Decentralized Identity: The Way Forward

Next session we have a panel. So please welcome Russian Barra from interest, Andrew Bird from ipro Darl from Ping Identity and KRA from Linley, from woman in identity and Eve emailer from. So topic for today's panel is Decentralized Identity way forward. Please help, please Grab that one. So thank you for joining us for the panel. Let's jump right into some use cases. Can you provide some specific examples of why existing architectures are deficient as compared to decentralized identity? I can start, if you take a look at Web 1.0, web 2.0, and now it is Web 3.0.

So Web 1.0 was very centralized. Each application has its own credentials. Web 2.0 came in, Sam, I'll open, ID Connect Federation. So a little bit better.

But still, user doesn't have control of their data. And if you take a look at now, web 3.0 with decentralized identity, user has control of their own data. It's not spread into some database in Facebook and then Google. And then I can track you from place to place to place with decentralized identity. I hold my identity and my credentials, whether it's my driver license, whether it's my frequent flyer, miles card, everything, that information is in my wallet. And I am able to share, depending upon who the US verifier is and say, Hey, can you gimme your driver license? Yes I can.

But with regulations and governance in place, only those people who are actually allowed to seek your driver license will be asking you for that. So that's the difference. I think in one case, you have to give everything and data is controlled by issuer, verifier, and they each other verify against verifier. Verify is against the issuer, whereas in decentralized identity, the user is who's who's holder of the credentials. Okay.

Emma, you have, Yeah, so I do have a role at Women and Identity, but I also have a full-time job as managing director of an organization, identity organization called calf.io and CALF started out in 2019 in Brazil. I'm looking after all of the international expansion side of things. What's been really interesting about the Brazilian market to do is some of the challenges around decentralization is in Brazil they used a identifier, which was the cps, which is their tax identifier pretty much, I mean, everybody's got one and that's what they were using to prove their identity in Brazil.

Now in 2021, the entire CPF database was breached. And what's happened in Brazil since then is they've moved to being biometric driven for identity. Now one of the challenges that they have in Brazil is that they're doing that in a dec in a centralized way. Again.

So, you know, if your CPF database has been breached as a centralized model, you can now look at biometrics as a, as a centralized model and there's a lot of risk there. So we have been looking at, you know, how you could take identity in Brazil and and decentralize it because I think unless we do something different and we are gonna continue having the same issues that we have with centralized models, they're efficient from an identity perspective, but there are so many risks. So as usual, I find myself agreeing with Emma on this.

Look, the challenge we've got today, it's four o'clock in the afternoon, you've, it is been a long day. We've gotta find ways of making verifiable credentials interesting enough that you're not looking at your phones. And we should be able to do that. I first got interested in verifiable credentials in, in 20 20, 21 when it was all about covid.

I got on the front page of the Financial Times for the first time ever talking about how verifiable credentials combined with strong biometrics could actually be both privacy preserving in an area that people were incredibly sensitive about, but also very secure, which it turned out nobody cared about at all. We assure the genuine presence I prove as a company that assures the genuine presence of people. So we do face verification.

We are the people who bind the human being to the wallet full of credentials to make sure that you can't, that you don't have a beautiful wallet full, full of, full, full of interesting facts about you, which somebody else can hijack and, and use the I agree completely with Emma. The key, there's a lot of messaging about verifiable credentials that this is all about user control. And I'm sorry, I'm gonna disagree with you.

I don't think users care, I don't think roll, trying to roll out technology that preserves their privacy when they give away all of their data every day to Facebook and Google quite freely is gonna appeal to them. The key issue is verifiable credentials are incredibly scalable. And at a time when we can see people identity becoming a part of critical national infrastructure, it produces a uniquely secure and highly resilient infras mechanism for the basis for our future digital life.

It's much harder for a hostile attacker, be they criminals or nation states to attack a decentralized identity architecture than it is a traditional centralized, I'm gonna build on that. It's gonna Succeed because I I love that you're thinking outside the box and challenging things.

I, I hope it's the case that this decentralized architecture remains decentralized. We know that there's, there's a lot of unknowns in the picture about how things will be deployed. I hope they're resilient. I hope they're even anti-fragile. The thing that intrigues me the most, and it's something we haven't really examined in our industry closely Enough yet, but I hope we will, is it's not just that there's a decoupling between the issuer and the verifier. It's that it's an asynchronous experience that potentially gives the user more control.

I'm, I was just sort of saying, you know, nobody wakes up and says, I think I'll log in today. Nobody asked for an identity and nobody asks for most credentials and nobody probably will want most credentials.

However, the ability to separate those things in their experience is two completely different journeys or one and then maybe many. That's sort of the ideas, the reusability. There will be power in that asynchronicity and I'm a big fan of asynchronicity. If I may, I will just add to that because I totally resonate with, with what you're saying.

So my, my, my biggest point of love with verifiable credentials and decentralized identity is actually you can let data flow. Why are the control of the data subject, if you want to use the GDPR term or the individual, the user, the citizen, whatever customer, so they can basically decide where they want to give the data and create value on the recipient side and also for them. So I think this is a really cool trait of the, the means of letting data flow wire the people who are, who basically are subject to the data.

And I think this is where, and we had a little pre-chat behind the scene just now. So whereas the business model and that, so I think my key vision would be that we have an interoperable trust architecture that's similar to tcp ip will be just baked into every single online transaction that you basically have the means of strong authentication in the hyperconnected world. Meaning basically this should be a standardized protocol where you can interact between agents, people and software systems, whatever, in a very secure and trustable way.

And I'm also a founding member of trust IP and the steering committee member, this is what we are working on at there. But this is the key thing. We built the building blocks which talk the standard protocol to do this. And this will be a game for vendors for everywhere because in the end, your customers will expect that you talk the standard protocol in your pro, in your product suite. And I think this is the key we have to all work towards as an industry.

I think the federation has reached its end because we have for example, one top five bank that has requests for 300 open ID cadet connections a month to be added to their network. Why? Because of all the FinTech companies and business affiliates and business partners and the business managers are the ones driving this and they're saying, no, you will do this. And they're like, we can't do this. We don't have enough people to do this, to manage the, all these backend connections.

And by decentralizing the identity, it's not about issuers not storing data anymore, it's about getting the data into a transportable mechanism by which the integration point is the person that gives you choice, consent, control and those privacy models. But more importantly for the business, it gives you scalability. Now you can empower business partners very rapidly with a simple mou and you don't need to build anything in the sky. You don't need to build any integration on the backend. And that gives the user much more capability as they move around and interact.

O Oftentimes though, the thing that is preventing those relationships from scaling higher is not, I mean it's easy to mint client IDs for example. You can mint client IDs a lot faster than you can establish whether a merchant is really good for the money and vetting them. Like you know, I mean back in the day I worked for a bank like object where, you know, it was a human workflow and I wonder how easy it will be to give that up. Business trust may still be a gating factor by choice. But it's interesting cuz exactly what you just said is one of the driving forces behind a use case.

Cause we've asked about about use cases, the state of California is now issuing its core driving license and other state credentials in the form of W three C verifiable credentials. And they chose to do that for exactly the reasons that you just said. Any other solution would be nightmarish to scale, nightmarish to build a nightmarish to operate and would probably lead to tr tremendous cybersecurity threats. Yeah. Yeah. So they've gone for verifiable credentials. That's one of the big first use cases for, for VCs. Just one other point, we were talking about business models.

One of the big concerns, and you said quite rightly, we've built a trust, a data flow model in for, for verifiable credentials that keeps everything nice and segregated, makes the whole system resilient. Unfortunately, nobody's paid any attention whatsoever to how value is gonna flow along this and how anyone's gonna get paid. And the real risk is that we solved that problem by completely subverting the privacy model in here and building an overlay network for payments that gives total transparency to everybody and very, and and removes all the privacy and security advantages.

That is a big concern. Insidious centralization, it's everywhere. And that that, that ties into interoperability side of things. Yes. So state of California very well did W three C. Now government of Canada might not accept those because they, they're not interoperable similarly, BC go may not have that. So that those kinds of problems is, is what we have to solve. And another, another thing about scalability is that although decentralized identities are supposed to be scalable when it comes to DLTs and underlying blockchain technologies, the scalability is still a challenge.

Who said You had to use blockchains? You don't capitalize, you don't. Totally Them are, most of them are Not ours. Fair. It's Drinks who Could have just drunk And so does e bsi.

So, so, so most of the, the the, the citizen ID players, like for example, European blockchain infrastructure, they are using Ethereum. We'll see, We'll see if the Want to know that the paragraph about the EBS I style type of verifi verifiable data registries has been striked out from the draft of the adas. Yeah. So there is no real reliability that the EU regulators will have some kind of a paragraph in that allows or even recommends the application of blockchain type application.

Putting, putting the issuer credential, signing key, you know, the public key on the ledger and also a status list, revocation list on the ledger. Yeah, that's fine. I think it's a great idea. Yep. But anything beyond that gets very dicey.

Right, that's fair. And that's why Europe loves pki and we, We need to move towards that scalable solution because there are governments and institutions who are already investing heavily into the blockchain infrastructure underlying for that, like Ebsi has invested and Ebsi EU is mandating governments around to say, join ebsi, start issuing identities, digital identities to your citizens. So given that we need to definitely have some solutions which are scalable and interoperable, What, wouldn't it be ironic if L A P turned out to be the perfect BDR fright occasionally read a lot of times.

Yeah. I think One of the biggest questions for me and like adoption of decentralized identity is the user and is user's understanding of how these technologies work? Cuz they start to get rolled out and I don't know, I'm kind of interested if anyone's got any perspectives on, on the user and like how we're going to, how we're going to explain some of this stuff to the user. You Won't Explaining doesn't work any technology.

If we, if we, If we have to start explaining it, we are failing. That's right. Exactly. If you're explaining you're losing Have to educate The user if you're incentivizing.

So, so, but then, so how, how do we incentivize, how do we, how do we get user adoption? I'm really interested to get perspective.

You, you set up a way that they, they have to have it in order to pay their taxes. Well this is, that's not popularity, that's pressure.

That's, I'm sorry to say. Yeah, so I think in, in, in, well Germany has a interesting track record of not getting citizens really useful digital identity. So the the point is it has to be useful and if you have to excerpt pressure to make it useful for people because they need it so that they can do a certain thing, which is what they're trying with a thing called BUN ID currently in in Germany. So it's annoying people. So I think you have to make it terribly easy to use and terribly useful to people so that they like having it. Yeah. And I think that's the key Point. Agreed. Yeah.

The issuers we're working with, we have live projects tomorrow we're gonna present RFIs and a bank for example, yarns gonna speak. So in our projects, we're working towards an ability to use that credential in many more places and that's gonna drive adoption. Absolutely. The more utility it has, even within a closed ecosystem, by the way, if it's omnichannel and you have the exact same user experience both in brick and mortar as you do online, it's a no-brainer. Right? So that's the key.

And, and it, I think it will be transparent. The verifier will drive what data you need out of that credential. The user just consents to it and they're done. And that's it. And completely agree. But then I, I certainly believe that there has to be a governance framework which says, you know, you, you don't just because how do you trust the verifier? If I go to x, y, z site, which is an e-commerce website and they say, gimme all the information about your passport, I shouldn't be giving that because it's not valid. Yeah.

But but going back to the point that you were saying about what the u user in the center, I think passwordless is the simplest use case that you can think about using decentralized identity. I've forgotten my passwords multiple times. This I don't understand. There is no relationship between passwordless and verifiable credentials. I'm sorry. It can be Strongly a About authentication. Cred is about attributes. If a private key is all you need, that's It.

That's, that's depends on your use case. But then you talking about using device based authentication, I mean that's, no, It's a little bit more than that. There's a device binding and there's a private, It's I and a there you go with a good experience. And I think that has the good prospects. And in my previous talk, you know, I basically, my analysis found, you know, not a bot is, is really good. And that could be easily tied to that.

And also gaming, flex gaming achievements would be a really interesting one because it's entirely upside for the user and it has prospects for upside for everybody else. The Biggest, the biggest driver for the consumption of verifiable credentials in the United States is about to be alcohol purchases.

There is, it's, it's not, there's not a lot of noise about it. Sure, sure. But a huge system is being rolled out now in the associa, in the American Association of Convenience stores, 29,000 stores I think in California alone, where a dedicated verifiable credential will be created and used and presented in the form of a QR code that will enable over 20 ones to buy alcohol. And they won't even know, will they say to the users, Hey, you're getting a verifiable credential. Of course they won't.

But people are gonna adopt it because it makes their lives simpler and anything it makes lives simpler will be adopted. It's same thing, right? In closed Ecosystems, we have one very large fast food chain, global fast food chain. Yeah. They're going to only keep, they're an issuer but they're also gonna be a verifier and consumer in a closed ecosystem model. They're gonna get rid of all the PII except for the email address for marketing purposes. And that's really, they're gonna make the account in the credential right at that point.

Now they're gonna enable these v i p experiences when you walk into brick and mortar, they're gonna know what your favorite things that you order, they're gonna be able to present those on the kiosk. Exactly what you always buy, click you're done. They're gonna greet you by name. So there's a lot of, even enclosed ecosystems, there's a huge benefit to this by enabling omnichannel and VIP and concierge experiences, right? Yep. Yeah. Just that alone for closed ecosystems can be very powerful.

Much less going beyond like ripens doing with banks all over the, you know, multiple banks in multiple countries and doing cross-border banking that's even way beyond, that's effectively More user experience, ease of doing business, you can make the better it is. That's right. But that's interesting cuz that's gonna play a role in the standards battle because we are in front, we are, we have before a standards battle, it reminds me of Windows NT versus Linux over 25, 25 years ago.

Because on the one hand, the closed user model, and it's gonna favor the use of verifi, of sta open standard verifiable credentials. Why would you do anything else? On the other hand, quite a lot of company organiz of state organizations are slowly being bounced into the use of ISO standard mobile driving license 18,000 and whatever the hell, whatever it is. And we're starting to see a, a real standards battle building up. Is it gonna be mobile driving licenses or is it gonna be verifiable credentials? It's Federation, it'll be many. We had A cool Session. Someday they'll come together.

We Had a cool session about that just two hours ago. Yeah. So we have, we have created a big matrix of comparing all the different data formats that are possible. And some of this work has actually flown into what has now been carved in.

No, not stolen, well carved, brought to the arf. So actually I think to, to get to this privacy point, I think it's, it's not, we cannot solve it all at once with the, with the users. So they have to have some basic understanding what's going on. So they don't want to be encouraged to share all the details of the, all their credentials just for this free cappuccino. So I think this is a little bit of give and take at the same time as an industry need to build in some kind of recommendation models in the agents that the users use, that they understand what they're doing.

You are disclosing all of your high value credentials to this dubious actor that you have just scanned the oracle, you want to warn them. So we as industry have to build that in somehow. Yep.

And, and probably have machinery governance framework for that too. One, one point, and then I'll let you go. The thing is, from a regulatory standpoint, it's brilliant to have verified credentials because you can do exactly what you said Darrell, turn it around, get the data risk to the, to the consumers, to the people. They Carry it across The board, they carry it and, and you can just consume it at the instant you need.

That's, and this is great for GDPR as well, right? You're not sitting on the data risk. No more data control. Come on.

Sorry, I have to interrupt you. We are just towards the end of the session, we will now open the panel to the floor. If there are any questions in the audience, we will take them. Let's see whether we kept them awake or not.

No, they want us to put the gloves on. Now We let you get one question in we were on.

Yeah, we have Question. There's a hand, there's A, there's one question. Yeah. Here.

Oh, Oh. So inspired by, by Eve's talk on, you know, what's the killer verifiable credential?

Maybe we, we identity nerds, maybe we are overthinking this, making it too complex. I mean, I was thinking what if I could in my wallet, add my allergies, my dietary requirements. I go to restaurant, I will get a customized menu, I go to an online store, they will only, you know, show things that I can can buy. I mean that's a really simple, you don't really need to trust infrastructure because it's gonna be self asserted. Why would I lie on stuff like that? Any thoughts around, you know, that kind of simplicity?

Yeah, there'll be schema galleries available and those schema galleries will be also instant instantiated in your wallet or in your authenticator. So you'll know all where you can go with your credential, right? That's the goal in the future. So we'll be able to have a menu, a la carte system and say, where can I use my credential today? And if you don't have the right one, we can drive you to go get the right one and come back. Right. Or we can convert from one flavor to another credential. Who cares?

You show up with one flavor and the service provider requires another, we'll just migrate it on the fly. That'll be, It'll be a bit, bit like an app today. If you've got the credential, you can use it. And if you haven't got the credential, then it'll politely ask you to go and download it. The way that today, if you wanna do something and you haven't got the app installed, it says go and download it from the play store.

That'll, it's, it's use and convenience that will drive it. But I think the key thing though is thinking smaller. There's one more question for us. Sorry.

Sorry, That's Rob important. Speaker 10 00:22:33 So I'm gonna ask a question for you. Daryl is somebody who definitely does not work for the same organization as you. Anybody here know? So I found the, the comment about improving customer experience and brick and mortar type interactions. Interesting.

I, and I'm, I'm like a little bit skeptical about Speaker 10 00:22:52 The fact that it's decentralized identity that suddenly makes this stuff possible. I have done more demos than I can think of, of how you can improve in-person experiences by using lots of other techniques such as, you know, just good old device binding and fighter and all the, the rest of it. Where it seems to fall down is just a lack of ambition in terms of, of organizations actually wanting to invest in, in providing those experiences. So I just wonder, again, devil's advocate kind of question, right.

What do you see about decentralized specifically that that's going to change that? Yeah, we have two specific use cases. One is dimension, the fast food chain. The other one is a company that does credentialing of employees, workers in the construction industry. And I know you're working on that as well. And it's a great example where in-person experiences are gonna happen. Construction site, there may be no internet, right? So you're gonna need proximity communications, right? And we've already shown in the TSA checkpoint in the United States, it's working very well. People love it.

They love being able to just scan their phone and look into a camera and match and they're done and they go through security. So I think you're right that companies have to be convinced in the benefit and the roi. But let's face it, user experience is the, is the king right now. And if you can discriminate your brand against another by adding a, a Bluetooth beacon in your store and creating some kind of experience, I think it's gonna happen.

But I, I think Your, your point is, your point is valid. I mean we are providing, we are providing access, access, fast flow, passenger access to some pancreas station for Eurostar based upon pre-enrollment, followed by a walkthrough Porwal. And that is not using verified credentials, it's using a sort of intermediate thing. You don't need verifiable credentials to do it.

The great advantage of it is that when you are rolling out these large scale applications, yes you can do them in a centralized way, but it works an awful lot better because it's more scalable and more secure and your insurance costs are far lower. If you do it using a decentralized technology. I mean just, just the insurance premiums alone Will, will drive, will drive service providers to use decentralized identity rather than traditional architectures because the cost of ensuring all those centralized records is going through the roof. Perfect. Thank you so much. Thank you so much.

We just finished with the time limit as well. So thank you everyone for your insights and we could be good to go on for another 30 minutes. One hour. I can see that. Yes. But I think it's time for coffee. So we'll see outside.