KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
In this session, we will examine use of blockchain tech and smart contracts
In this session, we will examine use of blockchain tech and smart contracts
My name is Hans Lombardo and I'm the CMO and a director of block pass, which is a startup based in Hong Kong. That is building is developed a identity verification platform, a self sovereign identity verification platform. It's already live in apple and iOS. We've been live since early April and we're on, we're almost on version 2.0, we're at 1.8 and it essentially, it, it it's self-sovereign because the user controls the identity data, the user boards to financial services or other services using the application with their phone.
So they put their address proof of identity via photograph passport and proof of address on the phone. And they control that data, which they can deploy to any financial service that is on the platform or any service that's on the platform. And we block does not keep any data. And we require, we work with various identity verifiers and in our contracts with them, we require that they keep no data. So now to get on this is says compliant, ICO solutions. It's actually the wrong presentation, but I can still use it.
This is more and more blockchain centric audience, but it's a, what we like to call identity for a connected world. So in, in it's first iteration block pass is a KYC application as a service for really any financial service, really lower hanging fruit for us right now, our ICOs exchanges, cryptocurrency exchanges, and ICO platforms and utility tokens. But we are getting a lot of interest from mainstream financial services, banks, insurance companies, to use our application. We also have a, a utility token, which is a crypto crypto token.
That is part of our platform that is used as a discount voucher for merchants or services to use the, the platform to onboard their, their consumers or their users. And it's a KYC forward token, which means that you can buy the token in a marketplace or an exchange, but, and, or you could get sent from somebody can send it to you, but in order for you to send it forward, you have to do a KYC. So it's a compliant, fully compliant token. And what that means is they need to, when somebody wants to transfer a token to another person, they need to download block pass and do KYC service.
Now, all the users that are on our platform on block pass are anonymous to us. We don't, we don't keep any data on them. We don't know who they are and they use our platform to access other services. So ultimately our goal was when we came up with block pass was early last year, we were working on actually identity for machines or devices. So that machines and devices, if you establish identity for them, or sort of a safer world, because there's the sort of internet of, of things is a perilous universe, right? Because they can be used in, in sort of malevolent ways.
So, and we've seen that with botnet attacks all over the world, using mistreat devices, such as webcams and other things, but we felt that there was no real self sovereign identity platform out there. So we decided that, that we should build this first and then get to machine identity later.
So, and that is essential ultimately from, for moving from web 2.0 to 3.0, because web 2.0, the web that we're in today is a centralized web. It's very centralized in terms of there are large companies like Facebook and, and Google that control a lot of the data and companies like Equifax that have a lot of the data. So to move to a decentralized web or web 3.0 absolutely essential that we establish establish self sovereign identity for users or user centric, user controlled identity and identity data.
So in the case of, particularly in place, the main, the first case that blockbuster is solving is compliance. We, we believe that blockchain can change the world, but it's very early, very uncertain. There's a need for an identity protocol that also allows for compliant interactions on public permissionless, blockchain networks and compliance creates costs. So we believe that you need to have self-sovereign identity or user-centric user controlled identity, but at the same time, we live in a world which requires compliance, particularly in financial services, you need to do KYC.
You can't be anonymous investor in 200 million sort of raises in ICOs. So we believe that we need to sort of meet halfway with, with the regulators. So we create a user-centric user controlled identity system, but at the same time, it, it needs to be compliant. And there's a huge cost to doing KYC and doing compliance for users and consumers. You can ask any bank, any financial service or insurance company, or even telecoms that do KYC for their users. And the reason is it's just the cost of doing it is, is enormous for so many users.
I mean, one example is there's a wallet called TNG. It's a TNG wallet and they're onboarding 20 million users a quarter. So if it's one buck, a user cost, that's $20 million a quarter. So if you think about that, that's a huge cost. So the cost of compliance for blockchain business is extremely high Coinbase, which is the largest, one of the largest cryptocurrency exchanges. It's estimated a couple years ago. It's more now that about 25, 20% of their cost is in compliance doing KYC 20% of their budget.
So, and as I said, the problem with ICOs is ICOs are initial coin offerings, they're token selling tokens to raise money for a project. There have been LA most of them last year were anonymous raises. So people were raising tons of money from anonymous investors or anonymous backers. So that's another reason why block pass is, is very useful in actually creating it and more compliant platform for token offerings. So it's essentially K Y block pass is sort of an effective human identity application.
It allows for KYC for regulated services and transactions and distributed applications for merchants and service buyers, providers. It dis reduces the cost of onboarding users because it's a shared platform for the user. So like if you're signing up the block pass to, to use a particular financial service, you do KYC for that service the first time.
And then you can use any other service on the platform without having to do KYC again, cuz your KYC data is in your app and you can basically click a button and then send the data to the next service or next financial service next retail or next, whoever it is. Also, we have a system which is sort of service providers, providers that provide services to our application. We offer a proof of verification rewards, which means they actually earn the token, which they can exchange for Fiat on the, when they provide a service such as identity verification. So that could be any, any kind of service.
It could be a notary that is connected to the platform and then notary notarizes documents of the user. And then they're provided a reward which is past token. So just to sort of give you an idea, what sort of back, you know, background we're dealing with is, is that we need to look at the evolution of identity on the web and why we're still pretty much in a centralized federated web atmosphere. I mean most of, most of ID data on the web is centralized. Most internet ID centralized, not controlled by the user.
So most, most people who have their identity data on the internet, it's not controlled by them. It's not even owned by them. And then we have another level which is federated identity, which ultimately is like when you sign up for Google and Facebook and then you, you use that, that, that, that profile to sign up for other services.
So, you know, it could be any service on the, on the internet, right? You go to the, go to sign up and they say, use your Facebook profile or use your Google profile. This is federated identity because you're basically allowing Google and Facebook to own your identity profile. And then your identity profile is totally linked to those networks for all these services. So if Google goes down or Facebook goes down, you lose all your access to any service that you signed up for that was Google or, or, or Facebook.
Then there's also user-centric or open source, portable user-centric platforms like open ID and oof and Vito. But ultimately you're still reliant on identity service providers who actually set up these open source platforms. And it's not far enough. We need to go move further towards full self sovereign identity where user centric, user control fully portable, secure and sovereign identity is achievable. And it's ultimately, as I said, the pathway to a truly decentralized web, we cannot achieve web 3.0, all this sort of fantasizing about web 3.0 is, is not gonna happen.
It's not gonna happen without self sovereign or user-centric identity. As I said today, internet-based industry is highly centralized goods and services are detained by through third parties, such as Amazon, Uber, Airbnb are also Facebook. And as I said, Facebook and Google control our identity. And this has led to a very perilous world because you just look at Equifax hack, you know, half a million, half the population, the us had their data hacked and they didn't even know it. They didn't even know their data was there.
So I mean, and then we have Facebook and Cambridge analytical situations and abuses of, of people's identity and abuses of their data. So we need to work away from that by decentralizing. And that's the way to do is decentralizing with the user through a, a more decentralized identity system. Users can access more decentralized applications.
What we call DAPs in the blockchain ecosystem, DAPs are decentralized applications that use smart contracts and block blockchains to achieve this vision, public blockchains and their ecosystems require compliance tools though, to be compliant and compatible with mainstream regulated industries. So that's, so at the same time, we're trying to make things more decentralized. We need to also make sure those applications can fit in this world that we requires regulation, particularly in financial services. So that's where block pass is sort of the middle is sort of the middle ground for it.
So, and in a sense, just to, just to, to simplify it, it's an ideal, the blockchain is an ideal sort of registry or white list for, for anything for users for, for, it could be for land. It could be for ships. It could be because it's immutable and also we can use smart contracts, smart contracts, really key to it. So it's simp simply blockchain block past this position as a pathway for web 3.0 vision users join the identity management app, upload personal data and control who is distributed to, when I say upload personal data, it's uploaded to the phone.
We do not keep any personal data of the users. No identity data is kept on our platform. The ultimate goal we seek to achieve is eventually implementing what we call zero knowledge, proof technology. So establishing a sort of anonymous, hashed based zero knowledge proof, white list model with user data. So the block block passes benefits for you for businesses in, and, and this is in the business business to consumer context.
So B2C, is it more rapid user onboarding, lower cost of pre and also preed compliance. So there's users that are already pre verified. And if a service joins our platform, they'll access to pre verified users.
And there's all kinds of new applications that are, have potential being implemented from anything from, you know, sort of verified wallet addresses, where, where there's verification involved, where and compliance involved, and the block benefits for users, including speedy sort of gateway from compliance services, allowing users to use all kinds of services because they've already, they're already KYC that the users own their data. They can, they own and control their data and who they send, who you send it to. Not only that they can monetize that data if they feel like it.
And it's a shared identity white list, the end of the multiple KYC identity checks block pass enables users get approved and whitelisted once for near immediate access to multiple merchants and service providers. So we're, it's basically KYC onboarding user-centric identity. You download the block pass S from the app store, set up a profile with multifactor authentication in your phone, enter personal details, like name, data, birth address, phone number, and you scan your passport. You scan a proof of address, which is usually a utility bill that has your address on it.
You take a selfie, holding your passport, you select and send information to the verifier. We can, we can integrate any, almost any verifier where right now we're integrating on fi oh, comply advantage, and fully, fully verified, which is a video verification platform that we invested in. You can accept your, your, your sort of application to be accepted or declined based on the verification certificate. And you might get declined because a user might get declined if they're on a, like a P P list or a, you know, a AML list. So we check basically KYC, AML, and P E P and various levels.
We can do that. And some users get, there is a potentially some error in the P P check check, but it's some, some service providers, some financial service required.
Anyway, you select a service provider by basically using the app or, or scan to scan a QR code on the merchant's website. And then you're immediately verify you get the verification and you're, you're, you're getting acknowledgement. So this is the app on the phone it's available right now. If you can see, see here, there's a pro a profile, which has your name, address, phone number, photo provided scans, photo scans, your, your passport.
It has a selfie, and it provides information on whether passport's been authenticated, the status, whether it's pending, et cetera, not only that you have a backup system, which basically when you, once you do your identity verification, it's, you can back it up by sending an email. It sends an email with a file. You keep the file somewhere.
And if, for example, you lose your phone or you delete the app accidentally, you can load the app again, and it, it, and you basically upload the, the, that that backup file. And it puts your profile back in. So you can use it for various services such as we used it for activating our, our past tokens, which we, we started our token offering at the end of may. And we used our app to basically verify all of all the people that bought our past tokens.
In addition to that, you can, there's a, a service where you can basically send your passport from the app, rather than store it in your passport and gallery or whatever, and photographs on your phone. You can send it in a more secure way from your app over WhatsApp messenger or WeChat, or over email. You see off on the right here. There's an a how we, you can actually send that on.
So, and also you, when, when you do do the verification, you get a certificate on the phone. So for every verification that you use, you can use it for different kinds of verification, and it will store a certificate on the phone, in the app, and you have that in your app, and those certificates become a market in themselves. So they're very significant going forward, cuz you could all kinds of services. You can have the certificate certificates for. So current pop process we're progress. We're based in Hong Kong.
We have offices in Hong Kong, Singapore, London, and we have a dev team, a large dev team in Vietnam. So as, as I indicated, sort of summarize immediate outcomes include reduced cost of C compliance, safe and compliant. It allows for development of com compliant, decentralized applications. It makes compliant, attract compliance, attractive to users, protects their personal data. And it's seamless. I won't go into the, I, we also have an ICO platform that's not relevant for here. Our past utility token, as I said, is a discount voucher for KYC identity.
It's proof of verification rewards for it's a reward for identity verifiers, and You can buy a token of various places. We are also building a developing a identity lab. It's the first of its kind, it's a blockchain identity lab and nap university in Scotland. We partnered with them. We're launching the lab at the end of this month and we'll be developing various identity tech technologies, including zero knowledge, proof technology, as well as proof of data deletion, which is very key. Because as you know, there are issues with large companies like Facebook.
When you let's say you cancel your account, proving that your data's been deleted. So is this is impossible. So we're working on technology to, to basically make that possible. So ultimately we're setting up the identity lab to create these new technologies to make web 3.0 more attainable. Our future development path also includes building identity for companies and devices. And our next product is coming out is a business identity application, which allows there to be K Y B know your businesses that you deal with.
So it'll basically provide a profile of, of businesses, you know, their actual shareholders directors, etcetera using, but basically same technology. And also we're working. Our eventual plan is still to build identity for devices because devices, companies and people need, we need, you need identities for these in order to have a trust trustworthy or trustless sort of commercial eCommerce environment. So that's all I'm gonna talk about today. Should we move on to the panel or have any questions or take some questions? Okay. Anybody have any questions? I do. Yeah.
So it seems like if you have a white list of users that companies use that any of those companies could use that To track any of those users across all of the companies, how do you prevent that? Well, so the, the white list is a hashed white list, right?
It's a, it's hashed to identify encrypted. Yeah. Hashed with the same.
No, but only the companies that have access to, to the list. So a user provides, provides the, the data and the, a company needs to have a hash to actually be able to, they need, they need a, a sort of an Explorer to be able to hash that, to see what that data is. They need the key. So if they don't have the key, they can't track the data. They can't, but after they Have the key, they can't track It. They can track it because they have access to that user cuz the user's given them permission.
So one of the features of like, for example, ID tech is make it clear wise identifier with each company So that companies Can't work together to track you. No, it Sounds like that that attack wouldn't be prevented by this system. Is that correct?
No, it would it be prevent it because they would need, they would need, I don't think that's possible with, with our smart contract model. So they need to have access to that smart contract and they'd have to, it'd be very complicated for them to be able to work together, to, to work out one particular hash for one particular user Complicated.
What, sorry To compare a hash in a white list. That doesn't sound complicated. Do you have the hash that I have? Let's track this. Yeah. I don't think it's gonna be that easy. Why Not? Sorry. It's just not Okay, Thanks. Yeah. Hi. Okay. You mentioned that you can download a file and then if you lost your phone, you can just basically upload it again and have the data back at which part comes like the blockchain in your solution. Like where's the blockchain part of the offering Right now. We're not hashing it on the blockchain.
So it, So basically it's just like that this data package would be basically hashed and put on the chain. Right. That's the only thing.
So, so basically at the moment you don't use blockchain for Now? No, not, not for storing the data For what? Anything else We're using the token, the token to basically access the, the service. Okay. So right now GDPR will prevents us from hashing, anything on the blockchain. So let's question. Yeah. So are you Okay. Sovereign foundation, decentralized identity foundation, any memberships There? Yeah. We're members of dif just like Newport and also we're members of the trusted T Alliance as well.
So some of the challenges of blockchain is that the fundamental architectural principles that blockchain's oriented around tend to actually be completely at odds with what we actually wanna achieve in most of our identity systems. And it seems to be spend most of our time trying to like do back flips in order to like overcome them. One of the standard ones that is kind of important here is that you pointed out, which is mutability, right? In most of our identity systems, we'd like to increase the ability to provide the right to be forgotten.
So like, so this seems to be a fundamental conflict between like the architectural models and requirements. So how do you think about that?
No, that's true. And I'm, I gave the example GDPR, and even though the data's hashed, it's a hash root of the data. GDPR would European sort community would be still at, you know, the European Brussels, you know, European authorities will still have issues with hashing sort of hashing data of per purse, private data on a public blockchain. So there's a belief that we can use side chains or plasma chains as, as a way with the thing with a plasma chain or side chain is that it's peer it's like peer-to-peer.
So you can, as a user, you can cut that once you shut that down, the connection with, with a merchant, then the data's gone. So that's peer tope, that's off chain.
So that's, that's sort of the sorry to get too complicated, but that's sort of the, and the other issue is with, with block block, blockchain is obviously scalability and speed transaction speed issues as well. So yeah. Any other questions In your system? Who's the person who's asserting the verification of that user's identities that ending up being you or No, we don't someone else. We don't do the verification.
We use other parties like on, on Fido comply advantage for so on Fido for KYC, for passport authentication, comply advantage for am L P P and there's other, Fido's not going to ne Fido's a standard On, on Fido. Yeah. On Fido. I see. Okay. On pH on Fido.
And, and so the next question then is, are the terms of service associated with those kinds of identity vetting systems and vendors carry over? You know, typically those assertions are provided in the context of a specific commercial transaction with some limitations as to what is being asserted, what it's good for, what the liability mechanisms are, how do you guys handle that?
Well, contractor contractually, we have that with those providers, whatever service provider is. And not only that, the data in terms of transmission of data, they need to delete the data on a monthly basis. We have monthly check, which can be audited.
And, and so is the, are the terms of service even across the multiple verifiers that exist in your system? Or, or is it a unique contract with each one of these guys?
Well, right now it's that the contracts is same, but it could potentially be different for different types of verifiers. For example, we just invested in a video verifier called fully, fully verified, and then the contract might be different for them because the type of technology that they're using, Right.
I mean, I saw that the, the, you know, in my experience, the commercial aspects of this are the party that's relying on. Those wants to be comfortable, that the terms are right and that that data can be reused and they have someone to go liable in case of something going wrong. So do you see yourself as an adjudication system for disputes like that? Or are you, Don't not necessarily, but we, one principle that we insist on is that data is not, not kept so on.
Like say if their verifier keeps data like passport data, stuff like that, you know, on their, on their platform, on their system, we are opposed to that. So we make sure that that, that doesn't happen ourselves.
We clear, clear all the data. Right. So thank you.
