Welcome. We are here to talk about the future of digital identity and how it impacts business, and to really have a bit of a forward-looking type of conversation about where is this entire thing heading and where is the breakthrough innovation we may expect. So I'm here to speak with Nick Mothershaw. Nick, welcome.
Well, good to meet you today.
So maybe you give a bit of a background on yourself and what you're doing.
Absolutely. So I'm Nick Mothershaw. I'm Chief Identity Strategist at the Open Identity Exchange. And the Open Identity Exchange is a members organization, so not for profit. And our vision is that we can all have a reusable identity that is trusted anywhere we go around the globe. Now, that's a fairly lofty vision. So in order to achieve that, we work with members on thought leadership pieces, influencing governments, education to drive that vision forward. And right now, we're doing a lot of work on the evolution of trust frameworks into frameworks for wallets and also global interoperability.
Yeah. And so I think I don't need to really ask you about what do you believe is the next really big thing that is the breakthrough innovation we will see in the space, because it looks like the breakthrough innovation at the end of the day, from your perspective, will be sort of a reusable identity we can use globally across a wide range of business cases.
Absolutely. And that, it looks like it's going to manifest itself in a wallet, where my trusted identity and credentials will be in that wallet. And what we want to see is that that wallet can roam around the globe in the way that phones do today, or bank accounts work when we do cross-border transactions.
Yeah. And I personally believe, not only roam across the globe, but roam from device to device. So, one of the things I think a lot about is, you know, I first, I have personal devices and I have business devices. And for each ... I have three of them. I have a desktop computer, I have a smartphone, and I have some sort of a tablet in between and/or a notebook. So it means I have a lot of devices and imagine I would apply for a bank, a loan at a bank, I probably would use the desktop. For other use cases I will use my phone. So I believe we have some very interesting things here to solve. But yes, I think I'm absolutely with you. I believe this is the vision we should have because it will change the way the digital life and the digital business are doing. So you talked about trust frameworks. And maybe you can first a bit explain what trust framework means. It's a bit of a term that is probably not intuitive to everyone.
Absolutely. So it's... the trust framework is the set of rules that define how an identity or an identity credential ecosystem will work. The rules could be legal rules. There could be rules to which parties are certified. What they do is they bring the trust in the ecosystem so that a credential, for instance, would be issued in a consistent way. And when the credential is issued, that the user is verified to a level of assurance that's been agreed to it for that issuance of that credential. There may be rules that are attached to the credential. That's like where it can be used, what consent must be gathered when it's presented, and then other rules will apply to the wallet itself. So how does the wallet need to store that particular credential. The security rules, the privacy rules that are applied to data and recordkeeping rules. So it's beyond the tech. It includes the tech as well. But it's all the legal and operational and governance elements that go around making a successful, trusted ID ecosystem.
Could you give a concrete example of such a trust framework?
Well, eIDAS 2.0, between the regulation and now the architecture reference framework, is an example of a framework. Another one would be the Digital Identity and Attributes Trust Framework in the UK, which again is fairly new. NIST in the US, it's more a set of standards at the moment, but version four is moving it out to a framework. So there's various different frameworks emerging around the globe.
GLEIF might be also one, the Global Legal Entity Identifier Foundation. What they are doing, also shifting into the world of decentralized identities, gradually.
And that's a framework for credential issuance. So that's, you know, that's looking at a particular credential around the LEI of business. And then attaching the principles into that. Yeah, so the frameworks exist for the wallet itself and then for the credentials. And that's like a good example of a credential framework.
So you already talked about level of assurance. And I think this is a very, very interesting thing because when I have conversations with end user organizations, they're thinking about how to use digital identities in the future, then one of the first things that comes up is this level of assurance, so they don't need everything with a very high level of assurance, but they need to understand how trustworthy it is. So, two questions around that. The one is, what do, sort of, trust frameworks concretely provide here for a level of assurance? And then when I envision that I not only have whatever name, address and maybe employer, or legal entity, but when I think about hundreds or thousands of verifiable credentials I have in my wallet. So how do trust frameworks sort of integrate and interoperate?
So, one of the key features of a digital identity trust framework is the identity assurance policy. And that's where the levels of assurance or levels of confidence for that particular framework are defined. And they all tend to work in a similar way. They use different terms. Sometimes they use "substantial", whereas IAL2 is probably the same level in the US, but they're not quite the same. So that identity assurance policy is a key part of the framework. That is what enables you to extend such a level of trust in the user. So it's usually through a proofing process where the user's brought into the ecosystem and they attain a level of assurance. So let's say, you need a wallet, so that's going to need to be high. So the users attain that level of assurance. That's a level of assurance for the user itself. So we know the user is trusted. When we're looking at other credentials the user owns, we need to decide in order to allocate the credential to the user what level of assurance needs to be attached to that. So for some credentials, high might be way, you know, over what's needed. You know, for a simple credential of, yeah, my loyalty cards. You know, I don't need a high level of assurance around those. It's a much lower one. So what you can do is, you know, in each credential context, look at the level of assurance that should be associated with it. There's then the question of when you're issuing the credential, how do you determine the level of assurance. What you can do, and what we're seeing emerging in some of the writing in the ARF at the moment for the EU, is that, well, the person has attained, in the EU example, a PID at high. So I know the user's trusted. So I will now issue them a credential without rechecking their identity because they can present the identity in order to get the credential. So the proofing is done once and it doesn't then have to be done by the issuer.
We need to avoid pushing the burden of re-proofing the user each time onto the issuer. The other method is that you do that and you make the issuer responsible for proofing the user. So the US model around the MDL issuance, the issuers, the DMVs have to proof the user to a sufficient level before they release the credential into the wallet. And that's a big burden on issuers that we want to avoid.
MDL is mobile driver's license. Yes. And I think the important thing for me will be over time, I believe that we have something. When I'm the verifier, so when I receive credentials that I know this is the sort of attached level of assurance, and there will be things like, also, in my wallet, I definitely will have things which are self-issued.
Yes, absolutely.
As well, which say, okay, this is what comes from Martin. So we are making progress on that. So what do you think is the..., when you look at the business value of the work you are doing, where do you think the biggest business value comes from?
So by putting a framework in place, we have to trust not just the identity but to the credentials that come with it. So the economic value is enormous in terms of being able to instantly access employment, because I can bring all my education and employment history with me, prove my age to my age-restricted goods. So, you know, the economic benefit is enormous. But one of the areas we're looking at specifically is the cross-border element of that. So how can we enable wallets to work as we roam from place to place? So how will my EUDI wallet, in future, work when I go to the US and vice versa? How will U.S. issued wallets work in the EU? And that in itself unlocks another layer of economic benefit.
And I think we need to think globally, because at the end of the day, I have a wallet. And I also want, maybe want to use it to purchase from some global e-commerce provider or so from the same wallet I use for all the other things, or from a different wallet. I would like to have the choice, to be honest. Me as the user and not someone saying it needs to be done in a certain manner. So when do you think all this is ready? Is it that you say we can start now, and things will evolve? Or do you say it will still take a bit of time?
So today you've got wallets on your phone from Apple and Google that are bound to the device or to their platform. They're not independent wallets, which is what we want to see. They're coming, people as ours, OpenWallet Foundation working hard on making sure they get it to market. And you're right, you should have choice then. And you may have several wallets in the same way as you organize your life today. You mentioned at the start, you use your personal and business. Even within those you'll put different things in different wallets for different purposes. And that's fine. And you should have that choice. What we need to do though is to make your interactions then really smart. So when credentials are required that are in different wallets because you've chosen to put them in different places, the deliverance of those from you to the acceptor, the verifier is made as simple as possible. Yeah.
I even want to be able to say, hey, I want to have this credential here and here and here. I want to shift it from here to here. Data portability in that sense.
Absolutely. Yeah.
Would be really great. So I think a lot of things coming, I think we already have come quite a long way here. And we are, I personally believe we are in a state where we can really start making use out of it and leveraging the incredible business value that is behind this evolution. So, Nick, thank you very much for taking the time to talk with me here about your perspectives on digital identity, on the future of it and the future of digital business overall. Thank you.
Thank you very much.