We close the door just so that we lose some of the outside volume, those that are hanging around in the shadows. Just outside. Welcome in and hello everybody. Thanks for joining us at this set of talks and then open discussion at the end around decentralized identity in government and financial services. The talks that we had before the break gave us an introduction to the business and customer value of decentralized identity and went through some use cases and live deployments of in government services.
What I thought was interesting that Darryl didn't mention was that the German government have just chosen through their innovation guide, I think it's six different pilot teams to be building out their implementation of digital wallet as well for adoption here in Germany. Worth plugging. So something else worth plugging is our Q&A gathering.
Slido, please give a quick scan of the QR code.
We are not gonna have Q&A in between the next talks. We're gonna go straight from one talk into the next. So please save your questions to be addressed by the panel as a whole. We'll have Darryl, we'll have Jamie and have Yaron as well coming up to answer questions. So I appreciate you holding your questions until the end. There will be time to have that open discussion. So Darryl's going to come back onto stage now and having looked at adoption in government is going to look at adoption in financial services.
Those of you that already heard Darryl's intro, I'm afraid I'm gonna read it again. So here we go. Darryl is product lead for PingOne Neo and has been on identity and access management for 25 years with his first job as the first product manager for Touch ID, which I thought we actually saw a little sneak preview of in the earlier session. Most recently before joining Ping, Darryl led the team that built and delivered the world's first interoperable mobile driver's licenses across multiple US states and built the TSA security checkpoint Verify.
So Darryl, if you'd like to come up and take us through use cases and deployments in financial services,
Hopefully I won't show my Gmail this time. There we go. Okay. I added my one more thing. Improving user experiences. So I'm gonna be talking about a little bit one of the reasons.
Yeah, just
There we go. One of the reasons that verifiable credentials and wallets can be very compelling is the user experience aspect. So I'm gonna cover that a little bit and then toss it over. And we're gonna go into some real world use cases as well. So one of the things we talked about was this, and Frank brought it up, was this, constantly re-proofing yourself over and over, trying to build trust over and over and over again. And so obviously that's one area where we can greatly improve the experiences and banks especially are concerned about this.
'cause today if you open a savings account, then two weeks later you apply for a credit card, you have to start all over again, right? Like it's, it's crazy, right? They don't even have autofill yet, right? That works. Even your webpa, your websites never work, right? Web browser. So being able to not do the redundant checks over and over and over again, that's one of the challenges. Gartner says that 90% of the checks that we do are completely redundant. 90%. And that's why the identity verification market is over $18 billion market, right?
The other thing is OpenID Connect. If you're a developer or worked with developers, you know that making OIDC work in the mobile world isn't always as easy as you think. And the user experiences, especially for exception cases when it doesn't work, is a nightmare. And the users get very frustrated very quickly and the, and actually this ugly experience as it were, can be solved with credentialing and wallets. So we've solved the issue of all the exception issues around OIDC and that's one of the, one of the banks we talked to.
That was the reason they started down the path with verifiable. It was the only reason in the beginning. And then later they started picking up on these other values and benefits of it and started adding more and more use cases. The other thing is, we already talked about this context, switching across all these different plethora of methods and modalities and for authenticating both online and in person, being able to harmonize that and have the exact same credential that's used online, also used in person.
That's, it's really a game changer. And so the experiences can be very similar across it. If you know how to interact with your bank online, you can also do it in person.
And with the privacy and data sharing laws and regulations now and the increase we talked about in the previous session how federation can't scale, the other thing that can't do well is, you know, help deal with some of these new regulations that kind of isolate what data can be shared between these two servers right in the sky. So the regulations are getting tougher and tougher and tougher every year, right?
So federation struggles more and more, but if I'm carrying it with me, by default, consent is built into the architecture. So I'm now the one carrying the data instead of point to point in the sky. So applying for a new service is one of the ones in financial services that we see. This is the flow of a big UK bank that we're rolling out. And one of the things they want to be able to do is reuse that proof.
It's a simple example of a use case, but if I've already proofed myself once to get a service, A, why would I, why should I go through the entire proofing all over again?
Even if the regulators require some of it to be redone, that's fine. But take as much as you can from the original proofing and recycle it right for your other service B. And in their case, they're also gonna put credentials in the wallet that represents each account that you have. So because another use case they're gonna have is payment for using your credit card on the internet. So they want to have these service credentials, account credentials inside the wallet as well.
But you can see the user being able to get proof once being able to get that first credential in the wallet, that identification credential or KYC credential. And then being able to present that the next time they get a service A and service B each time they can re-present the credential with the proofing. And you can put as much detail about that proof as you want in the credential. What level of assurance, how was it proofed, even what systems of record was looked at or how the data was analyzed and assessed by that bank. That can all be captured as metadata inside the credential.
So that's kind of an example of a use case that's simple, but that's very powerful and like Gartner says, 90% of verifications are unnecessary. So maybe someday we'll be at a point where this use case is more than just the UK bank and all over the world. Right.
On that, I wanna thank you and I'm gonna pass it on to our next speaker. David,
Are
You?
I am, yeah. We're gonna be ahead of the game.
You've upset the agenda slightly there no
More time for the demo.
Okay. Was expecting there to be a few more use cases to be walked through there. My apologies for that, but we'll move on.
Yaron, are you ready already? Yeah, to jump in. Cool.
Okay, in that case we should be good to continue without any ado, if we can get the screen up and we can progress to the next slide. Cool. So Yaron is now going to speak to us about some differences, different approaches towards assured identity and look at what answers DCI brings to these use cases. So Yaron is working on everything CIAM, onboarding, authentication, authorization, payments and approvals across Raiffeisen Bank International's group of banks.
He's seeking how emerging standards and solution patterns can harmonize RBI's CIAM journeys, improve customers' digital experiences and maintain uncompromising security. So Yaron, if you'd like to come up.
Thank you.
All right, seems to work. Good morning everyone. Thank you for joining. And as David said, I come from Vienna, from Raiffeisen Bank International and we are a group of banks. So we're not one bank and head office in Vienna is trying to look at emerging standards architectures. How can we harmonize our architecture landscape?
So by using standards, by using technologies and enabling us to deploy applications that are developed centrally but to be used across our group and therefore increase reuse. And as mentioned earlier, we've been, we started with federation and stepped into the credential space trying to solve the problem of mobile login. So we were trying to develop mobile applications and ensure universal SSO and Federation brings us to the browser.
The browser session is logged out because of PSD2 and then the user needs to downgrade from a native mobile experience to a browser login experience, which is not the UX we want to have.
And so we looked at credentialing as a closed ecosystem so we know who our customers are, we can authenticate them, we manage the entitlements, we know which applications can they, can they use, can we then bake that into a wallet? So what if we take these and create them as credentials in our mobile banking app.
So basically a closed ecosystem where we are both the issuer and the verifier and we were really trying to tap into the SIOP capability. So part of OpenID decentralized credentials protocols, part of it is SIOP, the Self-Issued OpenID Provider. This technology makes any mobile app act as an IDP, an IDP with a directory of one user. So that authenticated user, we put credentials about them. So from the KYC credential we can mint the ID token. So we can say, yeah, this is the user, this is the ID name, email, all the other details we need.
And with the entitlements credential we can control, can you use this group application, can you use the other one? If you can, welcome, if not, maybe we're gonna do the onboarding flow and then issue credential on the fly and, and let you enter that experience. So that gave us some learnings and, and for us coming to an evolving organization where you have different IDP technologies in each of the countries, those are totally different IDP stacks in the backend. So the moment we put this wallet SDK onto the app, we, we level the field.
I don't care if they're using in the back Ping, ForgeRock, Keycloak, whatever. The moment that we meet and converge on that credential, very good for us. So we can now achieve the reusability. And on Thursday we're gonna give a talk about that. But since we have time in the workshop, so our architecture is that relying parties on the left side consume our PingFederate component and that node still uses a lot of federation.
So we can make those decisions there.
So the orange lines, we have the existing federation, the countries in the previous slide that were green are the ones that are already connected. So great this works. But then we add the DCI components. So NV is our codes for network units. Those are banks on the, on the top right side and they can use the Ping Neo platform to do the credentialing work. So they call APIs and they issue credentials. You are a customer, you are entitled to use this application or not anymore, or you get the right to use another application. And all that goes into the wallet.
And then through the work by OpenID Foundation does all the presentation protocols, OpenID for Verifiable Presentations and then we can hook it up and, and therefore our PingFederate can act as a smart router.
If the country uses decentralized credentials, we can route it to the universal link of the app. So instead of falling on the web endpoint, the app pops up and takes up that flow and then the user interacts with the wallet component or the mobile app.
So in our use case, the wallet is not something, you know, previously Darryl was showing the whole issuance flow where you know that you're joining the European Digital identity wallet. So you are very aware that you're taking some steps, you are getting something. In our case, the wallet is under the hood. So it's just a piece of technology that we use to tap into the SIOP capabilities.
The user, in our case, we did a long analysis. Do we tell them there's a wallet? Do we take them through issuance? Do we start explaining what's going on? And we realized, no, it's just a piece of technology working in the background, allowing the user to complete those flows natively in the app.
So for our use case, we can control a lot.
'cause as, as I said, we are the issuer, we are the verifier and basically we push it all to the mobile app, making it a universal authenticator device. So that can be used now in mobile to mobile. So you use one app and you authenticate with your key central app that can be used in web to mobile through cross device. So that's our vision, how we wanna see the future of authentication authorization for our own ecosystem across many banks.
So we, we viewed it as a tool of, of reuse and standardization. But taking a step back from that, we started thinking, okay, what does it mean for us as a bank that does onboarding? What does it mean for our partners who are corporations that deal with retail? And they also need, there's this challenge where we need to know a lot of things about the people we interact with for, for various journeys.
So our ID card, the contents of our wallets tells part of the story about us. Another big portion of the story is our professional qualifications, assets that we own. Job history, income history.
So we all have a physical wallet and we all have this folder at home with the university diploma and asset deeds and qualifications that we've done. And we need parts of these in different journeys and, and how do we get that? And so we were trying to do the exercise of how are we going to onboard customers in the future? How does the EUDI wallet change that? What do we do now and, and can we done differently and can we use parts of the technology to maybe offer this service to our partners?
So what I'm sharing with you is, is parts of our analysis and we were trying to to think how come there are so many solutions, right?
We're gonna discuss some of these patterns in a moment, but there are so many solutions for assured identity. I'm sure a lot of the vendors are here now. So how do you prove someone is who they say they are with biometrics and liveness checks and document proofing, document validation and government EID and a bank id. And yet this, this does not yet enter the day-to-day journeys.
We do, we still do, we still see a lot of these NASCAR lines. We still do the social login, which offers very quick frictionless login but offers very little assurance. And then later, if you're a big player like Airbnb later when you actually need to finalize the booking, does identity verification done? And so we were wondering how come these techniques don't permeate so much despite the need, right? Retailers need to know where they ship the product.
Like in Darryl's example, you, you need to have the right email address to, to send tickets and, and other types of online material.
You want to keep contact with the customers. If you are ordering, if you're, if you're making a flight reservation, you're gonna cross borders many times they wanna see your passport in the issuing country to make sure that they comply. You wanna rent a car, you need to have a driver's license. Maybe they wanna know how many years we've been driving that impacts their insurance requirements. So there's a lot of need and yet we do a lot of social login that kind of triggered our interest. So we're also advising our strategy team and they're trying to think what is our role in this?
So we have a need, as I said, to onboard our customers in a safe way, prevent fraud, establish the identity, comply with customer due diligence.
And we also want to support our, our retailers. So can we offer the something tho those are the questions that we were tackling with. I can tell you that in Slovakia in one of our countries, we use our identity verification platform. So the one that does digi physical id, proofing and resell it as a service. So if someone's a small or medium business needs that service, we offer that as a service.
And especially in Slovakia, they, they offer an API that after you do the government ID check, you can also do another back channel call and, and get more validation on that identity. So does that remain? And so we looked at the different patterns and kind of compare them and said, okay, when we are looking at, at ID proofing, so the physical ID to put it and go through that journey, it, it carries a bit of use of friction.
So you go, you jump through a few hoops, you need to integrate with a specific, so if you're the relying party, you wanna consume that.
It comes with a licensing cost, it comes with an integration cost. There's not a lot of content on the ID card is there at the end of the day. So for journeys where we need more information about that person, many of these vendors augment it. So they're gonna call APIs, they're gonna consult ISTs.
That's, that's in banking. We need to know if someone is politically exposed.
So they, they consult different registries, different APIs to enrich the data and provide more about it. But those vendors can offer good geographical coverage. This is their business model. They will tackle the ID cards of the different countries and the different registries. So you get a lot of, a lot of coverage when you integrate with such a service provider.
And there's good user adoption. So users prefer to go through this process than to arrive in person often. And then there's the classic bank ID where we currently don't offer, but we are asking ourselves should we offer, right?
'cause if we have this credential that I mentioned earlier on the mobile device, it's very easy not to just log into our experiences, but also to offer it outside. So offer it to third parties. Should we play that role?
Now, some of our, some of our countries that you've seen on the, on the previous slide, some of our countries are in the EU, some are not. So of course everyone who's in the EU in two years' gonna come out the European Digital Identity wallet.
That is a, a big factor. Why offer this experience when people are gonna get the wallet? Still many, many open question mark, right?
People need to, the governments need to deliver on time, people need to join in, get the application. So I think it will take time until the adoption really ramps up. But some of our countries are not in the EU so they won't get the digital identity wallet. Some are not in the EU, but are candidates. So they're bridging the gap to, to show that they have everything so that they can promote their acceptance.
So we were asking ourselves, what what about this pattern? And, and we talked to the different, to some scheme providers. And so yeah, so this, this offers more data than, than just the ID card. 'cause many times through the interaction with the bank individuals provide more information about themselves. Does good user adoption? 'cause you don't do this process once in a blue moon. People usually interact with a bank on, on a, a frequent basis.
So, so the friction is not so high and, and the user adoption is, is pretty good. However, these schemes are very much geographically specific. So if you are, I don't know, booking.com or Airbnb, you have a lot of schemes to integrate with in order to achieve internet scale solutions. In some of the cases there might be privacy challenges. So there's always the question, where does the data flow? Does the scheme operator touch the data? Does the data flow through?
Is it, is the, is the customer's privacy really preserved? So it's, it's a challenge. We also spoke to some scheme operators that are going in a more GAIN-inspired model. So GAIN came up with standards, OIDC federation, OpenID Federation.
I think, I think it deserves a rename. It's more like OpenID trust services. So it's a standard that allows discovery, trust establishment.
How can a, a relying party trust an OpenID provider and vice versa. How can an OpenID provider trust a relying party with policy language choosing the right algorithms and supported methods. And there's also OpenID, OIDC IDA, identity assurance. So a way of providing data about, you know, if I do social login, I can be Madonna, who knows.
But identity assurance is about providing evidence about what kind of policies were followed, what kind of governance was done. Did you see the person, did you see him in person? Did you do an ID verification? Did you call an API? What are the methods that were involved? So in these schemes, actually the data does not flow through the scheme. So the scheme provides the directory discovery services, the trust establishment. So the privacy challenges are, are taken out. The data content, it's still banking data, it's still bank login.
So has a good potential and, and through OpenID Federation, this can, this can scale up. So GAIN had a, a global vision and therefore if you call some discovery endpoints and you want to get a bank id, you might through that tree discover various scheme providers that can provide to you harmonized content through the standardization of identity assurance. So we think this is a model that can scale.
Of course we are here talking about credentials. So credentials come into the mix as well. The various US states that Darryl mentioned in the previous session, the EUDI wallet.
So this one requires, I would say, kind of a bit more effort from the relying party. 'cause they do need to learn OpenID for Verifiable Presentations. They need to use a query language and ask which credentials they're asking for. They need to know how to read the format in the EU under eIDAS. They need to register with a member state, Article 6b. So they need to come up and say, I'm gonna be a relying party for this intent and get something that allows then the, the wallet to trust this verifier. So a bit more challenge the coverage. So the EU is EU wide.
Other schemes a bit more specific, the user adoption, yeah, kind of low now, but on a good path to rise right in the EU, it's gonna be offered.
So the vision is that it'll rise, but no one has a crystal ball and can read the future. So we all expect and hope in the EU it's supposed to be without licensing costs for the end users that it's still a big question how to monetize this, right? Who's gonna, who's gonna pay for this? But the whole decentralized identity model gives the, the decision and the power and the control to the user.
So the privacy challenges are, are pretty well mitigated. Data is at the, at the hands of the user, which then opens the door. Maybe not in the EU but also bank ready. So here banks can come into the mix again. So here we, we have the open question, do we as a bank in our subsidiaries that are not in the EU want to take this capability that we have credential wallet already and enable third parties to read our credential and therefore allow bank id.
So yeah, this can allow great user adoption. 'cause you use your, your banking app that you use daily, now it has a wallet functionality. Now we can allow relying parties to consume that. The privacy challenges really depend on how the wallet is implemented in this case.
And, and we can offer a lot of data. I'll, I'll touch on that in a moment.
Yeah, so, so, so this brings us to ask the question maybe credentialing in banking is a good use case, but not necessarily for proving your identity. So in Europe, EUDI wallet is gonna solve identity in a great way. Other patterns are coming up, but there are other needs that you need about banking. So what if you want to go from one of our countries to another country and open a bank account? So you wanna prove the fact that you have an account confirmation. Maybe we want to onboard customers who come over from other countries. And so can banks.
First of all, bank is a, is an issuer on the right side and another bank on the left side or a retailer. So can we exchange information about our customers or empower our customers to prove that they have a bank account to prove their income, to prove credit worthiness.
Let's imagine someone goes from one of our countries to the UK and wants to buy a property, wants to get a loan, so they need to prove things about themselves to open a bank account. They need to prove equity in order to take that loan.
So we could exchange this information based on banking credentials that are, that are not necessarily identity credentials. And to do that, there needs to happen a lot of collaboration. So we need to have this discussion within the industry and discuss not just the credential formats, but actually the underlying data scheme. What do we need to know about the customers in various jurisdictions in order to make that conversation happen? So align on on what's inside there and then the technical format.
And so yeah, if you come from the banking industry and you wanna onboard a customer, there, there are data items that you need beyond identity. So you need to know if a person is politically exposed, you need to know if they are a US person because it has taxation implications. Of course you, you need to know income. So various credit scenarios or you go to some consumer credit, they usually wanna see all three last salary slips. So income is very relevant. Liabilities. Can we put a credit report there and allow the customer to show that when they want to take credit?
Yeah.
And if you talk about small medium enterprises, they, they might have also tax returns, invoices, ownership deeds. So there's a lot of information that goes into a banking use case beyond just establishing the identity that we think through collaboration with peers in the industry could be driving great use cases, but we are not sure this is on anyone's implementation plans or attention at the moment, right? So although eIDAS mentions that it will support additional attributes that are very interesting for us, so our compliance colleagues were like, oh, when is this ready? We want this.
So we're trying to find out, but it seems a good intention but not yet implementation. That's it. Do we take questions or we do it in the final discussion? We'll do the question.
Thank you. Awesome.
Great. Thank you so much.
Thank
Thanks for that, Yaron. Now are we good to go or the, are we battery powered up and all ready for the, for the demo?
Yep, let's get it, get it powered up while we push over to the introduction. So now we've had all the introductions to decentralized identity, to decentralized identity in government to decentralized identity in finance. It's time to lower the tone a little bit and get a little demo going and have a little bit of fun.
So we're gonna have a brief demo, think about 20, 25 minutes from David and Tim here in which we walk through a functional deployment of the use of decentralized identity in an automotive retail environment, having onboarded the user from their physical identity through their digital credential using that and their wallets to interact with these real services and things. So David, I hope that's good enough for you. David and Tim are sales engineers here at Ping and have built out a demo of the technology in action. So I think we just need a few minutes for the little toy car here to warm up.
And while that happens, David, do you wanna plug in?
I'm plug in.
Yeah, cool.
Just hit it on top.
Okay.
So
You may need to make sure that it's ping
Go go. It's
The fourth time you jumped
Suicide pinging.
No, it's, don't use that word. He's a very happy little square of red belt.
Yeah,
So great. So let me just, just adjust my screens and now we can go on. So
Well welcome from my side. So I'm David as mentioned sales engineer here in the D region. And we are currently going from the theoretical world into the some red pill demos showcasing a debt banking scenario as well as some kind of retail car retail scenario. So with which shows interoperability between a bank ID and the retailer itself that uses the bank ID that was issued to identify test or driver, let's call it that way. Okay. Therefore we have some cool tool here.
So maybe when we are at the, at the, at the car retail demo, we would really see some guys more in the front to really see that, that cool interaction with the wallet and, and the car. So as we will have really have some kind of a driving car around, which is enabled via an NFC enabled Apple Pass. So it's really cool.
But, but let's go through the, the name Woods first as mentioned, we have two stages right here. We have banking scenario first. So we had a lot of discussions, we have a lot of cool sessions from Frank, Jamie, Darryl, it's all about user experience, right? It's all about going above the waterline. How Jamie told us is what, what can this technology bring us as a consumer in this case? And we want to showcase what we think is a practical approach on all the stuff that we heard so far. So let's go through that little demo right here.
So how do we see a sign up for a bank account in the, in the in in a real life scenario? Oh let's, of course it's have to wake up, sorry for that, but let's, let's talk through that until it's loaded. What we're seeing in here, just to give you a brief intro, is that we are really going into a registration process for a bank account.
That means we really have to fill out some forms in first place. Then we are going through an identity proofing ID proofing scenario, which, which has some cool biometric fuzzy matching.
So we are really checking the inputs of the form that we see early, that we see in the first stage against the OCR data that was read from the ID document. And if it's valid then we are really proceed otherwise we'll getting an error so that we have some kind of in invalid checks after, afterwards we are just checking some emails and SMS contact details. We're sending out an SMS OTP as well as an email OTP. And in the end it's all about QR codes. It's just we're presenting a QR code that starts our pairing process with the, with the wallet, which was with a sample wallet app that we had.
And then we are getting some credentials issued.
So that's the goal. So let's see if that all works out and how we set that up. So when you're looking on the signups, so we are getting into the registration process, we will getting a welcome screen and then we are getting into that UI which has that form in here. So it really, let's use my data. So now you will all see where I'm coming from and how old I am. So I'm pretty old in that case. So let's go with that one. So the first stuff, why do we need that form?
It's just about that we don't have any kind of API calls that goes into governmental database that has that information. So it's really just for that, that kind of checks at the end. Then we're getting our first QR code. So it's a lot of QR code base, what we're seeing right now.
So now that, let's scan that with camera.
So, and as maybe you've read, read the text here, it's going into the ID proofing process. This is just, okay, of course you have to get aware of all the possible scenarios that way. That's why we have that kind of polling check as well. So we just, it's all fine. So we just go retry, but we're starting on the right side when you're looking at my mobile screen. So it's really about the scanning your, getting into the ID proofing concept and scanning your id. So it's really a live scenario. So really taking off my, my ID card, my German passport. So we're really making a really valid check.
So let's see. So we see, so I'll just make ID card front work out. So we have going to the back.
So, so everybody knows everything about me, not right now, so no worries. So next thing is that what we set up is that we want to have not only checking the ID document, you also want to check the, the data which is in the OCR data against a selfie that I'm doing face not found, let take off my,
So was just a selfie. So everything is successful. And now all the data we sent back to our registration flow, lemme just check that one. So lemme just rearrange that one real quick. Normally it should work a little better. So what's the next, oh, verification fail. So it's really cool.
So what we see in here is that we are getting some error codes that something is not working right. But let's check that again. It's always when showing it live that something really went wrong. So let's do that a little quicker. But as you see, we really have every kind of failure scenario as well. That means if there's something not detected or if the face ID, the liveness check, is not working properly, we are really getting errors in every kind of scenario that can be handled in any way. Let's do that real quick.
Maybe there's something wrong with the, with the, with the pictures.
Take a picture.
Ah, but I think there something, I think that's something wrong with you. Let, let me just try because it's, it's a little mirroring I think.
So the, the photo that are taken are not on the quality that is needed.
Is that glare on the ID document?
Yeah, I think it's the lights. Yeah, it's a problem with the lights and the mirroring on the, on the document. Let me just check that one. It's always about lighting as you know, I think always when you're doing some kind of a PostIt end, which is really familiar.
Yeah, I think I can, I should take that into my hand. So, so it's good that we have more time than expected.
This is why we
Need, that's why
We need to get away from all
This.
Yeah,
So let's check, I think here should be a little bit better. Now it looks much better.
Oh,
What's happening with the light here? I think we really have some problems with the light. Lemme just check that real quick. Just to just put that on the
Yeah,
Lemme just check.
Sorry, sorry for that. So we have that at other fairs as well, so the lighting is really a problem.
Do you have registered?
Yeah, we can, we can have, we can have Try it one more time. We just let, let me just block that out really quick so that we can really have a proper scenario afterwards if everything works. So we just, let me just put that somewhere, which is, huh? Just
Where's
Just the lights? Lemme just here. I think that's
Should be better.
No, it's just
Otherwise just why we don't know exactly what's happening otherwise. Well, let's, I have, we have some, some vi it's just verification failure and I don't know exactly why. Document facial comparison document in bureaus license check.
Okay, let's give it, let's just let, let's try and then we'll go into a, a video that we recorded so that you, you see everything is should work probably. So it worked this morning. So
You already have a thread in your wallet though.
I,
Of course not. So, but let's, let's do it. Let's just go through the choose some recordings that we have
Recording.
Yes. Okay.
Do we get audio through?
We don't need it.
Just walk, walk, walk you all through.
So,
So let's, let's go through, sorry for that. We'll take, we'll check that. So this normally it should look like that.
Oh, this is just, oh, let me just, don't thing wrong video. We just need the sign up. We wanna see. So this is what, what I wanted to showcase in the live scenario. Don't know exactly why the other one's not, not working correctly. So it's the same, the same version. So you see that I'm just filling out the, the form here as I did before, afterwards going, going to continue. We're just also seeing the process of the ID proofing on the right side, scanning the QR code and requested information. Of course you see that my document currently is not that mirroring.
So it's the same document that we saw before
Also
With capturing selfie. And what's next is that on the, on the left side, we are just presenting what we have read out of the, out out of the ID card. So it's just for you, for us proving that the OCR data are correct and you can also, if necessary, you can also correct them if necessary when you're just going to continue, it's all about the verification, the email and the SMS verification part. That means that that's pretty easy.
It's just an email, an OTP that was sent out to the contact data you entered just entering that here first for the email afterwards for the SMS that was sent out. Pretty standard stuff. And then afterwards, so after everything is completed, right down here, you have the second QR code. And second QR code is for the wallet pairing. That means you're opening up your wallet, scanning the QR code. And then we are, we are triggering a pairing process that ends up with issuing some credentials in, in, and of course with an authentication on the left side into the BX finance service side.
What you see on the right side is that we have issued more than one credential.
Let me just put that up. So currently we have issued three credentials: we have an ID card, we have a contact card, and we have that account. That means it's not only necessary to have one big credential which holds every kind of information. So we couldn't really split that up and really separate the data. So that's what we did here. So that we say, okay, we have an ID card that really represents the ID document that was read before.
And then we have the one for the contact card, because maybe when you're just giving content for newsletters you just have to read that kind of data. So you don't want to give them all kinds of information out of the bank ID; that's why we came up with a contact card. And last but not least, of course when you're signing up for an account, you should have an account card that holds all the kind of account number and expiration dates and whatever. So that was the intention about the whole banking scenario, right?
Going through ID proofing, checking out some contact details and then afterwards getting some of the credentials issued.
And now, so definitely I'm a little worried because I don't have the credentials anymore, but maybe Tim or so what we, what we are now doing with the, with the book test drive thing. So we want to really get that, use these kind of banking services or these banking credentials in a retail scenario.
So like, just imagine that you say, okay, we have, come on, let's see that one. Let's,
There's
My mouse here. So let's imagine that there is,
There's another relationship between our bank that we saw before and a car company that is called Cheetah Cars, right?
So let's imagine that they have some kind of relationship and Cheetah Cars are using financial services from neo bank due to leasing or financial stuff, and why not use the bank ID, for example, to identify a person, and also why not use the contact card that we've already seen just to send out some confirmation emails when they signed up for a test drive, right?
So this was the idea about that we say, okay, as also said, why not using the bank credential for third party services so that you don't have to store any kind of, or that the the third party service has to grab the data from forms or whatever. So this was really the idea. And what's also behind that one is that at the end we don't, we really wanna have the, the easiest user experience ever.
So we just wanna have a sign up using QR codes and, and at the end everything should really be via email or so on or via issuing another credential to really get access to the card as well.
Because during the process we have to say, of course, when do we want to have, when when does our test drive should be on? What kind of date, what time? And that's all about what credential also offers.
Oh, we can really offer you. Okay.
It's only activated on that special date, at that special time, as well as for maybe only two hours, right? And afterwards it is revoked. Everything can be in there because it's inbuilt in the whole credential scenario. And that's what we wanna see as well. But first of all, I just have to check the other one, and then we really let this car drive with an Apple pass. But let me just rearrange the BX Finance, because I'm really sorry about that. This is not working as expected, but let's find that out. We'll get that.
So just give me, give me some more minutes to really prove that we are doing, we are not faking anything in here.
Try somebody else's I
Otherwise we have, we have, we have, we have credentials here, huh?
Try
My, yeah, also you can also try my driver's license. So this the next scenario like, like that you can use different ID cards and have of, of course when you're looking at a driving scenario, you can really ask for a mobile driver's license as well because only if you have, no, not that you're, you definitely can prove that you are personal and then you are over 18.
But does that mean that you have a valid driver's license? So it's really everything that can can, can be used in the presentation request.
So it's, it's really a cool thing right here. But let me just check that again. Let's do that with my driver's license. Maybe there's something, maybe there's just something
Yay
Driver's license working.
Yay.
Okay. What you really see is that you see my driver's license ID number, so everything of the OCR data is here, also my thing. Then we have the same procedure right here, but I can just, I think, if you believe me that this works. So if you wanna take a photo then you have my contact data as well if you have some questions afterwards.
So this is really just about the OTPs, and then I will just give you also my phone screen as well to really give you the credentials, so that we really have some credentials in here. And then we'll see the onboarding scenario for the test drive. So SMS verification done. So you'll see that we have that QR code. Let me just plug that in again so that we see that one. Oh, so that's in here. Let's pair that one.
So now confirm the pairing and after, well no landscape mode, that's fine. And now we see that that's actually working. So it's not, not only on recording.
So it's actually working and we definitely get these kind of three credentials. And you see registration completed as we saw on the records. And so just really also for what's you into the BX Finance. So it's really working, it was just about the lighting and so on. So it's really sensitive, which is really good to be honest, but it's definitely working. Now let's go into the Cheetah Cars Glitch page. When you're going in here, going into book a test drive, you definitely also see a lot of interactions.
More so you have seen some kind of a dialogue interaction on the first proving now we are going into this OIDC redirect procedure. Now it's just about what do we want to do first?
So let's go to wanna book, book a car, drive at at fancy cars, when do you wanna do that? I think maybe tomorrow would be fine, then we're going into 1130, let's agree on that, let's continue. And then you just say, okay, how do you want to identify yourself? So of course you have to deliver more than one option as we mentioned.
So we have problems with the requirements, like do you really have some kind of a smartphone that gets all the information, holds all the information. So that's why we need to say okay, we have that option. Now let's go into digital credentials. So what we are now doing is we are just scanning the QR code again. And what it's now doing is really opening up a presentation request and ask for share the question here. Also what we've seen, so this is really a high level wallet app on what we see on there.
There's nothing in with selective disclosure which makes it more effective to really interact with the data. But what we are doing right near is is that the presentation request, we see the, the result, the output, we see it on the left side what we, we are asking for two types of credentials. So we are looking at the for the, for the identification proofing and as well for the contact card so that we really set can send out the email for confirmation, the whole stuff. So that's all about just showcasing what's working.
And then of course, last but not least, we want to have some kind of a newly issued wallet pass that holds our test drive information. That's the same procedure, but as mentioned before, a lot of QR codes involved. Of course we have to go for push in some scenarios for sure.
But that's just all about, but it definitely makes everything a little easier. You don't have to fill something in forms, it's all about just scanning that you don't have, you only have to have your camera under control to to to make that all work. So test drive registration completed.
And what we see on the right side after a couple of minutes is that we are getting a new test drive credential issued. So it depends a little bit on the on think then let's go. If the others shared their email account then I will do that as well. So what we are sending out, so on the right side you see the Cheetah test drive pass. In that case you see, okay, what kind of brand it is, the type, you see the dealer, you see the date and the time. And on the left side you also see that we are sending out some notifications.
Means we are providing you with an additional pass that is connected to Apple pass to get the whole whole NFC enablement. So this is one of the, the things that we need to really get NFC enabled because as Darrell mentioned, so we're currently the standards do not, do not support NFC so far. So they're in progress. So first mail on the right side, thanks for signing up, test drive and then we're going into the digital car. So it's the same procedure when you're booking a flight, right?
So you're getting this information then you have to add that to your wallet and afterwards it should be in your wallet as you see in here, right? So you have your biometric scan, then you see that there is NFC enabled and let's now move to our fancy car. Now we see the beep beep and now it's takes some time because it's really just rising up the spun end as you see card starts and of course we have cresto. I think that's the next next scenario what we have to this now we, when you're to to banking scenario, you have to have a good insurance as well, right? So it could be also in, okay,
Yeah.
So real life scenario, right? So yeah, so it's just all about an accident during a test drive. So it's all about credentials as we know.
Okay, thanks guys. So that was from my side to see a little practical, sorry for the accident but happens.
So, and we had some laughter, so thanks guys.
Thank thank you David. Don't say a live demo. Don't do a live demo. They said they just show a video, it's much more reliable. The live demo won't work. Well we hate to prove them wrong, but now there's water all over the floor and you know, smash glass and we'll have to move the panels but that's fine. Thank you so much. That was excellent. Well I enjoyed seeing other than you know, the, the event at the end should we say the issuance there of the two credentials, both the contact information as well as the actual verified identity information.
And it's not just the friction of doing those heavy interactions like validating your passport to say you are a real person, but it's about minimizing those interactions that you have to do jumping over to your email client just to do one-time passwords that you can now get the benefit of just through DCI.
If you are a verifier, if you're an RP and you have a trusted issuer that's already done that verification of the user's contact information, then great, you can just call up that contact information, trust it straight away, do it using the same type of experience, using the same type of flows as you're using to get their actual identity information.
So it's about creating the same reliable interactable experience with the user no matter whether you're requesting something like their email or their passport or an account piece of information or something that they may have claimed about themselves. So that was, that was, that was a great little diversion from the rest of the talks.
Yaron, are you ready to come back up? So Yaron is now going to come and we're gonna talk about cars.
No, we're not gonna talk about cars anymore. We have a problem with NASCAR, with NASCAR login, where you have multiple options for IDPs to use to log in, and Yaron is working on a solution with modern standards to help mitigate some of these problems. And I won't act as a spoiler for it, but Yaron, if you're ready, thank you. I'll pass over.
How, how do you top David, you know, to be after that just
Right, so I showed previously that we have these NASCAR lines, right? Log in with Google, log in with Facebook, and if we talked about identity patterns, how do we break it up? How do we recompose them? How do we allow relying parties to discover relevant OpenID providers and interact with them? So this April, a couple months ago in Rome at the OAuth Security Workshop, Tim Capelli from Okta and Sam Goldie from Google had a talk about FedCM, and they were coming from a totally different angle.
It's a method of reducing tracking. So I don't know if you heard about it, but these tracking mechanisms that impact us throughout the internet with third-party cookies, link decoration, bounce tracking, that's a privacy concern. And they were focusing on these three and saying, well, third-party cookies affect us all the time.
So if you go to website A, it places a cookie, that's what it's for. You go to B, it places a cookie. This prevents them the need to keep backend state.
And then if you consume any resource from another website, an image, a script, a CSS, they can also place a cookie and then get it back. And then A also gets a cookie when you visit B with the origin, and that starts to collect the data. So you've been here, you've been there. So tracking influences us a lot, and they looked at various mechanisms how they can break it up. But the problem is that these cookies are also in use by OpenID Connect flows.
So if you look at front channel logout, if you look at session management, if you look at iframes that jump and say, hey, let's do the silent login, let's do the silent refresh, that's using cookies as well, and all these things are gonna break.
Yeah, bounce tracking with the redirects, right?
You, you you wanna see a product, you wanna put it to the cart. Oh redirecting you, you see this page redirecting you, that's a tracker that says this is the product you were looking at. That's what you're doing. Stores that information and and in the funny example, someone's looking for an engagement ring and then the, the girlfriend looks for shoes and gets ads for the engagement ring and she knows what's up.
But they know anyway what's up. So that kind of tracking no technology has been able to overcome.
So they were saying, you know, OpenID Connect, we do redirects, we use cookies, we use link decoration 'cause we have a lot of parameters. All these things are gonna go out. So Google together with the W3C are coming up with FedCM.
So then they were having this talk and various solutions, but they were saying it's a flow that enables us to break up the OAuth dance into steps in a controlled way through a lot more endpoints. There's a new browser API, and then these endpoints are hit, the UI is rendered, the user chooses the identity provider to use, and through a more complication for the IDPs, right?
They wanted to keep the relying parties life easy. So just three lines of code and it works and yeah. And then they said, Hmm, we are also working on a feature.
How do we support multiple IDPs, and can we support this any, they said any, any IDP. So you visit target.com, you do a login, and target.com could hit this register browser API in the JavaScript and register an IDP on the user's browser. And then later, if a relying party says, hey, I'm willing to accept any IDP, then that target.com is gonna get rendered. So we found it very interesting.
We said, oh, so you can break up the NASCAR lines, right? You can basically say I don't have to have this preexisting relationship where I issue them a relying party with this IDP and that IDP and I put those NASCAR lines. But in our use cases of banking and of assured identity, everything we mentioned, any sounds, you know, too liberal, too wide open.
So can it be not any, but some, can we ask for some IDPs that we trust because of policy and governance that they perform. So that was a question that we asked and we joined the working group. And so we found it.
Yeah, this is the basic fed, so these few lines of code, this is what the relying party does, and it provides an array of providers. So this way you would put the Google, the Facebook, whatever, but together with OpenID Federation, which allows a discovery endpoint, we were asking, can you maybe fetch first OpenID providers? So what if I'm a relying party and I know that I want a bank ID?
So, and that means some governance was done. That means some policies were done. That means some liability. So there's a lot of assumptions here, we'll talk about it.
But let's imagine I want a government ID. Let's imagine I want a bank ID. So through OpenID Federation, we can call these APIs and we could create these, they're called trust marks, and we could query and say, I want to discover from this trust angle, give me all the OpenID providers that provide a bank ID.
So then this query goes through intermediate authorities, accreditation bodies. So someone, someone needs to perform the trust work and say, yes, you are indeed a bank because you have a banking license and therefore you can participate in this.
But this, this could be a dynamic way where you discover a, a relying party can say, I don't want any, I have some compliance requirements, so I want the government id or I want a bank id and that's gonna return the list.
So we found it very valuable. And then you feed that list that you discover dynamically to FedCM and the list gets rendered. But then you don't want to end up with a huge list and have the user choose from a disambiguation list of hundreds of results. And then we learned that FedCM ignores all of these results you gave
and just regards the ones that have a pre-existing relationship with that user agent. So once you've used that IDP, there's a browser API which says I'm logged in. So this relying party is remembered.
So, so great. You can feed it with, I want a bank id, you got 500 and a user operating in the US might get these two banks that they're using and a user operating in Europe will get those two banks that they're using. And the relying party still gets a compliant way of authenticating without having to know beforehand what the user is actually gonna use.
So we really like that as something that, if you look at GAIN and you say, we have OpenID Federation offering us a way to discover IDPs.
We have OpenID identity assurance, so we can express our needs for identity assurance procedures that were done and get data that was verified this way. And FedCM could be a neat UI layer where this dynamically constructs the UI with the options that meet the relying party's compliance requirements and are also actually used by the end user in a privacy preserving way.
So we were interested and also opened some tickets on the working group to see if all our requirements for a banking use case with things that are FAPI inspired, so Financial-grade API, FAPI security profile, how do you do those things in line with banking regulation? And so far we are very happy.
There are, there are though, indeed challenges. So who provides the trust framework, right? Who provides the accreditation and says this is indeed a bank, and what does it mean that it's a bank?
What governments, what governance frameworks are, are they complying with in different regions? What assurances do they do they give what, what procedures they've done?
So, and therefore someone needs to run this OpenID Federation. That's a standard, but someone needs to run this infrastructure and create those canonized trust marks and put the services, and there needs to be trust establishment. So there could be requirements from both sides. So we talked a lot about the relying parties saying, I want a government ID, I want a bank ID. What about the OpenID provider? They might have requirements. So technical requirements, like I only support up-to-date algorithms and protocols, but also maybe other compliance requirements.
Like I serve certain jurisdictions but not others. I wanna serve certain industries but not others. So there needs to be both a trust establishment and and agreement, which includes what are the terms of service.
So, okay, I'm agreeing to any, or I'm agreeing to use a bank id, what actually am I getting in terms of liability? What if, what if I made a mistake, the identity was provided to me is wrong. That's not the right person. It does not comply with regional age requirements and I did a mistake. Is the liability here? What content am I gonna get in that, in that identity data? What about pricing and monetization of this mechanism?
Yeah. And then when we, when we look into the future and try to envision the, the future of NASCAR lines, it could have a part that is coming from fed cm.
So with this new browser API, you can construct dynamically, as we said, options that are meeting compliance requirements and relevant to the user, but also there could be credentialing there. So there's also a credential API, so the market is moving, right? All of these things that we are discussing here at the Ike digital identity wallet, various states in the US. So if I'm the future relying party, I want to act at internet scale, I need to support users that use federation, I need to support users that have credentials.
So no one has a crystal ball, but maybe in some years the future login to big internet players will look something like that. They can accept credentials of different kinds represented by this QR code. And they can even show the user somehow.
Yeah, you somehow you need to communicate to the user what's gonna work and they can accept open ID providers through federation that can be combined dynamically. So who knows, maybe the future is more composable.
Brilliant.
That's wonderful. Thank you so much, Yaron. If I could ask Yaron, Jamie and Darrell to not step on the glass.
Yes, we are.
There you are.
And we'll now move to the one second. Just need to grab my
Phone here.
We'll move to the open discussion section of the, we're not, that's because I plugged in the wrong USBC.
Hello?
Could I have a screen please? There we go. We'll move to the open discussion area for the AV folks. When questions get asked, will they be picked up for the live audience online or should we repeat the question? Or do we need to run out and do some game show host stuff with a microphone?
No, we need to do,
Okay,
You'll repeat the question as it gets asked. Cool. Okay. So just to give you a reminder for those that weren't here in the earlier session, Jamie is the founder of customer futures.com, a leading online community focused on the future of digital customer engagement. He's also the co-founder of Mission, the world's first consultancy focused entirely on empowerment technology, which includes decentralized identity, digital wallets, and personal AI.
He spent the last 15 years helping businesses seize the opportunity around empowerment technologies, including decentralized idea E and Gen Digital. So thanks for joining us for this panel, Jamie. Darryl is the product lead for PingOne Neo and has been identity and access manager for 25 years, with his first job developing Touch ID, later acquired by Apple, and Yaron is working on everything CIAM at Raiffeisen Bank International. So I'd now like to open it up to the room for questions on the topics that we've had.
I've got some example questions up there that I'll be throwing at these folks if there's none from the room. But judging by the questions that Darryl got earlier, I think that it shouldn't be too hard. So who's brave enough to step forward with the first question? And I would just like to, you know, caveat this by saying please ask a question. It's not for making comments. Let the panel respond. If you have a follow up, consider if it's really necessary to get into a back and forth debate in this environment. Is anybody interested in querying on the topics that we've had otherwise?
I think there's some topics we can definitely come up with. Yeah, please do.
It's okay
If there are questions from the online audience, then the Slido link in the bottom left will allow you to ask your questions there. I'll pick them up and put them to the panel myself.
Yeah.
Did I switch it? Is it on?
Yeah, it is. It's on. On your part, when you query for bank ID in practice, like I work for an international insurance company and we also have several IDPs around, and most often it's not about the name, but it's more about what are the properties, so attributes or the actual schema. And maybe it's more worth querying about, does this provider, oh, please return all the providers who fulfill this type of properties towards schema.
So how, how could this be addressed? Maybe
You, you hear me on this, right?
Yeah, a good question. So in into establishing this trust relationship goes a lot of things, right? So as I mentioned, both need to trust each other as being valid, a valid relying party and willing to accept and a valid open ID provider.
And I put in bank ID as a trust mark as an example, but there are other things that go into this trust establishment and handshake. So OpenID IDA, and Mark Haine is here, he is a co-chair of this working group, has a way of saying which claims an IDP provides. So I think they're working on expressing those verified claims, like governance policies, assurance policies, as metadata that you can search and query on.
Yeah, so OpenID Federation already includes policy in the query. So you can query and say I only want ones that accept these technical, you know, formats, flows, et cetera, in order to align on the profile.
So if you have to do it in a certain profile like FAPI, you can filter for that, but also you can filter for these parts of the policy part. So I think it'll go in this direction where you could query both. Trust marks are basically someone external saying, I trust that this one is really government, is really a bank; that's already part of it.
And then what do you actually provide, that's within IDA, and there's also ASC, Advanced Syntax for Claims. So there's a draft that is being worked on where a relying party can express, but this is already when in the conversation, right? So you'll have basically two steps. You'll have discovery, which says, who do I want to talk to? Are you meeting my compliance requirements? Do you have the data that I need?
So this discovery, and then there's the actual transaction, where there's also policy language going into there.
So the IDA spec allows the relying party to ask for certain verifications, and there's another OpenID draft, this is ASC, Advanced Syntax for Claims, where you can say, I want only this data if you comply with my requirements, and if not then omit my request, et cetera. So I think that the specs are heading in this direction, to make this handshake contain more governance and policy elements to support such challenges.
Yeah,
Because on practical level it, some teams approach us like the unit which responsible for authentication. Like, oh, we, in our country we have that fancy like IDP, let's make it happen.
So, okay, let's see what it does. And this thing could be potentially one of the things to how to fix this, how to answer the questions, how to explore. Yeah.
And with digital wallets, you can compile from multiple credentials on the fly as part of the request. So if you're requesting from a wallet, usually you can accumulate and then you can decide whether that's good enough. If there's one or two missing, you could still accept it.
Thank you. Question please.
But that gotta work.
Bring it to someone.
Well, while somebody waits to, to put up a hand, here's a question from the Slido: will not the EUDI 2026 or digital identity wallet earlier, eIDAS 2 compliant, be used as an IDP way to onboard with one or two clicks, at least within the EU plus three?
Yes, I I can answer that.
So yeah, the theory is that you become your own IDP in effect because you've got a, a root of trust from the government inside of your wallet. So you can act as an IAM in effect. And the standards allow for that. The idea that you can snip in the sky and go through the wallet is not a problem. So in effect, you do become your own IDP because you have a root of trust credential and that you can serve as an individual mobile IDP. That's one of the benefits of the standards OpenID for VP and SIOP v2.
I mean, just, just to build on that, I think that the question speaks to not just the trust question about can I trust this customer showing up at the front door of a, a website or an app, but the customer experience benefit of seeing, well, we can now share not just an identity credential, maybe even some other credentials that might be in the wallet at the same time I can put them together and share them in one transaction. And so we can start to, you know, that idea of getting rid of the form on the website.
Well maybe some of those attributes are gonna over time aggregate in the wallet and therefore it can be a, you know, one tap, one scan moment and if it's for a particular high value transaction, we can then step up to authenticate with biometrics from the device
And speaking up further on that.
So we're looking into the EUDI wallet and the PID contents and we don't find a lot there yet, but it's a very important first step 'cause it's gonna enable then other players to issue additional credentials, the EAAs, and then you'll have a root of trust saying this is really that natural person very strongly identified. But then what more can we know about them? So we'd like to see in the banking industry maybe salary slips being issued that way. We have corporate customers where someone says, I work in the accounting department, I need to access on behalf of that company.
So employee card could be a credential. So currently for us to service corporate customers, how do we know if this lady or gentleman really works for that company, really in the accounting department, did not leave, did not change the job. So we are looking into more content added to the wallet.
So the, the root of trust will be yes, this is really strongly identified, you are the person, but we need to know more about you to give you a loan to give you access to systems.
I'm gonna, I'm gonna selfishly bend the conversation around to, you know, the the value conversation, not just the compliance conversation, right? Because as, as Darryl pointed out in one of the, the earlier sessions, you know, large organizations are gonna be mandated to accept this. So there's a compliance story, which is a cost story, right?
You're gonna have to implement this and that's gonna require new processes, it's gonna require new API calls, there's, there's overhead there. So how do we turn this into a growth opportunity?
You know, there's the customer experience side of things, but actually once you've got a new digital endpoint for the customer that's better than email, that's better than SMS, that's maybe better than the app that you've given to them, but they check once a year, you've now got a new customer engagement channel. And I think that becomes the bedrock for not just, hey, we need to check your date of birth and your driving license entitlements, but a new way to engage a customer to collect more data in a consent, you know, customer engaged way.
And that means, you know, the whole story around transparency and digital trust and, and engagement with the brand. So I think there's a huge opportunity here to shift the narrative from one of compliance and cost and you know, how long is the igat gonna take and how many brands are gonna engage with it to, one of this is a real digital opportunity for, for brands to engage in a new way.
Cool.
So the, the room's still open, please just put your hand up or, or start shouting out if there are questions that you'd like the panel to answer. I've got a question for you myself, which is, you start with one EU maybe issued wallet or your US state wallet, and then later you end up with your banking app that has a wallet embedded in it and then the next app that has a wallet embedded in it, and then the next and the next and you end up with a proliferation of wallet capabilities all over the place in your phone, maybe on the cloud.
What, what's the end state of this? Do we just end up, everybody's got to accept that there are wallets everywhere and there's gonna have to be some kind of modal interface that acts to to to to, to choose between them. Do we end up with one operating system level wallet that incorporates all of these credentials? Or do you end up with generic wallets that all those credentials go into? Or how do you see this playing out over the next couple of years?
Well, in the eIDAS model, the wallet has to be certified. So you'll have certified wallet on your phone and maybe that's the one you go, it's your go-to wallet. That doesn't mean that there won't be other wallets and apps, but really you won't even know about it. It's not like you have to have a Rolodex of IDs or cards that's not required. Right?
And, and Yaron mentioned this, their implementation of it, it's all under the covers. You don't even know you have a wallet, but you're exploiting the functionality for the user experiences, right? So we have a couple banks that are doing that that they're not gonna expose. You have all these creds in there, so that can always come later. You could start out under the covers and exploit the technology and then later introduce that concept.
Or eventually the platform wallets will modern, you know, accept all the standards and play nice and then we can leverage that as a single data store and have many views into that credential. Right? That'll be the future. There'll be a mashup eventually, but it's gonna take time. But in a way we don't care because all it matters is the user experience, right?
I think the standards are very much considering this challenge. So Christina and Ston are giving a talk, I think on Thursday, I'm not sure, check the agenda, but they're talking about it.
And in the OIDF digital credential protocols work group, they presented exactly these challenges, proliferation of many wallets. So from my understanding, but I'm, I'm an observer, they are the experts and the doers of course. But the standards are going to the direction that the, the credentialing API. So someone says to the browser, I need a credential. The browser talks to the wallet through standardized mechanisms and can find and discover on the device any wallets that are compliant, or it becomes a non-issue. And then there's a lot of thought in the standards how to do metadata exchange.
How can I talk to you, can you talk to me even before the consent from the user happens or equivalent to a TLS handshake. So it it's built into the, the standards.
This, this challenge.
Speaker 10 01:25:56 I, sorry, just if you don't mind me,
You want the mic?
Yeah. Is there's, I think there's an
Audience.
Mic,
Speaker 11 01:26:03 I don't think you need to take Oh no, I'll just, I'll just grab this one. Okay.
What, what about the, what about the benefits as a brand to using the wallet capability within your app as a way to boost engagement? I mean, yeah,
You can speak to that.
Yeah,
Absolutely. That's, that was the use case that got us in into playing. So we simply needed the mobile app enablement. So we were seeing that we operate across 12 countries. They each have the IT infrastructure, but we wanna build a lending app and a mortgage app and deploy it across the country. Is it mobile? How do we do that? Login federation fails on, so it's not native mobile. You end up redirecting, well, you end up on a web login on the, on the browser that's like not, not the experience customers expect and worse the, the product owners, they're like, no way, that's not gonna fly.
Okay. So, so we went to to wallets as a capability because it, it makes native mobile as a first citizen. So you just go app to app and it's, it's very convenient.
So we, we really like the experience that this enables.
Yeah.
And that, that builds the brand because people are happier with the experiences. We do have a credit union in the US, they're launching wallets and their main, to his point, their main first use case is getting 10% off discount at coffee shops in the area because they believe that will drive more people to the bank, right? They're actually a credit union. And so they're very community based, right? But if you're at the coffee shop and he gets 10% off his coffee every morning because he has a a credit union credential, you're gonna want to go get an account at the credit union.
So that builds brand loyalty.
I mean, I'm, I'm gonna make the point about customer experience again, because I think we can't make it enough.
You know, there's a, there's that famous Steve Jobs video where he was in a q and a and someone stands up and the audience says, oh, what about this particular protocol or that particular technology, Java, whatever. And he said, look, there, there are better technologies out there. Sometimes we're gonna win, sometimes we're gonna lose, but we have to start with the customer experience and backwards. And that is how we win customers. It's how we win market share. It's how we sell millions of devices. And he said that in like 98 or something, right? The point is, we are well below the waterline.
We're talking about technologies and protocols and I believe all that will get smoothed out and sometimes the best technology doesn't win, but it's the one that's gonna be most adopted. But I really believe back to the brand opportunity point. If we start with the customer experience and work backwards, that's how we win.
And I, I, there's one more point I think we, we forget, is that I do, I do think from an experience point of view, we're looking in the rear view mirror. We're thinking our apps, what we'll do is we'll get the customers to download yet another app. We have another app for this conference.
And I have another, I have two KC apps on my phone for some other version that was a couple years back or 2016 or something.
Like, we all have apathy, right? We're downloading another app and maybe it's gonna be one tap, but my experience is still fragmented again, right? So we should be thoughtful about what conversational UI is gonna look like once GPT-4o is added to Siri and that's given permission to access to data inside those apps. And I have multiple wallets that can permission with consent, the data flows, and I've got a cryptographic record of which apps shared what data with which AI and that AI might be on device, right? So we're not sharing it with a, with the borg in the sky.
My point is start with the customer experience, work backwards and then work out how the wallet and protocol stuff fits in.
I think you mentioned AI there, I think it's worth picking up on that. And just picking your brains generally about what kind of threats or opportunities do you think AI poses and what kind of, yeah, what, what place does decentralized identity play in helping maybe mitigate some of those threats or otherwise I'll just leave that as a fairly open question. Be interested
In your question.
No, I can answer that. 'cause I'm working with a car manufacturer now to look at putting wallets in the head unit inside the vehicle, right? And so the idea is they want an AI personal assistant to, while you're driving the car, you're starting to get tired and you say, Hey car, go make a booking for the hotel in the next 50 miles. I'm exhausted, right? And you don't have to do anything and the AI assistant will use your creds and your wallet and go do what it needs to do, including payment tokens to go book you a hotel, right? That's the future, right?
And this car company is actively building this AI system for the head unit, but they need creds to feed the AI and, and empower the AI on your behalf, right?
I mean, I think I'll repeat what's been said a lot is that, you know, the, the, the value here is not gonna be in the model and it's not necessarily gonna be whether, you know, the, the, the number of tokens it's gonna be in, the quality of data being fed in. And it's gonna be the trust in the training, trust in the sources, trust in the intellectual property and the licensing and all that stuff, which is still being worked through.
So if you bet that the value where the, the value gonna be created by AI is gonna be in the data and the training and the learning of it, then our wallets and our identity and the verifiable of it is where we can create value on the customer side, right? So if you look at the existential crisis for AI and said organizations, it's about IP and it's about leakage, it's about hallucination and about where the data is being trained.
And I think once you assume that we're gonna have small language models, not just large language models stuff on my device, then how it's trained, what wallets have got access to, you know, I think the AI revolution in full swing can't and won't happen until we have verifiable trusted sources of data. And that can't happen until we've started the key key rotation problem and the wallet problem and the protocols problem to start moving data around in a trusted way. So I think what we are doing here, we won't realize how important this conversation is for, for a decade or two.
And I think if we can crack the verifiable data, the digital wallet problem now is gonna unleash even more incredible stuff with ai. But not until we can trust the data.
I wanna talk about a little about the risk coming from AI and deepfakes. So I don't know if you heard, but this February there was the hack where the financial services employee in Hong Kong joined a Teams call with his fake colleagues and CEO and was told to make transfers and did those transfers. And I think the damage was $25 million in, in that area.
So I think it's gonna drive in the future stronger requirements for authentication. So if you talk about device biometrics, et cetera, that's, that, that's not enough. So we're gonna need to go to the higher end, especially, you know, corporate use cases. Does the bank have liability in accepting these orders?
And I, we see the bigger problem in, in the corporate use cases because then you're relying on, you know, what's your second factor? That might be a phone or an email that the company controls.
If they don't do the good job, then your second factor is compromised. How do you know on time that this employee may have left the job or maybe got hacked in another way? So through these channels, how the users authenticate transactions are enabled of the highest value, right? 'cause it's corporate scale money, not private people in their own funds.
So I think we'll see a push where credentials combat that. So I think the future of employee card is not the plastic card, but the credential, this credential in high, you know, imagine that that financial services in Hong Kong gets now an identity wallet from the company and in order to approve those high value payments needs to prove his identity and the others to join such a call, prove the identity with a crystal biometrics and liveness.
So I think, I think we'll go into an arms race to protect those high risk scenarios and, and he credentials and, but
You're right, generative and, and adversarial AI will be extremely difficult to impersonate us if we have wallets and credentials because they can harvest the data, but they can't repackage it and sign it again and present it as me. You can't do that.
And it's, it breaks the protocols, right? So security, so this is David one of your favorite things to talk about, but we do have, we can't talk in detail, but we do have some work going on around mutual identification with some video conferencing players. So you're gonna see this happening where you get a little green check next to your name in the participant list because you've been checked, right?
Yeah.
So, you know, in the payments world, in the, in the card network world, there are transactions that are card present and transactions that are card not present and the card not present. Meaning I'm, I don't have the customer in front of me presenting the card, it's over the phone or whatever. There is just, it just carries more risk, there's more fraud. So those transactions are more expensive on the network, right? They're charged at 3% or whatever rather than one and a half percent.
And I think with a wallet, we're gonna move to a world where we've got customer present versus customer not present, right? Today we're ingesting data into a business that's come from a third party, API, it's come from a document scan, whatever, and the data's coming in, it's gonna verify the customer, but the customer's not present, right? And I think with the digital wallet or authenticating, authenticating to a Zoom call or a Teams call or whatever, we can say the customer's present or the customer's not present. So we can still process business transactions without the customer there.
It's just we're gonna have a higher taxes or a higher fraud or higher risk assessment because we know the customer's not authenticated in with their wallet. And that's, it's like the eIDAS conversation looks like an ID thing, but suddenly it's gonna look like customer present transactions and it's gonna lower the fraud, but it's also gonna give us higher assurance for certain transactions like moving, moving money around from, from the deepfake that told me to press go.
Cool. Thank you very much. Another question from the online audience directed to Yaron.
What drives financial institutions to adopt these solutions? You've obviously been an early adopter and trailblazer in this space. Is it the technology, a promise of resolving an operational pain point or a customer benefit? And I'd like to add on, so that that's the question from online, but I'd like to add on some, some other elements. You've been exploring these use cases. I'd like to know a little bit more about your experience of educating your team, your engineers around you, about getting these use cases live.
How have you found what Jamie called using the customers, the API or your customers, that integration point? How has that worked with your technology teams?
Right, so there are two parts. So the first part about the drivers, everything before, yeah, eIDAS 2 passed, right?
Was, was initiative not compliance. So we had a pain point, we had a journey of harmonizing 12 subsidiaries. They used different technology. So it was about reuse for cost cutting and superior customer experience while maintaining best security. So all of these drivers, and then we found a good match in this as a, as a foundational technology. The moment that the regulation passes, this changes into a compliance discussion. Compliance on the one side. So we have to comply, there's a deadline and, and what are the steps we need to do and what processes this impacts in the organization.
But also opens the door to other interesting discussions of is there an additional opportunity here? So can we also perform the KYC this way, what I showed you about financial data, can we do customer due diligence?
What else is there as goodies that we can perform our processes more efficient, less friction, reduce the fraud.
So, so that becomes a driver as well. And educating the team is sometimes, sometimes hard, sometimes easy.
So, so the team meaning the teams in the different countries. So of course when you come with something new and shiny, there some excitement to it, especially if you can demo it. I mean I've, I've learned that demoing things and, and really it's a privilege where we work that we have the time and the capacity and the support to look into these things. It's not obvious that it happens. And it's great that it does because your understanding of it when you see slides or read a spec is something when you put your hands onto it sometimes you're like, oh, it's not what I thought.
It's a bit different.
So it's, it's, it's very important and then it's very, makes things easier when you go to a team and they say, does this work? Is this real? Why are we the first? Is this maybe risky or not? So it helps very much that it's standards based.
So it has, it lies on the shoulders of giants, right? The whole industry and research and and academy are, are working on this contributing, validating this. And it helps very much to show that it's live, we built it, it works still, then that doesn't mean full adoption.
Okay, so now we need to put the SDK, what do we need to do? Budget, timing, et cetera. It's always a journey.
Quite straightforward Question here. Also online. How do you know if the wallet data is still up to date?
I can answer that. Yeah. So whenever the issuer issues the credential, it it, it'll have a record that attribute that says time, date, and time last refreshed. And so the verifier has the option of of rejecting if it's been too long. And by the way the TSA does this at the checkpoint for mobile driver's licenses in the us.
If the MDL hasn't been refreshed in a while, sorry buddy, we're not gonna let you through. So if it's your phone's been offline for three months, it's a problem, right? And you have to look at churn. How often do you push out, refresh you, you want to have time to live, you may want that ex expiration of that credential to be every 30 days or every 45 days and you just churn it, refresh, refresh even if no attributes change, right? So you can create time to live so that if they do do go on airplane mode, it'll time out, right?
So these are the kind of things that are built into a lot of the standards and specs and always can do that in your as an issuer to help the verifier.
Brilliant. So we've heard a lot about use cases where DCI seems like a great improvement.
You know, what problem are you trying to solve is the question that we ask often when we're interacting with our customers and clients. And I know our audience is made of con you know, consultants as well. I'm sure they're asking that same question in what scenarios is DCI not the solution? 'cause it sounds like it solves every problem in the world right now, but that can't possibly be true for any given technology. So what are some red flags that when you hear them, you think this isn't appropriate, I need to do address this with maybe more traditional technologies?
Yeah, I think in a workforce model it's sometimes people are hard to see where there's value because it's a closed ecosystem. You have all your data systems, they're all connected, they're all lit up, data's flowing back and forth. You might say, well how, why would I use this internally at the company? Right? So that's a good example where it may not make make sense, but as soon as your employee decides he is going to leave the company and go over and be a consult a contractor to your customer, now you have supply chain.
And suddenly it becomes very powerful to get instant trust when you show up at your, we have one trucking company doing this, we're enrolling about 3000 truckers a week and they, they're a matchmaking service that match makes the trucker with the load, the load needs to get moved. Well, whenever that person shows up to pick up the trailer, nobody knows who he is.
I mean, they've never met him before the greeter. Right? And this guy's picking up a trailer of $2 million worth of televisions. So as soon as you leave your company, that workforce credential matters if you're interacting with other corporations, for example. But within the company itself, eh, maybe it doesn't add much value.
I mean, I'm gonna disagree with Darryl, but there's a sequencing of this of like, it doesn't make sense yet.
Yeah, exactly.
Right. And there's some academic study that looked at the value of data to an organization and actually most of the data that was valuable was outside the company walls, right? We spent the last 20 years building fences around the business and alligators and barbed wire to stop data leaving, right? Organizations are not built to have data moving around in this way. The policies, the governance, the department of no, you know, the compliance teams.
So this is a mindset shift as well. But once we enable, or you know, help organizations realize that there is value of data they can get outside, you know, whether it's bring your own identity from a new customer or a staff member that's moving outside the firewall, it might not make sense yet. Like the answer might be wait six months. But once there are enough supply chain problems or data sources that you wanna get from outside the organization, then that's when we start need to explore.
And, and frankly it's like, well when should we move? We're waiting for the standards to settle. The answer is you gotta have an understanding of this stuff now. You don't have to implement it yet, but you gotta have an understanding. So your exec team, your point about education that the businesses kind of got the mental models to understand what they need to do, even if they're not building
Yet and you pull the thread if, if, maybe not supply chain, but how about business meetings? Wouldn't it be nice to go to a company and you can just present your digital credential to check in, right?
Instead of sitting there and waiting in line and filling out like we did this morning, right? Filling all this paperwork and stuff that, you know, so even for business meetings, there could be value, right? But it is intra intracompany at the moment is the things that rise to the top Okay. In the workforce.
So if it's, if it's Intracompany and Jamie, you mentioned kind of getting started with the technology. We've spoken about use cases, government through finance and we've covered a whole load of them. How do you get started?
What's, what's, what's the first domino that you push over?
Ho ho hold on before that, oh, apologies. You asked what? It's not you, you hit the pain point.
I,
Sorry, sorry. By all means, my apologies.
Yeah, so when we were trying to build approval schemes based on it payment schemes, so if you think about a customer sitting with a bank, they're discussing a certain banking product, like a loan, and then you want the customer to approve on that or the customer is making a stock trade or a payment that needs to sign off on that payment. So what is the wallet?
At the end of the day, if you talk about the core standards of issuance and presentation, it is a secure container of credentials by a trusted issuer that are controlled by the holder and can be presented at their discretion while preserving privacy. So it does not contain the UI layer for taking a transaction like a payment or any JSON data and presenting it to the user, in our case, multi-language. And it does not comply out of the box with PSD2 SCA.
So strong customer authentication, if we need in the banking industry to prove that we indeed got two factors of two different classes and show the transaction to the user and bake it all to show the audit trail. So it can be used in combination with these to achieve it, but out of the box it does not do that. Right. There, I said it.
Yeah, not yet. Right?
I, I'm reading.
So about the question about kind of the first domino to topple, how, how does one get started? What's the, what's the best way to, to begin to engage given that you know, that that two year clock is is ticking to, to May, 2026?
Well let Yaron answer, although he might say that we weren't always perfect helping support him, but Yaron maybe, how did you get started with us?
Well, we, we found a use case and a pain point and, and through coming to these events and, and you hear a talk that triggers your, your interest and, and you seek more knowledge and thought about the use case and, and found out that, that this could help. So that's a good start. Yeah.
And then, you know, be very practical about it. Maybe try to whiteboard it, the architectural, you know, 'cause getting around the technology, it, it, it works different than other schemes. So it's important to understand all these questions. How do I know that it's not stale? How do I revoke it? So all of these things, how do I know that the wallet is legit? So there's a lot of understanding to, to ask when you, when you actually put it on a whiteboard and start making sure you understand every segment and then take it to maybe a demo. Yeah.
And, and get heads on it.
Plc.
Yeah, plc. Yeah. Frank always calls it a Rorschach. I mean every person that looks at credentialing and wallets looks at it differently. So every time we interact with customers, they, they're coming up with new ways of using it that we never even thought of, right? Like Frank can attest to this. So going through those designs is really good. Like flows, right? We typically get in Lucid and we go online and we create a Lucidchart of the flows for one of their use cases where they have pain and, and debug and figure out how we can help them, right?
But it is, they come up with things that we never even dreamed of all the time.
I mean, I think the only thing to add is understanding like what are the solved problems? What are the not solved problems? What's yet left to, to resolve? Where's sponsorship gonna come inside the organization? Is this a product led thing? Is this an innovation led thing? Is that a compliance led thing? Because some of this is RegTech, right? Some of it's coming from the head of customer experience because they see a 10 x improvement of the crappy form you fill out today.
And some of it's data, supply chain, head of data, CRM, whatever. So I think understanding where this is gonna sit in the organization, but having really solid education, like what does it mean? Where are the use cases better solved by a centralized database internally, when will the technology be ready? And then we can get ahead of what happens if I lose my phone and what about bad actors and threat, you know, injection attacks and biometrics and stuff. So I think education, sponsorship use cases.
Brilliant. Thank you.
Okay, so I, it's kind of the end of of my questions. There's no more coming on online. Are there any further questions for the panel, for the room or even maybe from the panelists to one another?
There? The question down there, I'm
Speaker 12 01:49:01 Not gonna look behind me here. I know I'm gonna insult someone,
But
Speaker 12 01:49:05 Isn't China kind of doing something similar? She didn't wanna ask the question, she just got back from China and everything is like digital this digital that here asserting your identity...
There's
Yeah, there's certainly programs and projects in China with verifiable credentials, if that's what you're asking. We have some customers doing a couple things, but you know specifically about
Speaker 13 01:49:29 China as the government,
China as the government.
Oh, government digital credentials. Say
Speaker 13 01:49:34 How
That feed to the Yeah,
So I think maybe also what the question is alluding to here, certainly in the UK there's a lot of resonance and concern about carrying any form of ID card issued by the government. For some reason we don't mind carrying around passports and driver's licenses, but the idea of an identity card is, yeah, sure, anathema to the UK population. For some reason China's taken the concept of a population ID to the nth degree with their kind of social service tracking.
Yeah.
I'm not,
Is this the gateway to that worldwide, and is the UK right to be so concerned or, yeah, what would you say to those
As far as government tracking is concerned? Is that
So it's tracking, it's the idea that the only way that you could get given a digital credential, yeah,
Would be, there must be a centralized database somewhere and therefore government bad because it knows things about me.
Yeah. It goes back to the old self-sovereign thinking of why can't I just create my own identity? The truth is that governments grant you your identity. This is a big debate, right? Like you don't really own your identity. Even in some countries you can't pick certain names, you can't, you know, right. Like even here in Germany, sensitivity around Nazis and SS, you can't just, you know, affiliate yourself that way. So governments grant you your identity at birth, right?
If you think about it, parents pick your name if it's allowed that name within that country, right? So there's some things like that. So in a sense, our identity is given to us by the government in one respect, right? That doesn't mean that's who we are, but it means that's how we are represented. Right?
And I think maybe it's a kind of technical distinction, but it's the differentiation between the land of identification versus authorization, yeah, and authentication.
You know, is this the same person coming back? And I think once we have digital wallets and credentials, we can start to do things in a much more privacy-preserving way. I don't need to know who it is, but I know, you know, are you on this side of the airport because you have a plane that's leaving in the next four hours, yes or no? Right?
You know, are you an individual that should be at this conference, yes or no? Are you an employee that should be allowed in this part of the building? So we can, you know, it's the whole data minimization story, which we won't rehash here, but from a governmental perspective, it's why the work at eIDAS is so important because it's answering the functional and non-functional requirements of what a government ID looks like.
You know, the hot potato that we can point to is correlation, right? Does my wallet accidentally become a super cookie?
'Cause if I've got an identifier, whether it's a PID or a public key that says I've used it here, here and here, should that be a little digital breadcrumb that I leave behind as described by the ARF, the architectural reference framework? At the moment it does. Right?
This is a, this is a question mark, but it gets back to policy and like what do we want citizen outcomes to be? But that opens a whole can of worms
Right before lunch.
Well, having said that, it is right before lunch. So how about some final comments from our panelists and where you can go to find more information?
Yeah, for us, you know, obviously we're a vendor here, neo identity.com or pingidentity.com has a lot of information. We also have use cases and a lot of artifacts for educational purposes that are without our brand. So if you guys want, if anyone wanted to just run an education session at their company, we do this all the time, including without the Ping logos, we wouldn't have to mention Ping. So we're happy to do that. It's all about learning right now, we're in that phase. It's a marathon, not a sprint. We're still early days, so a lot of education going on.
So I'd say that's where we can help the most.
I think we're in the beginning of tectonic change, so things are looking different or gonna look different in organizations, how we interact with our governments. Some make it very privacy-preserving, some not. Yeah.
And we don't, we know very little. Yeah, a lot of things are trying to make assumptions and take use of what's so. Our stance as a bank, we're not a vendor. So we're trying to use the parts that fit our use cases, and on the way we try to learn and be ready to be compliant quickly and seize the opportunity. But there's so many things moving.
Yeah, the rate of change, the rate of new drafts, new standards is really mind boggling. So we are enjoying the ride, but hard to say.
Yeah, everything is clear and we know how it's all gonna play out.
So I've got two hats. I am a co-founder of a company called Mission and I've been building and selling this stuff, doing all the workshops Darryl's been talking about, since 2012, 2014. So Mission helps organizations make sense of this shift, whether it's decentralized ID or personal AI. And you know, we're in the business of helping organizations make sense of it, build a business case, look at use cases, do vendor selection, all that kinda stuff.
But my other hat is I write a blog or a newsletter called customerfutures.com where you can find out more about where I think things are going and having that narrative of why we should be paying attention. Oh, there's also Customer Futures. Ping are very kindly gonna be helping us with drinks this evening. We're having a meetup at the Motel One hotel. It's about a five minute walk around the corner. There's some brochures around, but Customer Futures is a meetup tonight after the award ceremony. If you wanna come along to Motel One, that's on Alexanderplatz.
Brilliant.
Thank you so much. And you'll be around the conference for the rest of the day as well, so please feel free to approach them. For those that are joining us digitally, obviously the KC app I think has a chat feature that you can use to write to people. So I just close off now. So thank you. Appreciate you coming and attending this opening workshop to EIC 2024 on DID in government and financial services.
Thank you.