Panel | Decentralized Identity in Production

So to begin, let's get to know everybody who's here on stage. We'll do a quick round-robin introductions, please say your name and how you are connected with digital identity, what work you're doing in the space. Let's begin here.

Hi, my name is Marie Wallace. I'm the Global Lead for Decentralized Identity at Accenture. So we do a couple of things. So my organization, we do kind of standard consulting. So a lot of, you know, helping companies understand what it means, how they're going to reinvent their business using it. And then another part of my organization, we actually do the implementation work. So the SI work. So that's me. I'm Chris Eckl from Condatis. We're an identity consultancy based in the UK in Edinburgh.

I also work for a company called Scikit, which is very involved in staff passporting and personal health records in the NHS. And we came to this NHS digital staff passport project, which was one of the first decentralized identity implementations in the UK.

Hey, my name is Wayne Chang, founder and CEO of Spruce ID. Our mission is to let users control their data. Instead of people signing into platforms, platforms sign into your data vault. That's the architecture that we use in California for the MDL wallet. We also work with the state of Utah on credential pilots and also recently working with the Department of Homeland Security in the US, looking at how to align things with stuff happening in the EU. We're really interested in the long tail of credentials.

MDLs and strong identity is cool, but how many millions of credential types exist past that? And I'm Eric Scutton with Adobe, and I'm involved in the content authenticity initiative project. I'm an identity standards architect, and my role is primarily to determine how digital identity can be used to assert author identity in digital media.

Hello, my name is Carsten Stöcker. I'm founder and CEO of Spherity, and at Spherity we focus on decentralized identity solution for regulated industries, and we focus on enterprise identity and object identity, such as digital product passports, and primarily work in the pharmaceutical industry, automotive industry, and in banking.

Thank you, everyone. A quick reminder to the audience, if you have questions for them, feel free to send in your questions via the app. I'll be able to receive those here and then bring them to our panel members. But to kick us off, can you tell us a bit more about the projects that you were a part of? What are the really key features of them? What's new or unique about them? How are they working? To give our audience a little bit of context to begin.

So, Accenture is a system integrator, so we're not a product company. So, we work very closely with product companies like Spruce ID and Conata and Spherity.

So, we work with all the product companies out there. So, our main focus is around helping organizations reinvent their enterprises, because the value of decentralized identity, it's fundamentally transformative, and it's transformational, and the value is realized when companies reevaluate how they run their businesses.

So, the kind of projects that we're seeing, that we're really leaning into, we're seeing a lot of activity. We're seeing a huge amount of work around the whole area of worker identity and credentialing, recruitment, employee lifecycle management.

So, identity and credentials right the way through. Actually, in fact, from the moment they start school right the way through, they get their job, they get certified, they get recertified, they leave.

So, that whole worker space is significant, led in large part because of cost-saving requirements and the idea of skills-based hiring, and also a significant concern around fraud and deepfakes. We're obviously also seeing a lot around travel, and that's another big space.

And then, obviously, banking is another area that we're also seeing. But I'll be honest with you, what is kind of exciting for me is that a few years ago, a lot of the work we were doing was predominantly around consulting, advising companies on what they should be doing.

Now, we're seeing it's actually doing implementation. So, companies are getting it. They don't understand everything. They're asking for help, but they're actually looking to do something real.

So, they're not looking just at POCs anymore. They're actually looking to do things in earnest, which I think is exciting. Yes. The challenge we had was we were approached by NHS by their people directorate.

So, they're responsible for all the staff and staff policies throughout the NHS. And the NHS isn't one organization in the UK. It's an organization that's compromised out of hundreds of organizations that all employ people.

So, that staff employment is that major challenge because they're not employed by one organization, but by hundreds. A doctor or a nurse leaves education with a certificate. They need to do placements. They need to get registered on the relevant registers. They need to do recertification all the time, and they need to get employment. They need to get access to systems, and that all takes time.

So, traditionally, that took from one to two weeks. They run around with lots of paperwork. What the people directorate tried to do is see, and that was back in 2019, tried to see how a decentralized passport, wallet can help onboard those people quicker.

Now, thankfully, and I'm probably the only one who says thankfully, in 2020, we had an event that accelerated the whole thing. So, in 2020, we had this event, and all of a sudden, we had the challenge in the NHS that there were hotspots of need for health professionals. And those hotspots had to onboard seconded health professionals from other organizations.

So, the HR departments of all those different organizations had a huge legal challenge just for the secondment. So, it's not necessarily a technical challenge. It's a legal challenge as well to send their staff to another organization, get the staff onboarded in the most efficient and quick way so they can even just stick needles into people. And we were involved in those prototyping sessions, hacks, before the event.

And the event accelerated that we actually put into production very quickly within five weeks a system that, in the end, during the height of the pandemic, had about nearly 100 hospitals connected, moved hundreds, if not thousands of doctors throughout the system, and helped lower those hotspots. Post-event, the NHS, because it was procured under COVID rules, they had to re-procure, but they are now on the path of rolling this out in a more complex way with this whole health professional lifecycle use case. I described from education to re-evaluation to changing hospitals.

That's now in private beta, going to a public beta soon. So, not as many hospitals involved at this stage, but we'll see that within the next few months that's going to that old level again. Thank you. Wayne.

Yeah, so challenges building digital wallets, production, digital credential systems, largely have had to do with the end-to-end user experience and how much it's under-invested, I think. It just always takes a lot more investment in that than I expect, and anywhere where we've been able to deliver value took extreme focus on how does someone go through their whole journey, right?

I attend a conference called AMVA, the American Association of Motor Vehicle Administrators, to think about how exciting it is to go to your DMV, and then there's a conference, and then you can go and hang out, talk about standards and such. But basically, I'll never forget when one of the DMV directors held up her phone, she was like, this is beautiful, pointing to the MDL in the Apple wallet, and saying, but what can I do with it? And I think that that's going to be a premonition for a lot of the big problems we encounter as an industry.

And it turns out that each use case needs to be specifically tapered. You have to think about the traffic stop use case, if that's the one that you care about, or online presentation. But figuring out that general flow I think isn't enough, doesn't go far enough. Someone is typically trying to pay their taxes or get some unemployment benefits or open a bank account, right? Each of these are, I think, very different in terms of the context they're in, and it requires a lot of empathy for the user and research.

So I think that the challenge has always been tailoring the technology and tools we have to the use case and not letting the tail wag the dog. So an increased focus on that and getting the end user experience right through a lot of interview and research, I think that's been the biggest challenge to this day. And it's like you can't build a single product that scales to all of them right away. It takes a lot of specific care, consulting, just it's very situational. So I was asked a few months ago what I thought the biggest impact that we could have with our work is.

And the way that I answered that was to refer to conversations that I've had with people in business, in government, in entertainment, sports, all manner of sectors of the marketplace of public ideas. And across the board, one of the things that I hear is that audiences don't know who to trust. They don't know how to know that the content that they're viewing came from sources that they trust. And the content producers are similarly frustrated by the lack of connection that they feel with their audiences.

So for us, the question is how much more information can we provide to audiences about who is producing content and how? And can we use digital identity to help tighten that bond between content producer and content consumer? So that's really a large part of the reason that we're here is to understand how the standards that we're talking about can turn into a practical and meaningful improvement in the marketplace of public ideas.

Yeah, so I would like to share two use cases. So on the one hand side, we have a use case in the German European ecosystem, which are so-called battery passports in the automotive supply chain. And that's pretty interesting because when you think about data sharing in automotive supply chain, you have to think about global supply chain, digitization. A lot of systems are talking to each other for use cases such as the battery passports, demand capacity management, circularity, quality management. A lot of data being shared among global supply chain players.

And usually you would say, hey, if I spin up such an infrastructure globally, I need identity. First, for zero trust architecture principles, for authentication and authorization among machines, among systems, manufacturer systems, supplier systems, ERP, manufacturing execution systems, you name it. You must have an identity solution for authentication authorization among these systems. This is what CatenaX is doing for the global automotive supply chain. And what's pretty interesting, because they have a conformance model.

A conformance model establishes trust in a similar way EIDAS is doing it. In a similar way, the mechanisms are there, a little bit more pragmatic, and they are spinning out on a global level. So it's not a German European project only. So there are CatenaX hubs in Mexico, Canada, US, South Korea, Japan, and China. So all around the world, South Africa as well. And that's, from my perspective, the only game in town globally for global supply chain digitization, for identity, for authentication authorization, but also for identity, for provenance.

That's in the battery passports, digital product passports, digital trends. I need a lot of provenance. And CatenaX, and that's really fascinating, it's the only game in town that establishes a trust framework and has spun it globally. Adoption is happening globally. And I think that's really a prerequisite to digitize the global supply chain.

However, automotive supply chain is super, super complex. When you think about critical success factors, oh my God, battery passports, a battery, unbelievable complex. Tier 10 suppliers around the globe, unbelievable. On the other hand, we have another project in the US for the US pharma supply chain. We did the same thing. We took the IDAS, all the roles, how to establish trust as a blueprint. Then we defined a trust model for the US pharma supply chain, which was endorsed by the FDA in the US. So we have endorsement by the FDA.

And now we have a trust model for a super, super simple use case, which is there is a pharmacy that scans 2D data metrics, a QR code on a pharmaceutical pack. They do a lookup, then they authenticate, authorize against the manufacturer with the license to operate. And then they get information back, information about the product authenticity, in the future about e-leaflets, a couple of other things. But this use case is for protecting patient health, to make sure pharmaceutical supply chains are much more safer and secure. And it's the use case itself. It's very simple. Just the one thing.

I scan something, do a lookup, send a request, super standardized. It's standardized with GS1 secure supply chain scope. You get a response. That's it. I think that's a bit kind of where we are. Some simple things in pharmaceuticals. And on the other hand, the global automotive supply chain with Cartena X. And there's no other game at all. Thank you for this. It's really important to know where each of you are coming from, what projects you're spending your time working on and solving the unique problems for. And so with that, we can jump into a little more dynamic conversation.

Each of you being able to jump in a little more flexibly with comments or questions, things like that. Let's talk about business models. What are the business models that are working in your context? And what learnings can you bring for other projects, if you can imagine, towards other use cases? We can start at Carsten and work our way down.

But, again, if you'd like to jump in briefly, let me know, and I'll help make the connection. Carsten. I think regarding business models. So I worked in the utility industry. And then people said, hey, power supply, it's a commodity. You can easily end up in a commodity trap. If you're a digital identity, you can easily end up in a commodity trap. You do your identity. And for us, as part of the business model, is to look into regulations. So where do we have to fulfill specific requirements to have a compliance USP? So that there are not many suppliers.

And then you work for regulated industries, for the pharmaceutical industry. That's a good industry to work with. Provide an identity wallet. Integrate it in a business solution. And then it's kind of an okay business model. But I think it's always important not to forget that there is a lot of competition in the identity space. And the commodity trap. When the hyperscalers start to integrate enterprise identity wallets on Amazon, Microsoft, whatever. I think you can easily end up in a commodity trap. And it's very important to go from, let's say, the basic wallet infrastructure.

Even if it's compliant and whatever, conforms assessment you have done this. But really to get kind of the next step upwards in a business application. Where you can sell a business value. Because from a sales perspective, this is easier to sell. And that's important for us. Not ending up in the commodity trap. And the pharmaceutical industry. So we are looking into value-added use cases. Such as the e-leaflets. A digital cabinet. You can do it for cosmetics. And you have a digital cabinet of cosmetics. You connect it with influencer marketing. You have a digital product passport.

New ways of customer engagement. Whereas a product passport, then you suddenly end up in marketing and so on. So there are a lot of more business use cases. And for us, it's really important to do the step from this commodity to real business application. Where people understand the value. And you can go to a business manager that understands the value. And buys the product without explaining how this identity is decentralized. Data sovereignty. You have to integrate it there and there. This is poison for your sales meetings.

So I think one of the interesting challenges when we talk about content in the marketplace of public ideas. Is that there are some pretty wide disparities in socioeconomic status and technical acumen. Especially when you look at content consumers. So one of our fundamental values is that anything that comes from C2PA should be freely understandable.

You know, your socioeconomic status, your technical acumen should not be a barrier to understanding the content that you have access to. You might say, well, okay, that's fine. Put all the costs on the content producers. And there are certainly well-resourced content producers from some of the sectors I named earlier. That have the means to put forth quite a lot to invest in their identity and making that public. But let's not forget about content producers in under-resourced countries and locations.

And let's not make it a barrier to entry into the system for them to also assert their identity. So that's one of the challenges that we face certainly in thinking about how do we construct a business model? How do we sustain it over time? I think it's such an important question to ask about. What are the business models that will emerge? Because I think that the business models will shape the standards more than the standards shape the business models. Historically, I think that's been the case.

The kinds of standard making that I've seen successful are when people already figure out how to solve a problem. And they're like, hey, I solved this problem. And they get together in a group and say, how else have you all solved this problem? And distilling the commonalities between the solutions. And it's something that's adopted and reached consensus. I'm very skeptical of approaches where people who are in a room together and don't know too much about how it's being used on the ground make a decision on how it should work. I think typically there's a gap between the information out there.

And you find that information by entering markets, by working with customers, serving them, solving their problems. And so I think that there are three different types of major business models that I identify in the space. It's my job to think a lot about them. The first one is infrastructure companies. Nothing is cleanly in any one bucket. I think there's always a mix. But infrastructure companies will try to sell the plumbing to build wallets, issuance infrastructure, verifier infrastructure, some variation of this. That's mainly the business that we're in.

There are also companies and organizations that have existing network effects. And they want to find ways to extend those network effects and see this technology as quite a way to do so. So let's say you own a bunch of different physical factories and you have workers across them that maybe you want to create a more dynamic labor market. You want to let one factory worker work in a different factory or something like that. So by introducing digital credentials, you can imagine creating value by creating a digital network effect across the physical world. And then it's more dynamic.

We reduce friction. Workforce use case is a really good example of that. Or if you happen to own a lot of massive LDAP directories all around the world in your cloud and you want to provide better connectivity, right? Then there's quite a good way to make money that way, too, if you have existing network effects and you seek to expand them. And I think the third way is basically wallets that specialize in some specific thing that can provide a really good experience for someone. And I think that the people who should consider making wallets, there are two necessary conditions.

The first one is that you have a trusted brand by end users because basically you're projecting trust that they should be your agent. And the second one is that you can provide a much superior end-to-end experience for a specific use case. So I think those are some of the ways that I've seen Drive Economics, details to be figured out. Is it transaction-based? Is it per active user? How do RPs pay for things, but issuers have the burden of implementation, right? These are some of the challenges that the commercial models need to address. Thank you.

Yeah, and thanks for that. Physical staff movement use case is so important and that's where money saving can happen. So within the NHS, that's the big savings.

You know, if I don't have a doctor waiting around for two weeks, that's a lot of money saved. And it actually benefits patients. And then coming to that system access, you know, being able to quickly get onto a system. So that's the biggest business model change and business value that this comes to. Coming to specialized wallets, it was interesting because we started this journey in 2020 and I've learned a lot of specialized wallets. It's very generic wallets and that was good at the time and fulfilled the use case. We kept it really simple for COVID. We had the COVID staff passport.

It was minimized data. That's what was working. What we now have is this whole wallet challenge with data from identity, education, training, doing placements in hospitals, getting receipts from that placement, getting recertification, getting general medical counsel, registration in the wallet. Presenting the right information out of the wallet at the right time to gain access, to gain onboarding to a hospital. It's a hugely complex process now that needs specialized wallets. And that's a challenge now that needs addressed within the NHS, for example. That's a big thing that needs to happen.

Couldn't agree more. I think one really... Sorry.

No, sorry. You're all right. We'll have Marie respond and then we can jump into the conversation. Yes. So I guess there's three things that we see when we talk to companies across a whole variety of use cases and geographies. The first thing is obviously cost saving. And this is nearly always the first thing that people are looking to do because there's a lot of price pressure. So cost saving is always the number one. As part of the cost saving, there's always a risk mitigation.

So risk, particularly with AI fraud, is a huge issue. So we see that as the primary way. And how you price and how you value, how you build business models around the level of cost saving. But from my standpoint, what I've seen, particularly in areas and sectors where there's a lot of content, there's a lot of data that's being manually processed today, the ROI is eye-wateringly large. So it's a really easy sell. The second thing we're seeing is new products. People are trying to bring new products to market.

They're trying to, particularly when we think about AI, people want to be more kind of smarter, AI driven. And that's also driving.

And, again, AI is only as good as the data that feeds it. I spent 25 years in research at IBM Research doing AI. And the reason I got into the space is because the biggest problem, apart from the ethics of AI, is actually getting the right data and actually being able to deliver really personalized AI. And then the third thing, which I think is the trickier part, is the data economy side of things. We think about this as ultimately this is about a decentralized data economy. And that's actually probably the biggest opportunity.

I would argue, you know, you're looking at multi-billion dollar markets in the cost saving. The actual data economy is a multi-trillion dollar business. There's no question about it. When it's going to happen, it's going to be a few years. But it's a question. I'm going to give you a very, very simple example. We were working with one client recently that's really worried about fraud within the recruitment space, a large company. And they said, oh, we're going to have to go get IDMV.

We're going to have to do IDMV because we need to get, you know, we need to make sure we know who our employees are. And they're going to spend millions on building an IDMV.

And I was, like, scratching my head. But you actually have another provider that provides you a different service. But as part of that service, I know they have to do IDMV. But they actually don't issue it back to you. So when you think about business processes, in AI we talk about data effluent. So that the waste, you know, when you go through data projects, you have this waste that isn't important for your particular outcome. But could be really valuable. So it turns out that the outcome for this other process was to do a compliance thing. But as part of it, they actually did a full IDMV.

They just never credentialized it back to the customer. So now they're going to spend millions on something they've already paid for. They just didn't know they paid for it. So I think there's really exciting opportunities to realize real value when we take a look at the data economy. And as I said 15, 20 years ago to companies building software, like, if you don't see yourself as a data generator, then you're doing every piece of software. All we are is data generators. And that's what we should see ourselves as. And we should make sure that we maximize the value of every piece of data.

Not in an exploitative way. But because it's all value back to the individual as well. So I think that's the biggest opportunity, I would argue, around the decentralized data economy. Thank you. Wayne? Yeah. So on that, I think that when we issue digital credentials, it could be seen as an act of empowering an end user if we do it correctly. Because these systems already have information about you. Why shouldn't it go to a wall of your choosing? And you can use it how you'd like to. And I think that is a really powerful experience that can be unlocked.

But to your point about the user experience and specific wallets, I think that one really interesting thought experiment is why is there an app store? Why can't the base operating system do anything? And it is really a limit of focus and scale. Because one organization can't figure out all the different user experiences across all the trusted interactions you have in the world. So if you agree with this thesis, then you might agree that we're going to have to package experiences to really taper into those individual use cases.

Whether you're a health provider or whether you have your data back to you from a government agency and you can do something more with it. One of those experiences also coming out of the organization you work for. So within the NHS framework, for example, I have lots of use cases where health professionals need to have identity in other areas. So providers of medical equipment, they now need to prove that they work for the NHS or their doctor to log in there. Previously, hugely complex processes.

If we have a staff password, the DSP, as we call it, that can now be enabled for pharma, for providers, and easily can be used for logging in and proving your status. From my perspective, you mentioned the specialized wallets. And I think it's an unsolved problem. Because on the one hand side, you have horizontal infrastructure. I call it a base ID.

In EIDAS, it's called a PID or a legal PID for a company, for a human, for authentication across multiple use cases. And then you have domain-specific verticals sitting on top of it.

And, for example, what we are doing in the pharma industry in the US, this is fully customized to the US pharma industry. It's baked into data-sharing protocols based on GS1 standards in the pharma industry. It's baked in a trust model that is relevant for the US pharma industry. It's fully domain-specific, specialized wallet solution. And this is what I also see in Europe. Different ecosystems have their wallets.

And I think the interplay between a base ID for pure authentication that's derived from a government, either from a government registry for a company or from a government, from your personal identity card for a natural person. And this base ID needs to somehow interact with the vertical domain-specific wallet. And from my perspective, it's completely unsolved. People start to tap into it in Europe. And they try to combine the EIDA's OID wallet together with industrial solutions such as Gaia X, Catena X, Manufacturing X. We have a lot of Xs.

So they try to start working on this, but it's unsolved. And I think for scaling the entire thing, and this comes back to your point, where you say it's an operating system and then the app sitting on top of it, that's exactly what we need to figure out. How base ID can interact with domain-specific features, wallets, however you name it. I think that's very important to solve for broader adoption and for ease of use.

Otherwise, we have a zoo of wallets, and that's what we don't have. And can I just follow up on that? Because it's not even about wallets. I'm going to come back to the decentralized data economy. Because what you said is really fundamentally important if we want to turn this into a multi-trillion dollar opportunity. And it touches on a thing you said earlier as well about don't be commoditized. When I look at all the critical use cases right now around decentralized identity, and I understand why this has happened. It makes total sense.

They're all really narrowly focused on a specific problem, a specific community to solve a very specific problem. And that delivers very specific value. That's perfectly fine. But where the real value, so I would call that incremental value. And it could be incremental value in the form of a big price tag. It's a real value. But where the exponential value is realized when you actually start to connect use cases. And this creates this real problem.

So taking that pharma example and taking the healthcare example and taking a patient example, just imagine if that device or that medicine, whatever, that is also now you can, as a consumer, if I'm taking that medicine and if I have a negative interaction, now you start to want to connect the patient. And now you want to connect. So we've heard a lot of talk about acceptance networks. But I think fundamentally the most exciting opportunity and the way this will be absolutely globally transformative, but it's not an easy problem to solve to your point, is this isn't about identity.

It's the data economy. It's not about identity. Identity is 1% of all the data that you have about yourself. Be it a company, be it a person, be it a device. The identity device is one thing, but all the other things about the devices. So it's only a small fraction of the relevant data. And then the other thing is now when you start to look at hopping across different ecosystems and different use cases, that means this is a hard problem to solve.

Guys, we don't have small people working in this space. If it was easy, it would have been done already. But I guess what I would really call to everybody here would be we have to solve for the immediate. We have to solve these use cases because that allows us to start getting traction. But we absolutely have to see this as about a global kind of interoperable set of use cases because none of us live in a silo. And that's kind of, I guess, one quick observation on that.

And that also means we never get commoditized because I'll be honest with you, I don't really focus on the identity business because I think that's not where the real opportunity is. It's on all the other stuff. We're coming close to the end of our time, and we've only just really jumped into the conversation. But if we can wrap up for our audience members to come away with. We do have a question out from the audience. We all learn from the things we do. Given your experience in digital trust solutions, what would you do differently next time?

And how could you summarize those learnings for others to take away? We'll do a lightning round. I'll be very quick. I honestly wouldn't change anything because I think you learn more from the mistakes you make than the successes. So I just think just be very conscious, learn from your mistakes, be able to iterate fast, and then move in a new direction if you need to. Learning by doing, I totally agree. But also involve governance earlier. We had this freedom during COVID that we didn't have so much governance rules. Now we have them. Involve them. There's legal frameworks.

We realize that, for example, in the NHS, every of those hundreds of organizations had different regulations on identity verification. And none of them accepted digital. So that's a whole raft of regulation that needs change. So involve that early. As much as I spend a ton of effort talking to customers and end users, talk to more customers and more end users earlier and more often. And even in other parts of your organization, too. You'd be surprised how much value a standards engineer gets just talking to someone or watching them try to use an app. It's early days. We're still learning.

From my perspective, it's really in the early days, understand the critical success factors for large-scale adoption. So we have a critical success factor framework consisting out of 20 critical success factors. If I look at most projects, maybe two are fulfilled. The other 18 are not fulfilled. We drop the opportunity. I think the critical success factor is very important. And one of the most difficult to tackle is because you have to cross the chasm and get an early majority. And this is difficult with an ecosystem to get the buy-in of the early majority.

And when you would like to get it really going and scalable in an ecosystem, everyone should have a business case. Most of the time, the business case is super asymmetric. Some big players, let's say manufacturer, fantastic business case. The small dispenser, they don't care. There's no business case. Why should they do it? They need a free of charge solution. But the asymmetry in the business case driving large-scale adoption is very, very tough to tackle. And that's the key learning that we have. And that's my day business as well. Thank you to all of you.