KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The debate on Customer External Digital Identity has reached fever pitch. This session takes a step back and looks at how Customer External Digital Identity can enable Trust between individuals and organisations in many sectors, what that allows organisations and individuals to do and also looks at the different roles that you might choose for your organisation.
The debate on Customer External Digital Identity has reached fever pitch. This session takes a step back and looks at how Customer External Digital Identity can enable Trust between individuals and organisations in many sectors, what that allows organisations and individuals to do and also looks at the different roles that you might choose for your organisation.
Brilliant. Thank you very much. Thank you.
Can, can you hear me? Yes, we can. Yes. And the is yours, That's Our actually, Yeah, it's, it's an interesting area, but, but first off I'm I'm Martin and Graham I'm I'm product owner for identity for, for NA west group, which is a large financial in UK. I do need to say at this point, though, I'm speaking as a, a private individual, so don't confuse anything I say here for a, an official statement of, from that west group. I get a lot of questions about the picture on this, this opening slide and fundamentally what it is. It's a snail turning into a box.
And I think there's a, there's a metaphor there for us in terms of the changes and the rate change. We're seeing an identity at the moment and the overall the journey we're on as we turn identity from being a necessary evil within organizations to being an enabler for business. So what I want to do today is look at identity from a, a couple of different dimensions and, and then compare that with what we, what I see in customer additional identity at the moment, and, and hopefully answer those three questions. What is it? What can you use it for?
And, and should you play so first off identity, what do we mean by identity? Do we mean that we're keeping the, the bad guys out? And certainly that was what identity was principally used for in the old days, the arrival of digital transformation means that we're now encouraged to about it as, as letting the good guys in, as well as keeping the bad guys out. But fundamentally it's, it's far more than that. It's about trust quite simply. It's about who do we trust and what do we trust them to do trust actually quite a complex area.
And there's all sorts of fascinating, almost philosophical research papers that you can read that looks at, you know, how trust is established and what is fundamentally means. But from our perspective, I think that the key to realize is that trust isn't absolute. Some things are higher, trusted are more trusted than others. Other things are less trusted. And what we we're fundamentally doing with identity in general is we're making sure that we have sufficient trust for what the individual is, is looking to. At that point in time.
We've also come from the point of view of, if you start from the point of keeping the bag guys out, it's all about access, but fundamentally it's become more than that. It's not just about keeping the bad guys out or letting the good guys in it's about how, what the user can do. So the authorization journey and the management of risk within the applications and we've access to data for our organization. And that becomes a completely different story.
As we, as we look at at risk and assessing risk in, in the story. But let's step forward and look at a, a slightly different dimension of identity.
As, as organizations, particularly financials, identity's really been about creating a Citadel, a castle, an isolated world. And there's a number of reasons why we did that. One of the key ones is that we all introduced digital banking or digital access to our services around about the same sort of time.
And so we, there wasn't an obvious standard. There wasn't an obvious service we could pick up because it was all new. So we all created mechanisms to authenticate and authorize. We did identity verification in a number of different ways, which harmonized over time, but fundamentally it's all about isolation.
And if you look at a castle, there's one way in and one way out and, and similar for most of the journeys we've supported for identity in, in large organizations, commercials and financials, and such like that means that we tended to develop these systems separately without a, an idea of standardization. And they've all been about the needs of an individual organization. It becomes slightly restricted because that's the model we look to. Do we look to make sure there's one way in one way out very much about control. We've followed fashions slowly.
You know, I don't think any of us would argue that we, we hung on for passwords maybe 20, 30 years longer than we should have done. Fundamentally we've moved forward slowly. And at the moment, we're seeing an awful lot of change in identity, fundamentally because we haven't changed it enough in the past.
But if you look at this model of isolation, what it leads to is it leads to duplication because if we, as an organization stand back and go, okay, we're creating an identity for, for Martin at this point, then that user, that person goes off and has to do the same thing in other organizations as they go forward. And actually the processes while not being identified are pretty similar. So if you go and try and get a mobile network contract, for instance, then a lot of the proofs that you're asked for in finance will duplicated.
You'll be asked for a government issued ID, an identity card, or a passport or a driving license. And you'll be asked for a utility bill to approve your address. Now COVID shown us that people's appetite to actually go in and provide a government issued ID is, is lower. And utility bill as a proof of address is incredibly brief because nobody gets utility people anymore. It's all online. And fundamentally what they're asking you to do is print out something that's online. And at that point, then you go, okay.
So is it really beyond the width of the school child to create their own utility if they say chose and, and the answer? No. So what's the strength in that? Why are we putting customers through that friction for a level of trust? That's actually not that good, but if you look at a service that has frequent customer use say banking or a number of different areas, then not only have you got that initial identification verification, you've got the history of use over time. And so the level of trust builds up and you get to a point where you go, does it make sense to repeat this operation each time?
Why can't we start using the trust? That's been built up in one organization to smooth the way for the user in consuming other services with user control. So users getting into consent, that information, their, their identity is shared, but fundamentally why repeat this stuff? If we can use it to make the journey smoother and better. And that's really where customer digital identity takes us to it's that idea of sharing trust between recipient parties pick an individual example here. So here's an example of digital identity.
I pick new south Wales driving licenses, really because it's, it's a different model than we typically think about as we're thinking about more general digital identity, and also to show the, the international nature that digital identity is taking at this stage. So fundamentally our digital identity, actually that customers use their identity, use that trust to access services from financial services, mobile operators, airline, whatever they choose to use it for. And in the process we as organizations, we get to reduce our risk from things like fraud and financial crime.
And cus we get better customer journeys that reduce dropout rate, which, which helps us. So customers benefit organizations benefit to, but that's overly simplistic. That's overly simplistic because if we start to think about identity in a more macro sense, then it, it's not, it's not just about proving who you are. The idea V space, it's about a wide range of attributes that potentially could be attached to your identity.
And the simple stuff that people come into this thinking about is, you know, okay, so your identity could share perhaps your, your name, address, phone number, email address, stuff like that. And that's fine. And actually, most organizations that become identity providers probably have that information because they needed it to establish the identity in the first place. But actually that's not the whole that can be transferred.
So if you start to think beyond that, then you realize actually there's a huge number of different attributes that can be attached to an identity and which increase its utility for the user. And that's important because we need to drive option for this. And that'll be on the basis of the use to which users can, can make of it and the frequency with which they need to perform those actions. So what sorts of things could, you can, can be attributes in digital identity, things like qualifications and entitlement.
So everything from, do you have a driving license through, have you got a medical qualification? Are you a certified electrician? Are you a qualified contractor? What is it that you need to be able to prove in order to, to get on with your life?
And, and some of them end up being quite frivolous. But I think back to the point of it's about frequent use to drive adoption, if it becomes a place where infrequently use qualifications, like say a sub certification that, that you may not use from one year to the next, but when you're on holiday or vacation and you want go diving, then you need to be able to prove that you have the qualifications and being able to have that in a form to hand allows you to do that ends up becoming critical.
So the, I suppose takeaway from this is that being restrictive about the information that's passed, the information that makes up an individual's identity, which can be extended by them, doesn't help. And fundamentally what we need in a additional identity is an extensible data model. So that anything that needs to be carried can be carried and that the user can choose what they attach their identity, where it comes from and who they share it with.
So we need the, an extensible data model and other examples and things that I'm seeing, being created at the moment are things like property ownership. So, you know, if you look at say a, a remortgage journey with a financial one aspect of that is sure you gotta approve the identity and sure you've got approve earning, which you could reasonably do in a simple identity, but actually being able to have proof from a, a trusted body that the applicant actually owns the property that they're looking to remortgage takes a lower friction.
After that journey, it takes a lot of risk after the journey. So you get faster and you get easier. So having many attributes, being able to share trusted attributes is, is critical. And I I'm gonna pedal that trust term again because no data in large organizations, a hundred percent reliable, everything comes with risk. And what does trust mean in this instance? What it means is that the, from the relying party, the receiving organization's perspective, the quality of the data, the risk associated with it is within their risk appetite.
And so actually it's it, it's in the hands of the receiver, the recipient judges, whether the quality is, is, is good enough. And the key thing here is that the quality of the data being provided needs to be provided with the data so that we know, is this a, a strong example of a passport, or is it just a, so snap of the front page of a passport? And that matters a lot, depending upon what the journey is. If you're looking at ski rental, then actually a selfie snap of the passport's probably good enough, but if you are looking for large mortgages, then the story's somewhat different.
You need a higher quality in the data. So we need many attributes. And with that comes a, another dimension, which is many potential journeys. And one of the challenges I think we've had in thinking about digital identity is going okay, so, and the user's going to use it for X. And as soon as you start thinking about this, a single journey for it, then you start to restrict what you're building the system for. And that ends up driving digital identity into a corner. So at the point where you, we make those restrictions, we increase the decrease, its utility, it's down to the relying parties.
It's down to the market to work out what pieces of information that could be passed identity. You could ask the users to share and which would help in those journeys. So there's a lot that we need to do to make sure that we're not restricting to a particular journey, but fundamentally what we're looking at here is a way to deliver trustable individual data. That could be quite broad with consent, wherever it's needed to deliver the journeys that that help customers and help digital identity become prevalent.
And, and I suppose that's is for what is, and how can you use it for digital identity? Is, is that sharing of trustable data, wherever it's needed, moving on really as many parties in digital identity. And as we start thinking, should you play, then I'm gonna turn the question around and go, okay. So how would you play for people aren't familiar with it? This is an image that represents the musicians of Braman, a a grim fairy. That's fundamentally about a group of creatures that get together, defeats some THS and the happily ever after.
And I think that's, that's quite relevant for what we're looking at here, because as we look at the, the groups that come together to make digital identity a reality, so identity providers actually providers standards, bodies for helping those parties work together and underlying support from government. It needs, it needs all those parties to work together. So if you provide trusted identities, you know, as part of your business, you're creating identities that can be trusted. Then there's a role in, in digital identity.
And you can choose to become a, a deliver identities to which attributes can be attached. And you might provide some of those attributes too, but then we get into, okay, are you an owner of trusted attributes? Are you creating certifications or creating information about a user that might be useful for others? And as a relying party, if you're an organization that's where you have a problem that could be addressed. If the user provided you a particular piece of information, then you have an opportunity in digital identity to, to take advantage of that.
And a lot of the conversations I have with business are about, okay, so where are your problems? And if you could know a single piece of information or multiple pieces of information, how would that change your business? How would that make things either easier for the customer or reduce a risk and reduce a risk? Find really means breaks the chain. How do you create a kill the chain? That means that you are now mitigating a risk. So if you are in any of those groups, then there's a role in digital identity.
But as an organization you can choose to play in, I'm gonna mention two other part of the, the animals here as well, which is that the work of standard, and there's a number of them out I'd call. So things like the open identity exchange, and you'll see the launch of paper manifesto by G game during this conference on, on how internationally identities might work together. Then there's a lot that standards bodies can do to provide a, a national cross-national and multi-sector view of how digital identity happens and also government.
And, you know, if you look at the I in Europe and work that separately by UK government, then there's a lot of work being done to establish digital identity. So fundamentally, and in conclusion, customer digital identity gives better customer journeys under the control of the user organizations get to manage risk and also get to play in these various aspects of identity.
And, and ultimately this is part of that journey, turn identity from a necessary evil, into a business enabler. Thank you very much.
