So, well, first thank you for staying until the last day of the conference and after lunch. You might be passionate about the topic. So first a little introduction about who I am, what Polygon ID is doing. Polygon ID is, well, part of Polygon. We are a blockchain company. We are in Web3, and we are building a decentralized identity solution, like the complete stack.
I would say our mission is to become the infrastructure layer for maybe other more specific, specialized identity solutions to be built on top of it. So coming from Web3, decentralization is also a core principle. It's like a mantra. We assume that decentralization is a way to do many things, right? And in conferences like this, I realize that many companies are coming now to the decentralized way of doing things that we have had as a principle for so much time, right?
And also in self-sovereign identity, decentralization is part of the deal, right? Decentralization is a necessary condition for the sovereignty of the individual. So if you read the books, if you get resources about self-sovereign identity, you end up a bit radicalized, or I would say you end up with a very strong ideology, and that ideology somehow transpires into the technical implementation of self-sovereign identity. So we can see here how it looks when we move these principles of decentralization to an implementation, right?
It usually ends up as the maxi approach to SSI, which is everything belongs to you, right? Everything is in your mobile. That means not only the app, the wallet, but also the keys that are used to sign or to generate your DID. The credentials that you receive are also stored in your wallet, right?
So you are fully sovereign of your data, you control it, you own it, but then also you have all the responsibility of keeping it, right? And we have been doing that, I would say, for a year. That is Polygon ID 1.0. The app is a full self-sovereign identity wallet. You have your keys in your wallet, you have the credentials in your wallet. Everything is completely decentralized.
Now, how this translates into the user experience, oh, sorry, I need to skip to the next one. How that translates into the user experience for the user: that is a lot of friction. The user needs to download a wallet. And I think another speaker said before, people don't download their wallets just to have wallets. You don't sit in front of credentials looking at how beautiful they are, right? Your first point of contact, your first interaction with a credential is where you need it in a real context and a real use case, right?
You are doing something.
And then in the middle of that something, you need to be verified, right? Or you need to share something. So you were renting a bike, you were onboarding in a new bank, you were doing something. And then at some point of the process, you need a credential, right? That is usually, as a user, your first interaction. You didn't think about downloading the identity wallet and having it ready and prepared with all your credentials just in case you would ever need it, right? That is not how it works. So suddenly we are introducing all this friction in the middle of an existing flow.
So imagine yourself doing one of these things, renting a bike, onboarding in a bank, presenting your health records, whatever, and in the middle you are asked to download an app, install it, set it up, right? You need to set up your identity, whatever that means.
You need to discover or go to the issuer that will give you the credential, right? Then you get the credential, you present it to the verifier, right? And then you're good to go. That's a lot of steps. We try to optimize that.
And in the best case scenario, a simple, sorry, age estimation credential took like 150 seconds across all these steps for a user that knew what they were doing. That's a lot of friction. And for the sake of what, right? For the sake of privacy and decentralization.
Well, verifiers, in this case applications, don't care. Users don't care enough to go through all this friction, right? And then you have the alternatives. Okay? The verification is a problem we need to solve. What are the alternatives? The alternatives are just connect to the issuer, integrate the issuer SDK into the flow like most applications do.
And that's it, right? It's simple, it's faster. You don't need to download anything. You don't need to do anything, et cetera, et cetera, right?
And most verifiers, most applications are deciding to do this and then throw away all the SSI principles, because the communication happens between the issuer and the verifier; the user is not in the middle. There is no consent, there is no sovereignty, right? And then you also have the alternatives, the big ones, right? Sign in with Google, sign in with Facebook, with Apple. All these providers sooner or later will start adding, some of them already are adding, trust signals to their accounts.
So very soon you will be able to log in with Google or with Apple or whatever, and they will tell the verifier that yeah, you're already 18, right? With all the implications for privacy and control that that has. But from a user perspective, from the verifier perspective, they are right now better alternatives than the maxi SSI flow, right? So the question is, we want to stay by the principles of SSI, we want to have decentralization, but we cannot be so bad at user experience, otherwise this won't happen, right?
We have been struggling with this for two years, and here I am to share with you the lessons, right?
Okay? So there are several elements that we can, and now I'm gonna go more technical, right? Many technical decisions that we need to make balancing user experience to centralization or decentralization. And now I'm thinking about the wallet, right? How we build the wallet. First of all, we have the identity client, right?
There, we can go from a very centralized model where it is privately hosted, hosted by one company. It could be hosted by a community or an association or somebody managing public goods: Linux Foundation, European Commission, whatever. It could be an ecosystem or API, right? Which means there is an infrastructure to build wallets on top of it, right? That is open, that is a public good. And then you have an ecosystem of wallets, right? That can talk to that API. Or it can be in your device, which is what we have right now, right?
Maximum decentralization is you have it in your device, but then each device will have to have a copy of that wallet, and then the synchronization will need to work somehow, right?
For the data storage.
So again, the first responsibility that we need to decide if we take away or not is: do we need to install anything? Do we need to set up something, or can it be embedded in the flow? That is the identity client. The second one is the data storage. And we go from, again, on device, everything belongs to you, even the responsibility, right? To privately hosted. But there are some in-betweens, right? It can be hosted somewhere in the cloud, in a decentralized storage.
There are many decentralized storage implementations and options, from decentralized web nodes to blockchain-based or distributed storage. There are many implementations, right? And then more decentralized would be user hosted. So imagine that you could use your personal storage, Google Cloud, sorry, hosted storage, whatever storage you decide as a user, right? As long as information is encrypted in the client.
The key custody is one of the most sensitive topics. Nobody wants the responsibility of custodying the keys.
But if we give that custody to others, then the entire model of SSI and privacy goes away. We have many options, from self-custody, again, on the device. MPC, multi-party computing, is, I would say, the most decentralized non-custodial model, right? Because nobody really has your keys. There are shards of your keys that are distributed in the network of multi-party computing. Nobody can see your key, but you, if you present the right authenticator, you can use a network to sign on your behalf.
We have cloud HSM, which is more centralized obviously because you're using Amazon or some provider that will provide this hardware as a service. And then you have custodial wallets that are well known.
But again, this is probably throwing away all the self-sovereign idea.
Finally, we have the DID authenticators. So what do we use to authenticate?
What do we use to generate our DIDs, or decentralized identifiers? And what do we use to prove that we control these DIDs? The good thing is to go with passkeys, crypto wallets, self-generated keys, et cetera, et cetera. Everything that the user generates by itself. That is the principle of SSI: you generate your keys and your identity without any third parties, right? But I think we need to consider that even though the decentralized identifiers are generated from a key that I control, I can add more authenticators on top of it, or I can generate the keys from different types of authenticators. We need to think if we want to win all the battles at once, right? And I think there are some battles that are harder than others. And the battle for authenticators is a very hard one. Everybody's signing in with Google, everybody's signing in with Apple, right? So if we are trying to change that along with all the other things, it's gonna be very difficult. I think there are ways to do a progressive onboarding, right? While we are friendly with the existing infrastructures.
So our choice among all these options had some criteria, right? So for the identity client, we wanted to secure data portability and multiple choice, right? Data portability means that if you choose a wallet, that doesn't mean that your data stays in that wallet forever. And then if you move to another wallet, to another provider, you need to somehow get all your credentials back, right?
And with privately hosted solutions, that's not warranted. Nobody can guarantee that they will open the data if you are hosting your wallet on a server of a private company. For data storage, well, that is kind of easy actually, because if we encrypt things on the client and they can only be decrypted on the client, right, it really doesn't matter where the data is stored. It's more a matter of governance and trust in the organization that is managing that storage. Thinking of things like: can they deny me service, deny service to our region for political reasons?
Will they be alive in 20 years? Things like that. Things that you need to think about in long-term storage and sovereignty for your data, right?
But in terms of the technology, the underlying technology of the storage, it's not super critical because, again, you are storing encrypted blocks. An important thing is that there is no man in the middle on the encryption; the encryption happens on the client only. So only the end user is able to see the credential itself. For the key custody, we are only considering non-custodial solutions because custodial solutions are not SSI, it's that simple. And then for wallet authenticators, we want the maximum flexibility, right?
The authenticator shouldn't be the reason why people are not adopting the solution. So with this in mind, this is our choice.
So the topic of the talk was: what is the right balance?
I cannot answer what is the right balance for everyone. This is our balance, right? We are moving towards an open ecosystem API. We think there's gonna be, well, Europe is saying there's gonna be 27 wallets or more, right? We think there's gonna be hundreds of wallets, right? So interoperability is gonna be a massive challenge, and we think there is an opportunity in building the underlying infrastructure for the interoperability of these wallets. For the data storage, we think decentralized storage is the best compromise because of the reasons I mentioned before. Decentralized storage allows for more actors to join the network of storage.
So what you want to avoid is that for political reasons, your data is removed or is denied to you, right? And if you can decentralize where the storage is, right, there will be multiple actors from multiple countries and multiple interests participating in that storage.
And you can also join the network yourself if you want to secure your data to be always available as an organization. Maybe IPFS has this model, right? Where if you want to make sure that your files are gonna be always available in IPFS, you can run your own node, right?
And then you guarantee that your files are gonna be always available, right? So you always have the fallback of full sovereignty of the data. For key custody, we think both HSM and MPC are feasible models in terms of user experience. They provide the same user experience: somebody signs on behalf of the user, even the authenticators. But we are favoring MPC for the same reasons of decentralization, right? And for the same reasons that if you rely on an HSM that is provided by Amazon, Amazon may decide that they're not going to do business with your country anymore, right?
Or with your organization or whatever, right? So this censorship resistance is an important property of decentralization. And why is that? That's why we're going for MPC. We think it provides a very good user experience anyway. And then for the authenticators, we think, of course, passkeys is probably the most promising thing in terms of self-custody of keys. Crypto wallets is the biggest PKI infrastructure deployed in the world, right? That is actually working, right? So we prefer these mechanisms in the long term, but passkeys is just being adopted.
It's gonna take years until we are used to using it, right? So in the meantime, we need to cohabit and to work with what the users are already doing, which is social logins and the likes, right? And just to finish, I would like to show you how it looks, right?
So I show you this because usually people are aware of what is the traditional wallet SSI flow. I don't share that because it's: you scan a QR code, you get your credentials, you go to another place, you scan a QR code, you present your credentials. That is the flow, right? So here is a different flow, where as a user, I'm interacting, I'm doing something. I never heard about identity wallets before. I don't have credentials. I'm just trying to do something. I'm trying to access a stream that is probably for people older than I think or something like that, right?
So yeah, this is my first interaction. And then the first thing is, okay, I don't have a wallet. I sign in using Google or whatever, and the wallet is created for me on the fly. All the keys are created on demand.
The keys that are used for encrypting the storage are also created on the fly. Nothing is stored. Everything is created, cryptographically derived, from your free authenticator. The issuance, the issuer, is embedded in the wallet, right? So whatever credentials you need to get, you need to get it there. You don't need to go to another website, another provider.
You get the credentials where you are, right? Because it's part of the flow. And then, this is the same as if that website would have embedded an issuer, right?
If the website would have embedded the age verification provider, the experience would be exactly the same. The difference is that the user has created an identity wallet and has claimed the credential without even knowing. The next time the same user goes to another website using the same system, the credential is already there in a wallet that he doesn't even know that he has.
Of course, we are gonna empower the users to know that the wallet is there, to interact with the wallet, to add more authenticators if they want, right? But the experience needs to be complete.
If we want to bring the wallets to the user flow, we need to integrate the wallets in the existing flows. We cannot just create a completely different parallel world, right? And try to embed that into the applications, because the applications are not gonna accept it. And I want to end this with a survey that I read about what the criteria were for different institutions, banks and others, when selecting these credential providers. In this case it was, I think, for KYC. And if I'm not wrong, I think it was from KuppingerCole, but I'm not 100% sure.
But for me, the most interesting thing is that in the reasons for choosing a provider over the other, one may think of price, compliance, all the things that you think of when you think of KYC, but the top number one by a long difference was user experience, right? The biggest, the most powerful actors in SSI, or in bringing SSI alive, are the applications, right? The verifiers. If we manage to convince verifiers, everything will work. And the biggest concern for verifiers is the user funnel, is not losing users to bad experience, right?
And that is why I think finding the balance between decentralization and user experience is so critical. Thank you.
Thank you very much. We have a question from the audience. I'd like to ask you quickly, what are your thoughts on the GDPR compliance of current decentralized storage solutions?
That's a, that's a question.
Well, I would say when you think of decentralized storage, most people think of hash river services like IPFS, Filecoin and others. We have discarded these solutions, precisely because of the right to be forgotten and the fact that anything you store in this kind of network is permanent and you cannot delete it. So we are not considering that type of solution. But there are many solutions of decentralized storage, from the classical distributed storage with CouchDB, or there are even decentralized databases that are working with blockchain like Wilt.
There is the decentralized web node project. There are many approaches to decentralized storage that are not permanent like the ones that people probably have in mind.
Absolutely. Thank you so much.
Thank you.