Dr. Andre Kudra, TeleTrusT: Brave New Wallet Intro for Muggles (KuppingerCole Analysts, cyberevolution 2024)

I thought it would be an easy sell, but it has been marathon after marathon, so let's take stock of where we are. I'm one of the board members of TeleTrusT, the IT security association in Germany, representing more than 400 companies in the field of IT security, and one of our core topics is digital identity. I also do this in my day job as CIO of esatus AG.
And I think as we are at a cyberevolution conference, I think it's worth taking a look at what has been done in this field of digital identity and decentralized identity over the time. And this is what I would like to bring to you here.
Actually, I want to start with a little bit of a primer on wallets and verified credentials, but I think as you have already listened to John's presentation, it's probably not so much an intense thing we want to discuss. But we want to take a look into the EIDAS regulation and what is planned here, what is it that we can expect from a regulatory framework. And obviously, we are at a cyber security conference, so what is the impact of wallets on cyber security in your organizations? And I want to close, and I think I want to also have a more lively discussion in the end.
What are merits and what are pitfalls if we introduce the wallets? And a part of this has already been presented by John as well. So maybe let's start. What are these wallets anyway? So I think the best analogy is always we want to move these into this. So that's easy, actually.
I mean, that's basically it. We want to transport all the physical artifacts that have some kind of trust anchor in the physical world into the digital world. So we want to have all these cards, all these documents that represent a part of our identity from trusted issuers into the digital domain. And we want to have them easily at our fingertips in a digital wallet in the form of verified credentials, which is the new age term for a certificate that has some cryptographic properties. So you may have seen it, probably you already have heard about it in very different conferences.
This is the self-sovereign identity paradigm or decentralized identity, as it's now often called paradigm. It's basically the trust triangle. We have someone, we call them an issuer, who says something about me. We call the subjects holders. And someone else, a verifier, has some interest to learn about this data about me from the issuer.
However, I am the holder. I am completely in control of the data flows. And it's still trustworthy in the verifier when he gets it. So that's basically it. That's the whole paradigm. That's all there is. But the change of things is the holder has actually the data physically in their own devices and has the control of the data flows. And I think this is kind of a game changer in this whole paradigm. So this has been an evolution already. We come from centralized identity, federated identity, which is basically still at large all over the world.
We have user-centric identity because now it's more about us and external data providers assert our identity. And now we are moving finally into the decentralized and self-sovereign identity space.
However, this takes still time. So I mentioned I have been in this field since 2015. And I thought it would be an easy sell. It's so obvious that everyone needs it and we're still not there. But now from early advocacy, we have now regulatory attention on the topic and everyone wants to make it happen. So let's see if we can be successful this time. So the most part of the discussion is always focused on natural person identity. And this is only a very actually small part of the equation. So the most important thing is that organizations overall adopt the wallets and do stuff with it.
And we come to that later what that could be. And not just center it around government-issued identity that you can use in online directions. So organizations need to have this wallet attitude in thinking about their processes and introduce it into their own thinking. And the greatest lever could come with machine identities with wallets. Because this is billions out there. And this could be a main lever.
However, not so many people talk about it yet and so it's not solved. So all this has been recognized by the regulators, particularly in the EU. So we have the EIDAS regulation, which is the regulation that asserts about trust services in the EU and digital identity. So this has been around for a while. So all of you who are EU citizens more or less have an ID card that is based on the EIDAS regulation. And you could use it in digital interactions. So in Germany, we have that as well, but it's not so much adopted.
So this has been something that has been around for more than 10 years and it's not so much used. We have heard from John in Norway it's different. We have bank ID, it's a centralized system, but it's heavily used and everyone uses it every day basically. So the EIDAS regulation is now under revision. So there is a 2.0 version being issued. It's already been passed and now the implementing acts are coming. And these regulations state there must be such a thing like an EU digital identity wallet that every citizen in the EU can have and use.
And I don't want to bore you with all these details, but it's been a cumbersome and complex process to come even to that law. So we have different roles in this wallet ecosystem. So it's not just the wallet, it's a whole ecosystem of things and different organizations and bodies regulating this and operating it. And a couple of statements here, maybe just to illustrate what we are coming to. This will be certified under EU governance bodies. So that means we cannot just have a random wallet arbitrary in the app stores and we can use it and call it EU digital identity wallet.
No, it has to pass certain requirements, certain tests and has to be tested and certified by the government governance bodies. And this is another complex task. So not everyone wants to issue an EU digital identity wallet because it's cumbersome to actually do it. So there is the notion that there will be government issued wallets and particularly also in Germany, much to the surprise of many, private sector wallets will be allowed.
However, they have to undergo the certification. And I think this is an important thing to note. So we will maybe have a plurality of different wallets. And this is the wallet roles ecosystem that all governs it. You can look it up. All this is very transparent and openly published. That's a specification called architecture and reference framework of the EU, the URL is in there. And you can look all the details up if you are interested. Going on. This is the reference architecture model. So I don't want to go into all the gory details here.
But it has been very well thought through how to balance the components that are required in this field. And also many security considerations have gone into it. So you talked in the previous sessions about security attack vectors and vulnerabilities, impersonation attacks and so on. So the community who has developed this architecture and reference framework has gone into great lengths to make it as secure as possible.
However, member states can have a deviating implementation, but still they need to follow the architecture and reference framework. So if you want to call it an EU digital identity wallet, it has to adhere to certain standards and properties and you have to do it. And there's two things that may be interesting. It is not just one protocol that is spoken with such an EU digital identity wallet. There's two different ones. One is the driver's license standard ISO 18013-5, which is like a globally renowned ISO standard that is part of the wallet. So the wallet will support this standard.
And it will also support a newer standard called OpenID for Verifiable Credentials and Selective Disclosure JSON Web Tokens, which is the other standard. So we know that there will be different things already happening on the EU digital identity wallet. This will have some meaning, as you will learn in a couple of slides down the line. And also there is a trust model, which anchors why you can trust this whole thing. And the considerations are based on the EIDAS 1.0 thinking.
So there are always qualified or trust service providers who basically attest to the facts that you have in your wallet about yourself. But this is like a mechanism that has been known in the EIDAS 1.0 world already, but it's now transformed also into the wallet world. This all takes time. I already mentioned it. This is a slide that was taken from a presentation of the EU Commission in September on a conference where this was only focused on trust services and CA topics in September, as I said. So the EU plans to have wallets widely available to EU citizens in 2026.
This means the member states of the EU have to issue their wallets per the state. So for this, we have to understand how the EU process works. So it's not just passing a law and then everyone does it because we have technical implementations as well. So there's the law first, which is giving you the guidelines on what you can do and what you can trust.
However, to make it applicable to the member states, you need something called implementing acts, and they are still in the making. And only when these implementing acts are final, there is a period running of two years until which the member states have to actually have a production wallet in the field. So this timeline may shift because the implementing acts are not final yet. So maybe we will have a shift in this space, so not 2026, but maybe later. But this obviously also depends on how the member states take this law and make it into practice in the world.
So if you want to learn more about the German incarnation of this wallet, there is a very strong project being driven by the German innovation agency for disruptive innovation. This is called SPRIND, and they actually built the German version of the wallet, not only from an architectural perspective, but they are in fact tasked to create the German government issued version of that wallet. And they have in their plan to have like a beta version ready next year in Q3 so that you can already check it and use it in your own settings.
Obviously, we have a bit of a political turmoil these days in Germany, so maybe this also shifts a bit, but we don't know. So the assumption is that next year we will have something to work with in the sense of a German wallet. A very strong team culminating at SPRIND. They are very interactive internationally and banging their heads against the other professionals in the world to make the best possible wallet. And I think they are doing a fantastic job.
However, having all that said, the EU wallet is a great thing. However, is the whole world now waiting for the EU wallet?
Well, I think there is a thunderstorm above the bubble bath, and I will give some meaning to that in the next slide. So the global context is there is a broad plurality of different standards fighting for this field of decentralized identity. So in the world all over, we have different technology streams converging around the same topic. So everyone wants to solve this digital trusted interactions problem. And there are obviously different technological ways how you can do this. And this is in fact happening. So we have different tracks trying to solve this with different technical means.
This is just an illustration that we have other technology ideas being driven by the United States in the Asia-Pacific region. And even if we look into our EU neighbor landscape, the Swiss people, for example, they will be designing maybe something completely different. So if you correlate all this, it's a difficult situation that we are in because there will not be one standard to solve it. As I mentioned earlier, you already have two different standards in the EU wallet alone. So it's a complex trust ecosystem bubble bath.
And sometimes I call it, it's like a techno religious battle that's going on for ages. And this is also one of the obstacles why it didn't work out easily in the beginning. So what is good about this? People know that we need some convergence. So there are different organizations all over the world, different conferences, particularly tackling these topics. Trying to have like a more uniform approach on digital trust ecosystems and making that work. And this has been very fruitful also in the past years, even though we had these battles around technologies.
We see some major trends coming out of this discussion. And people are very interested in seeing what's happening in the EU because this is a major force at this point. So how can we use wallets in cybersecurity settings? So obviously, we all know, you have heard in many sessions here, sophisticated AI is a better attack vector for everything that you do. So we will have deep fake videos, we have impersonation attacks with any means. You may have seen this video, which is like an early one, which is not as good as it's possible now.
So we have very convincing deep fake videos and deep fake video generated content and content overall. That is an attack vector that is as strong as we had never experienced before. So what we need is, we need like an authentication mechanism that is very strong in all our digital interactions. From organization to organization, but also from person to organization and vice versa. We need strong authentication in everything we do in online interactions.
Otherwise, we will be just suffering from the effects that we are seeing already. So my postulate is always, we could very well integrate wallets and the strong authentication that come with them into identity and access management. You all know, we have a billion dollar industry in the identity and access management field. So we could leverage the benefits of wallets in this field particularly. Because we can now use the attributes that people carry around with them to make decisions about the access level. So this is something that can be easily integrated.
And if you look at the self-sovereign identity paradigm, it matches very well with the principle of least privilege. Because you only disclose what you actually need for this interaction. And this is baked into all that we see in the wallet space. So it also helps, and this is something I want to point out. It helps to cross organizational boundaries. Because it's not your own enterprise landscape. You can now consider artifacts that are coming from other parts that people have in their wallets.
And I think this is a very strong opportunity for integrating with your peers and with your delivery chain via the wallets that people have and that organizations will have at some point. So I think this is a great opportunity. We will look at the opportunities now. So I'm very opinionated in this field. I'm probably also very biased because I've been doing it for a while. And I think this is something that will help us.
However, I'm also considerate about the challenges that we have. And let's look into those at the end of the session here. So I think an EU wallet can be a big driver for digitalization efforts. And I'm a big fan of that because we are here in a country that is very much behind on digitalization. So I think the EU wallet can be a great chance of resolving that. So this is something that I really hope will take fruit and multiply. Because I think with the EU wallet we can optimize and bring efficiency into processes very much in very different situations.
And we will have trusted data and online interactions much stronger than we had the possibility before. It will be a tool for countering online fraud. And we know from the talks with banks that we have, this is the biggest problem that they have today. And I think with a wallet and a stronger trust ecosystem, we can facilitate more trustful interactions. We will have regulatory certainty. And this is the good and bad. And I will come to the bad in the next moment. Because we can now rely on the terms that the EU sets with the EU law, the EIDAS 2.0.
And this will help us to build reliable, strong interactions with wallets by default. Because if we take the wallet ecosystem and apply it to our business process, we know that we are compliant and fulfilling any other regulations that are coming underneath. Now I would like to spend the last couple of minutes on looking at the pitfalls of the EU digital identity wallet. Because this is something that we have high hopes into it. But there are many things that can still go wrong. And I want to point out a couple. And this is not an exhaustive list.
So some already perceive this as a total regulatory overkill. So you have seen the charts before. There's tons of pages that go aside with them. So it is a complex topic. And the EU tends to regulate it all. So this is a very strong point where you have to convince your potential customers that you are taking this regulatory complexity away from them if they want to interact with the wallet. So they buy your solution or you adopt your standard and you will comply to your wallet. Because your clients will not want to do this on their own.
So this regulatory overkill is something that you have to manage. We could have poor user experience. Because we have the trade-off of security and convenience. So if it is very secure, it may be too cumbersome to use. We will have to see how that plays out. We could have even too many wallets. So those of you who already have these, probably you know, if you choose one, maybe there is something that you're missing out on the other one. So this could be a problem. And big tech might have already solved it for you. So you're used to your Android and iOS phones and operating systems.
You know they already have a wallet. So selling that you need another wallet is a hard sell in fact. So the assumption is that the big tech players, if they recognize the value of an EU digital identity wallet, will go for the certification of these wallets as well. So let's see. E-government, as I said, we are behind on that in Germany. So if e-government is not playing ball, and you cannot do anything with your wallet, it will be very slow in adoption. And private sector use cases, I think, are the critical driver for it.
So if we do not find good private sector use cases that are happening in the EU digital identity wallet, I think it will be a no-show, non-starter. Organization identity, I already mentioned, this has to be represented in the field. So natural person identity is discussed most, but that's something that I think will come. It's already happening. And let's face the fact, not so many people care about privacy. So if you're using all these services that are coming from the big tech world, are you really caring about privacy? So this is a strong opposition point.
So if there is a more privacy-preserving solution, will you adopt it? I don't know. And on the other way, the strong opposition say it can be perceived as a tracking device. So now the EU wallet is tracking all my activities. So there's a multitude of different things happening in that field. I want to close off with this one slide. I think we have very many industries who could benefit from something like a wallet. It goes across the board. It's not just about personal identification. And I'm staying tuned for out of the bubble, into the field of the digital identity wallet.
If it's coming, we will have to see what all the stakeholders will have to say about it. Thanks for listening. And we're looking forward to questions and continuing. Thanks.
Thank you, Andre. Unfortunately, we've got time for questions now. But I'm sure you can grab Andre outside somewhere. Thank you so much.