Welcome to the KuppingerCole Analyst Chat. My name is Matthias Reinwarth. I'm your host. I'm an Advisor and Analyst with KuppingerCole Analysts. My guest today, and it's been a while, is again Annie Bailey. She's a Senior Analyst with KuppingerCole. Hi, Annie. Good to see you.
Hi, Matthias, it's great to be back.
Great to have you back. As I said, it's really been a while. We want to do an episode today, which is really an episode to lay the foundation for maybe also an audience who is joining this podcast and wants to learn more about the basics. This is really called Identity and Decentralized Identity. We are at episode 204, starting again with explaining what identity is, I think it's a good idea. So when... and you are focusing on very specific types of identities. So that's the part after the "and", after the ampersand, it's the decentralized identity. But to start out, first question for you, what is a digital identity?
Yeah, so it is helpful to go back to the basics from time to time, especially as we spend more and more of our time in a split reality in our physical world, of course, but also in a digital world. And so what does this mean to have a digital identity as we interact in a digital world? And it's at its most simple, it's a electronic representation of your individual identity, but that falls on a spectrum of how closely that is correlated with your real world identity. So think of it at the very far left side of the spectrum where you're not really connected with your real world identity. It's like having a screen name that's something totally random but connected to your interests like basketball-superstar58. There's no connection to myself, a individual with a legal name and an identification number or something like that. Or you could have it on the totally other side of the spectrum where you are clearly identified as a single person with that legal name, with that government issued identity number or social security number or whatever schema is used.
Right, so you already hinted at that. So that does mean that me as a carbon-based life form have one real life identity, but I could have much more than just one digital identity. So how do I create one? Do I have to create one or is there something for me provided? And how does that work? How do I get to a digital ID?
Yeah, it's always different. So to start out with, there's billions, probably now trillions of digital identities out there. And each individual person has multiple. But these identities are also out there for things in the IoT space or for services. But when we focus just on people, you've probably created digital identities when you go to interact with an organization. If you go to make an account with a business, that is a digital identity. And that is what the organization uses to communicate with you, to track your interests, your payment records, things like that. And that is a centralized model of working with digital identities. And there are other models, too, which we can get into more later.
Right. So now that we have covered those digital identities that I might create myself by logging into my favorite retailers website, going to the more reliable part, to the legal ID, to an identity card, and maybe that digital representation thereof. What is the role here and how do you get to such an ID? And maybe as an additional question following up on that. What if there is no institution in my country that issues me such a reliable legal identity? How does that work?
Mm hmm. So we talked already about the relationship between individuals, consumers and businesses. And that's based mostly on self attested data, maybe besides payment information or things which can be verified in other ways. But essentially, the individual is saying, my name is this, my contact information is this, and the business accepts that. But as a foundation to really identify and correlate data with the existence of a person. We have governments there that are the organizational foundation for that. So think of it, if someone is born, they are issued a identification that can be in the form of a social security number, which then is used to apply for a passport. Some form of identification is issued by the government and everything else is built upon that. But that becomes the base form of being able to verify who that individual is at a level that can be trusted by anybody. Yeah, it becomes a quite complicated situation if the government is not strong enough in a region or if you're a displaced person, if you're a refugee or if somebody's lost documents or if they've been destroyed in a flood or a fire. Actually from the World Bank, is that 850 million people do not have an official ID in the world, which is a really surprisingly large number. And that, of course, prevents access to many, many different services like banking and healthcare voting. Yes.
Yeah, you've mentioned it already. So that's the use case that we are using it for. So the question, why do I need an ID is more straightforward to answer. But there are still people that say, okay, I don't have to deal with that digital stuff. I don't need a digital ID. But it's really difficult to achieve that. So there are good use cases where digital identity is more or less the only way to get access to services, right?
Yes, or at least a national ID and it's moving in that direction that a digital form of those national IDs becomes a really helpful and more efficient way to access those services. And that's an interesting direction that we're going. And so if we think about the role that a government plays in providing access to those services, having a really well-working national identity service is very helpful. If we think about the modern economy and the business side of things, those same efficiencies are still really important because every interaction is now based on going from being an unknown customer to being a known customer that is all about identity. And in a digital journey, that's all about digital identity. So that is your means to interacting.
Right, right. And I think a nice crossover also to the other topic that we want to cover today. We talked about digital identity. Now we want to talk about decentralized identity. That is something that just happened to me earlier today. LinkedIn asked me to verify my identity. So to derive my identity to prove that I'm Matthias on LinkedIn. And they asked me to register my passport, my travel document. And I failed dramatically in the end because my passport is that old, still valid, but that old that it does not have an NFC chip, so I couldn't derive my digital identity from my passport document. So, decentralized identity. What is a decentralized identity? Does this have to do anything with that what I just described?
It's often a part, what you described is more about providing the trust. Can LinkedIn really trust that you are who you say you are? It's not good enough in a sense for you just to type your name into the name field and for the whole world to believe that you are really who you said you were. But it's being able to go back and validate that against something which most everybody trusts, which is a government issued identity, which, as you said, sometimes doesn't work. And that's an indicator that we still have quite a ways to go on making this easy for everybody. If we who are analysts in the identity space have issues with it, then many people will also have trouble. To come back to your original question, what is decentralized identity? It is about you, Matthias, having control over your data and your identity. So instead of you presenting your passport and biometric information to LinkedIn or whatever organization it is, and they keeping a copy of that, so to speak, in their system of records. It's you who keeps the information, you present it to them, and it's validated. What the organization receives is a proof that they can trust that that information is correct, but they don't receive the actual information itself.
And the relationship to digital identity, is it somewhat different? Is it just a different type? How does that relate to what we discussed earlier?
Exactly as you said, it's a different type of digital identity. So digital identity is a large umbrella term and decentralized identity sits underneath that umbrella. But it is following a totally different structure. We talked earlier about a centralized model where organizations, be it businesses or governments or universities, employers have their records on customers, on employees, on students. And those are centralized hubs of information. When we think about decentralized identity, we lose those centralized piles of information and it really sits with the individual spread out. It's broken into three different actors. So you have an issuer, a holder and a verifier. So the issuer is the the actor, the organization or person who issues the holder a credential. The holder is you, the person holding the credential. So a university could issue a degree to you, the student. And a verifier would be a different organization that needs that information, perhaps a potential employer who needs to verify that you indeed have the right credentials to do that job, and you are able to present the credential issued by the issuer, the university to the verifier, the organization.
Right, and we will be talking about this decentralized identity as one important and one really upcoming trend also at EIC 2024 in June. So this is a topic that is really of importance. The question is, why? Why now? What are the benefits? Why are we doing that? We do have a passport. We might have even a digital version of our ID card, of our passport. What makes... decentralized IDs are special when it comes to benefits?
It's, um... It's about enabling the business. It's removing a lot of duplicate effort between a lot of different businesses, but also within a single organization itself. So if we think about the digital journey that we mentioned before, it's all about going from having an unknown customer or employee or partner or supplier to having a known actor there. When that digital identity sits with that actor, but you as the organization have a way to verify that credential to a very high degree where you can trust it, you have no doubt that you know who issued it, that it's valid for this long, and it's really describing the person who is holding it and presenting it to you. That saves a lot of work and process and costs on your end. It brings advantages in terms of privacy, both on the organizational side of not needing to hold PII, personal information. It's a benefit for the user who knows that they're in control of that. The user experience is better than what you just experienced because you don't have to do that for every individual organization. You do that once theoretically to bring your credentials into your own wallet, which you hold. And after that, you just present them. And ideally, and we're moving into the ideal phase here because this is still a work in progress, it's portable. So you are able to share your credentials with many different types of organizations and many different types of use cases and in many different roles as an individual or as an employee or as a student. Yes, you have much more flexibility.
You mentioned some of the benefits that are often mentioned when it comes to decentralized identity, so privacy friendly, portable. And the other term that usually goes with decentralized identity is disruptive. Is it disruptive? Does it change things?
Mm-hmm. Yes, but it's disruptive in the positive sense. It can be, it's changing the model entirely of how we as organizations primarily have consumed identity, but it doesn't have to break everything. It's been a huge priority from day one that interoperability and flexibility is part of a decentralized identity system. And it's been designed to work with what is already existing without having to rip everything out and build something from the ground up. And so it's designed to be a gradual shift. And that comes with use cases as well that small use cases or easier to manage use cases can be first, but then the architecture is in place to shift to more complex use cases, kind of spreading out the benefits over a long period of time and spreading out the change as well.
So you've mentioned that it's work in progress, but on the other hand, there are lots of efforts already going on. So if you are an organization that wants to deal with these decentralized identities, either support them in issuing them or just in accepting them as a new means of identifying third parties to communicate, what are the challenges for organizations? What do they need to prepare for? What do they need to overcome to achieve this?
Mm-hmm, a lot of it is knowledge-based. It's important to be aware of what your own requirements are, what requirements are coming to you in the next couple years, eIDAS 2.0, which is working quite a bit with identity wallets for individuals, for government purposes, but also for businesses and the private industry being aware of what benefits and what potential use cases will work for you is the beginning here. Being aware of a flexible architecture, pulling out those use cases to do first, use cases to think about later, helps makes this more manageable. That can be done also on the split between consumer-facing use cases and enterprise and internal -facing IAM use cases. Yeah, another thing to point out in terms of challenges to overcome is, or rather things to be aware of, is matching the level of security to the use case. When it comes to these sorts of applications, there's a tendency to be too heavy on the security for use cases that don't necessarily need it. That you have a range of assurance levels which can be achieved. And so it's important to match the highest security, highest level of assurance for use cases like onboarding a partner virtually. It needs to go with very high security in those processes. But if a customer that you already know is making a purchase that they have already done before in a non-regulated industry, you probably don't need to go to the very highest level of assurance. So keeping that in mind and keeping that match that the user experience matches the level of security that fits that situation.
Right, and when you say we are carrying these identities with us, the means is the wallet. I think this is still a market segment that's still in flux. So which wallet will be the one to use? Will there be more than one? And I think that there is still a lot of discussion to be made, am I right?
Yes, that is correct. It will be a multi-wallet future. And you may have different wallets for different use cases, but the ones which will prevail are the ones that are really serving the needs of their users. So it has to work, and it has to work well. As you said, this is still a developing space. There's a lot of action here from different vendors, different government actors. So definitely come to EIC. The conversation will continue there and we will keep you updated.
Absolutely. While the traditional digital identity is not solved, but it's in use, the decentralized identity is still in development. And EIC, as you've mentioned, is the right place to discuss about that with you, with me, and our team, and all the peers that are dealing with that technology. Thank you, Annie, for being my guest today. It's great to have you back and great to, again, talk about digital identity, decentralized identity, also at EIC. And looking forward to having you soon for another episode and maybe also start again basics around topics that are at the core of KuppingerCole Thanks again for being my guest today.
Yeah, thank you, Matthias.
Thank you. Bye bye.
Bye.
