I know I'm realizing this is like the very last session on the very last day. So clearly they did save the best for last, which is fantastic.
Anyway, I chose my topic here. It takes a village because it reinforces one of the biggest challenges that we all know so well in, in the identity world, which is it for better identity to work. It does take a community of like-minded shareholders to participate. A and that's just the truth of it. And that's been, you know, a stumbling block for all of us going forward.
So what I'd like to do in my pitch is not tax your brains with all kinds of additional new information, but spend this session as a way to give you the means to take the information you've learned over the last three days and take it home with you and do some homework, take it to your work, take it to your home.
Actually take some actions. You've gotten an awful lot of fantastic knowledge from the last three days from experts from around the world, but it's not so meaningful unless actually we do something with it when we go home. So hopefully this will help you do that.
So what is the village at a macro level? It's the, the usual three suspects, isn't it it's relying parties who are providing products and services to either consumers or businesses or both it's identity service providers who are providing assurance so that those relying parties can qualify to the extent that they need to their clients, whether they're consumers or businesses.
And obviously it's the consumers or businesses who would welcome the opportunity to interact in the digital marketplace without having to sacrifice their security and privacy, which obviously today, all stakeholders interact in that marketplace at their own peril. We're used to it, but that's not necessarily a good thing.
So why do you wanna go home and try to participate in the ecosystem? I think foundationally, there are three primary drivers for all of us to go back and do some homework and actually try to make a step in the right direction.
The first one, given the rise of cyber crime in the years of coronavirus has accelerated an interest in digital identity. So to a tipping point, and I actually think that's a positive thing that we can take away from the whole Corona era, so that the first one becomes self-evident.
I'm not gonna say anything more about security and to any of you who went to Nick's pitch just a couple hours ago from the open ID exchange, did a fantastic job with all kinds of data about what's been happening on the fraud front and how important digital identity is to, to as one of the measures to tackle that the second one, all of us today also interact in that marketplace, putting our private data at risk.
So what does that mean? It means if I'm an individual on the consumer, I risk identity fraud at every single interaction.
If I'm a business, I not only risk fraud and money laundering, but I'm also exposing myself to be burdened by those rather onerous legislative and regulatory rules around handling privacy data. Right? So all of those things are, are, are very hard to do, makes me wanna participate here. And the other thing is simplicity. I wanna participate cuz it's, it's gotta be simple because if it isn't simple, it's not gonna get any traction.
So the allure of an ecosystem is it provides security and privacy without sacrificing what we've all had to sacrifice here to, for, to participate now, ecosystems aren't new, right? They're they've been around on the planet for longer than we'd like to admit given the state of affairs currently in the globe.
And I'm gonna say that the first iteration of these systems, I'm gonna call first generation systems. And they've been basically pioneered by governments and or bank coalitions.
And therefore guess what the use cases have been focused primarily around public services and financial services, nonetheless, a great beginning, but there was a wide variety of adoption as well. So what we found is in places in certain countries and jurisdictions where enrollment was required for basic necessities like education and healthcare, guess what traction was ridiculously high, who knew, right? But it varied quite a bit in some of the other areas and was frankly a bit lackluster more than not across the board.
And to me, the good news in that is it's now generated a pivot in the next generation of these ecosystems that is ushering in a new era of collaboration between private and public partnerships.
So I'm gonna call these the next generation of ecosystems because they're all revisiting how they work today to be in this next generation. And one of the greatest outcomes in my mind for the next generation is that the, the playing field is being leveled. So now you don't have to be a government or a financial service.
Any public or private entity can play any role as long as they're willing to sign up for the obligations of that role. I think that's fantastic and exactly what the world needs today because the world and the digital marketplace is a lot more than the constraints of the public and financial service use cases that are out there today.
So next generation, in addition to all of the fantastic work in the, the standard organizations to make things simpler and more straightforward and easier to implement is now gonna be much more broadly adopted and, and a much more level playing field, which is why I can, can challenge everyone to go back and, and do some work and figure out how do you play a role here?
Because it isn't just governments and financial services. So it's anyone, what does that mean? So if I wanna be an identity service provider, what does that oblige me to do?
Well, of course, it's gonna oblige me to assure one or more attributes of digital identity. Now I might do that just in a verification mode of yes or no. Or I could do that in the whole sharing mode when it's appropriate and relevant for the relying party use case. That would be my, my choice. But the key thing is in doing that, I also need to do it in a privacy preserving and a control preserving way, right? So that's gonna be key to my obligation as identity service provider.
Now, why would I want to do that? It's extra work, right?
Well, maybe that's a new business line for me, a new way of generating revenue.
Maybe that's a way to get my brand recognition up or to maybe up the trust in my existing brand. Maybe I need that or, or maybe I think that will give me a competitive edge in the marketplace. Maybe I want more market share. Maybe I want more footprint, right? Any of those reasons might drive me to, I might even wanna address some of the problems of inclusion in the digital marketplace. Those are all things that might motivate me to play in this market. What about relying parties?
Obviously, if you're gonna play an ecosystem, I'm gonna wanna use one or more of these identity service providers, but even most important, more importantly, I think what relying parties are gonna need to do is they're gonna go through a very detailed self examination of how they work today. Do they really need all the data that they're asking for today from their clients, whether they're businesses or consumers and in a lot, lot of cases, the answer is gonna be no.
So guess what, if you only need to know that someone is older than 21 to get onto your gambling website, you need a simple verification service. You don't need any information shared. So in addition to making sharing more safe when it is required, I think this got down dramatically on the cases where in fact it is gonna be required going forward. And I think that's just absolutely gigantic. And why do I wanna participate as a relying party?
Well, obviously for some of the same reasons as anyone would wanna be an ecosystem for reduced fraud and money laundering and all that kind of good stuff, but again, to, to get back to the private data side of it, the less I'm exposed to those onerous regulations and laws, you know, the more efficient my businesses, the less onerous all the software is that have to build around all those compliance and legal and legislative initiatives that are going on today.
It just makes my whole world a lot easier to do.
It can increase my through pro it can reduce my abandon rates and it can do the same things as what's done for an IDP. It increase my market, share the trust of my brand, give me a new revenue stream, et cetera, cetera. Right? Imagine let's hope Facebook is in the audience there.
You know, we, we are have some brands who let's say have some upside opportunity on the trust front. This is a way to, to go forward in that space.
If, if someone wants to feel free, anyone from Facebook to reach out to me after the session, okay, the good news is the digital identity ecosystem exists. And you guys know that, cuz you've heard about all the great stuff going on for three days, right?
It's, it's no mystery, it's there. And to talk about three pillars in particular, you know, first I would just open up with the obvious, you know, fantastic movement in the open ID foundation and the open ID exchange.
They truly have built a foundation that will, will enhance interoperability all around the world and work with the existing jurisdictional frameworks. And I think that's exactly what is needed now. And the other thing is they are intimately involved in everything going on with the, the public legislative movements, as well as the regulatory bodies.
They're on those forums, they're shaping the outcomes. And that just is a way to both have the great greatest and latest standards have the open source available to you. You that's associated with those standards and also keep current with all of those, with those regulations and laws, you know, it's a no brainer to me that that's a great place to start.
And of course the second layer, what what's become interesting of last two years, which really hasn't happened before is those regulatory bodies in the government seem to, seems to have finally dawned on them that really they have a huge part to play in helping to stimulate that adoption and that traction.
And guess what, you know, I, I was a very happy girl to see the European commission come out with a proposal that said that they'd like to propose to mandate that certain industries must accept digital IDs. Can you imagine what impact that would be in the market?
You must accept it and guess what it was across five different industries, including, but not limited to financial services, you know, happy days that would make a gigantic difference. I'd love to see every jurisdiction do something like that. I think that's fantastic news because it says they're being more involved. They're realizing the impact that they can have in adoption. And finally, I would say that over the last couple of years, I've seen a dramatic change, which again, I, I totally embrace and welcome from a series of paper, tigers and publications.
And I've certainly helped author too many of them to, to wanna think about, but they're papers, you know, they're, they're two dimensional, black and white. Some people read them, some people don't. These are now moving toward pilots, pilots between public and private sector between private and private sector. But they're actually putting to, to use all of these great standards groups, all of these, you know, open identity exchange, industry groups, groups coming together to make sure that this stuff actually works fantastic. That just is a gigantic, gigantic difference.
And we also be taking advantage of that if it makes sense.
So, okay. I've just told you it's all there. You know what what's but why isn't it there today? Why don't we all have great global digital identity?
Well, obviously it's, it's not as easy as, as all that. And I would put it down to, from a barrier to entry perspective. I think of three foundational principles. The first one is acceptance of the status quo and I'm as guilty as this is. Anybody else, guess what? I've long accepted that I'm giving up my security and privacy to order from Amazon, at least every day, sometimes multiple times a day.
I, I just accept that. And I live in Manhattan. Convenience is king. That just is everything to me. So there is that, and that's a huge difference, right? If we were in a world where that was available and we didn't have to get used to it, it would be a different story.
Two is detraction and adoption. As I just went through these things have been around forever, right? And guess what? The history of traction is not so great other than unless you enroll, you won't get healthcare, right?
So, you know, people as they go to second gen or third, is it really gonna work this time? What's different, right? So there's, there's a bit of hesitation and pause on the market.
But again, you know, you, you've got to temper that with what's happening at the moment, but it's a, it's been a problem. And thirdly, you know, one of the scariest unknowns out there in the universe is this whole question of liabilities while nobody expects that fraud will completely disappear off the map when we have good digital identity. And Nick touched upon this in his, his feel as well.
There's a lot of concern on once there's an ecosystem and you agree to certain obligations, you know, are the, the punitive results of participating gonna be worse than they are today when those fraud events do occur. So to me, those are three things that have hampered this becoming a reality already.
Now I would also say, and I'm gonna, I'm going to, I'm gonna say that everyone in this room virtually and physically are market movers, but I'm gonna say for market movers and leaders, this is the opportunity that you've been waiting for. This is the opportunity to lead.
And guess what, as soon as there's an alternative where I can have my convenience and not give up my privacy and security, people are gonna latch onto that. It's not gonna be a question I think of in my own experience, what happened when PayPal came on the map and I didn't have to enter my credit card details every bloody time I tried to do anything, I, I was, I was an early adopter of that and I, I still use it. And in fact, an early mover knows that and they know that if I move to PayPal, there could be 12 more.
I don't bloody care. I've got PayPal, right?
I'm not gonna wanna just sign up for 12 of them. Market movers are gonna have a gigantic advantage in this space. And people are smart. Businesses are smart who want that security and privacy, as soon as it's there and you have a choice, bloody hell, you're gonna drive them to it. All right. In terms of traction, you know, that's tough.
That's, that's always gonna be a bit tougher, but I would say the changes of foot are, are making already making dents in that. And one of the ways that's happening in these, these public private collaborations and partnerships, they're really mitigating those risks and, and averting them completely in some cases. And the other thing that's happening that I referred to before is if regulatory and government step in and say, you must accept digital identity.
You know, guess what?
That totally changes the whole story of, of how this markets can take off. So I'm actually not worried about adoption or traction either for market movers, again for this audience only unknown liabilities. So that's a really interesting one. And I'll say, I'll say a couple things about that. One is even though the details of that were, would still be worked out. I think there's precedent all around the world. If you look at every one of these existing frameworks, what do they say about liability?
I think they they're very, very intelligently say, look, it depends on the use cases. It's up to the relying party. The relying party who's providing that service are good needs to figure out if they have sufficient assurance to provide that service. And it's gonna be different if it's an insurance company or a bank versus a gambling website. So they need to ultimately decide they can choose to use one IDP or three.
They can use different assurance levels. They need to get the information and the evidence for the assurance that they're being given back.
But ultimately it's their business they're under could be under some regulation or oversight. It's gonna be up to them and they need to be given the information.
And again, since these are still under debate, they could still all go terribly wrong. So the other point here is participate. And one of the problems of liability is you get into room and there's endless philosophical debates and talking heads. To the extent that you in this room are market movers and you start this and you have real live examples and production pilots. That's gonna go a long way, way to help shape what's going on in these conversations versus talking heads and philosophy, but definitely the jurisdictional stance on relying party, given the right information.
And it's there.
I mean, I think it thought to a good start from there because we nothing will kill this sooner than making it punitive for identity service providers to participate. Right? It's it's got it. Obviously it's gonna make things better, but it really does take a village, even in terms of who's responsible for what here and it's, it's not all simple, but the right things are happening and you guys can make a big difference as market movers. Now I'll also say that you lot are very realistic. No one thinks you're gonna wake up tomorrow and oh, there's an ecosystem. Hell lovely.
What a great day is this? It's just not gonna happen overnight. So guess what? It's a journey. You accept it to journey.
You know, you're on a journey and you're taking that first step and it's not gonna be, you know, the perfect set of all the defined schema that are still under discussion.
The trust marks and the certifications of those being are still being rolled out by the UK.
And Ida, the point is don't wait, take a step in the right direction, cuz it is a journey. So what can you do?
All right, let's say you're an IDP or an RP or a partner of one of those pick a partner or three. If you're an RP, who would you trust to verify identity for you reach out to them, create a partnership, start a pilot, start working on it, get your brand out there and say, Hey we're we are proceeding on this. We're following the standards and we're helping to form the next bits of it. That aren't yet. And then as other things come along, you, you can take advantage of those. And if enough folks do that, you start with the use cases that are meaningful to you.
The ones in the world today tend to be high value, high security use cases. And it's gonna be the schema that are relevant to your use cases. And then over time that will grow. You don't have to give a menu list of you have to have five choice of five IDPs and you have to have every RP signing up for your service. Start with one, start with three, go ahead and start. Whether you're an IDP or RP, that's your, your homework for me, I'm throwing down the gauntlet. Okay. Over time. Of course there will be that choice.
Choices of IDPs choices of RPS and choices of all of those great interactions that go well beyond those original pioneers of government and banks who started what I'm calling the first generation ecosystems with all the broad based schema coverage that comes with it. So the last couple of slides, especially tuned into this audience who are the market leaders in this space.
It does take a village. Let's start with all of us and simply stated, go home your homework, start with scope and objectives and define what you're gonna go after. What's your client profile.
If you're a relying party, if you're an identity service provider, you know, who are your relying party clients potentially, if you're relying party, who would be your IDPs, create those profiles, define and prioritize your use cases. Clarify what outcomes you want out of participating in, in bootstrapping your own tiny ecosystem here. And then once you have that, you've got your scope and objectives, then figure out a roadmap, right? Assess your execution readiness, engage in whatever partnerships you need, public private open standards. And then seize those first to market advantages.
Be the PayPal. The PayPal is to me and you have stickiness. That's gonna worth its weight and gold. Even if behind the scenes, you changing your protocols and getting better schema over time.
So since the devil obviously is always in the details, let's go at least one level further and talk about what we mean by that. So in defining scope, where do you start?
Who are, who are your clients, right? Are they consumers? Are they businesses? Are they businesses who serve consumers? Are there businesses who serve other businesses, right? Figure out how you're going after what jurisdictions and, and what, what you're trying to do with that audience. Is it existing? Is it a new revenue stream is a new business. Is it really answer all of those questions for yourselves because you won't be successful if you, you don't know where you're trying to go and then define and prioritize your use cases.
So maybe you care about onboarding and account opening, or maybe you care about payments or maybe you care about just the authentication process and making that more robust or, or ID Federation.
You wanna make Federation happen in your context, whatever it is, define what that is for you. It could be a combination of these as well, of course. And then clarify what outcomes you're looking for.
You know, what, what are you seeking? Just, just less fraud, you know, greater throughput for your business, reduced abandonment rates, more revenue stream, be clear in your own minds of what you're seeking, which is why you just separate out how you're gonna do it.
Like, what do you want? Because you really can decide what you want your destiny to be here. And then you can talk about your roadmap, right? So starting with your readiness, do you, you know, do you have gaps in the data? You need to do this, or the technology, identify what those are. Seek out. The partnerships, work with standards. Organizations look at what sorts of protections you need from a compliance standpoint.
If you don't already have those covered, because in some cases, if you're a new business's IDP, how you register yourself, what obligations you're under, all of that may change. You need to think about your readiness for that. And of course, to the extent you do your own engineering, what's your agility. What's your flexibility. Cuz keep in mind, some of these things are still changing. You're gonna go out there as a leader and get your brand in the market. But you have to know that these things are also changing a need to be flexible and agile. To keep up with those things.
Again, the partnerships are gonna be Uber important. I would of course start. And I've said this probably three times with the open ID foundation and open identity exchange, cuz they've been particularly focused and particularly successful on making all of this subject much simpler and helping to figure out ways to interoperate across these jurisdictional networks.
Because now you're gonna be able to say, use support us, medium security, N low security.
You know, you're gonna be able to communicate between networks, what you're able to support and what jurisdictions gigantic. This is absolutely gigantic. This is gonna open up the way for the world. Maybe you decide as part of your scope. You're gonna be one of these players that sit in between the jurisdictional networks and you're gonna provide this value add, and then seize those first to market advantages. Be my PayPal that I'm never gonna move from.
Unless having said that I have an alternative that uses something strong in the password, but, and as an early adopter take advantage of the new things that we know are coming down the pike, be the first UK. Trustmark the first Eid.
Trustmark, they're both using Trustmark for some reason. And then, you know, now you're gonna get free marketing headlines.
You know, the first batch of Trustmark firms and all of this can happen in the background, right? You're doing, it's a journey. You're doing this in progress. Don't wait anymore. Really is the message here.
And don't, don't keep it in the, in the folds of government only or financial services, cuz it just isn't that anymore. And that was part of the purpose of the gain paper that you've heard several of us talk about throughout the conference and seized those advantages. And guess what's gonna happen. I know this is gonna shock you, but once clients and consumers see that they can have convenient without sacrificing privacy and security. You're not gonna have to beg people to join. You're gonna have the opposite problem, right? This is gonna be fantastic. Give people that choice.
This is not rocket science. Even if I don't understand what's happening behind it, I'm a consumer of business. I'm nothing about technology.
You say, this is safer than what I have today. I'm probably gonna try it.
And again, just to reemphasize the importance of staying with regulation legislation, especially given that they seem to be, wanna be taking a media role here. One of the ways you could several ways to do this, you can directly participate. You can actually subscribe to the websites for the European commission and UK and all that sort of stuff.
You can do it through some of these groups, whether it's an industry group or the open ID foundation or open identity exchange or industry groups, cuz they collect our comments together and provide them an aggregate to these groups. And you should also be aware that there is also a cognizant in the jurisdictional network that they need to interate. And actually that's one of the positive things of Brexit. For example, UK have on their roadmap.
You know, they need to figure out now how to interoperate with Europe.
They, they, they don't wanna be disconnected from the rest of the world because of Brexit.
So again, it's putting more urgency that even the jurisdictions themselves, in addition to the underlying foundation, that's available with open ID foundation, open identity exchange, they are working directly together to try to simplify interoperability capitalize on the new public sources. So you see things like the UK document verification service, which is digital verification of passport. There's a similar thing in the us for electronic verification of social security number and notice that these public services are just verifications. It's a yes or no. Right?
So keep track of what's coming down, but they become the government services themselves become identity service providers. They also could be relying parties. I've had conversations with the us government where they're happy to have that kind of a dialogue where one could log in with a different ID and look at their pension services.
Us are open to that. UK may not be and that's okay. Right? So different things are happening, different jurisdictions, but there is movement and there is opportunity with that movement. Sorry. I think I'm getting people. I must be getting light.
I think I just have one more slide and amplify your voice through real live experience. Just to leave you with one last thing. It isn't magic. This obviously is some hard work involved and you know, call me out on it, contact me after this. I'm also by the way, co-leader of the proof of concepts work being done associated with the gain paper. So if you have any interest in participating in that we're soliciting actively IDPs and RPS, you can contact me directly at donna@oidf.org. That's Donna O idf.org. And I would welcome that.
It's just another way to get your feet on the ground to actually get some real experience with the current standards. Thank you so very much for your time at the very end of the conference. I appreciate it.
