Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar "Identity Assurance: The Art of Knowing Your Customers". How do you get identity assurance data from the end customer, be it a private person or a legal entity? This webinar is supported by Signicat. The speakers today are me, Martin Kuppinger, I'm CEO, founder and principal analyst at KuppingerCole, and John Erik Setsaas, who is identity architect at Signicat. Before we start, some information about KuppingerCole and some housekeeping information for the webinar.
And then we'll dive directly into the topic. KuppingerCole is an analyst company; we were founded back in 2004, working on a global scale, providing neutral advice, expertise, thought leadership and practical relevance on a variety of topics, including information security, identity and access management, governance and other areas, particularly the ones concerning the digital transformation. We provide research of various types, events and advisory. Have a look at our website to learn more about these services.
The upcoming events: we provide our Digital Finance World, which will be held in Frankfurt on March 1st and 2nd next year, and our European Identity and Cloud Conference, which is our leading event, so to speak the must-attend conference in Europe. You shouldn't miss the very early bird rate, which is still available. The conference will be held May 9th to 12th in Munich. Don't miss attending there. Some guidelines for the webinar: you are muted centrally, so you don't have to mute or unmute yourself; we are controlling these features.
We will record the webinar and the podcast recording will be available tomorrow. The Q&A session will be at the end, but you can add your questions at any time using the questions feature in the GoToWebinar control panel. The GoToWebinar control panel usually is at the right side of your screen.
There's an area "Questions" where you can enter your questions. So having said this, let's directly start with the webinar and have a look at the agenda. Our agenda for today is split as usual into three parts.
In the first part, I will talk about the importance of identity assurance and KYC. I will particularly talk about how to use it without losing the balance between usability and the level of assurance.
In that part, I also will look very much at why some of the strong authentication mechanisms, such as special eID cards, in some cases failed and in other cases succeeded, because I think this is a very important aspect for successfully implementing identity assurance. In the second part, John Erik Setsaas will talk about the methods for identity assurance. He will provide an overview here and he will talk about how to implement adequate levels of assurance. As I've said, we will then have a third part, which is our Q&A session.
Okay. Let's proceed from here.
Where I want to start is with a view on what I call the circles of change and of digital transformation, putting this into a somewhat larger context. And as part of that, also look at why or where the topics of identity, privacy, security and KYC (know your customer, or consumer identity measures) come into play. So when we look at the digital transformation, we have a number of external drivers which are affecting organizations, and there are various such drivers. Amongst these drivers we have the competitive landscape.
So traditional automotive vendors have to compete with, for instance, Tesla. We have the rapid innovation we see in many fields. We have the transition of business models from products to services. We have what I would call ubiquitous connectivity: everything becomes connected.
We have changes in regulations, an ever-increasing attack surface with everything becoming connected, and so on. This requires organizations to be more agile, more innovative and more flexible than ever before. These are key capabilities.
And then we have, I would say, three overarching or key topics, which are smart manufacturing on one hand (in Germany it's called Industrie 4.0), we have the Internet of Things, and we have the KYC or know your customer area. KYC in a meaning which goes beyond the traditional regulatory perspective, which was very much about: you need to know your customer in the context of anti-money-laundering regulations. Right now it's really about understanding your customer, knowing what your customer wants, serving them perfectly.
So probably this should better be "know and serve your customer". And we have a number of key enabling technologies; the seven key technologies from our perspective are ubiquitous connectivity, sensors, robotics, big data, cognitive computing and AI, and blockchain.
When we look at this, we have identity as a very relevant topic here. How do we manage the identity of all of the people, the organizations, the services and the devices involved in the digital transformation? And security and privacy: how do we maintain security, how do we enforce privacy?
This is very much related to the know your customer part. Knowing your customer is very much about managing his identity, authenticating him, finding ways to prove that he's really the customer. Once we start doing high-value transactions, we have to find ways for well thought-out identity assurance. This is where identity assurance and the customers, the two main topics of today's webinar, come into play. When we look at the digital transformation, as I've said, everything and everyone become connected.
So we have this view right now: we have the people, we have organizations that they are acting on behalf of or working with in some way or another, they have devices, they have things, and all of this is connected. Particularly devices and things increasingly come into play when it's about identity assurance.
But to do that, we need to understand how all this is related. If we want to build our identity assurance on a device or thing, or a set of devices and things, which we believe are owned by a certain person, then we need to manage these relationships.
We need to understand when something is changing, et cetera. All this is with identity becoming more and more important: the identity of people, devices, things. I think this is one of the main trends we are facing these days. A while ago I wrote together a set of fundamentals, the seven fundamentals for future identity and access management, and I highlighted some of these in red because they are of the highest importance here. So let's start with the first one. Fundamental one is: it's about more than humans. So we have to look at the identities of things, devices and services as well.
And particularly in the context of assurance, it's important. Knowing that I own a certain smartphone and I always use that smartphone for my bank transactions helps me in the assurance. It's a part of it; it's not everything, but it's a part of it. The second fundamental is: we will have multiple identity providers. This is something very important when we talk about assurance, because we might not be the one who is the identity provider; there might be others. Customers want to come in with other types of logins.
So multiple identity providers, and also multiple attribute providers, where we see there will no longer be a single source of truth for identity information. Rather, there will be a set of multiple identities; many users will use different identities and personas, and flexibility between them, which again is interesting from a customer perspective. So we need to understand that it's just the same person. We need to understand that Martin Kuppinger is our customer, even when he comes in with whatever Facebook login one day and the LinkedIn login or whatever else login the other day.
That's one part of it. The other part of it is that we also have limitations.
So there might be, or there are, situations where we are not allowed to map these. So, interesting questions, some of them around assurance, some of them around privacy and regulations.
Then we have multiple authenticators. There's no single authenticator that works for all.
People want to use certain types of authenticators, and that's something I'll talk about a little bit more in detail in a couple of minutes. But also when we, for instance, look at BankID in the Nordics or national ID cards, there might be the challenge of going global. How do these things work when we go beyond our borders? Identity relationships we must map.
I talked about it in context as well; context is also important for the assurance, because at the end we only need a higher level of assurance for certain types of transactions. On the other hand, the context influences which level of assurance we need. So if there's a risk from the context, because someone is working with an insecure device in an insecure environment, we might need to find other ways to increase the level of assurance.
So in this entire context, this is something which plays into this KYC part.
And I just want to make a quick step over to identity management, consumer identity and KYC. IAM is identity and access management; CIAM is consumer identity and access management, which is primarily about the identity; and KYC is "know and ideally serve your customer well". So if we want to compare it on a high level, then CIAM is IAM at scale plus customer experience, while KYC brings in governance and customer interaction as well. The evolution is, and we see this as a very strong evolution, that we are looking more and more at the customer journey.
So the lifecycle, self-service, adaptive authentication when we talk with consumers, and this is where the assurance part comes into play. And the assurance part, on the other hand, when we look at it from a KYC perspective, is very much driven from both a business risk perspective and a privacy and information protection perspective, as well as a regulatory requirement perspective.
So we need to understand that the way we interact with our customers is fundamentally changing and customer identity assurance is a key success factor for our business.
If we are not able to have this assurance, we are taking a far higher business risk. On the other hand, a lot of things are changing when we look at consumer versus enterprise identities, and so also the need for adaptive authentication or flexible authentication. I start on the right-hand side with the enterprise identities. For enterprise identities, the primary focus is security. The secondary focus is right now ever more supporting the mobile workforce. So convenience comes into play, but it's more about adequately protecting resources while enabling access from all devices.
And also, to some extent, getting rid of passwords. When we look at the consumer identity part, the primary focus is convenience. From a consumer perspective it's convenience, because if we do too much, then we might end up in a situation where the customer, or the consumer, just says: I don't do business with you, I look for someone else. They might just drop off during their purchasing process. So convenience is important and we have to balance it with the requirements we have from our business perspective, both business risk and regulatory aspects.
The secondary focus clearly is security and also compliance. But at the end, we need to find ways which allow the customers to use what they want, as far as we can. Sometimes they need to use specific things, either for legal requirements or for risk mitigation aspects.
But we also need to understand that they might choose a different authenticator; sometimes they want the flexibility. They want to use the fingerprint reader in their smartphone or whatever else is in the smartphone, and that might change over time.
So we don't know what the hype thing will be years from now, but we need the security for higher-value and higher-sensitivity transactions. And so at the end, our success depends on balancing trust.
So, something we can trust, usability, and the alternatives we have. If we want to have a high trust level or a high level of assurance, still, it depends on: is it usable, or are there alternatives? And alternatives can be very broad. It can be the alternative for the customer to do something in a different way, just sending the paper form, and it can also be the alternative of someone just using another authenticator.
And then that one single thing we want to push through in the market doesn't succeed.
Right now, for the next two or three slides, I will look primarily at some historical stories, so to speak, from national ID approaches, because I think this also helps understanding the challenges we are facing when we look at identity assurance from a business perspective. When you look at some of the national ID approaches, one of the, I think, most important lessons to learn is that trust and usability must be good enough for replacing alternatives.
From the perspective of the citizen, or, if you take it to the business side, from the perspective of the customer, it must be better. If the customer feels this is not secure enough, or if the citizen feels "I don't trust my government, because the only advantage I have is that they will learn far more about me or they can far easier send me things I don't want to receive",
then it's hard to use. So everything needs to be easy to understand and to use.
Every approach you use for identity assurance, for authentication, for everything in that field needs to be convenient. Otherwise there will always be the search for alternatives. If you need, like in Germany for a long time (right now it's changing, but still not where it should be), a specialized reader for your eID card, then you're on a losing streak, because this is too complex and too inconvenient. And you need broad adoption; you always need a critical mass.
If you want to push something strong through, otherwise alternatives will win. Trust by itself is not sufficient. So saying "okay, this is the trust" versus, I think, from a government perspective, and if we look at it from that perspective, governments aren't that trusted anymore.
We're still speaking in a post-Snowden era where we learned a lot about what nation states do with data. And aside from that, national ID cards are not the only solution, because many states, many nations, never had one.
When we look at, for instance, a success and a failure story: Estonia brought broad support of eID and governmental services, available also to foreigners. They had to start the program from scratch, so a very well thought-out program, and it became trusted and it was very usable, very convenient to use compared to other things. Germany, on the other hand, and I'm from Germany, I've gone through that story: very limited support in governmental services.
I think it's been out for eight or nine years or so, something like that, right now. And just recently I read about another pretty important government service which became available.
It's difficult to use from a reader availability perspective, and you need a reader. Right now you can use NFC through your smartphone and an app, which is a little bit better. There was a price tag as another inhibitor.
I think what is very important to understand, and this was more for national eIDs, but I think it's also very relevant to all central ID approaches, is broad support. Ideally you look at it from the perspective of the customer: the customer wants to use the way he has proven his identity not only once; he wants to use it for many services. If he has to make a lot of effort for a single service, it's difficult. There must be support for non-governmental use cases and broad support for them, or support for many use cases.
Every authenticator, and every way of doing assurance, which is restricted to a single purpose is pretty likely to fail, and the broader the use, the better it is.
It needs to be well communicated. It should work not only in a restricted geography, it should be cheap and it should be beneficial to everyone. When we then move back to the business perspective and we look at the challenges, clearly there's the challenge of security. And you need the use case.
You have to look at the cost, and the cost also is related to usability and logistics. A lot of the cost is not only the initial cost of something if you have to implement it; it's also about how do you handle logistics, how do you handle resets or whatever other part you have in your process. It depends on the growing user population. Trends we see are clearly bring your own identity and social login.
So allowing to use different things, which from an identity assurance perspective is quite a challenging thing; versatility or adaptiveness in the sense of multiple IDs, bringing in risk and context, and federation. So when do businesses spend for such projects? They want to spend, or they only want to spend, when they see clear business value: new business opportunities, retaining customer relations, or optimization.
So efficiency in business processes, that's when they want to spend. They must spend sometimes for compliance or for information security reasons, which in some way is related to the ROI, the return of a business case.
But if you look at reality, there are a lot of ways to do things. Despite all the regulations, some of them more, some less legal, business always found its way. So what we at the end also need to achieve is that we need to balance convenience, and that's another aspect, also with ownership in customer relations.
So right now I talked more about convenience versus security, right? And the other aspect is convenience versus ownership, and from a business perspective this is clearly always a major challenge. The customer wants to use something he uses for many other businesses, but from a business perspective I want to maintain the relationship with my customer. So from an ownership perspective, always including others by using other authenticators is a risk.
If you let someone in using a Facebook login, then the first one who learns about this is Facebook, and the Facebook business model at the end of the day is using that information to sell, for instance, advertising services. So at the end, you help your competitor.
Clearly, if you own it, your own technology or assurance might be simple, at least at first glance and in some scenarios. On the other hand, if you have some other provider who does assurance for you, there is a clear trade-off in that. So when we look at it from a higher-level perspective, I would say there are five approaches to identity assurance, or to the way identities are issued and managed.
We have self-issued, which is the self-registration at e-commerce websites or other things, where an organization does, for instance, online banking for only that one single bank. Reusability is limited to one specific use case or very few use cases. The assurance level depends on the issuing process and the assurance process you have in place. Then there's the concept of social network based identity, Facebook, LinkedIn, et cetera, where you use these identities; the reusability is good, depending on the market share of the social network, clearly.
However, the assurance depends very much on the type of social network and the simplicity of faking. So for a network such as LinkedIn, building your relationships over a long period of time gives you at the end of the day higher assurance, whereas in Facebook it's rather simple to fake a profile. Government based: this is the third level, where we, for instance, have the national eID card, so ID cards issued by national governments. They provide authentication, signatures, et cetera.
They have a high assurance level, but unless interoperability is supported, and we see these trends towards EU interoperability, it might still be somewhat limited to specific countries. It also depends on whether all the countries you need to deal with support such a process. Then we have the consortium based approaches, such as GOV.UK Verify or BankID in Sweden, issued by a group of organizations, restricted to the network unless interoperability is supported.
So usually it's then restricted to the banks, or maybe some others. Some of these go beyond that and support
other industries. The assurance level is commonly high. And then we see the trend towards blockchain based approaches, which are a mix of self-issued identity, but then based, not only ideally but mandatorily, at the end of the day, on a strong initial identification. If you combine the fifth approach with a strong assurance process at the beginning, there's a lot of potential in that. I don't want to dive too deep into that. It's an emerging topic, but definitely a highly interesting one. So I gave you some ideas around the importance and some other thoughts.
And right now, with that, I will hand over to John, who will do the second part of the presentation and talk about the methods for identity assurance and how to implement adequate levels of assurance. John, it's your turn.
Thank you for the introduction there, Martin. I hope my screen is shared okay now?
Yes. Perfect.
Okay. So I'll be talking in more detail about the actual knowing your customers.
Martin touched on some of this. This is about onboarding new customers. As an organization, you want to have an easy way in for customers. You want to have a low cost; you don't want to spend a lot of money, because you don't know at that time what you're going to get back from the customer. You want it to be fast, while the customer is in the mood and ready to do it. Secure, of course. And more and more businesses are not based in a given geography, so you want to be able to reach customers also far away. It needs to be simple for the user, or else he's going to go away.
And as Martin mentioned, you want to achieve a reasonable assurance of this identity. You want to have a reasonable degree of assurance that this person is who he claims to be. The user expectation:
he wants this to be simple. He expects this to be a fully digital registration, where you can do everything wherever you are, from any device, whether you sit on a mobile, a tablet, whatever, and you don't expect any human interaction and no waiting time. You want to be able to instantly sign up and start doing whatever you want to do with that business.
However, if we look at a financial institution, and that's where we do our main business, it's very difficult to become a financial customer. Customers will have to provide a lot of information. They have to maybe upload a passport. Maybe they need to send in something by paper. Maybe they need to visit a branch office. And a lot of end users don't really understand why it is so difficult to sign up at financial institutions, when, if you sign up somewhere else, you just hit a button in Facebook and say: sign me up using my Facebook account.
We did a survey earlier this year, which shows that actually 40% of the people had abandoned some kind of application. That's a high number. That means losing a lot of business. This report, by the way, is available from our website, so just go to signicat.com and you can find that report if you want to look into that.
So identity assurance needs to be simplified. Martin already touched on some of these challenges. It is a complex process. It is the balance between regulation and convenience. And it is how to verify that the person is who he really is.
And you have the regulatory requirements, the know your customer requirement, which plays a strong role especially in the banking industry, which is under AML as well. And often for banks this means it's very costly. It's costly to get new customers going. One challenge that's important to be aware of, especially when you work in multiple geographies, multiple countries, is the difference in culture: the difference in how people will perceive using a video interview, how people will perceive using a voice recognition technique, and things like that.
As well as the digital maturity of the population: how used are people to using the new technologies, as compared to, you know, going and visiting a branch office and talking to someone in person.
So these are important things to remember when working in a bigger market. Another parameter is the trust parameter. Trust is very important, and Martin briefly touched on this: the trust in the government, the trust in organizations. And it's actually quite interesting to see how trust differs between different countries.
I come from Norway, and in the Nordics the trust in general is very high. One example that was given: our tax report is done automatically. The government collects all the information automatically and issues, you know, if you're going to pay some extra tax, they just send that out to you. And it turned out last year almost half a million people didn't even check; they didn't even go and look at this, which means the trust level is very high.
But there are countries where trust levels are lower, and that means people are more reluctant to use the digital identity; they're skeptical.
And as already mentioned by Martin, the Snowden incident of course made it very clear what the data can be used for. KYC is being talked about a lot.
And we use that term as well. It's important to realize that KYC is more than the actual onboarding. KYC is an ongoing process for establishing the trust in the identity and determining the risk. So the initial part, collecting and analyzing the information and looking up information about the person, that's what we call the identity assurance. After that is done, the organization, the bank or whatever, will do a continuous process to determine the risk profile, monitor the behavior, see if there is any odd behavior on logins, things like that, as part of the KYC process.
But when I use the term KYC in this talk, I mean the identity assurance part: how you onboard the user.
I also use the term reasonable assurance. Some people tend to think, you know, that assurance is an absolute parameter.
I mean, either you know or you don't, but of course it's not. It's about the reasonable assurance that the user is who he or she claims to be. And what is reasonable depends on the organization. It depends on the laws. It often depends on the risk and the consequences, the resources you want to spend, and the technology.
But I think reasonable assurance is very important to keep in mind when we're working with identity assurance. If you look at the eIDAS regulation, it operates with three levels of assurance: low, substantial and high, and these blue labels are taken directly from the text in the eIDAS regulation. It says it's the degree of confidence. The regulation itself does not prescribe the technology; it is technology neutral. But as we can see, eIDAS operates with three levels of assurance, which means, depending on, for example, the risk, you will choose one or the other of these levels.
When, when going to sign up somewhere, what, what can I do to prove my identity? Well, proof of address is, is one that's commonly used. It's used in one or two ways. Typically either you upload some sort of utility bill, you scan it and upload it. Or a letter is sent to the address with a one time code that you enter.
Of course, the last one takes a lot of time and it's really inconvenient, but it gives a fairly strong proof of your address while scanning and utility bill, while that can easily be faked. And also the ID paper scanning takes some time, and it's not very convenient. You can upload a self portrait.
Well, I'm coming back to that one actually, but that will, you know, give a picture of yourself that can be compared to something possession of the phone is easy to prove.
You send a text message to the phone, with a password, and then you, you respond with a password. At least then you've proven that you are in procession of that specific phone number that can be used then as part of your identity, we have the commercial identity.
It's the Facebook, LinkedIn that was already mentioned, Google, Microsoft, cetera, using these as part of your assurance process to proving your identity and faking some of it's maybe actually very difficult, much more difficult than you would think. Of course, it's easy for me to create a Facebook account right now and name it, anything I like, but the age of that Facebook account will also be a parameter to know how much you can trust it.
If I have my Facebook account, which is, you know, five or 10 years old, I have a lot of friends, a lot of activity, or even better Martin mentioned on a LinkedIn. You will have references. You will have recommendations and things like that. It actually gives a fairly high degree of assurance.
Uploading ID paper is another one. You scan your passport, you scan your ID paper, or you take a photo of this. And that's being analyzed to see, you know, as proof of identity.
Of course, this can be forged. It's difficult when you scan it to get all the metadata in that, although there are techniques for doing that as well. Then we have the derived identities, where you're actually asking someone else to vouch for that identity. So in Norway you could use the bank ID to establish identity. The banks already did the assurance, and we can ask, you know, please log in using bank ID, and that can be verified. I've indicated some others, and of course in Sweden there are strict regulations on using the right identity.
And then of course the physical or virtual meeting. A lot of regulation says it has to be a meeting; you have to meet in person.
But again, if you say it should be technology neutral, wouldn't that also cover doing a virtual meeting, using a webcam to see each other, which is actually now being done in Germany for part of the assurance process? On top of that, again, I'm using a bank as an example, but this would be any organization, you could do some automatic checks on social media. I mentioned already the account creation date, the number of friends and the activity level, which will give some sort of indication of how much we can trust this account.
The ratings on the social media, recommendations, OCRing the ID paper and getting valuable information from that. Then of course looking up in existing registries: checking against the registries, the credit rating can be checked, business roles in national registries, and also actually doing a general web search for a person's name could be valuable.
And a lot of this can be done automatically. And of course that's the goal: you want to do as much automated as possible. You want to avoid manual checks. I put on the right the cases where we actually do a visual check of information.
You visually compare the ID paper versus the photo, if that's necessary. You could do a phone call or a video conference, but of course all this is increasing the cost as well as the time, and reducing the convenience. And maybe if you start going into that, you have already lost the customer, because he doesn't have the attention span to continue.
It's important to get the relationship going when the user says he wants to sign up. That means he's motivated to get in. And it's important then not to put up this big wall he has to climb to get in. The customer maybe is just curious.
I want to check out what your banking app looks like. You know, if you take the analogy to the physical bank branches, of course anybody is free to walk into a branch, look around, see how the bank looks, et cetera, while on the digital bank you have to pass this really huge barrier just to look around.
So while the customer is motivated, it should be a simple assurance.
And then of course, if the customer, you know, the user signs up and decides to stay and wants to buy a house and take up a loan, of course then the motivation for the user is a lot higher to provide more information, because then there's something in it for the user. So balance this: make it simple to get a relationship going, then as time goes along, require more information. Maybe.
I mean, there are regulations on this, but maybe even think in the way of giving the user a bank account, but limiting the amount or the assets he can actually have. And if more money comes in, it's actually frozen until you then do more KYC checks.
So I will give a couple of examples showing this gradual approach. In this example we have John on the left, and we have the bank. Again, I'm using the bank, it could be any organization. And the bank needs a reasonable degree of assurance, and it's up to the bank then to define what this means. What are these levels?
The bar at the bottom will, through these slides, increase as we get more and more information about John and we can trust him more. Maybe at one time these thresholds will be coordinated with the eIDAS levels: low, substantial and high.
Of course that would simplify the world a lot if we could agree on that. But as of right now, we're not really there. It's up to the bank to decide this. And John goes to the website, and the first thing he does is fill in the form.
This is, you know, my name is John Doe and my phone number and my date of birth. And of course at the bottom, now the assurance bar hasn't moved at all, because this is a form. There is no way to validate any of this information that John filled into a form. The next step would be to send a one-time password to his cell phone, to the number he provided, and he enters this password into the webpage. And now we have a verified phone number. At least we know something, not a lot, but we do know something about John. So this is a start.
Then we request John to take a photo of himself, upload a self portrait. We get a photo; it may give us some more information. We could check the date of the photo and some metadata in the photo itself, but not a lot really. On top of the photo, we could send a one-time password again to his cell phone. John would then write this down on a piece of paper and take a photo of himself with this number, and he would only have, you know, limited time to do that. That would actually increase the trust in that photo a lot, because it would be very hard to fake doing that.
So maybe at this time we have passed the first threshold and now say, hey John, now we can give you an account. It has limited funds or limited assets you can have in that account, but at least now we're letting you in easy and simple. And then as time goes, John wants to do some more. We need to get some more information from John.
So we say, well, you know what? To get access to more funds, you will need to upload your passport. So well, okay. At this time John is maybe motivated; he sees this is justified. He takes a photo of his passport to upload that.
But of course that may not be enough. Even though the passport is checked automatically, there may be something that pops up. And this is the time where we go to the manual check.
So at this time some employee at the bank or call center will look at the information, look at the photo, compare that photo with the passport photo, which of course also was done during the automatic check. But there could be something there that didn't quite match or something. So now we take it to the manual check, which again increases the assurance level even further. And this person may say, well, we're good, this is sufficient, we have reasonable assurance for John right now. Or we could say, well, you know what? I'm still not satisfied with this, so we'll schedule a video conference.
So we'll do a video conference with John. Of course this is even more complex: we need to schedule a specific time to do this, we need people, et cetera, but now we're increasing the assurance even more. So all this is about using the various components, putting them together to get the reasonable assurance.
We can look at a completely different example, the social media approach. You notice in this first example, I didn't use social media at all.
So if we look at the social media, the bank will have a button, you know, become a customer using Facebook, which is these days very normal, using Facebook or Google. You just press the button and you are in. You don't have to provide any information, because that's fetched directly from the social media. So step one would then be to reuse this: the user would already be logged in, and we have some information. We could also check the social media for the quality of this. It may even have a verified telephone number, regardless.
We could send a text message to that phone number we got from Facebook in this example and have John respond to it. And this would in itself give a fairly high assurance, reasonable assurance. Again, the bar at the bottom is of course not absolute.
This is an example. In this case we saw that this was an old account with a lot of activity, and that gave us a certain degree of assurance. Okay. So now we have a verified Facebook account, we have a verified telephone number, and then we could do a general web verification.
You could do an automatic search on the web, search across a number of different social media, do PEP checks, and so on. All this could be automated to verify John even more in a very simple way.
And again, the levels of assurance, the reasonable assurance, depend on what the bank has defined it needs for the certain levels.
So that was two examples, just showing different ways of getting the relationship going, gradually onboarding John, gradually getting more information about John as time goes, and making sure you get started when he's motivated to get in. Don't stop him by putting up this big wall that he can't get over. So from this perspective, the important thing is to think in terms of reasonable assurance, and what does reasonable assurance mean for your organization?
What are the levels? Define several levels, make the first level as low as possible just to get the user in, get the relationship going, then look at which means of assurance you want to use and how to combine them. There are a number of different ways you can do this, and the combination is the important part here, and then make it simple for the end user. The user is motivated; he wants a very simple way to get in and to become a customer. And the bottom line is then: make it easy to get the relationship going.
So Martin, that concludes my presentation of identity assurance and the reasonable assurance levels.
Thank you very much. And with that, it's time that we move over to the Q and A session. I have a long list of questions here, so we will not be able to answer all the questions in the remaining time, I think, but there are many questions we can touch.
So one question is, do you think that the level of assurance 4 is possible globally? Maybe in that context you could quickly touch on which levels of assurance there are and which ones are required for which type of use case?
Well, eIDAS operates with three levels: low, substantial and high. And from the existing laws, in general around high would be required to even become a bank customer. This is because of the anti-money laundering rules.
eIDAS is of course a way of trying to harmonize these levels across Europe, which is a very good start to get a harmonized set of levels. The highest level in general requires some sort of physical meeting in most laws, even though eIDAS doesn't say that, but it's based on the national regulations, which in general require some sort of physical meeting, which is of course not very convenient.
Okay.
So I touched quickly upon the fact that there's an app as a reader for the national eID card, which then works through NFC with the device. I think from what I see day to day, it's very well thought out. It's also certified by the government. One of the questions we had here was: is NFC secure enough? I think in the way they did it, it provides a very reasonable level of security, but maybe you also have your thoughts on that.
Well, I mean, on one side it's a good idea. You have the national ID card with an NFC chip, and you hold that up to your phone, and together you have these two things you hold together, and that proves your identity. I think from my perspective, one of the challenges is that most people, like me, I mean, I keep my credit cards in my phone holder.
And if you keep that national identity card in the same holder as your phone, if you lose one, you're gonna lose both, which means you don't really achieve the security that was originally thought of, where you have two devices you need to bring together. And to educate the population that, well, you know, to be secure enough you need to keep this card in your wallet and then pull it out every time you need to authenticate, I think that's gonna be difficult, because it's so convenient to keep it with your phone and you don't, you know, don't even have to do anything; it's just there.
Okay.
That's an argument. So another point that came up in one of the questions is that management seems to have a short-sighted view on saving money and can't see beyond today.
So how do you justify the investments you need to make for a well thought-out authentication assurance process for your customers? What are the arguments you see here?
Well, I'd say most of our customers are in the finance sector, so they are driven by regulations, which means they are used to spending a lot on this. They know they have to spend a lot on the onboarding. So from that perspective, my take is that, as I showed in an example, to make a simpler and cheaper way to get the relationship going, to make it simpler and cheaper actually to get the customer in the door. Of course there are some regulatory issues that, you know, may be challenged to be able to do that.
But it's also about the risk the bank is taking on this by just letting the users get in the door, and for any organization it's about the risk and the consequences. How much do you need to spend? What's the risk if this turns out not to be the right person?
So that's, you know, what an organization needs to look at: the risk-benefit of investing in the identity assurance. How much do I need to know about the user compared to the risk I'm taking if this person is not who he claims to be?
Okay, you brought up an example of onboarding to a bank, and the question came up: so how can I trust this bank, or how can I trust that this bank will not lose or be hacked for PII information? It should be mutual authentication. So rogue bank websites are an issue.
So when you look at a bank, to think about some of your last slides, look at an example. What about this aspect of sort of mutual authentication in such processes?
I mean, that's also an interesting point, and one is the trust issue. How much do you trust a bank, which has been given a bank permit by the government, you know, this bank by name and so on? So how much can you trust that they really take care of your personal information?
Well, we have the GDPR coming in, the General Data Protection Regulation, which puts a lot of requirements on this. But of course that doesn't mean that the bank does everything that's necessary to do this.
I mean, again, since it's about money, they might cut corners to save money and then be open for that. So it's of course a very interesting point. How do I know who the service provider is? How do I know how much I can trust them? And I think that will be more from a societal point of view.
I mean, is this a brand you have heard about, can anybody vouch for it? Yeah.
Which is one part of it, but the other part of it is, you know, you might say, okay, I try to register, I try to set up my identity at that bank, and I end up at a rogue website of this bank. I've, you know, I've got a fake mail, sort of a phishing mail, and ended up at the wrong site. So this is, I think, also part of the story.
Yeah.
And I mean that's very complex, and that's about population education, I think, to be aware of these indicators you have in the web browsers. And that's, you know, from us in the industry, how do we educate the users that, hey, now you are at a fake website and now you are at the real one?
I mean, that's why phishing works, because there are so many people that are not aware of those indicators, of that part.
Starting with too many typos in the mail.
Exactly.
So to speak. Okay. But I think the comment is also, that's interesting from the one who asked the question, the comeback is: so now you are putting the responsibility on the new user, which is not the best way to do it, isn't it?
Well, I mean, as a user, I need to present some claims, right. I need to somehow prove who I am, or at least provide some claims about who I am. Yes. And we can't get around that; I can't show up anonymously and say, hey, prove who I am. I need to provide the claims.
Yeah. But it was in the context of the mutual stuff.
So in that case, if you say the user is responsible for identifying that it's, whatever, the browser bar is in green, or so, then I think we can argue that it's oversimplifying. So maybe it's about thinking what could be the way to also prove, or have an identity assurance of, the organization, so the bank you're connecting to, or the vendor you're connecting to, or whatever. But maybe let's get away from that topic.
I think another aspect is the global use, and you already touched on eIDAS, which was also, when you look at level of assurance, again somewhat different. So commonly, historically, we had sort of a model with four levels of assurance; eIDAS comes with three levels of assurance. We probably will not have something which works globally, but what do you see around global interactions? Which standards maybe beyond eIDAS, or maybe also, which role for eIDAS do you see in the future?
I mean, it would of course be very nice if everybody got a digital identity at birth, and there was a foolproof way of binding that digital identity to a physical person at any time to do your proving. I mean, that would be a very nice scenario.
And it's that binding that is the challenge all the way. Having a digital record is easy, but how do you bind a digital record to a physical person? And there is a lot of work going on trying to achieve that.
I mean, blockchain, you mentioned already, is one technology that may be part of the puzzle to solve this. And I think eIDAS is good from a perspective of trying to harmonize this. And also there are mappings between the four levels of assurance towards the eIDAS levels. So hopefully we will at some time be able to harmonize this, but it will take time.
Okay. So maybe one or two questions before we end. So how often do you need to update the identity assurance data?
I mean, that's also interesting. We think of this identity assurance as a one-time thing. We do it once and we're done with it, but remember your passport has an expiry date.
So you need to renew your passport; in Norway every 10 years I need to get a new password, sorry, passport. And I think for digital identities as well, there will be a need to periodically go back and check some things. I mentioned the KYC is also an ongoing thing, but also, I think, going back to the actual assurance of the identity, that either periodically you go back and you say, well, we just need to reassure that you're still John, or looking at, you know, okay, sorry John, your passport expires.
We need to see your new one to show that you are still you and haven't passed away with somebody impersonating you. So I think yes, there is a need for also the periodic reassurance of the identity.
Okay. So let's look, what is the final question we talk about?
Yeah, I think the last question, where has it gone, I just scrolled up. Oh yeah. One question that also came up is: so if you have this registration process, on one hand, yes, you want to make it easy for people to register. But particularly if you look at it, for instance, from a bank perspective, maybe you don't want certain people as customers. How do you deal with this in this context? Because filtering out these people would require even more information, so make it even more complex. Any thoughts on that?
Well, I think, I mean, it's a balance. I mean, there are people you don't want, or probably maybe are not allowed to have due to regulations.
I mean, as a bank, you will have to check, for example, the PEP, the politically exposed persons list, to verify whether people are on there.
You could of course also use a bad credit rating for this, but to check the credit rating, you will first need to know who the person is at a certain reasonable assurance. So that could also be part of this getting the relationship going: getting the person in there with, you know, limited assets, and then while he's onboarding, you can perform a credit check, which may take a few days, but it doesn't matter, you already let him in. So if this is, let's put it that way, one of the good guys, well, it doesn't matter, it runs in the background. It doesn't have any consequences.
If this turns out to be someone with a very bad credit rating and you really wouldn't want him on board, well, you will know that within a few days.
And I think that will balance the ease for the users you want to get in while at the same time catching people you do not want.
Okay, perfect. So I think we are anyway at the end of the time for this webinar. So thank you very much to the attendees for participating in this KuppingerCole webinar. Thank you tr for your presentation, and looking forward to seeing you at some of our upcoming conferences or in the webinars we will do next year. Thank you, and have a nice day or nice evening, depending on the time zone you're in.
Yes. Thank you everybody. And thank you, Martin.