Hello everybody, if you could start to take seats and we'll begin. So thank you for joining us early for this pre-conference workshop on, and I'll just skip back to the start, Catching the Wave in government and financial services around decentralized identity. My name's David Luna. I work as a senior product architect at Ping Identity and I've been involved in decentralized identity since prior to the merger between ForgeRock and Ping for a number of years. Researching the topic in the CTO team back there and now working with the Neo team in Ping.
Today we're gonna focus on specific use cases, stakeholder benefits, user experiences in the, in the sectors of government and financial services. Look at some work that's been undertaken and we are obviously starting a little bit late, for which I apologize as our selection of esteemed speakers. We will obviously, we've skipped the first 15 minutes introduction. This is what you're getting instead. So we'll realign with the schedule by 10, 10:30. So it may extend slightly into the first break, which I apologize. But then for 10:35, we'll continue as planned.
We do have audience interaction and would appreciate it if you grab your phones or grab your laptops. Scan the QR code or head to slido.com and enter in the code just to get a little bit of familiarity and understanding with our audience. So if you go there right now, you should see an open Q&A. We'll collect those questions throughout both this session and the session after the break. And we'll address them with a panel in an open discussion format where the audience can participate as well. In the last 45 minutes or so, as you see on the Slido, you'll also have a poll that's available.
And the current question that's being asked is, what's your organization's familiarity with decentralized identity? There's a couple more questions coming after that. This is just to help us gauge your current level of understanding of this technology and to help our speakers pitch their presentations to the right level.
So I'll just leave the QR on screen for a moment, but it's also on every slide subsequent to this for those that will be joining after us. So thank you to those in the room for joining us.
I know it's been hard to get in this morning and thank you for those that are watching live. And what I'll do now is close this poll. We're getting some interesting results. We're seeing nobody with the first four answers to what's your current familiarity with decentralized identity. So everybody in the room is, you know, five through 10 in their knowledge of the technology, which is excellent. We have a very educated in this space audience, which we're expecting, given that we are diving straight into realized use cases here.
So next question I'm going to open up is what does your, what role does your organization play or expect to play in decentralized identity?
Now there's a, a number of answers here, academia consulting, credential provider and consumer credential, consumer only vendor whether you're still evaluating, adopting, or whether you've already made a decision that this technology is not for you and you're just gonna sit at the sidelines and let it go.
So again, I'll just let those answers come in for a second. I think I can bring up the results from the first slide from the first question there. And we're seeing the second question come in. You also get a sneak peek as to the third here, which is a, what pace does your organization expect adoption of this technology? But I'll leave this poll question open just for the moment.
Cool. So it looks like the majority of our audience here, or at least those that are actively engaged in the Slido poll, are working on consulting and services to support decentralized identity adoption.
So take a look around the room notes and faces and go catch up with them during the break. So finally I'll start the third interaction, the third interaction of what pace does your organization anticipate adoption of decentralized identity. There are organizations that already have it adopted and deployed, organizations that are building up within the next 12 months to get that out. And then horizons coming one to two years, two to five and five to 10, which takes us all the way to 2035 at this point.
So again, we are seeing already adopted coming up and within the next 12 months I'll just get the results coming up live for those that wish to see them have a quick glance at the, oops, if I've lost my cursor. Quick glance at the previous answer and pace of adoption. This is spectacular. We're seeing good number already adopted or planning to adopt within the next 12 months. So thank you for that, the real purpose of the Slido. Thank I appreciate you, you getting there and, and, and jumping on these is to get those questions coming in.
As I say, I will collate those throughout and as we address those and we'll address those questions at the, at the end.
So let's jump straight to our first, hello, I've lost my speaker notes there.
They're, let's jump first straight to our first session of the day. We'll cut the time down ever so slightly so you'll lose five minutes or so.
Darryl, you'll lose five minutes as well. So this is decentralized identity business value. Decentralized identity continues to be presented as a transformational technology in technical terms. So let's understand it above the water line. Let's not talk deeply about protocols, you know, different formats for your credentials, different wallet implementations. Let's look at this tactical and strategic implementation implications and value to our lives.
And this will be given by Jamie Smith, Jamie, er, founder of customerfutures.com, a leading online community focused on the future of digital customer engagement. And he's also the co-founder of Mission, the world's first consultancy focused entirely on empowerment tech, which includes decentralized identity, digital wallets, and personal AI.
He spent the last 15 years helping businesses all over the world seize the opportunity around empowerment tech, including decentralized ID at ENY and Gen Digital.
And Frank Cardello is an executive with extensive experience in security, identity management, artificial intelligence and machine learning, messaging and media entertainment industries. In his current role as an executive advisor at Ping, Frank is responsible for the strategic development and launch of PingOne Neo, Ping's decentralized identity solution. So with that, I'd invite Jamie and Frank to come and take the stage and to kick us off with our opening talk on decentral identity business value above the water line.
Thank you, David. Just
Get that plugged in for you.
Oh, there it goes. Oh,
Pingy,
Poor Pingy.
Oh, the real work. There we go. Hello everyone. I'm Frank Cardello and I thought I'd start this part of the conversation, my screen would stop jittering, telling a little bit of a story. I was with Andre Durand, founder of Ping, very early at Ping.
In fact, we built a company called Jabber together and there were just a handful of us. And I don't think many people know that the original, you know, name of Ping was the Ping Identity Network. And the reason why Andre formed the company was to capitalize on a world where individuals would be carrying around their identities on their devices and sharing them. And we were gonna build this network and we actually hired people from Visa in the ATM debit, the Plus networks 'cause we're gonna monetize transactions, identity transactions.
And we had taken a page outta Jabber and had developed a number of the toolkits, open source toolkits for federation.
We had SAML 1.0, 1.1, Shi, WS-Federation, Liberty Alliance and, and the like. And the world was magically going to embed these toolkits and, and then we were gonna be there and, and create this network in transactions and, and all was gonna be great. And we raised venture capital money on that premise. And then we got into the market and it was crickets. And the only revenue we could generate was professional services on freely available toolkits.
And I remember going into Andre's office and by office, I mean there were maybe a handful of us in one office. We had desks pushed together and I said, buddy, we're gonna, we're gonna miss our number for the month.
And, and he said, well, what do you mean how bad? I'm like, well, zero, you know, and, and he said, well, what are we gonna do? And I said, well, for starters I could use a product.
I don't really have anything to sell.
You know, because we were selling ProServe. And so Andre stood up on the whiteboard, if you know Andre at all, and he listed out all the toolkits. He drew a box around them and he said, and we'll call it PingFederate. And that's how the product was born.
And, and, you know, over a billion dollars in revenue later, that's, that's how PingFederate was born, was literally in that moment. But the point being is that it's been 22 years since that moment, and now the time has, has finally arrived where we talk about identity portability in, in, in the ways that, that, that are manifest today, you know, with different terms.
So, you know, we're talking about catching a wave, showing a wave, you know, you surf when the waves are up. But I think what we're trying to say here is that there's a certain inevitability to DCI or to digital identity that we, that we talk about.
And, and the time is now, we chose the word digital identity for a specific reason. We could've used words like personal identity and if we really wanted to make people upset, we could've used self sovereign or even verifiable credentials. But we did that intentionally because what we're really talking about is establishing identity first and, and enabling us to behave in a way that we can online as we do with our physical IDs today.
So, but I think it's important for us now as we, as we think about like, what are we talking about? This is the, the European Identity and Cloud Conference. Identity is why most of us are here. It's what we feel like we have a responsibility to protect. It's getting people access to the right things, you know, at the right time. We have to do identity well because at a societal level, we don't think of identity as a cradle to grave thing. Our, our physical bodies are cradle to grave. But our digital bodies exist in, in fragmentation.
You know, if you think about it today, I'm not an individual online, I'm a user. Our systems are designed to manage users, not to manage identities. There's a big difference between managing an identity and managing a user. When I manage an identity, it means that I can show up and prove who I am in a millisecond at that moment in time. We can't do that today. There's no way to prove who we are digitally. And as a result, all of our, our users, all of our data, it's fragmented and, and it's distributed and we engage in more services than ever. And how we engage is really kind of troubling.
We, we start from a position of zero trust and we have to reestablish trust with every single engagement that we embark on. And it's a frustrating experience. But when we're forced to engage in things like progressive profiling and we just keep going and keep repeating this cycle again and again and again,
You know, but there's hope.
You know, and the time is now, you know, we're, we're on the cusp
And through verifiable credentials, you know, we're able to take all the appropriate facets of our past, our interactions, we've had all the trust that we've earned and packaged up and put them into a credential and, and put 'em on the phone. And then when we engage with new parties, now we can go from zero trust to effectively, you know, a much higher level of trust in that millisecond. And that's a game changer for us.
It's gonna change how we engage, you know, how we're introduced, how quickly we can access services, how often we can access services, how secure those services are. But like so many things, this is a journey we never would've thought this would be a 22 year journey. And I don't know where we are on, on the step, but I think it's important to note that if we're gonna transition from a world where we're managing users online to managing identities, this is by its very definition a transformation.
And, and I think it's important to contextualize, you know, transformations and, and compare them to the experience that we have with our physical credentials today. Like, why has this not happened as yet?
You know, why aren't we able to, to behave in a way online as we can in person. So when we think about transformation, we can actually, you know, think about it in terms of, you know, some of the historic traditional transformations and just take music by way of one example.
We initially digitized our music, we enabled our, our, our engineers to manipulate it digitally instead of analog.
Then we, you know, digitally stored it on a cd. But the transformation didn't really happen until we started streaming music. And because then we enabled much different and much more exciting things to happen that changed how music was released.
In fact, it fundamentally changed the economics of an entire industry. And so this physical to digital transformation is what we're in the midst of. It's the journey that we're on and it's worth it.
But, but rest assured, you know, I hope it doesn't take another 22 years. It, it is a journey, but it is a transformation. And when we're done, this transformation is gonna change how we interact online. And we're gonna talk a lot about that today.
So, you know, so here we are today and, and I, I wrote this and I just thought it was kind of interesting, you know, while Ping's a fairly large company, what we're really talking about today is that the digital transformation of identity will, will vastly improve services for global citizens, meaning everyone and change how value is created in the global financial services industry.
And that's a pretty bold statement.
And, but if you're sitting in this room, I think, you know, and at some level it's true. If you're like me, you believe that there's a certain inevitability. Now we may have questions about timing and I've never come across anyone in this context that has disagreed that when digital identity is transformed, that it, that it will be transformative and it will change industries. But you know, we're all struggling with, you know, when, when do we have enough and how do we get started?
How do we, how do we embark on that? And then hopefully what we talk about today as we build the foundation and, and what's happening in government globally as well as what's happening in use cases, you know, probably the, the one thing that we spend our most time doing is helping people understand and connect to whether or not this technology is an opportunity to their business where it's a threat and form a thesis and then born outta that thesis, help them figure out, you know, how to get started.
So this new paradigm, it's going to change a lot and enable us to manage our identities in a, in a very different way. But I think one of the things that's also gonna enable us to do is, is change how we think about our reputation, our aggregate reputation, and to bring that reputation to bear much sooner than we could have in the past. We have to establish our reputation from zero today and do it over and over and over again. And the time is now, the time is now for us to, you know, proof ourselves once, establish our identity and then leverage that identity in ways to carry it forward.
So that's reusability, you know, can improve security but improve convenience and user experience at the same time. So I'm gonna turn it over now to Jamie from Mission and I thank you for your time.
Okay. Hello everyone. So as David kindly said at the beginning, my name's Jamie Smith and I've been working on these problems for about 15 years, working with banks and retailers and telcos and governments to think about not just identity, but what does identity that's under the control of the individual feel like.
And so I write at customerfutures.com and Mission is a consultancy focused on just on that.
And the title of this session was Catching the Wave. But I wanna torture the metaphor a bit further in this idea of the waterline because all breakthrough disruptions often start with the technology and that means they start with technologists and they start with how things are gonna change and how it's going to work. But as Frank said, that's all below the waterline. The question is what can we do? Not just how it works, it's how it works is fundamental.
'cause it gets the questions of security, privacy, scalability, and all those trade offs that we're making about do we have it at the edge? Do we have it at the center? Do we enable selective disclosure or not? All those kind of really juicy questions that we're getting into at the moment at this conference. But they are how it works, not what you can do.
And the analogy is with the web, right? In the nineties we had this incredible new technology, a new set of protocols, a new way of publishing information peer to peer.
And so we got clumsy websites that were kind of by technologists and for technologists and we know that because it was developed by people like this, right? And how do we know it was developed by people like this? Because they called themselves webmaster, right? They played Dungeons and Dragons, they were, you know, real nerds who changed the world, but they were obsessed with how it worked, not what it could do. And so I wanna make the point that with all the incredible advances of what started the internet and then later the web was still below the, below the waterline, right?
And what did we get above the waterline? We kind of got cat pictures, you know, we got the ability to publish information in a way that has not been possible before. The way to have the early chat rooms like this was genuinely transformative the way we communicated, the way we published information, the way we shared memes as they became known. But this was all kind of citizen consumer users.
We then had a second transformation when businesses could start to take part. Yes I could book a restaurant reservation online but could also start moving money around.
And then in late nineties we got enough security that we could do online banking. So we're starting to get towards that transformation. So my question is, or my, my logic is how do we explain this and get out the technology? How do we start to peek above the waterline and think about value? I'm gonna ask the guys at the back to play this very short video with David Letterman in 1995.
I,
Is there something now beyond what we understand about computers that like 20 years ago we didn't fully understand computers. Is there now another level of something, maybe we haven't even thought of it. Maybe it's not even possible, maybe you know, a whole different mechanism, a whole different software and hardware or is this gonna be it now through the end of time?
Well, mostly what we're working on now is the computer being a tool, a tool to help us learn or find other people with the same interests. Eventually we may figure out how to make the computer think, but that's turns out to be a very tough problem.
In fact, there's been almost no progress made on it. So nobody knows when that'll happen. Some people think it'll never happen.
Yeah, we
Don't want 'em to think, do we? Not really. I wouldn't think.
Well it's, it's a scary thought.
Yeah,
It's too bad there's no money in this too, isn't it? It's a shame
Right now. So what
About this internet thing? Do you
So in fact play this video just very briefly 'cause this is
Hell is that exactly?
Well it's, it's become a place where people are publishing information, right? So everybody can have their own homepage. Companies are there the latest information. It's
Wild.
Alright, so, so the the point is that we have technologists explaining what's possible and he's saying, look, computer's gonna think. And it's like, I don't really understand that. And he goes on about a minute or two later to say, Hey I could listen to a baseball game on the internet. And David Letterman says, yeah but I've got a radio for that. And then he says, well no, but you can, Bill Gates says, but you can listen to that baseball game anytime you want. And David Letterman says, well I've got a tape recorder.
And that's where it feels like right now we've got these tools, we're trying to explain how credentials and digital wallets are gonna be valuable. But we're using the framing of today to say, Hey, you can have, you can have tickets and I can log in. And everyone's saying, well I've kind of got some of that already today. And I want us to think about how do we get above the water line. Oh can you put the slides back up? Thank you so much.
So this week is gonna be a very exciting conversation about the progression from identity and access management to digital wallets, eIDAS, maybe some deep technical conversations about zero knowledge proofs.
But what are the cat pictures and online banking for decentralized identity? That's the question. 'cause that's the stuff that people talk about at home with their uncles at Christmas in the pub. They don't talk about selective disclosure in digital wallets. That's the conversation for us. And I want to press on the point that Frank just made.
We took analog music and we turned it into CDs but that was digitizing. We turned it digital but we digitized it, which meant I still had to go to shop and buy a thing and stick it to a machine. And I had some new features and that was great. But the real transformation happened when we started streaming. So what is the CD equivalent for decentralized identity? And what is the Netflix that we can't yet see? 'Cause that's when the transformation's gonna happen. That is when the unit economics change. I'm gonna point very briefly to three elements of customer value.
The first is that the best customer experience might just be no customer experience. I mean, let that sink in for a second. We're so busy digitizing our paper forms, putting them online, getting 'em on the mobile. What if it's a tap? What if it's a swipe?
What if I could say to the airline 24 hours before I fly, just respond And I've got a cryptographic record of everything that's been asked and what I've shared. No experience, just, just check me in. This picture's only gonna make sense for people over the age of about 40.
But they turned the Batman comic in the seventies and eighties into a TV series with Adam West. The point of this picture is that Batman had a red telephone and when it rang, the only person it could be was Commissioner Gordon. The only person it could be was the police department. And when Batman rang the the police department, it could only ever be Batman. 'cause there was only one phone. And I wanna say or suggest that digital wallets aren't about data. They're not about identity. They're about a new connection with people and businesses.
We're gonna have our own backbones for every single organization. And I've said radical trust quite deliberately there. 'cause when I call the bank it can only be me. And when the bank calls me it can only be the bank, right? This is radical trust. It's going to fundamentally transform the unit economics of fraud.
It's gonna change. We're gonna smooth all the fraud to the edge. 'cause in my trusted channel it can only be me and with that customer channel I can now be recognized and remembered in any channel, right?
Businesses have been talking about omnichannel for what, three decades, two decades. And it's kind of a myth, right? We build this fictional 360 degree view of the customer that doesn't exist that we chase trying to get an ever better view of the customer so they can be recognized wherever they show up. With my bat phone, with my private peer to peer end-to-end encrypted, secure permission channel. I can now show up in store and tap. Have you stayed with us before sir?
Yes, of course I've stayed with you. I was here last week and you have no idea, right? Suddenly we can transform experiences. I can be remembered in any channel. But back to my cat pictures and online banking thing, that was all customer value. What about the business value? Because that's who we are largely dealing with. The people who are asking about verifiable credentials and staff passes and identity access. I want to argue that the customer becomes the API,
Right? In businesses today they've got an API to do an identity verification.
Another one to do some reputation checks, another ones to, to pull some information for another part of the system. We've got the spaghetti of APIs. Just ask the customer if you need a date of birth, if you need a latest address, an updated marketing preference, just ask the customer. And we've all got those, those transformation programs in organizations where two systems need to speak to each other and it could create masses of value for the organization, right? New revenues, cost reductions, efficiencies.
But the business case finance says no because it's too expensive to bring these systems together. Well just give the data to the customer and they can move it for you, right? This means we can do things in weeks and months, not years. And I'm gonna torture the metaphor further about Netflix. I think we can now have portable reputation and we can now start streaming customer data but not in a kinda creepy data broker back room kind of way. We can do it with the customer and for the customer, guess what? They're gonna share more data.
And with that peer private peer-to-peer pipe, I know everything that's ever been shared and everything that's ever been asked.
And here's the punchline. I think digital transformation as we've described it today, has had the handbrake on, it's kind of V one 'cause we've done all the transformation on the business side. We've given ourselves CRM and predictive analytics and customer platforms and it's all really cool. But for those of you who know who Doc Searls is, he would talk about like, that's like kind of one hand clapping. It's one sided. We've done half the job.
This is the opportunity, the next wave of digital transformation because I can have the customer just share data whenever they want and we're not gonna get consent fatigue. 'cause that was the GDPR problem, right? Because clicking and clicking and boxes and what did it mean in dark patterns? 'cause I can have just my side of the wallet, my side of the, the transaction agreed to things without me having to swipe every time. If it's from this organization that meets these terms, just say yes, realtime consent, automatic data updates. And of course the classic change of address use case.
I changed my address once I can let 17 different CRM systems know, but not that one because guess what, I was abroad and I was hiring a car. They don't need it.
So let's get above the water line. And I think these things, these things are the CDs, these things are the, the, the, the the value cases that we talk about in the rest of the conference tickets. Poor global KYC, seamless onboarding. And guess what organizations say today?
They say, I've already kinda got that. I've got a system that's really good at that at the moment.
Okay, it doesn't work perfectly, but by the way, I've got a, I've just signed a contract for three years with this vendor. Why on earth would I undo a bunch of stuff and do verified credentials? It doesn't make sense.
It will in time, but that's not the value. What is the Netflix? I wanna argue there's like several things. One of them is gonna be personal AI. If you pay attention closely to what Google just announced, what Apple's about to announce in the 10th of Jan, 10th of June, AI that's on my side, right?
We're giving AI to organizations largely and they're terrified about hallucination and privacy and training data and so on. But we're about to have AI on my side and it's not gonna scale until we know which AI it is in whose interest it's working, where the data came from. Guess what? We're gonna need this new decentralized identity plumbing to make it work. Once I've got that peer-to-peer pipe, that new customer channel, most of fraud happens after KYC 'cause we check where you are, who you are, which address, and then I go on and commit, commit fraud. But at the time it was fine.
And then, oh, the bank has to re KYC you nine months, 18 months with that channel. I can KYC when I need it. And by the way, not in a surveilling way, but maybe when it's over a thousand dollars maybe when I'm buying a big transaction,
The banking community are very excited at the moment about this idea of embedded finance. So I'm in an another digital transaction and I can embed inject of, you know, a a payment and embed, you know, banks as a service.
I'm, I'm embedding the, the, the payment transaction into an existing customer interaction with this new digital plumbing, with digital wallets, credentials, all the stuff that's below the waterline. We can embed identity into anything. And it doesn't have to be who you are, just that you're authorized to do a certain thing.
Yes, no, we can remain users. We don't have to be verified as a specific person, but we know it's a trusted channel. And my favorite is this new customer channel. And when the, the the car motor, sorry, when, when the kind of the the motor was invented, we never could have imagined we'd use it in our wing mirrors or never could have imagined we'd use it to crush ice in a fridge door, right? I'm gonna suggest now we can, we have no idea how this is gonna play out. We're building plumbing below the water line.
But I think this new customer channel is gonna be like the foundation stone of complete customer experience transformation. I think it's gonna be customers that redefine the customer experience.
And with that, I'll pause, we'll hand over to the ping team. Thank you very much.
Cool.
Thank you so much Frank and Jamie there. Really excited to learn about the customer and business value. One quote that I think you used in that digital wallets aren't about identity, they're about a new connection to people and to businesses.
And I think the ability for me as a, as a customer to present myself in any way that I choose picking and choosing which aspects of my identity wow gets to be shared at any time. And that line that the businesses get to use the customer as the API are really exciting. I'm just throwing this slide back up on the screen. So those that are joining us later have the opportunity to jump into our Slido, where you'll find our Q&A. You can ask questions there that will be addressed towards the end. This is a double section.
There's a double, I lost the word, but we're, we're running from now until 10.
We'll break and then we'll pick up on the same track from 10:30 onwards. So now that we've looked at the customer and business value of decentralized identity, we said that this talk was about financial services and government. We're gonna start on the topic of government with Darryl Geis. Let me switch over and do a quick introduction.
Darryl is the product lead for PingOne Neo and has been in identity and access management for 25 years with his first job as the first product manager for Touch ID, which was later acquired by Apple. Most recently before joining Ping, Darryl led the team that built and delivered the world's first interoperable mobile driver's license across multiple US states and built the TSA security checkpoint verifier.
So Darryl, you'd like to come up and speak to us about eIDAS 2 and other governmental developments involving DCI.
Thank you David. Get my machine hooked up.
Oh, you don't wanna see my Gmail if I only had a Mac M two or whatever instead of this Intel thing, right?
Hey,
I don't know how that works.
All right, I need to go over there
And
Okay, now I can do my swap displays and hopefully it'll come up one more time. There's a trick to this with Microsoft products on Apple. There we go.
All right, so thank you very much. Appreciate your time. What we're gonna do now is we're gonna talk a little bit more about digital identity with respect to verifiable credentials and wallets. And we're gonna have a small primer section and then we're gonna go into some government projects and use cases including talking about eIDAS.
So I put this up and the first question is, well I thought this was all about digital stuff, not physical cards. Why do I care? But we have to really put this in context. We have to frame the conversation, understand why the ways that we interact today in the digital world do not make sense for ourselves. And we can use those physical credentials as an example. These physical and paper credentials have been around for a long time. In fact later I have a timeline to show you how long and we'll talk about that.
But it, the reason we keep using them is because they satisfy key human requirements as opposed to requirements of business and government. For example, we can carry them around with us wherever we need to. We can present 'em anytime we need 'em, right? We don't have to log in to go get them and then do something with them, right?
Also, they include standards that can be recognized when you go to the TSA checkpoint, they scan it and they can check security features, all that kind stuff. And so they, they can be used in different places quickly, right? They also can be used over and over and over again for various use cases. And that adds more convenience to our life. And when we use them, the issuer that gave them to us don't know where we use them. They don't, they can't track us. They don't know when we present them for use.
And if we use them earlier in the day with one party relying party, the second relying party doesn't know I used them earlier in the day. And then the real cool thing is they can represent various personas or roles that I have. For example, an employee badge that's good for use at my company. My driver's license is good for showing that I can drive, but we can also combo these together. We can present multiple at a time in order to be trusted. So you can see why paper and physical credentials continue to persist.
Meanwhile, humans have had a much harder time in the digital space. Think of all the different context switching that we do, right? Every method known to man is used to authenticate us. And we have all these interaction methods and different flows and we have to figure this out and remember it next time we come back and it might change on us anytime.
And right now we rely on what are called trusted third parties, organizations that represent us as a proxy.
Anytime we wanna share data or do anything, something up in the sky is representing us and supposed to do the right thing on our behalf and share data on our behalf. And this way we're really like peripheral to the transaction. We're not in the middle of the transaction, we're pushed over to the side and then these two servers talk to each other and do things that we may not even understand what they're doing. In this construct, this construct involves fairly complex technical integrations between these two endpoints.
Even OpenID Connect, think of all the security assessments and privacy assessments and contractual stuff. All the legal garbage you have to do to make these two servers talk to each other and start sharing data.
And the, the intrinsic nature of this federated architecture means that you will be tracked.
Like you, there's no option. That trusted third party knows everything you do, everything that you're interacting with, whether you like it or not. And then consent management is a nightmare. If you've ever implemented these systems where you're sharing data, you know that managing consent is very expensive and very complex. And finally we demand access to more and more digital services all the time. And what does that mean?
That means you have to create more and more of these point integrations in the sky for me to, to do things that I wanna do. That's not scalable. We have one bank that gets 350 requests every month for OpenID Connect connections, 350 a month. They can barely put 20 in and manage them. So federation's not scalable, it's impossible. It's to scale to the digital experience I want. And finally, the service provider, frequently also the relying party, wants to warehouse a bunch of data because they're not sure when they're ever gonna see you again.
And they don't know if the data next time is gonna be any good. So they start warehousing all this data and instead of just asking you for fresh data every time they interact with you. So we can see that these digital experiences have not been or not fun for us. It's time now to make us the trusted first party again to the transaction, right? Instead of being peripheral, by decentralizing this architecture, we actually are decentralizing the integration method. The way the data moves, everybody always gets upset.
Oh, decentralized identity. Does that mean I have to delete all my data in the survey?
No, that's not what this is about. It's about how the data moves. The the decentralized nature of it is how it moves and how you're managing it. The account is now on the edge, right? And the cool thing is that consent is built into the architecture including things like selective disclosure.
You have an ability to be in the transaction to know exactly what data is being shared and deciding what you want to share with that relying party. It also unifies and simplifies our user experiences to the, what Jamie was saying omnichannel.
The cool thing about now having it here is that the same experiences I do online, I can also do in person. And in fact when we delivered the Arizona driver's license, our first use case was being able to sell your car and move the vehicle registration between individuals without ever visiting the DMV. And you could do that in the desert with no internet access, right?
So again, even without communications now we can actually interact with each other and with systems app, IOT devices for example. And finally it's much more affordable to implement and manage and operate than the federation systems. Federated systems, you can light up endpoints much easier.
You can light up new use cases much easier. You don't have to have negotiations like a committee, you know, to figure out what scope they you're gonna use, right? And so this will ultimately fundamentally transform how we interact with our each other, with systems, et cetera.
And if you implement it properly, it's the only technology today in identity that will simultaneously increase security, increase privacy, and also improve the user experience. And that's very rare for a technology can do that. I love sitting down with a CISO and at the beginning of the meeting we show him the demo and they say, that's too easy. It's impossible. There's security in there. And after an hour of showing everything, he's like, holy crap, this is so much better than OAuth and better than OpenID Connect. It's amazing, right? And so the security is actually better.
So oops went too far. No, that's right.
Okay, so what, what can we put in these credentials? And I'm not gonna dwell on this too long, but you let many of you already know, but you can put things about your identity, your demographics, your biographic biometrics, your pin code, six digit pin. You can have your affiliation. How are you related to the organization that may have issued that credential? Are you a VIP, are you a a member? Are you an employee contractor? And then what roles do you play? All your eligibility, what entitlements do you have?
What privileges and permissions that can all be packaged in there and purpose like are you supposed to be here today can be answered. And how and when a credential is used, how it should be used, account and policy details. You could even put, you know how much money you have in your bank account as as like a threshold over a hundred thousand for example.
Or you can put your credit score in there. We have one credit union that's looking to do that every day. They're gonna refresh your credit score and your credit, your verifiable credential and really anything.
And like Jamie said, the wallet can become a mechanism by which two data systems can integrate that normally wouldn't be allowed or to integrate because of cost or other reasons, including because of privacy concerns. So if you're the carrier of the information across a border and yarn will talk about this later, it makes life a lot easier for GDPR because the user is the one transporting and sharing the data instead of doing it on the backend. So anything can be stored and really wallets can live anywhere.
Don't just assume it's your mobile phone and the future of Mac Windows, the next version of Windows will probably have a wallet in it, right? So wallets will be all over the place that you'll be able to leverage for yourself. So we solve really tactical and strategic challenges. And this is the cool part. We can do some tactical things now and, and yarns gonna get in this, in the financial services side especially.
But few technologies can do what we talked about making everything better. And this is the world we live in on the top right? I hate this world.
Like yeah, I had some stuff I bought at Christmas for my wife and it went to my old address 'cause the payment app, I forgot to update the address. So I had to call the new tenants 'cause we were renting there and beg them, please send my $3,000 worth of pots and pans for my wife.
You know, like special gift. And I may have lost the whole thing.
But no, they were nice and kind and they forwarded it. But the point is that's the world we live in up above with us in the middle. Now we're gonna be the trusted first party and we can actually take more control of our life. So we're gonna go into some global implementations for government right now.
These are some stats from a World Economic Forum report from last summer that I really appreciated on the right that some of the comments they made. But on the left you can still see some challenges for the world. 850 million people still lack a government ID. That's not good, right?
And then 24% of adults around the world don't have a bank account and 26% of that 24% said their lack of documentation is the problem. So we need to figure out how to help them, you know, transact business.
And then there was a deep dive from the, from the McKinsey group where they studied seven different countries in detail that have digital id, but it was, you know, it's not fully deployed and using federated models, which was already implemented in those seven countries, if you would just make it more full on and, and actually roll it out everywhere the GDP of those seven countries would go up three to 13% by 2030.
Now if you make it decentralized, it'll by nature it'll go up even farther. Why? Because you can do stuff in person, not just online.
Just adding that channel could rev, you know, add a lot more GDP, right? And when I did the Bangladesh national id, we rose the GDP 7% the first year after they had their first id, national id. So it can make a huge difference, right? And then I thought you would enjoy this looking back over time, kind of back a little bit, nostalgia like Jamie had. But the very first photo id, many of you may not know this was invented in May, 1876. It was a guy named William Notman. He was a celebrated photographer born in Scotland, but living in Montreal, Canada.
And it was the US exhibition in Philadelphia in 1876. He invented this idea of photographic ticket to control who could come into the celebration and when, including workers as well as visitors.
And that was the first photo Id ever made in 1876 going forward. The first e-government website was 1991, but it was in the form of a bulletin board service. That was when the, the concept of e-government began the first mobile fingerprint reader, which I had the honor of actually making as a product manager.
1998 was used by the New Jersey State Police to check the FBI database on the side of a road first phone with a fingerprint reader in it. It wasn't an Apple device, it was Siemens, Siemens phone, Microsoft passport. Maybe some of you remember that adventure that Microsoft, the concept was great, but it was way too early, right? And then the first sharing of data with PDAs, you remember the old infrared port on your PDA and you could zap each other's data, right?
Well, right before nine 11 we were doing a project in New York. We were sharing digital tokens through the infrared board. So it was actually an encrypted token to represent your identity. It was pretty cool. Very early.
Estonians cast the first, oh wait, before that PingFederate is founded as, as Frank mentioned, that was the first use of the term federation. Ping invented that term. Many people don't know that. And then 2005, the Estonians cast their first digital votes online. So the first country in the world where you voted in an election over the internet.
And in 2007 by the way, they had their first mobile app where you could vote on your phone. 2010 social login begins, login with Facebook. And then 2014 was the first mobile driver's license pilot in the world in Iowa of all places, the heartland of the United States.
And 2015 was the first demo of a blockchain Id ever.
It's, it's on the YouTube if you ever want to go visit and watch it. And then 2019, when we rolled out the first standards based driver's license and it was the state of Oklahoma, a lot of people are shocked when I say this. The state of Oklahoma had the world's first interoperable mobile driver's license. And then now here we've arrived May 21, just recently. Now the eIDAS law is in full force starting there and there's 24 months before it all has to be wrapped up in a nice bow and presented to the people as it were, right? And if you look at that 24 months from now is May, 2026.
And look what it is, 150 years to the month from the invention of the first photo Id. Pretty cool. So I dunno where you all are gonna be, but we gotta have a party.
We, we gotta meet somewhere May, 2026 and celebrate the transformation of identity. I hope this is helpful. It kind of gives you a, a sense of a timeline of where things have gone.
Well I failed to mention the first digital smart card national ID was 1990. The Malaysia MyKad, before the internet. Okay? So some projects, first one's Louisiana driver's license.
It's, it was actually the first fully functioning mobile driver's license in the world. It was, it's, it was proprietary. There was no standards involved. And since its launch, it's been really proven that use cases matter the most, right? If you don't have good use cases, nobody's gonna use these things, right? And nobody's gonna get 'em. And so they created an environment in a closed ecosystem. So the same organization that delivered the driver's license made sure there's places you could use it right away, including age verification.
And actually Covid helped them a lot too because for picking up liquor and things like this and home delivery of liquor and things like this, they were, it was being used, right? And now they've got, they've graduated, they support 18013-5, they can now be used at the TSA checkpoint. They have about 1.8 million users enrolled right now and you can do a lot with it. See all the different credentials that are supported in there and they monetized online verification. That was one of the cool things and that really drove the ability to people to actually sign up.
My Colorado is a ping program. So ping identity delivered that 2019.
It also was very focused on use cases.
You know, let's focus on some use cases where you can use this thing. And I think if later, if you want, Frank can show you his my Colorado app and his hunting license. He's a fisherman and a hunter and it's really cool. You can look at the different animals you're allowed to to have how much fish and things like that. And that can change in there. In Colorado, we, a lot of people do hunting and fishing, so that's an important one for us. Vehicle registration, I just used it the other day to prove my car was mine. And it works with law enforcement. That's important too.
And you see the ratings in the store and it's over a hundred thousand reviews. So it's legit, right? Like that's enough people to make that legit, those numbers. And we're gonna be adding now verifiable credentials and ISO standards.
California I mentioned just because it's a pilot that has over a million users.
See it's, you know what the sixth largest economy on the earth. So this program's very cool. A lot of open source was leveraged in this by the way. And you can use it right now in Sacramento to do age verification as part of the pilot. And you can use it at certain airports in California to, to go through the TSA checkpoint and they have some login apps that you can play with as well. But it's a pilot still. But there's a lot of hope for this one going forward.
And then of course in we have to mention the platform wallets, Google and Apple, they've installed direct issuance services into these states here, Arizona, Colorado, Georgia, and Maryland. So knows Colorado has both, you can use it in Apple wallet or you can use it on an app. Makes it very flexible. You can do a lot more in the app of course than you can do in the Apple Wallet. And then Samsung right now is just Arizona and they're working on getting the other states in. And of course they all work at the TSA checkpoint.
Apple supports wallet APIs for age verification and identity verification. And then Google has an SDK for that.
And over a million enrolled in some of the states like Arizona and Maryland for example. Greece. So let's move over here to our side of the pond. Now Greece is well along because they've been involved in some of the reference wallet work for eIDAS. They're probably closest I think I would argue, to having full EUDI wallet built in. So a lot of these governments started with like a, a proprietary or virtual way to do the credential storage.
And then they know they had to move to eIDAS later, but it set 'em up to start the process, right? And Greece was one of those national ID driver's license.
Belgium is an interesting one. They claim they can authenticate to 683 services now using the, using their app. It's really a virtual wallet, so it's like electronic mailbox. So it's not quite a true wallet yet. But that's coming with eIDAS. And the cool, the interesting thing is in Belgium they have a very successful digital ID program that's a public private partnership. And the banks and telecoms have taken the lead.
And the challenge now is they're conflicting with each other. Like there's already 7 million users in that. Like why do I wanna switch over to this new app, right? Like that has to be managed and messaging to the users in the future to make it successful.
France, I love this one. The president posted on the internet, I dunno if you all saw this, he sent it out over LinkedIn I think, and you and a couple other sites.
But he presented his digital driver's license next to his physical one and that was just in February I think. So they're on their way. The residence permit's coming later in 2024, then EUDI next. And then I mostly focused on Europe and the US for this conference. But I wanted to mention this one because I think it's quite cool in Thailand and, and these are all gonna be, you know, verifiable credential based.
But in Thailand they've done some cool stuff. Now currently they have a digital id and look how many applications you can log into.
1,626 services. That's pretty neat. Out of 2,376 total. They've already had 10 million downloads on Android since June of last summer. We don't know the exact count, but their goal is to have 50% of all the nation using digital IDs later this year and a hundred percent by 2025. And they're adding in verifiable credentials and wallet right now.
But that's gonna be an interesting one because it's such a large population, right? And it's the first leader in Asia to do this stuff and maybe hopefully to interoperate with eIDAS. We can only hope.
But that just kind of goes through some of the government programs and where we're at. And we wanted to jump into eIDAS. How am I doing on time? I got eight minutes, so I'll do this quickly, but you'll get the slides later. These are the main tenets of eIDAS. This is the European law that went into effect May 21st: eliminate private and disparate ID methods, unnecessary sharing of data, be recognized throughout the EU. So the interoperability across, you know, borders and then the relying parties by law have to support the new digital wallet and credentials.
So like anything over a certain size in certain market sectors, the law says you must support it.
So banks have to support it, Amazon has to support it. So you can go use it to, to log into your account on Amazon, for example, right? Facebook will have to support it, right? So this that's written into the law. So at a minimum, these organizations will need help verifying these credentials even if they never issue one, right? Does that make sense? No cost to the user for the validity of the wallet or the relying party.
But of course various issuers, there may be fees involved and there may be different ways to recapture this fees. This is the construct on the left hand side is the, the different types of issuers that the categories. The first one is PID, personal identification data that's reserved more for government. That would be your national ID, your driver's license, et cetera. So when they talk about PID, that's typically what they're referring to.
Will, will a bank ever be a, I can't answer that question right now. It's not envisioned at the moment. So that root of trust is supposed to be that in the government. The qualified electronic signatures and SEAL providers, these are organizations that could be private organizations that help you create a ability to sign transactions with the wallet.
And it would be QES, which is the highest level of signing. And then you have what are called QEAAs, where these are organizations that deliver qualified attributes.
Again, they're thinking government like birth certificates, marriage licenses, you know, data around that. Will a private company ever be a QEAA?
Yeah, absolutely. Especially when they talk on behalf of the industry to these backend government systems. So the idea is that a lot of these government agencies will never be an issuer themselves directly, but instead a private organization will help them get their data into these wallets. That's what a Pub-EAA is, by the way. And then they, they've created a category called non-qualified attributes.
Basically, you can think of it as non-government attributes. And this could be banks, it could be retailers, whoever wants to issue into that wallet, account information, things like that.
The digital users in the middle, of course, the wallet. And then on the relying party side, this is how the transaction occurs first. First of all, trusted verifier is built into the equation.
So the, you will never have a rogue verifier trying to harvest data from your wallet, for example, that's been thought through. Presentation requested. And then select data is provided by the user. And then you know, the data source and the identity can be confirmed by the verifier. And this source of trust on the bottom is probably, you know, X.509 or some kind of PKI technology or a list, trusted list, or a combination of both to be able to know which relying parties are good and which issuers are good. And those public keys are used to, to validate the, the credential.
See, these are some of the standards that we're, that are in the spec for eIDAS for issuance. On the left OpenID for VCI is included. There is an ISO standard as well that is in design for issuance. So we may have multiple flavors of issuance. These are the formats of the credential in the middle that can be used. And on the right hand side is the, the, the OpenID for VP, verifiable presentation, is the primary standard for presenting. There's also a flavor of that in ISO and also a REST API that's inside ISO standard 18013-7 for remote presentation driver's licenses.
For in person it's 18013-5. Again, there'll probably be a, a generic flavor of that for presenting in person. But we also like this other one called OpenID for VP BLE. So it's the same kind of protocols at the top, but used in person through Bluetooth.
Right? So those are some in consideration. The idea is to be able to cover those in person and local proximity flows and online flows. And for source confirmation, the EU member trust list, there's gonna be a EU level as well as a member. Each country will have a trust list, they'll roll up.
And then there'll be other things like did:web, which is an easy way to put public keys on your internet site. So it's very unlikely that sony.com is not operated by Sony. So you can link what's called DIDs to the did:web for your verification there.
For EAAs, it makes a lot of sense. Here's the issuance example. So this is the steps that you would take
QR code, or you could have a push soft key. The user consents the experience. This is getting a PID. The device is checked for bots and risk and reputation. And then the user's information, mobile phone, email might be checked as well and validated against anything that's on file. The physical ID is verified.
Maybe NFC, it's to scan your eID here in Europe and pull data from it. Or you could just type it in even. And the live selfie is probably gonna be matched against the system of record, right? So they will live selfie match back to the database. It could be to the ID itself if you use NFC. The user enters either a preassigned code or selects a PIN that'll go in their credential. And the wallet trust credential is verified.
So these, each wallet will be validated to be approved by the government. They'll be certified and the capability of that wallet will be represented in a digital credential and protected against policy for that issuer. If it meets their requirements, then you'll get a registration experience with that wallet. It'll pair for the issuer, and then you'll get your credential into your wallet.
So that's, that's the typical process people are talking about in a nutshell. And this is a typical verification example.
In this case, you might be presenting two credentials.
Your, your, let's say your national ID alongside a, a qualified birth certificate or a, sorry, like a marriage license for example. Again, starting on the left, the unlocks the device. They go in to scan a QR code or hit a soft key, trusted verifier status is confirmed.
So the, you can trust that relying party attributes are requested from the, from the government id, as well as the, let's say the marriage license. The user consents the presentation of specific credential and attributes are verified. So a portion of the data from each credentials all packaged and presented the wallet trust credentials verified. So this is a controversial thing right now that the theory is that relying parties will have access to be able to validate that the wallet is a good wallet. Some say that should be inherited trust 'cause the issuer already issued into it.
So why does the relying party gotta analyze it as well? Others say, no, it's important to me. I don't wanna necessarily wanna trust every wallet I encounter.
So, but that's built into the eIDAS arrangement. Right now. Photo pen is verified against live data, for example, and the transaction signed and added to the history in the mobile app. So these are sample flows for you all to take away. Just a quick thing on authentication versus verification. There's a lot of confusion around this. Everybody thinks, oh, it's just gonna be FIDO everywhere and it'll be local matching on my device. And even my wife will be able to release data outta my wallet because she's registered with a fingerprint in my same phone.
And the truth is, no, not all use cases are gonna be okay with that. If you're, you know, if you're interacting with ikea, maybe they're fine with it.
But if you're actually doing something with a bank and you're moving a hundred thousand dollars, that may not be sufficient. So you need to step up to do server side matching. These are the different areas where it can be, can be done. So on the left hand side is more device bound. Anybody's data could be in there. Now there's passkeys, you can throw 'em out to all your buddies and friends.
So there's some concerns on the left side for high value use cases, right? The middle is kind of a, a software application doing the matching locally, but it's using the data inside the credential. So it's a little bit better, you know, it's unique, at least you know it's Darrell. But do you trust the processing to take place on that endpoint? Not necessarily. The ultimate is having server side matching of credentials and pin codes, right?
And then you have the ultimate control as a relying party.
The relying party can do the matching or maybe the PID issuer could offer a service to do authentication. You know, do the matching as a service, right? Online. So both are possible, and these are the four large scale pilots. And if you click on these links, you'll be, you'll, I guess you'll have that in a PDF, you'll be able to go and look at each of the pilots and what they're doing. But these are the four large scale programs that kind of prove out eIDAS as something of value.
It, it's a, it's across the whole spectrum here you have digital travel credentials and the first one, the second one is all about banking, telecom, and government kind of a blend, including health. The third one is about payments. So primarily for using the wallet for payments. And the fourth one is all about being able to interoperate across borders in a trust framework model. So there's various use cases under there. All right. Questions? I don't think we have a lot of time here. I think it's break time, but if you have any questions I can take some.
I think yes,
Speaker 10 01:09:12 Countries and places get percent digital. I think. What about my Luddite mother-in-Law North, who still walks through the bank.
Sure.
Speaker 10 01:09:23 Doesn't have smart.
Yeah.
Speaker 10 01:09:25 Are we forward to leaving behind old people Luddite ice
Or No, I think what'll happen is there'll be a period of hybrid operations for a while, you know, as generations come up, for example.
So no, you'll still have a lot of the old models including in person. But honestly, I was on a subway the other day in Washington DC a woman was 98 years old and she was more savvy on the iPad than I was because she learned it under Covid talking with her family and she knew how to do things on the iPad I didn't even know existed. Right? Like so it just depends.
Don't, let's not paint a broad brush, you know, it depends. But of course we'll be in hybrid operations for a while, including federation. By the way, federation's not gonna instantly go away. Right. You're still gonna have these point integrations have to build some more during this transition phase, right? Yes. In the back.
Speaker 10 01:10:13 Thanks. Good stuff. So can you probably question, but if you're familiar pilot, so you showed, you know, basically opening up your phone. So they say that you visual identity well should be level high. Two or three factors.
So I guess you're using pin and device.
Could be, yeah. Depends on the use case.
Speaker 10 01:10:40 There's no user bind, don't bind to a natural person. Just need to guess.
No. The anybody
Speaker 10 01:10:47 Using biometrics for that.
Yeah. All the US state driver's license for example, use a remote registration for the digital credential and you can do a biometric match against the system of record, right?
Yeah, it is true.
Speaker 10 01:11:00 I Maryland, I had to go in person again
Maryland.
Yeah, some, some issuers are gonna require you to be in person. That's true. Like I know in Austria where yarn is, you have to go in person, for example, to get it in Thailand also.
For real, you
Speaker 10 01:11:14 Have to be in person to get that
Initial initial. Sure, yeah, of course. Doesn't mean you can't remotely get your digital one later. So a lot of states do that today in the US and
Speaker 10 01:11:25 Require ISO 1 7 4 dash five quality photo be in the D.
Sure, yeah, no problem. Yeah, that happens today. Yep. Even Apple has it in Apple wallet. It's the official driver's license photo.
Yeah, I was just
Speaker 10 01:11:40 Wondering if in the EU digital identity wallet, in your experience, anybody's using a biometric according to the EU is comparing against author.
Yeah, actually most are requiring you to be in person actually.
Okay, great. Right. And then you, they do selfie matching, right? In Belgium, they match you live with a camera, then they show the result to the operator sitting in front of you. So yeah. Next question. Somebody had one. One other one. Somebody had their hand up. Yeah.
Speaker 10 01:12:13 You talked about the benefits of decentralized
Yeah. Federation.
Speaker 10 01:12:21 I federation also.
Sure, sure. Yeah. Even the verifiable credential standards are built on top of OIDC. Why did we do that? Because there were lots of developers that already knew OIDC. So it's actually a smart way to help get you more of the way there as a, so you didn't have to learn something from scratch all over again. Right. Does that make sense? But of course it has extended capability. It makes the wallet look like an IdP, an OP. Right. SIOP v2 allows you to know that that wallet looks like a wallet so you can snip to the wire in the sky and reroute it through the wallet.
And the applications don't have to do a thing. They don't have to make any changes. Right. Yeah. That's why it was built that way. Yep. I think we're good. We have coffee break now till 10 30.