Thank you.
Thank you everyone. As we go forward, I'd like to make sure that we leave enough time at the end for Q&A. This is very loud. Is it too loud for everyone or? It's okay. It's perfect. Alright. And then as we talk through it, you know one thing that we want to recognize for the group is that I think we're all evolving as we go forward. And you know, Yaron has been someone that we've engaged with, not so much as just a customer, but a partner in this journey.
So consider a lot of what we share with you and a lot of the lessons learned we're gonna be around this journey that he's on. So at some point we're gonna ask him, how far are you on the journey? And I'll ask you to be thinking about that one. 'cause I think that it's fairly in the beginning, right?
So as you jump in, I'm gonna give you a little bit of context. This show has been great to help set context to what decentralized identity is.
So I'm gonna go quickly through those slides, turn the time over to Yaron to give you some context or background as far as what the bank is and some of the challenges. And then our model is gonna be somewhat of a fireside chat as we go forward.
Alright, so just to set context, I think many of us would agree today's world is kind of unmanageable, specifically with credentials and how you go forward. I personally have an example of how I have a twin brother and he and I, our social security numbers are close enough. We've lived in the same addresses, we kinda look the same. And so what happens, what's happened is our data has been commingled.
And so you talk about these third party intermediaries and you look at the kind of data that they use and it's funny, I'm just like, well that's not my data, but the intermediary thinks it is. And so how do you really overcome that problem?
So again, it's hard to manage today if we could actually remove that trusted intermediary that inter the person in the middle of it, we actually remove one of the most, I think, complicated and difficult to manage areas. And so to be able to do that, it really is saying, let's take the, you know, the trusted intermediary, take it from a third party that we have to trust and essentially give it back to the user. And that notion I think is important if you understand it, if the user can own their data, I can choose what to share, I can choose what I consent to share and go forward.
And how we do that is we really leverage the, the phone as the device, the place to store to have the credentials presented and to ultimately then change to where the identity provider is the user to what used to be the third party provider now becomes the trusted registry. The place that you can actually reference store, manage and manage the credentials going forward. And last is, I just wanna reiterate again, where does decentralized identity fit in the overall ecosystem?
Quite often, especially at this conference we've talked about, DCI is an answer for everything you heard on the panel they talked about, it's gonna take a little bit of time to get there. And in the context that we're talking about, it really is, it's part of the how do you go from unknown to known and providing that verification step. And then how do you actually become that credential registry to be able to manage profiles and some of the data to then participate in the existing authentication and authorization flows.
Alright, hopefully it was some context setting. I'm gonna turn the time over to Yaron. Thank you. I'll even give you the clicker. Can
You Oh, that's wonderful. Can we do something about the echo? This is a bit,
I think it's fun. You get used to it. After a while
I'll do my best. I feel like I'm at a football game, you know, announcing the players.
It's fun. Right?
Perfect.
Okay, so a little bit context about where we come from. So Raiffeisen Bank International goes back more than 150 years and as a very decentralized organization. So the origins were here in Germany, actually we come from Vienna. But our founder was mayor of a town that was very poor and he was trying to find different solutions, different enterprises to help the community. Something things like soup kitchen and, and clothes and things for the community. And one of the ideas was how can they get credit? How can they support lending in order to develop initiatives?
They were such a small poor town, no one in the big cities counted them or would lend them money. And so they came upon the idea of cooperative lending. And so they started saying, okay, we can support each other. We know the community, we can manage the risks best.
We care about each other.
This, this was really successful. It, it was so successful that similar banks in a very decentralized way were created in other towns. And as they grew in the success, they bought banks in the major cities. Then they formed a, a national bank in Austria. And rolled forward to the 1990s end of the Cold War opening of economic relations, they were thinking, we are in Austria, we can expand to central and Eastern Europe and bought banks in in those countries.
And this, this brings us to our challenges because they were very much different in what they were doing for 30 years until 2020, each of these banks operated completely on their own, separate IT organizations, separate systems, separate science systems. And in 2020 around when I joined, they were thinking, this is really expensive. This really doesn't scale. What can we do?
Can we maybe increase reuse? So can we create applications once and deploy them across all of our countries? What do we need? So we definitely need APIs that are standardized.
We need to organize our data the same way we need events. And when I joined, I was asking how do we do login?
And said, well, we don't know. And we came upon how that we're gonna solve web, web application login with federation. So OpenID Connect standardization because the underlying IDPs that all of them use, and those are just somes are very different. So let's find the basis for harmonization, let's find the basis in standards and, and move forward. I think that's when the question comes up.
You're good.
Okay. So how does, how does Indeed decentralized identity, what we've been talking about so much these days? How does this come into the story?
So what I showed you before works wonderful for the web once we talk about mobile applications. So maybe we have a mobile application and the users already authenticated and we want to go to the web and continue in, in an SSO session. So how do we do that? Or maybe we have a a, an application that we build once and it's a mobile app and we want to do this SSO experience. OpenID Connect is very much web-based, very much redirect based together with banking, which PSD2 sessions need to idle out very quickly in order to protect user security and privacy.
That means you start on a mobile use case, you do OpenID Connect and you end up in a, in a web login.
It's not, it's not the right experience for the users, it's not the experience business wants to have. And so we were looking at decentralized identity, not the full scale and scope that is discussing with EUDI wallet, but we are looking at as a foundational technology. So we were very interested in the interoperability that the wallet SDK can offer us. So wallets, once they talk OpenID for Verifiable Presentations, SIOP. So this capability that the wallet can be the IDP, right?
The wallet can be an OpenID provider. So that means that the mobile app can suddenly participate in the journey as as, as an IDP, a fully capable IDP of of one user, right? The user that's using that app. So that allowed us to also disconnect from the very diverse backend and, and tech stack that they were using. So I don't care if they use Azure AD, Keycloak, Nimbus and so on, because the moment that we meet that wallet and the credential in the format that we harmonize on, it's good to go.
So it was a great enabler for us to achieve passwordless authentication SSO taking the experiences we had in web and going with them to, to the mobile. So basically we said, okay, we, we know who the customers are. So we have all the, all the data of KYC to meet an ID token. We know the entitlements, which channels can the customer use, which applications can the customer use? We can express that information as credentials inside the wallet. So in our case, if you think about the whole ecosystem of, of issuer and holder and verifier, we control the full ecosystem.
We were just interested in the, in the foundational technology. So we issue the credentials and we also verify them. And the wallet is an SDK in our mobile app. So unlike the use cases of PID across the EU where the user needs to go through some education and needs to understand what's happening, in our case, the wallet is under the water line. It's just an enabling piece of technology that if we put into our mobile apps across the 12 countries, then these apps can become OpenID Connect enabled, and we can do those, those mobile flows.
That's great. Keep coming.
Fireside chat.
I have one more slide and then
Fireside chat with no fire. But yeah, one, once we, once we stepped onto, once we entered the technology Yeah.
And, and we hear about all the work happening across Europe and, and the US and the ARF and the possibilities and especially now that the eIDAS 2 regulation passed, this brings about the question, okay, you are identity architects, what does this mean to the organization on other flows? What else is possible? What else is gonna happen? So of course we understand that in the EU identification, onboarding, once EUDI wallet is out there, it's not even an option.
It's a, it's a mandated compliance method to onboard customers. Also, this way we can also issue there attestations. So this opens the thinking, maybe we can issue a payment method into the wallet. Maybe we can issue an account confirmation, maybe we can come together with other banks that we want to enable customers to go to another country and open a bank account.
Have you, have you tried that? Go into another country and then you need to prove you have a bank account, you bring a PDF document. We all understand how easily this can be forged and manipulated.
So there is some value in, in also credentials that are not just the identity credentials. So you can prove account existence, you can prove funds that are legitimate, that have gone through customer due diligence and, and are not linked to to money laundering or, or anything. So really opens the thinking to additional use cases. Of course e-signatures, cross-border banking as we said. And and also organizational ID, I, I'll talk about that a bit more. So we have also corporate customers, of course I suppose many of us here are employees of companies.
So if this corporate customer that manages accounts with us, you know, the company is not a living entity.
The work is done by, by people just like us, by employees. How do we as a bank know who works for a certain company and does he have the right entitlement? Maybe he left the job, maybe he now moved into accounting, maybe she's now CFO. We need to know those things in order to establish access. So if you are dealing with IGA, we we're really supporting you, we really would be happy to see the day when employee card is not a physical card, but a credential.
And then if the industry could standardize and, and say, okay, departments, yeah, I'd like to see when you learn SQL accounting, et cetera, it would be very valuable for us as a bank to know who's in the accounting department of our customers to know who's a CFO. So that could be the basis of knowing if we should provide access to our systems. Currently those are very manual, very risky processes and as, as a lot of funds are in corporate accounts are also high targets for, for fraud.
So Yaron, I mean as we talked, I mean you've said a few things around harmonization. You've said a few things around how do you essentially almost templatize these different organizations? And I know it's been how many years since the bank's, you know, grown? You're in a lot of different geographies. I mean if there was like three things that got you to harmonization, what would've that been? What sort of got you there?
Yeah, and then, and then it didn't brings us to, to the lessons we've had. So because we started through federation and we we, we are kind of like a small ecosystem that is like a lab environment Wow. To connect very different organizations. So in the beginning we were thinking, do we need to take all the customer SI systems and put everything together? And also we operate across so many regions with so many languages and maybe also slight time zone differences.
And we, the realization was, you know what, we don't have to move anything and move anyone anywhere. So through federation and through credentials, through establishing of trust harmonizing was, was a great big pattern for us. So basically to be able to say to people in the organizations what you do and how you do it, so authentication, we did not have to open up authentication. We all do MFA, maybe we do it in slightly different ways. Maybe one of our subsidiary banks wants to adopt new ways along the way.
We, we don't care, we do the federation or we do the credentialing and we harmonize on on the data schemes and on the structures. And that was a very, a very big factor. Bring us forward in a short time.
Not, you don't have to move a lot of moving parts. You can, you can connect them.
That's interesting.
Yeah, we often are asked, you know, do I have to, you know, lift and shift everything to something else? And I think one of the lessons was just harmonize, just actually use standards there. Next lesson I think we wanted to talk about then is if it really is harmonizing using federation, harmonizing using some standards, I mean what would you recommend is that the right path forward is the two standards and is there any recommendations you would make there?
Well, standards were our yellow brick road. You know, we would be, we would be lost. We had a lot of great ideas of how we're gonna solve things with custom parameters in different ways and we threw all of these out of the window because a lot of people can have great ideas, but then how do you get 12 vendor products to support that and how do you agree on that and how do you do the threat modeling and how are you sure that you're not doing something that in some edge case might be vulnerable? So standards were an absolute recommendation.
They enabled us to be sure that we are doing things that are safe and secure. They enabled us to move quickly. They enabled us to achieve internal consent and also to make sure that what we are relying on exists in the products. And if it doesn't exist, it's much easier to go to a vendor and say, Hey we need this feature. This has been out for a year or so and is it in your roadmap? Please provide it.
Yes, it's in this version, install it. So really was was a great way supporting us.
Oh, interesting. I mean it's almost like it's a common language for you as an organization to align to. But it's funny, even at this conference and you know, when you and I were chatting about it, there are a lot more than just SAML or OIDC and maybe some of the OIDC extensions. I mean with standards closed
Please
Or close the door would be great. No thank you. But you take some of the standards and I mean is it stopping there? Is it getting more complex?
What, what would you say?
It's, it's out the roof. So everyone here who's involved in the standards communities can tell you that the rate of change and the rate of innovation I think in the last three or four years is really mind blowing.
So, and, and our lesson is, is take part in this 'cause things that you were doing as an identity architect three years ago, there are totally new solution patterns. You can do it differently, you can do it simpler and, and we, we are very happy that we get the management support also to do that. 'cause it takes time and effort. Yeah.
But being involved with all the wonderful people who are here, who work on these things and asking what they're working on and finding out new solution patterns, even sometimes trying to give something back from our feedback and our use cases has been very beneficial.
That's good.
I mean, participation I think is important. If you consider, you know, the kind of standards that are emerging, those ones that are, are existing, you know, these are identifying just the ones that ping participates in. We see a lot of motion not just in one organization, but all of them to achieve this. And so I think this gives you a good reference point of that kind of standardization. Now the next thing is just should you wait, and I think that's been an interesting conversation.
I remember sitting down at another analyst show about a year ago and talk to a customer and they said, Lauren, I'm waiting, we're gonna wait for those standards to be done. So should we wait, should you wait for standards to be complete before you jump in?
Well it, it's a totally different discussion after the regulation has passed and before, right now there's a call to action with some deadlines that are clear along the way. But I think the standards are changing. But a lot has been accepted as implemented drafts. A lot has been out there in the products. So absolutely, if you have a use case, you don't have to have all of the parts. What I think was true in our example is we managed to close some of the, of the variables and say, you know what, we can be the issuer and the verifier.
We can agree on the credential format, we can anchor down the trust framework. And so the technology is definitely out there tested, validated, threat modeled. So we found that if you have a valid use case, no reason to go for it.
Of course, everyone in the EU, everyone impacted, regulated. It's a compliance matter. So according to the schedules published, it, it's a non-question.
And I think we are out of time. We have a two down here, but we were like, we're done, done, done. Or do we have two? We we
Might have time for, we might have time for a question.
Just one more question. That's cool.
Yeah, we have one more slide and maybe the question could be if someone wants to ask about, you know, what other applications of DCI do you see and then we could be done.
Yeah. The the final question is, or the final Sorry.
Thanks
Thought that that we coming up with this is, is interoperability. So we are talking so much in the EUDI wallet, but the basic first credential that's gonna be there is the PID. But we need more credentials. There are more use cases that can benefit from this. So if you think about food allergies for example, there's not so many food allergies out there.
You might be traveling to a country you don't speak. The language would be very valuable if the people in the food industry, people in the health industry, just as an example, would have this discussion and standardize.
Yeah, could you present in a restaurant, what are your food allergies? And without knowing the language, they would know what you can be served or not. Same thing for academia.
We in, in the financial, financial services industry. So employment, if you are, if you're an employer or if you're in IGA, we're really waiting for this to be a use case. It's very relevant for us salaries. Yeah. All the salary slips. When you want to onboard with a bank, you need to show certain pieces of information. So salaries, having them credentials would also be very valuable.
But there, there are many other use cases and this is, this is a call to action. So these can happen when the people from the industry come together and have this conversation.
That's great. All right. I think we're outta time. We will end. And just to summarize, if you don't mind clicking through, just so we have the visual is just you remember, you know, standardize and harmonize based on existing standards.
You know, participate in standards to help drive them forward. And then last is really just we see industries really owning a lot of the credentials that come about. And so the more we can do to bring industries together to find specific regulations, that would be great. So thank you and find us if you have other questions. Thank you.