KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Thank You. And we, we only have 20 minutes, so let's be at first, I'd like to introduce the third panelist, which is Dr. DK of Mimi. Who's the CTO of Mimi.
So we, in fact, three panelists, plus me as the moderate of this panel, the title disruptive role of mobile device manufacturers within the digital identity market, we probably can nail it down to the question. Will every seat in future be kept trust on our mobile device of choice? Or do we struggle with that when it comes to using multiple devices and to, to, to reuse identities, to have the required level of assurance. And so I'd like three speakers to very quickly introduce themselves. So maybe start with a thesis they have on this topic, let's go right as, as you're shown here.
So Alexei you start Matthew and Yes. So very shortly from my side Berg, my name has already mentioned shortly. I'm working at core technology. Think in Berlin, started physics in Hamburg before, and then I'm currently in, I think, four, three or four years in the identity and ion topic. You Thank you, actually, I think you did a very good job of introducing me already.
So as chairman of the Alliance, we basically launched the British standards Institute standard on digital identification and strong customer authentication last year, came out in July and it basically addresses how organizations can meet the sort of requirements of understanding how to onboard customers and basically how to authenticate them. It's a, it's a management process, primarily assessing sort of different levels of risk with different levels of onboarding and therefore authentication. You can't hear you.
Hi, this Derek I'm managing director of the German ID platform, which has had a lot of sort of shes over 10 shes from all industry sectors. And our idea is quite similar to a lot of other sort of approaches in other countries. We have cross-functional use of one single identification with a strong focus on authentication as well, and value added service like sign make sort of to provide one identity service for this Germany and maybe European countries as well. That's from my side. Okay.
So, so maybe let's quickly start with art. So you brought up this thesis of apple and Google with their ability of having secure elements and stuff to add around that in their systems might replace existing layers of identity proving and providing a strong, secure identity vis when we look at our main theme of today, the identity fabric essential for bringing in all the consumers. So why do you believe this could be that disruptive?
Yeah, I think the very first point does you ask me before? I mean, what is our entry point right now to, to the digital let's say, or to the internet, right? It's the mobile device itself. So it's quite an important to, to get in touch with the digital, to have this kind of mobile devices.
So, and the mobile devices are coming from the device manufacturers. And I think in this case of apple and Google, also, if you're looking especially to the last year, if you're just building up the components which they published last year, it looks like they're trying to focus very strictly on, let's say like an identity wallet, at least it's what apple is trying to do. Especially if you're looking to the last year, for example, they open up the NFC interface for third parties in September. They published also the crypto took it.
It's some kind of a technical tool to be able easier to build up hardware based wallets. So to save sensitive information on the secure elements, it was also announced in the, on the developer conference 2019, they have also published, I think last year in October patent for identity credential verification techniques. So very focus exactly on the identity part where they're describing how you are able to identify.
And the very important point I think, and interesting is although the Epilog in functionality, which will be mandatory from June this year for all applications will be published on the app store. So everyone who has, But, but do we then end up maybe, maybe do we then end up with a lock in, into the device. So given that, when I look at trust, what's around me, there are apple devices, there are windows devices and others. So what is your position that Well, I look at identity on a global basis and I, I like to compare it to currently let's make it slightly topical.
Let's compare it to COVID 19. So identity is a, a global issue. COVID 19 is a global issue. COVID 19 is, is interpreted completely differently in every single country. It has its own technology advisors called scientists in every different country. And every country is looking at identity in a completely different way. There is no unified approach to COVID 19 on how to solve it. And coincidentally COVID 19 is using the R for I'm assume it's reproduction, but under identity R should be risk. So globally, we need to look at identity.
That's both onboarding verification, authentication from a level of risk. And the biggest problem we've got at the moment is that there is no global standard. There's an IO ISO in, in, in development, but I believe it's sort of it's faulted because there are too many different feted interests globally.
So, so what we looked at is how can we standardize the management processes of identity and particularly strong customer authentication? Cause that's very big within the payments industry, what the big issue and the payments industry itself is basically saying we don't trust ID on the device because it's too easy to defraud. There's not enough time in a sort of a quick chat to go through all of the issues involved. And it's a, it's a five hour seminar, but basically you can't have device ID primarily under the payments directed too, because it's not secure enough for the payments industry.
So it's a question of where, how are you gonna use identity on the device? How secure it's gonna be? Is there biometrics?
I mean, as an example, I've got sort of three different, oops, sorry. I talking too long, three different devices.
You know, you can create multiple accounts on, on multiple different devices, all using different technologies. So, so you're saying this approach for now at least would not be good enough for, for certain use cases, duke you're coming from an identity provider.
Who's, who's doing it as a commercial I commercial business. You apparently have maybe a somewhat different perspective on that. What is your perspective in, in a, in a, in a short, Yeah, I, I slightly disagree with Matthew because we have one standard it's called Ida. So it was invented by the European commission somehow and they did a good job. So they have to, they tried to standardize standardize identity and authentication and authentication in one framework it's called Ida so that different identity schemes can incorporate and sort of have a so called interoperability done.
I likes it framework. It needs a bit refinement there, but the big issue is now that framework is only valid in the public sector of all the countries. And it is not mandatory sort of, we should come up with sort of an overarching ID system for all the standards, for all the regulated sectors, like daily communication or financing messages, what referring to, and either, and maybe trusted services and maybe eHealth all the big regulated sectors. They need to come up with one frame to come up with one. So proof and certifications, schemes of identity providers with different trust levels.
So we have a full standard and that's then you get all away with all the fragmented identity provided in between proxies and all the sort of risk management, lot of stuff. We should really sort of lean it up throughout all the rubbish and come up with sort of very straightforward trust levels, maybe three or four, and then it's done.
I, I, I really dream about that. Yeah.
But, but, but that sounds a little like, so, so on one hand we have, we have this mobile identity, which when you go back there's was mobile ID as something way, way, way before that. So, so will it be that we might end up with sort of an entry level ID we have on the device, which is relatively broad to use, which then maps, why other standards either to other other sectors or might require a step up authentication? Might that be the, the result of that? I think partially, yes.
I mean also me, we mentioned there will be several solutions are already a lot of solutions for, for identification and identification. I think it'll just stay the same for, for years, right? There will be no one solution for all the markets. And I think the main point, what Derek also mentioned is the interoperability, which you need to, to activate in here and some kind of decision which security levels you would like to reach for dedicated use cases. And to be honest, although this part, I think will be different from state to state, from nation to nation.
Because I mean, although there, for example, in Germany, there is just a high security level, which you need to reach also for some kind of low use cases, low security use cases. Yeah. It'll differ. I think it's more about the technical standard and how we can enter operatable communicate this identity to each other in the way that you are able to step up with, with the quality of the identity.
But, but, but maybe, maybe it is a little bit taking another code analogy over here in travel. We had the discussion was about how to construct a Corona app. And at the end, very influential was the point that apple and Google said, we will go for decentralized. And maybe the point is a little bit similar with the mobile thing that this is there. And if these two big pointers push it, everyone has with what they do has to follow.
They, do you agree with that? I think that's the best analogy of the day. Exactly. That the problem we've got with the COVID app is Google want to an apple want to do obviously a decentralized one and the, the banks or the governments would want to do a centralized one because so many different issues around it's a use case. So exactly the same within identity. If it's on the device, it's a decentralized one. And all you're basically doing is you're telling your mobile phone that I, my claimed identity that I've set up on the device is an identity. It doesn't mean it's my identity.
It could be any identity and the centralized one where it's on the server, where you can check the multiple accounts fraud for arguments sake. That's the one preferred bias organizations and governments. It's an interesting, an interesting area That also would mean we might map differently than maybe it was the Corona app.
We, we also might use the device as the decentral thing we own, which we then map at the right point to something central, enhance it, do whatever. What is your perspective here? My perspective is a personal one, but I'm here as, as a human being as well.
So the, the, the idea is that I have the mobile phone, write my wallet with all the cards, with all the money in my pocket and I lose it, then it's end. But it's, it's no one knows exactly what, how much money I have in my pocket and how many card plastic cards I have in my pocket, in my wallet. So transferred into digital world. I don't think that is the right approach.
I, I strongly believe in one I, one authentication key on the device, nothing more. I have one authentication, keep one token. And with that token, I go through all the platforms ized, or maybe, and I authentic myself. The is quite to the, to the qualified signature. When the signature was sort of launched, they say, you have to, to have your signing key on your device now on your card or in your phone. And it didn't fly at all, but qualified signature was not sort of running.
And then they said, maybe trust service providers signing the PDF, and you only have to get, get authenticate to that service provider to central service. It's called remote signature service. And now it flies. That's exactly because if you have a decentralized system, you always end up in a lot of lifecycle, lost pin, lost device stuff. And the thing is you cannot control all the devices, all the operating systems and all the software. So it's much safer to have the data on the centralized trust center somewhere who's taking care lot better regarding security, privacy.
And then, then you control all the devices and make sure that people are using the highest standard of all the security don't think. So the last last example is I lost my device. Someone is finding it. If I have only the authentication service, then I just called the hotline and say, please lock my authenticator key. But if my data and all the, my credentials on that device, I cannot block it. I cannot sort of cancel it.
So the, the, the, the find of my device has my data. That is It's interesting. I don't believe in that sort of doing all because it sounds so good. I think it's a political all discussion, but that's all my, yeah, I think it's interesting. And one of the things, so I, not that long ago, I started my colleague, Annie then worked on our market on blockchain ID and decent life identity. And then one of the questions I always brought up is, you know, if I have more than one device, what about roaming? So to speak, what about roaming identity? How can I reuse it across all my devices?
Because I don't want to be locked in. I don't want to build it new.
And, and that, that, that, from my perspective speaks to some extent for, for a split model, where you have certain things on the device, which help you to authenticate, which help you to do things, but you need to be able to, to use in all these devices you have, and in different use case scenarios. It's, it's interesting. You all are nodding.
So, so, so are we somewhat on agreement and given the time maybe we make a short round of, of sort of closing statements, closing remarks of yours, maybe go the other way around this time, duke starting then last and then art tour. Yeah. My last perspective is identity sort of is the last type against sort of the big text they take over there. They took already marketing has already from away from us. So identity is far more than any service identity goes into the civil serenity of the citizen. And we need to protect that asset.
And here should sort of, we should all put our thoughts together and don't come up with any sort of, a lot of sort of startups and different solutions. We should come up with one good framework and at least the state, or at least the society should have a share in that asset. Okay.
Matthew, It's, it's such a big subject, but I'd like to basically say, no, one's really identified what, what is identity? We're talking about identity. Like it's one thing, it's a multifaceted beast. So there are many different aspects of identity as, as he was suggesting Martin for different use cases.
I didn't get to hear the Belgium womans talk, but you know, they've got a very nice Belgium ID solution that meets the requirements of what they're trying to achieve now with IDAs the problem with the Ida is it doesn't work in the UK and it won't work in America because we don't have a national ID system. So we don't have an authorized source to access, to identify individuals. So horses for courses that we would say, so the Belgium ID system works well in the UK. We tried to create a government system like that called verify. It fell apart for complications within the UK system.
So the problem is globally, it's very complicated. There are gonna be many different technology providers for many different types of solutions, but the end of the day, you have to recognize what it is that you're trying to achieve. And if you can do that, that then it's a good starting place. And it's about framework.
Yeah, I think I can also agree with dear personally. I also think identity is very important topic, which you need to protect, but I think on the other side, we need also maybe to have a realistic look on the situation.
I mean, apple and Google came up for, for the payment sector and they just rule other part, but especially for identity, to be honest, since already so many years, they have the most digital identities on their side. It's nothing new. It could be more, it could be more sensitive, but they already have the identity. And same as on the payment market, also with, with blockchain, with Bitcoins and so on, it comes to us.
And the thing is just about, can we defend this part or do we just need at all to defend it, or do, do we just need to find a corporation model decentralized one, partially to integrate the, the colleagues all in the kind of politic discussion, how to handle it, this kind of digital situation, and try to build up the value on top of the identity because in several years, I think the identity will be just commodity without that much value behind it.
I think the value is not the identity itself is just the use cases which are built up on the identity and especially in the B2B and machine to machine market that are quite interesting topics. And I think we need to find some kind of cooperation models. I believe we could spend a lot of more time on this topic, but I think there's a very important ENCE. So that is that what, and Googled us will be influential. It will not solve all of the challenges we have.
It will play a certain role and we must work hard on into our ability to solve more identity use cases in the meanwhile for our identity fabrics, going back to our main scene, we will have to with a lot of different ID providers. And so thank you very much to you as the panelists and thank you to all the attendees for listening to this panel. Thank you. Okay. Thank you.
