Panel | Reusable Identity and Bootstrapping Decentralized Identity Ecosystems

The topic today, Reusable Identity and Bootstrapping Decentralized Identity Ecosystems. So Self-Sovereign Identity, Reusable Identity, Decentralized Identity. Maybe we should start first by saying what we're talking about. So tell us about, hi Riley, welcome. He's in the KitKat room. Can you hear me? Yes. Thank you for joining us. So we actually just started. I wanted to tee up the discussion by saying the title relates to Reusable Identity and Bootstrapping Decentralized Identity Ecosystems. We wanted to start by asking what is this?

What is Reusable Identity and how does it relate to the other terms that we're using here? And I'll actually start with Riley. Sure.

Well, thanks a lot for having me. Wish I could be there in person with everybody. Sure. Hi everyone. Hi. Nice to meet you. I'm Kim Hamilton-Duffy, Executive Director of Decentralized Identity Foundation. And actually first we should go around and ask the panelists to introduce themselves. Sam? Sam Kern. I'm an architect and a deputy CTO within DCO. So I have two hats today, the Accountable Digital Identity Association plus the OASIS Identity Trust member section. And Riley.

Oh, yes. I think it was adjusted back. Yeah. So this is Abby with two hats today. I am with the Accountable Digital Identity Association and OASIS Identity Trust member section.

And Riley, over to you. Hey, everybody. I'm Riley. I'm a co-founder and CEO of Trinsic. Great. Thank you. And welcome, everyone.

So, okay. After much delay, and I apologize for that. So we do want to start by talking about what is reusable identity? Is there a common consensus around what this is? Is it a vibe?

Riley, why don't you get us kicked off? Yeah.

Yeah, I think reusable identity is a conceptual term to talk about the value proposition that a lot of folks see in things like decentralized identity, which I view as more of a technology term. So reusable identity is just the idea that I can have some persistent representation of my identity that I can use in multiple places, which is portable and controlled by me. Great.

Sam, can you, do you have anything to add to that? No, that's pretty good. I think there's some terms associated. KYC is the know your customer process. Everyone desires to lower KYC cost and friction. And so this is one of those applications where reusable identity has an obvious application. I feel some discrimination, guys. Not exactly sure what you're doing with these microphones. You put them in their head and they stop working. We need accountability. And this is why the name and the idea. So we agree on what reusability means. The $64 million question is how.

So you cannot just take a credential and use it. Or you cannot just take some assertion from a wallet that this is Abby. The question becomes how can you prove that Abby is a presenter of this credential and if this credential issued to me by some entity that I do trust. And this is where the idea comes to the equation. So provide the framework between regions. So it's basically we follow like what the DNS system is. It's a system of systems. Your identity is uniquely resolvable within a system with a given assurance level across the whole participants in the ecosystem. The issuer is onboarded.

The user is onboarded. And we provide an overlay that do all this stuff that John, where is John? Did John run away? That talk about, okay, someone need to do translation and someone need to do resolution and including protocol and data. So what this led us to, to the work that we're doing in Oasis, is that at the end of the day, there should be a core enabler of a credential with a known schema and known assurance level. And this is needed at least at the core minimum to bootstrap. Why we need to do that?

Because a verifier need to know before the transaction start, if you want to go with some entity, that I have all the attributes to create an account for you or not. If not, it's going to lead into conflict.

Thank you, Abby. And I did want to spend a little more time on the sort of problem or what is reusable identity and talking about, in fact, why it's valuable. I wanted to call attention to Abby's recording is not showing on the video. So I'm just kidding. To the microphone. I had this. No. Okay.

So, yeah, well, just sticking a little bit more on reusable identity, why is it valuable and where are you seeing it used? And I'm going to go back to you, Riley.

So, yes, reusable identity. What's the value? Where are you seeing it play out in Trinsic? Yeah. As Trinsic, just background for people who don't know, Trinsic has been around for five years. And for four of those years, we were really a general purpose platform for verifiable credentials, which people would use for reusable identities of various kinds, right, physicians licenses, education credentials, and so forth.

And the place where we saw the most reusability, the most sort of consistency in terms of the adoption, was in just a basic identity credential, right, a sort of identity verification that was completed. And instead of taking the result of the identity verification and throwing it away or just keeping it in your own database, you allow the user to take control of the results of the identity verification. And as Abby said, you associate it with some way for them to prove that it's really them when they're representing it and things like that.

And then, so anyway, that's the number one place where we see reusable identity right now is basically a substitute for identity verification. Interesting.

Sam, are you seeing, does that resonate? Are you seeing use cases like that? Others?

It does, but I want to talk about why. Why it's useful. And specifically why decentralized identity plays a role here. The general model of sort of undecentralized identity, if you will, centralized identity, is that you often trust the data because of where it came from, meaning a relying party will get it directly from the source of the data, and that's why they trust it. The use of verifiable credentials makes that trust portable. And so the source of the data can issue a signed verifiable credential to the individual.

And the data can still be trusted because of the signature validation and, of course, checking the issuer and all the stuff that John was talking about. But that makes the trusted data portable in a way that we haven't really had in an organized way before. There's other methods that have done it, but this is sort of the largest, most recent effort to make that occur. And that's why it's valuable is that it changes how the information flows in a way that makes it very regulation compliant. You require consent from the user for their information to be passed.

If you provide them the information and then they provide it to the party that wants it, then they are, by their action, supplying the consent for their information to be provided. So it makes it architectural and automatic to be compliant with regulation, which is very useful. And from a privacy perspective, lots of companies are realizing they don't want to hold on to everyone's data, and there's a liability there. And so it's the architecture of how that works that makes this particularly useful in decentralized identity through verifiable credentials.

So a little bit of agreement and disagreement. Okay. So the agreement is on the way, the convenience of sharing data and how you change the trust. But the good benefit will come from, at least for KYC, is where you, as a relying party or a verifier, where you go to get the data about the user.

Today, because you want to reduce the friction with the consumer, you end to go to third-party data aggregators, which means that data is conducted behind the consumer and the consumer is not involved. So if you come in with one least common benefit, is the user presenting the data, they have control now on their data as opposed to filling or trying to take a test, an exam, about data collected behind their back because they were profiled. And this changed the game because now you have more trusted data as a verifier, number one. Number two, you can correct the data that's wrong about you.

In the older days, you could not do that without big expense. So if you had identity theft in the older days and you have to answer KBA questions, you have to answer the questions based on who stole your data because this is what's collected behind. One question I wanted to get to because it sounds like you two are violently agreeing and not disagreeing. So I was hoping for a little controversy for a spicy panel. Just curious to just follow up on that. Are you seeing, Sam, any aspects of that that I missed out on?

No, I think I agree, but, you know, we have to, you know. Sometimes manufactured controversy is better than no controversy.

Okay, excellent. So I think let's go next to, okay, so we talked about reusable identity and what are the benefits of it. And in Riley's case, for example, it sounds really easy, right? So a verification event is happening and you're recording it and reusing it. But I imagine there's a lot more to it. What else is needed to get there?

Yeah, there's a lot. I think the answer is it depends on the context, right? And somebody mentioned levels of assurance just a minute ago, but I think that that's an important point is that, you know, businesses are always trying to find this balance between, you know, as Abby says, friction, right? And as Sam says, fees. And I'll add one more, which is fraud risk, right? Those are the three Fs we think about at Trinsic.

Fraud, friction, fees associated with identity verification. And, you know, you can dial certain things up and down depending on your, you know, level of, depending on your requirements along those three dimensions. So things like, you know, other things like corroborating data with third-party data sources like Abby alluded to, which is maybe not ideal for certain reasons but is helpful for other reasons. Things like real-time liveness verification and proof of human type of stuff, right?

And then associating it with some authentication that is suitable for the relying party's level of assurance. For example, from a mobile app or using pass keys or something like that. Great.

Sam, what do you have to add? Let's go to Abby first and then I'll follow up. Okay. That sounds great.

Well, I think for this to work, we should have the proper ecosystem where the issuers get compensated. And I think it's still missing out, you know. So an issuer is going to assume liability, is going to do. So any deployment model should take into account that the issuer gets compensated. And I don't think we have a solution for that today. It's either the verifier has to pay the issuer or have a relationship between them and the issuer.

Meaning, quote-unquote, the choice on the holder, which is the user, gets minimal. Because, you know, it's another way of controlling who gets to be the center of gravity. For this to work as decentralization, the consumer should have a choice. And the choice should be based on what transaction is done and what the context of the interaction should be. And it should be separation. So this also applies to which wallet you want to use. So you will have some wallet that holds some reader documents because you need high-assurance live transactions. That's fine.

But you can have also other wallets that allow you to be a human. Meaning, quote-unquote, I don't want the other wallets to know. So I think this will be one thing that we need to really solve it and make sure there is an ecosystem for it. Just to bring in maybe a question here. I think there are situations where an issuer requires a compensation. When you issue something which is based on a strong type of identity verification. But I also envision that when we have a huge amount of verifiable credentials, many of these are issued because someone wants to issue them.

So Coupang Call may want to issue something that says Martin is working at Coupang Call Analysts and has a certain role. And so I think, yes, we have use cases where it's super important to pay for that. So to compensate for that. And others where I hopefully see that we probably have most. We won't need this, but where the issuer just wants to issue. Let me intercept for a second because we have a first in decentralized identity that we've made it this far. And no one said the G word, which is governance. And we haven't talked about trust frameworks.

I think the economic models are still evolving. I imagine that, you know, maybe before.

Well, so I would like to come back to what you're saying. It is it does get tied to governance. It's sort of what comes first. It does. And I don't disagree with the fact that some ecosystems will need payment models to make them work. But I want to highlight the fact that the thing that makes reusability work is that it's all under the reusability is understood within a context. I like to call that an ecosystem. And I want to highlight that some ecosystems are enormous. Abby is working on very large ecosystems.

And some of them are tiny, like a single company that's going to issue credentials to their employees. And the nature of the economic model depends substantially on the size and the nature of the ecosystem itself. The governance thing, though, and I want to be really specific since governance is used a lot to mean a lot of different things, is that an ecosystem has to have unambiguous declarations of which issuers should be trusted for which credentials and possibly also verifiers, although not required, in order to sort of set the rules of the ecosystem. There's usually an ecosystem authority.

In existing ecosystems, there's already an organization that should serve in that role because they're the existing authority. And if they can express those opinions about who's authorized to do what, then all of the players in the ecosystem understand exactly how that works. Many ecosystems, particularly early ones, the main issuer of credentials in the ecosystem will be the authority. And they state who's authorized to issue them. And it will be themselves, more or less. And then who perhaps the authorized verifiers are or what the schemas are in use for the different types of credentials.

So, a country that issues its own passports is an authority on who or at least the offices within the government that are authorized to issue passports for that country, as an example of what I mean by an ecosystem authority. And so, that governance piece, the coordinating piece so that everyone understands the rules of how that works is really incredibly important. And every ecosystem of every size is going to need it. Very large ones, very small ones to make that work. And if I can slide in one more comment, and then I'll give Abby the mic.

The having published governance for ecosystems that are not intended to be closed, and some are useful to be closed, allows the ecosystem to expand in use. If it's possible to discover the governance that an ecosystem is running under, then you can validate according to the rules of that ecosystem in a really useful way. And this allows someone to verify another ecosystem's credentials or join that ecosystem as a verifier of those credentials in a really powerful way.

And so, this is a mechanism, I believe, to not only make it run, but help it expand. Yeah, I mean, in general, I agree. It works. Yeah.

It works, by the way. With Martin, every issuer will issue me a credential, but at the end of the day, like in my wallet, I have a few credit cards that I always use, and some as a backup.

So, the value of the credential to the end user is determined by the whole ecosystem. So, you know, if it's no value to me, you can issue me a credential and it stays, right?

So, the trick here is to enable the economics of issuing a credential where you have a business model that comes out of it. And what this means is that within a category of what you want to do, like finance, health care, social, whatever, there will be different issuers that are trusted with the category of what needs to be done, because people aggregate. Okay?

And, you know, and this changes, it's not fixed, you know? Fantastic. And actually, I'm going to, so I enjoyed Martin's question, and I also want to leave some time for questions from the audience.

So, before we do that, I want to just go around and see, ask for one last parting statement or anything that hasn't been addressed yet before we turn over to Q&A, and while the panelists think about theirs, I'll add mine. It's that reusable identity, I think, yeah, who knows exactly what it means yet? But I think part of where we're seeing the benefits of it and where it's catching on in financial use cases, travel, things like that, is that it's not necessarily meaning that the issuer is issuing a credential that the relying party uses in whole to take their word for it.

It might just be about shaving off margins that at scale really add up. So, that's what I want to call out. We'll turn to Riley to see if he has any closing thoughts. I do. Thank you so much. That was a great comment, Kim. And I think, you know, if governance is the thing that always, you know, needs to come up on a panel like this, I think the thing that we often don't talk about enough is product.

So, we talked about economic models, governance. I think the really, really important and missing conversation is product. As we looked at Trinsic across our hundreds of companies that have used our platform to try to build something and tried to deduce what is the common denominator for the ones that succeed and get adoption, the most predictable thing is not whether they have governance or whether they have business model or whether they have good technology or whether they have whatever. It's product. It's building good product.

It's building a product that the issuers want to use because it adds value to them, maybe because they're getting paid, maybe not. It's a product that is easy for consumers to adopt. It's a product that integrates well with relying parties' existing systems. And it really, really, really all comes down to – well, I shouldn't say all, but I would say the largest determinant of the success of a reusable identity product or offering or ecosystem is really the quality of the product that is distributed into that ecosystem to enable the players. I love that.

And generally, your passionate advocacy for the user and focus on that and really delivering value. Sam? I want to highlight that there's a lot of attention on very large identity efforts. The European Digital Wallet is one of them. And there will be a lot of value provided by those, but they're unlikely to replace the value that you can gain now by using verifiable credentials in your own ecosystems within companies or industry verticals or other things that happen.

When the national – the large projects, not just national, but large project digital identities will help, particularly with onboarding, but it's unlikely to completely solve your problem. And my encouragement is to look now at the value you can get by using verifiable credentials and begin now and then add the value that comes when large-scale identity projects bring additional credentials to the table because you're unlikely to see a full replacement of your business value by the national projects.

And so leverage the ecosystems you have now and get going and don't wait to reap the value that's available. So keep it simple, interoperable. Do it one step at a time. You cannot do it up and replace. So this is complementary and a replacement. And user interface is the key. If the user rejects it, it does not really matter what it solves. It has to work. The common user should be able to use it with no difficulty. Fantastic. Thank you to all the panelists, and thank you, everyone. We do have a few minutes for audience questions, and Martin or any remote attendees.

I think we don't have remote yet, but we should take this question down. Thanks very much, everyone.

Kim, I always find myself asking questions at your panels. I think that's a good sign. You run very inspiring ones. I work at a company called Civic. We actually have almost the opposite trajectory to Riley Attrinsic in that we've been working on reusable identity for something like eight years. We found ourselves having to add some new strings to our bow in the last couple of years. And the main reason for that is that what we found is that relying parties tend to not want to experiment when it comes to KYC.

They want to take an off-the-shelf solution, even if it's more expensive than an innovative one, because they want to make sure that they're regulation compliant, et cetera. A qualifier, just really quickly, is that I'm in engineering. I'm not in sales. And our experience even then is a couple of years old in this and based in the U.S. So I'd be interested to hear from the panel whether things have changed in the last few years and whether things like the EIDAS and other kind of more self-sovereign-facing regulations are making this now a more lucrative and potentially interesting area.

Great question. Abhi or anyone who – I can tell you from what we're seeing from the EIDAS side, the appetite to experiment, it's getting there. And the reason for that is the old out-of-the-box solutions, they really do not work anymore. Accounting offer becoming so sophisticated and the call center cost for most companies are high. So I think the time is ripe, but you need to do it where it's easy, not 180 degrees switch. But I think there is room for adoption. I think there's this high desire for someone else to solve their problem.

Like if government could come along with a magic paintbrush and just fix it, and everyone says, great, now I don't have to think about it. There's this kind of desire, and it's a little bit frustrating for people when they realize that that's likely not going to happen, even with a very successful government project. And I don't mean to knock the value that these large projects provide, because they do, except that the great potential is so much larger than just what's focused on there that I think people are there.

So we have some customers that are stuck on that, and we have some customers that have just decided to move way beyond and let it catch up. And so we see a spectrum of options there. Okay. I would say that. Okay.

Oh, sorry. Yeah, I think we pick one more question. So better have one answer on one question instead of losing questions.

So, Phil. So, Sam said, you know, I think there may be some value for payments within credential ecosystems. So I'm just curious what the panelists think the lack of payments in current credential systems is doing to adoptability in and development of ecosystems. Okay. Who of the panel wants to take the question? Riley?

Riley, okay. Is that you? Okay.

Yeah, I tend to think, Phil, that it may hamper it at scale. I don't necessarily see the lack of good interoperability between all the verifiable credential space or whatever being a blocker to creating initial ecosystems like the ones that Sam is talking about. And I would say the same thing about payments, right? I think within those initially sort of constrained ecosystems, the providers of the software and the product to those ecosystems generally step in to solve that somehow. Some use crypto. Some use just whatever, Stripe, Stripe's API. But I think that's totally doable for now.

I think when you start to think about, like, fully decentralized, fully transitive trust, I show up, you know, in Japan with my credential from Germany, and it's like I expect it to work and the payments just work. Then you'll need something that is much more scalable, like an interoperable payment associated with interoperable credentials. Okay. From my perspective. So thank you very much. I think we are running a bit out of time now. Thank you very much to the panelists. Raise your hands. Thank you. Thank you. Thank you.