that when I leave the website, they still have a secure channel in which to communicate with me, to confirm things, or to like second-factor style authorizations.
I walk away from my computer, they receive via the website, a request to transfer $10,000, and that's hit a threshold for a secondary confirmation. Using an out-of-band secure channel in order to communicate and verify that that is in fact what I want is a great way to enhance that type of security that I don't believe we're really leveraging today. So it's not directly verifiable credentials that caused that to happen, but it's an effective using verifiable credentials to gain the trust in the digital relationships that we have. Anyone else wants to add to this? Kim?
Yeah, I think that was a really good way to frame it. And I think to the other angle, so there's the security aspect, there's the convenience aspect for consumers. So the idea of if you can have this direct ability to notify, update, some use cases that come up in travel and hospitality, for example, and sorry, is my video frozen? There we go, we're back.
Yeah, so some examples that come up in travel and hospitality would be disrupted travel experiences where you had all these plans and then something happened, you missed your flight, then you have to send out all these updates all at once. Right now, you are the person sort of manually engaged in a lot of these transactions. And so the idea of if you could have these sort of direct secure channels with businesses, and you can sort of more easily kick off some sort of event that then initiates these and does things on your behalf in a secure way.
I think that's a really exciting kind of use case. Getting back on the cruise ship as we read in the news sometimes these days where some people miss their cruise ship and spend a couple of days in Africa trying to get back on the ship. A lot of things we can probably rearrange.
Riley, what's your point on that? I think I just have a short point. And it is that a lot of things that today are done using probabilistic mechanisms or means and also things that are done using third parties like data brokers can be done more effectively and more securely using verifiable credentials. And I'd like to throw in one thought and I think this is one which is probably not discussed often enough. If we have, if you think about not only one credential we use in a certain use case, but multiple. So proofs from different areas.
So it's Martin, we are EID, working at Core Analysts and so on. So then we have a combination of multiple. And I think the interesting point is, so if the one has, I'll make it very simple, very coarse grained. If one has sort of a 10% error rate and the next one also has 10% of error rate, but if you combine them, then that rate of error goes down, it doesn't go up. So if you combine five, six, eight, 10, you come to a relatively low risk. So even relatively weak credentials, if you have many of these, will lead to a pretty high assurance.
And I think this is something we must not underestimate that we can also use way more, in that sense, way more factors, context factors, information, whatever you'd like to name it for this process. And this is what will make this approach very strong over time. Then we still can say, okay, if certain of them are suspicious, we still can ask for others, we can do more. So this is, I think, a very, very cool and underestimated potential of that.
So, but in the interest of time, we already spent 40 minutes of that. So first there's one question which is tricky, but I bring it up here. Maybe someone has a great answer to that.
Otherwise, I think it's probably something for the standards bodies to think about it. And that is back to the liability thing I mentioned. We see presentation protocols enabled a verifier to prove they correctly verified a credential, for instance, during a police investigation or an audit. So who wants to respond?
No one, it looks, I think it's a tricky question. Okay, Ramesh, you first. This is where I feel the, there are two aspects to it. I think with respect to how can we make the world secure? Obviously the place where we are is not working, as you know, I mean, if you see the disinformation, misinformation, deep fakes, and this is not a good place to be. And adding to that, unfortunately, the aspects of even verifiable credentials is geocentric.
The way, even within 50 states of United States, each state has a different landscape and different way of presenting their driver's license. So, you know, a driver's license of California looks different than a driver's license from Detroit. So one of the things I feel while we are tackling this complex problem, security and privacy are good. One of the things I feel personally for the last three, four years I've been evangelizing is there is an aspect that is accountability. What we have, what we don't have in the digital world is accountability.
So ask me, tying that back to your question of liability, I will not want to take a liability if there is no upside to me. It's as simple as that. So when we are coming up with these models and stuff, it is just not a technology problem. This is not just a technology problem.
It is, it's a business problem. How do you motivate the ecosystem where everybody feels part of it? From user standpoint, he wants to be secure. He wants to be identity protected and he wants it extremely easy to use. Enterprises want to make sure the clients that are coming are accurate that they can trust. And issuers who is providing, they just don't want to sit there and sit idle. And after doing all this work, not get benefit out of that. So all these things have to come together. There needs to be proper economic models within the ecosystem for every player.
That way they all feel the upside. And if there is liability, they will take it. And the user feels his life is easy, easy to use and his identity is not stolen. And enterprises feel whatever they're getting, it is accurate and they can completely trust. So this is the delicate balance that we need to bring to the table and also need to be sensitive. Each geo is different. The regulations are different. What is allowed is different.
In India, I mean, they were able to capture for 1.4 billion people, your iris, your face, your 10 fingers, they got everything that's humanly possible from you. In United States, if somebody asked my iris and then any commercial organization asked for my entire biometrics, and I said, no, hell no. How do you capture these things? How do you capture these things? That's why we are doing some work in the ADA Association, Accountable Digital Identity. If you bring accountability into the picture, then the rest of the things automatically fall into place.
If I'm issuing a COVID credential, there are places during COVID, people who are getting both positive and negative credentials because they want to show positive credential in the office, negative credential in when they go to a movie theater in the mall. So how do you trust those credentials? So that's where the accountability part has to come together. That is going to come together. I'm absolutely convinced. I think we are on the track.
Again, I think it's also, what is the use case? Not every use case has the same requirements. I think this is also very important to keep in mind. And so there are some things that we do a lot of things. When we look at how we do payment today, et cetera, which is about money, we do a lot of things there. So we are already, I think, in a not that bad situation if we transfer this to the world or beyond sort of payments into other areas. We know a lot about how to do it in a way that works well. And it's not that we are starting from scratch, but back to the next topic or next part.
We touched it already, but maybe again. So we talked about, we all seem to have to believe that this works quite well with our existing business systems, our existing processes. So maybe we can elaborate a bit more on why doesn't it break what we have? Sam?
Yeah, can I answer that? I think all credentials are going to exist within a context. The word I like for that is an ecosystem. You've mentioned that not all use cases are the same. And so the actual requirements, the understanding what liability applies and everything else will apply to that. The reason why I don't think this breaks what we have, but enhances it, is that most ecosystems already have their participants involved.
There's certainly advantages for growth, but there are partnerships between companies, for example, that already exist that can benefit from leveraging this technology to do what they already do, but better. And in this case, you're not necessarily establishing brand new trusted, brand new relationships with other parties. You're just leveraging the existing relationships that you have, but with better technology. And I think that's one of the reasons. And Riley mentioned, what's the first credential?
I think a lot of people's first credentials are going to be from existing ecosystems that the people already have a relationship with and that businesses already have relationships with each other. A quick example is my employer has relationships with healthcare providers and insurance and other sort of benefits management companies. And that's a little ecosystem right there that is likely going to be the origin of some people's first credentials.
Yeah, and it's interesting. I just read today on LinkedIn about a company saying, okay, so to speak, our wallets which we have built for very specific use cases right now, so to speak, are already ready for EIDAS too. So for the world of, the upcoming world, so to speak. And I think we will see a lot of this conversion here, Riley. I think it's really hard to answer that question in absence of a concrete use case, right? Because I think there are cases where a verifiable credential or a reusable identity could be a substitute for something that's already happening and could improve upon it.
I also think that there are areas where it could be a compliment to what's already happening and strengthen it. And it just really depends on, you just really got to zoom into the specifics there to make that call. I will say that we still have checks. And sometimes when I look at how airtight some of the specifications are that Kim and Sam and others are working on, and then I look at my credit card and I think, geez, this thing is one of the most widely adopted universal things out there. And look how bad it is, relatively speaking, from a security standpoint or whatever.
But it's used all day, every day by people all over. So I guess, I think, I don't expect this is gonna just disrupt and drop a bomb into the existing world of technology that we're already using. I expect that it will layer on top, it will find its place and it will add value where it does. Don't you feel that putting a three digit number on the backside of the credit card is sufficient as a security approach?
Yeah, I think I got what you mean. There surely are better ways to do that. I wanna take a bit of a different angle. So I think there's, we probably can integrate reusable advantages, decentralized advantages very well into a lot of things we are doing. I think it's much harder to leverage the full potential of it. I think this is the other side. So when we look at more the customer side, we added a couple of years ago, companies started adding sign-in with Facebook. Right now it's not Facebook anymore as the primary means, but this sign-in is what you have, so to speak.
And when we can do that, we can also do it not only sign-in but onboard register with your reusable identity. So this is basically just another way to do it. And one that has a strong promise, also more usability and not being backed by one party, but coming from an open ecosystem.
So, but when I then take, for instance, the employee use case, at the end of the day, also there we have interfaces where people come in onboarding, we type it into a system, we do it, we can support an onboarding process, I believe very well with decentralized identities. And I could envision, I'm Martin Kubinger, I have my government ID, I used it to onboard a call analyst, got a call analyst, there's a credential, it says Martin is a call, and another one which says he's principal analyst.
I do a project at company X, the company says, oh, this is Martin, the call principal analyst, he's in this project in that role. And based on that, I get the SharePoint access. The tricky part then is the access. Until then, it's relatively straightforward. It doesn't really fundamentally change anything in the process, it just makes it better, cheaper, faster, everything. So when we then say, okay, right now we want to have an authorization in our systems based on different credentials, then we need to move to a dynamic authorization, policy-based authorization approach.
That is where things change. But we can do a lot. I think with relatively low impact on the existing infrastructure, you still have an IGA system for onboarding, for providing entitlements, just that you don't come in via the HR or you come into the HR via another process. So it's not changing here. But to leverage the full potential, then we will need more innovation, my point. What do you think, Sam? I think it's very true. People sometimes ask me what I do for work, and I live in a place that is not tech-focused. And so I usually give them a little bit of a light answer.
And those light answers usually touch on the basics of what you talked about. For example, we can do a better job with login. We can do a better job with onboarding. What I'm most excited about, and I know this is not immediate, and this will take a little time to realize, but what I'm most excited about is what happens after that, is the new types of interactions, the new types of trust, the new types of things that we now feel safe doing that we haven't before because of the technology that we've adopted.
And so I think when companies are looking at this, they need to understand that this can definitely help them with their current processes, and they don't have to change necessarily very much. But it's the what comes after that actually I think is going to be the real benefit. There is savings and benefit now. But the real stuff comes after you're leveraging that into the future processes and doing things that we're not really imagining even very well today. We've got ideas. I think it's going to be better than our ideas.
Imagine you get your monthly salary statement from your employer into your wallet, and you have your government issued credential, you have a lot of other proofs, and you apply for a loan at a bank. How this process from a KYC, from a loan processing and approval will fundamentally change and save incredible amounts of money. I think there are so many things we can look at.
But again, the clock is ticking, so to speak. What should an organization do to leverage the potential of reusable identities in its own existing ecosystem? That's my question now. Please short, concise answers on that.
Ramesh, you start, then Riley, then Kim, then Sam. Yeah, I think Sam touched it briefly. I think every existing use cases, whether it is government or healthcare or a financial organization or enterprise, this technology can be deployed to address the current use cases and current user behaviors. And that would be a great point to start and a great starting point. And ecosystem will come together when three or four parties are already there and they want to cooperate. So that's my take. Riley?
Well, I am a little biased because we're working on this stuff. And I've spent a lot of time trying to think about where is the best places to start? What's the best first credential, so to speak? Right? And so I'm about to sort of share a bit about where we landed, which is also what I'm working on at Trinsic. So keep that in mind that I'm a little biased So keep that in mind that I'm a little biased on that. But it is that I think that the best place for this to start is on the identity verification and onboarding steps of a process.
I think after hundreds of use cases built on the Trinsic platform, that's the one that I've seen get the most adoption, most success and really create the biggest delta between the sort of old way versus the new way and the biggest ROI on that. So, you know, that's what I would say. And I guess I'll leave it there. Kim?
Yeah, I think some ones I'll add have to do with the ability to provide personalization and these kinds of experiences that you can't even imagine with online interactions right now. Just personalizations from the start that are based on reliable data versus some that might come from more unreliable sources. And then the ability to just, you know, again, at scale, the ability to shave off aspects of the costly, difficult verification that you have to do right now. If you can start taking any part of that away, that can really add up.
Okay, and Sam? My advice is to start. It's tempting to assume that governments or very large institutions are gonna solve all of our identity problems and they will help, but they will not, in fact, solve the problems that you can leverage for your main primary gain. And so my biggest advice is to start with a project that realizes real results today in your organization and those are possible and not sweat the alignment necessarily or making sure that you wait for the big players to move in order to get involved.
That's going to be a long process and getting started now will realize benefits and gain you the experience of working with this technology sooner. And what I would add is, put a little bit of brain into your own software architecture so that you can adjust when standards evolve, when standards change, when technologies change. So make it built in a way that you can adapt to the ongoing change we are facing in the world. So final question, that good one is the question is you can respond with yes or no. It's a question from the audience.
Do you see a world where a person can visit an online store, add something to the cart, purchase with just one authentication event and in the background, the store verifies the email, the delivery address and sets up the account for return visit. Yes or no, Sam? Absolutely, yes. Ramesh? Yes. Kim? Yes. Kim?
Oh, I want to add nuance, but I'll say yes. Riley? I would not still be working on this problem if I thought the answer was no.
So yes, definitely. Yes. And I think we all agree on these are the things which will work and I hope sooner than later. So if you want to learn much more about it then we could cover in that hour. Don't miss attending European Identity Conference in Berlin in June. It's a fully hybrid conference so you can attend in Berlin or you can join in virtually. So we have everything and I think it's really the must attend event in this space and there will be so much talk about decentralized identity but everything else around digital identity and I am.
So I hope to see you in Berlin soon and thank you very much to the four of you for sharing all your insights. Thank you very much to the audience for asking all the questions. We probably will pick up some of the questions we couldn't touch in a separate blog post. So thank you very much and see you in June.
