KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Ladies and gentlemen, welcome to this panel on modern identity approaches. Now you might be wondering what is an identity panel doing in the midst of a cybersecurity leadership summit, but you hear me out individuals as, you know, have their own contextual understanding of identity and agency. So my perception of digital identity might be entirely different to yours and the same rings true with cybersecurity. Also you can have end number of best practices, but there is no one universal approach to security.
And that's primarily because risk is difficult to measure, You know, over this panel, we'll explore new modern identity approaches and also try to generate some key learnings for our audience here, both on site and virtually we have seasoned identity experts today with us. We have Jacoba Cedars who has explored identity through the lens of a bank for quite a while, and now runs the European self identity framework lab or SF lab. We also have with us, Dr.
Tarin, Ted, I hope I pronounce that correct. The CTO of yes.com who runs the POC for the global assured identity network or gain, which was launched a much fanfare at EIC earlier this year. And of course last but not the least. We have our very own Annie Bailey, the coping call Analyst for emerging technologies.
Now, You know, we hope to stimulate conversations that matter, and that won't be possible without active participation from you, the audience both onsite and virtually. So please sending your questions to us and let us together drive chains that permeates beyond these, these walls with that being said, let's get started. So I'd like to start off with asking you, you know, how did you end up working in the field of identity?
So to say, so how did you come across identity? And could you perhaps talk us through the scope of your work, maybe a COBA you could start off?
Well, I started 20 years ago, I was a junior consultant at the consulting firm and I was hired by a large banking group, the NG group. They couldn't email each other across 60 countries. What they needed was an email backbone, containing all the names, surnames, and first names of all the employees in 80 countries, 150,000 people. Now you call by you go and collect this data from HR.
That was, that's what they said. That was all. And I had to Google what units there were everywhere I would mail to I N G careers, Canada to learn who was the head of HR. There was nothing. Okay. So building a directory to serve the email backbone. That was my first engagement. And from there I never left and then identity developed itself and I came along Amazing. And could you perhaps talk a bit about the scope of your work at SF Lab? My current scope is that I'm deciding with others. Okay.
The SF lab is there to use the European blockchain infrastructure owned by the EU and they want to play with it for the legislators. So the EU understands what it is blockchain. And one of their lines of business is identity, self sovereign identity. As we have heard this morning from Kim yen, explaining that EU now wants all the citizens have good identity wallets. This could be starting with self-sovereign identity and they hand out money. And anyone who has a good idea or invention, like it could be academies or te delve or yes.com or anyone they can apply. And then they will be rated.
And I'm one of the board members to decide who gets what to spend to implement. So it's open call on business oriented call. So business ideas or infrastructure improving the underlying infrastructure. Those are the things that I'm working with. Fascinating Torson Yeah, well, I started my professional career software engineer and it consultant.
And after quite some time, I, I was, I was hired for, for a project at Deutche Taylor Deutche Taylor has a identity team that does consumer identity management for all their consumer oriented products, such as entertainment and cloud and, and communication. And well, that was my, my entrance to identity. So I was responsible for managing the identities of 20, 25 million customers. And I learned what it takes to, to really develop and operate large scale identity systems.
And at that time, I also started to contribute to the international standardization of technical standards in the identity space, most notably oof two and open ID connect where I still work. And now with my role@yes.com, I'm a cto@yes.com. So we are a commercial open banking ecosystem and we, we enable thousand banks to, to, to be identity providers for their customers. And by the way, we also applied for SF grand and we, we got approved. So brilliant. Yeah.
We also, we also dig into, we also dig into how SSI could be, could be leveraged for our financial institutions, for example. Yeah.
I mean, we'll definitely look into how you, you guys manage stakeholders coming from different backgrounds later on in the panel. Annie, could you perhaps talk us a bit about your work?
Yeah, absolutely. So I had a much less traditional entry into the identity field.
I have my, my formal education and early career and li linguistics and international development and diplomacy. And so that means I bring a, a very different perspective to I am something which is very people focused. So really keeping the, the human face on the other side of the digital identity that we end up building. And so my current research is from my Analyst chair on these newer identity models, which are coming out there. So really piecing out what does it mean to have a verified identity? What could it mean to have a reusable identity? How do these things mesh?
How do we make it happen? So Brilliant.
Now, anything new almost always is born out of an existing problem. So I'm curious to know, you know, what according to y'all is, or rather are the problems of the identity status quo and what has specifically led to the creation of new forms of identity management such as SSI or gain for that matter? Torsten maybe first.
Yeah, sure, sure. So first I would like to point out gain is not a new approach.
So the, the reason why we started to gain global or short identity and initiative was the digital society needs, needs a foundation based on, on, on assure digital identity. So I'm not talking about self-assertive identity.
I'm, I'm talking about trusted identity that has really been verified. And I think the global pandemic has, has made it even more obvious that we need solutions for that.
And, and those solutions needs to be global and there are already existing solutions out there in the field, but they are local in nature. So for example, if, if you look to Scandinavia or Netherlands, right, I mean, you've got iden in the Netherlands, you've got ne ID and Denmark bank IDs in Sweden and, and, and Norway it's me and Belgium, couple of other places.
And, and there are also identity providers in Germany. And what we, what we intend to do is we, we, we intend to build a network that allows to leverage that existing digital identities, those short identities, because that's important, not only for users that can use their identities someplace else. For example, if I'm traveling to France or to the us, I can use my identity to, to, to, to identify myself there. It's also very important for global relying parties, as we, as we, as we call them, to be able to, to access as many digital identities prove digital identities as possible.
So that's, that's basically the idea we published the paper, as you mentioned at E I C this year in Munich, and we've got more than 150 coauthors of that paper. So this is really a global initiative, Absolutely Yuba.
Well, I think I have, that's already clear from what you are stating. We have too many identity. That's the problem. We have have too many solutions. There are 300 best solutions for solving your identity problem as a business today and password less and very secure hundreds of them. And it doesn't help because it makes the world even more scattered and fragmented. And that's why lab is trying to get standardization. So I least interoperability is enhanced across all these identities, and that would be part of the solution. So it's not that we don't have identities.
That could be good, but we have too many, Right. And with too many identity solutions also comes in too many abbreviations, which is also difficult to catch up with.
So Annie, could you perhaps yeah. Shed light on, on what's your take? Yeah.
So, I mean, we could spend all day talking about this problem or this, this situation of, of why we're here today. You know, talking about gain, talking about decentralized identity solutions, and there's a lot of functional reasons. So there's a need for increased security. There's is a mistrust of organizations who are holding honey pots of data. There is more general awareness for data privacy, but of course there are a lot of areas in technology that need improvement that also are not seen such revolutionary. One could say revolutionary development.
So I think identity is a bit different here because it is involving a lot of different parties who have active voices here. And so this is probably most easily seen with consumer identity and access management, where you could think of the organization who has its needs to communicate with a consumer to set up a consumer account, facilitate online transactions.
They have a lot of different needs for an identity for their consumers, but the consumer also has, and is becoming more conscious of their voice and the role that they play in this relationship, which is then to indicate their preferences, to insist on basic levels of privacy, things like this. But of course there are other members in these transactions who also have voices. So twist in this here with yes, and, and, and this open banking scenario. So there are many other types of organizations that play a role here.
And so that I think is what's really unique here because there are so many different voices which are then spurring a conversation and, and this particularly collaborative development of new methods or not new methods, but hopefully more popular methods, Right. I'm just coming off a fantastic round table discussion on ranking priorities for CSOs. So I wanna drive that question to you guys now, in the sense of, you know, what are your priorities when you build these new solutions? And do you have a sort of ranking framework as in how you assess priorities?
Well, that depends whether you look at identity as an insulation isolated topic, because I think identity is the foundation and it in itself, it's a priority as a whole, right? But still going back to the previous question, I think it depends where you are acting because we see that the environment has been hi changed as well. It's not a castle anymore. This is a bank, it's a castle, there's a front door and guard to the front door. Data is everywhere. And it's difficult to know where the most critical data resides, right.
Even finding it, knowing what to protect is one thing that should be done properly. And that's not easy in every organization and all this hyper connectivity hybrid clouds.
That, that is the new challenge. And knowing at least where you are being fully aware of the situation, that's, that would be the first step to do. And then of course there would be making sure that you have good sources for identity that are validated and yeah. And then building on with that right. Trusted. So I would like to, to answer the question from the perspective of someone that has, has been building identity services for quite a while.
So consumer consumer identity service, I think that's, that's important to point out because the requirements might differ for, for enterprise services. So what I've learned that first and foremost, the first priority is reach quality and reach. So you need for the use case, the appropriate level of identity, and you need as many as possible digital identity user account. So that's that's first priority. Second priority is user experience because without user experience, it just doesn't doesn't fly, right?
So if the user doesn't understand what it needs or she needs to do in order to, to authenticate identify and so on. So user experience is a key success factor. And the third key success factor from my perspective is developer friendliness. And the same way as the, as the user needs to understand how, how to utilize a U a solution in order to, to, to come to the, to the end and, and, and, and reach your objectives.
It's important that each and every average developer can integrate such a solution into a business application, because as you pointed out, identity itself is a priority, but it's always part of a solution. So, and if the integration of such a solution is to cumbersome, insecure, whatever you break the system. So user experience, developer experience, and conversion reach all the pieces, Accountability, I would say, oh, I forgot interoperability. Oh my God.
Yeah, you're right. Yeah. Right. We will look into the interoperable or interoperability question later on in the final, Annie, it's gonna be a more, it's gonna be a more different twist to this question because you don't build solutions, at least not now, you know, could you perhaps talk about how you evaluate identity solutions out there in your research? Yeah.
Well, if we didn't talk about interoperability before now, then I would've brought it up. So between us, we'll, we'll cover it in some way, but yeah.
So as, as an Analyst, we, no matter the, the type of solution or the technology, we have a few different categories that we always really look closely at. One of those is on interoperability, also the overall security, the usability, the deployment, and the market standing of products.
And, and we feel that this gives a, a, a very well overall assessment of, of different types of solutions or technologies. But of course, we do look at the, the specific capabilities of different types of solutions.
So, so, but my more recent research was on reusable, verified, digital, digital identity solutions. That's a mouthful, I'm apologize, but the, the assessment then breaks down those different capabilities, which are really important.
So the, the different methods of verifying that the digital identity does indeed correspond and is held by the individual. It describes, or being able to bring in different types of identity attributes, not just traditional ones, but also moving into education, credentials, or health records or employment credentials, and how these can be managed. And of course, secure data storage and attention to privacy, which then becomes very interesting because depending on the technology, these can look like very different things.
So, yeah, that's a quick look, Right. Another important talking point throughout CSLs is about talent or the lack there of, and, you know, with participants coming from different backgrounds, both cultural and professional, how do you foster a culture of innovation within your team or network, and also, how do you retain talent Tosen would you like to take that? Hmm. Take your time. Yeah. That's a certain change in direction, right? That's true. Since I'm leading a team, I think I should be able to answer the question.
So retain retaining or recruiting talents and retaining talents is, is basically, I think some of different aspects, first of all, the really smart people want to work on interesting topics and they want to work in a challenging atmosphere that also give them the freedom to, to, to, to do, to, to, to work their way. So that's, that's basically on the level thing, what you, what, what you need to achieve. And honestly, that's also one reason why we are looking into SSI because that's where that's, that's where interest is right now.
And, and a lot of really smart young people are interested in that topic and in that technology. And so if we go that way, we also find the talents right. And retaining the talents means to give them the ability to growth and to, to yeah.
To, to apply their, their talents. Absolutely. I don't know whether that really answers your question, but thought that almost solve my thoughts on that. Y Yeah. I'm also thinking hard.
Well, I had a very, my last team was very large and very diverse. I had developers from other countries, overseas countries onsite and offshore. There were seniors, almost ERs with nice pullovers going for their coffee, all together, all the time. And really young talents from consultancy firms. There were a mix. And what I once did, I had the whole identity scope. So there was authentication authorization and identity, which are three different parts of IAM, but together they built the whole process. And you could see that for the authorization, it's all this mainframe right.
Setting operations. Those that was a different population. But for building the new stuff where we had the innovative building blocks that we were preparing, that would also be authorization. So I split the team across these topics, which made a different mix from the old guys and young guys and innovation and a newly built stuff versus the legacy people. And they would come together because they were now joined as a topic, working and handover of knowledge was also better in that way.
And, and I had really a lot of team events or events. I was myself, always never sitting in my boardroom type of room. I was always walking around. I knew who is who I did a lot of personal intervention all the time and also to scout the talents and to make sure they had a next career step ready for them. I think that's important. Right. And speaking about scouting, is there anything organizations can do to build expertise in a sense from the grassroots level? Yeah. Go to the universities, be where the people are that you need to meet. Be part of GitHub.
I know one person who did that for a big automotive company, he has all his P built by on, by open source youngsters volunteers. And he presents it to his board because he can't get that done internally. Right. Amazing stuff. Charleston, do you wanna add something or I just want, I just wanted to share on observation about this young and old thing, right. In identity, there's also a young and old thing. So the older guys doing federated stuff, open ID, and so on the, even those do Samil and we've got the SSI forks, and I'm, I'm a long term participant of the internet identity workshop.
So, which is the place where a lot of the technical standards on the technology was invented, that, that we used these days. And over the last couple of years, there were two different communities there. The people talking about vendor, relationship management and SSI, and the people talking about oof, and the practical stuff and open ID connect and all that stuff. And what I see right now is there is a, there is a convergence, there is there's corporation.
So I'm, I'm, I'm really fascinated because we are working I'm as a representative of open ID foundation. We are working with folks from decentralized identity foundation on, on, on making open ID, usable for SSI. And this is so fascinating.
I mean, we have the calls at late times in the evening or something like that, but every everyone is really is really passionated. And, and the younger, the younger folks want to learn from those guys that have the operational experience.
And, and we want to like, Hey, how can we do things differently? And that's really, that's really cool. So diversity, diversity is really a key, key, key success factor for innovation.
So, yeah, That's, I think also that it's, it's a generic way of it's in the air everywhere. If you look at most blockchain solutions and use cases, why do you need blockchain? Because you have to share stuff with people who don't trust our organizations who don't trust each other and the blockchain and yours, your integrity, your data integrity, and your availability. Cause that's how blockchain functions already distributed ledger. So you see a lot of coalitions in that world and use cases where lots, where the whole value chain is cross, cross anything.
So that's by the default use cases already where coalitions and, and cooperation is needed. And I think when you standardize you also by default have to talk to many people it's plus. Yeah. I think it's also the time we're living in hyperconnectivity and value change across many channels.
And many, many parties has to do with it as well. Right.
Let me, let me take a different perspective. So you asked for innovation and I think there is another aspect that, that I would like to shed some light on. So standards interoperability also enable markets. Yeah. So what we do, for example, in gain is we create a huge marketplace because we, we avoid the, the lock in factor that is caused by proprietary technology. So if everyone speaks the same language, this is not no longer a competitive edge, right. So everyone speaks the same language. So you have to compete on the level of the innovation of your product.
And, and that's why we, in, in some sense also do in the yes ecosystem because third party service providers come join the system and can, can provide their additional services and they compete with other, and this is, this is a natural driving force for innovation. Right.
So, Yeah, and also open source. I mean, it's one for the SF lab. It's one of the requirements. When you want to get the money to leverage SSI with your invention, it should be open source. Right. Brilliant.
Annie, could you perhaps talk us through how you bring in different points of view when it comes to your research and then ate those into your findings? Yeah, absolutely.
So, first of all, it was fascinating to hear Toten and COBA your, your ideas here and your experiences, which does with my philosophy of, of innovation, which is really exchanging ideas and being curious and, and continuing to learn from each other, because each of us, even just the four of us on stage have such different perspectives. So the more we share, the more we can learn and hopefully that sparks innovation, Right? The former CTO of Daimler says that identity is a means, but not an end.
So my question to you is when you're building projects, should the development be focused on a specific use use case or, or agency for that matter? Jacoba I think it should be generic convertible op interoperable, reusable, persistent identity that you build from what, from where you could have multiple use cases. Okay. Torson you wanna add something? That's a difficult question since looking onto that from a long-term perspective, I'm fully with you. So it should be generic. You should be able to, to, to reuse that across different use cases and services.
On the other hand, if you started something new, you should carefully manage your requirements and make sure that you at least fulfill the requirements of the first use case. So it's, yeah, it's, it's really, it's, it's Really generic with variations for use cases maybe, but that's what happens when you have a core identity, which is basic, which I'm talking about and generic, and then attribute added to that to make it specific in certain cases. Yeah.
So what I have seen in, in, in, in my, in my career was that people started with the use case, which was okay from a risk mitigation and, and project delivery perspective, but the neglected two factors, first of all, an identity as a life cycle and, and, and, and, and the user journey, and you always need to consider really the full journey, not just the registration and the first login. Also self-care deletion of attribute a deletion of user accounts. And so on that, that's very important. And I mean, GDPR, I think makes a very good point in, in that.
And What I also have seen is in, in enterprises that for different products, they implement different approaches to identity, which means customers have to learn that they have different accounts for different products, which make, makes their user journey really cumbersome. And they also lose the ability for cross-selling.
I mean, single sign on is an is, is, is an enabler for cross-selling. You can use it with one product and you are sent to another product. You do not need to register again, just check mark, and you can use the new product. So you need, from my perspective, identity works the best. If there is a someone responsible for it, living it and advocating products, You need the identity, Mr. Or Mrs. Identity should be a well known person who can sell very well. But coming back to the type of identity, I, I would call it fine grained identity.
So indeed, it's the enrollment, it's the, the different life cycle phases of a customer. Are you already a customer? Did you already buy something? Or are you just looking around on our website, whatever role you could have, you could be delegated, delegated authorities. The whole authorization structure could be very complex. Yeah. You could even be banking on, on behalf of your mother, but with your own identity, right. That that type of structures should be so, and there is an identity, main maintenance duty. It's not just ones of enrollment. Okay.
Getting in is always easy because there's pressure. It needs to be fast, easy, everything, but main maintain the right level of identity, the right fine grained attributes or validations, or reverifications for identities. That's always, yeah. Forgotten because it's not pressing, but that's could be an attack factor, of course, empty identities or that are not being taken out. Right. Torson you briefly mentioned user journey. Could you perhaps double click on how you deconstruct a user journey when building a product? It depends on, on, on what perspective you take.
So at Doche TECOM what we differentiated was clearly the registration. So the, the step where you become a customer set up your credentials, accept terms of service, accept the contract, or sign a contract and configure the payment for that. Then the usage, which is login and recovery. So you could also deconstruct that, but in the end, recovery is kind of a login. So it's just a bit more cumbersome. And then you've got the life cycle part where you got an, where you want to get informed. What have I done with my account? What services do I have access to?
Could I use other services with that account? And again, it's all consumer identity.
So I'm, I'm experiencing consumer identity and nothing else. And then clearly you have to be able to, to, to delete, to cancel your contract, to, to delete your user identity. That that's very important. Yeah. Right. And if you, if, if, if the kind of identity you're doing is also used with third parties, then it goes a bit beyond that. So we see that, for example, in the banking industry. So due to PSD two, you use your resources all over the place, which is great.
And this also means you need to be able to explicitly give consent to that because it's no longer covered by the terms of service you initially accepted. And you also must be able to manage that content. So go someplace, see, okay, I gave consent to share my data with site X, and you need to be able to remove that as well. So those are the functions that I see typically.
And you cover when it comes to incubating companies, you support them with, you Know, when, when you look at the banks, that's where I have my experience and knowing your customer, anti mono laundering laundering, lead insulation, it has a set of requirements that would go far beyond regular, right? Onboarding. You can't do business as a bank with a person that you haven't completely very fight. Whether that's a politically exposed person, are they on a blacklist, not just identity verification. So digital or personal onboarding are two ways of doing it.
You come to the office, personal onboarding, you show your passport, and then they do your background checks and you get your accounts digitally. It's very difficult to bind and natural person to a legal or a digital identity to convert that. How do you know it's really you? So is your identity, not counter feet or synthetic. You can be, make pictures with your passport. Then in some cases, they read the chip with your iPhone, the chip, which is in your European passport can be read. And the data can just go to the bank straight away through that app in your phone.
And then they do some liveness check. You said before the camera and you, your photo could be fake or a film. So you have to say your move. So they really know it's not a film. Someone made of you. That's really the person is there. Yeah.
And there, there was a big struggle, but nowadays it's become more easy. Now we have these chips and chip readers also in the iPhone, which is opened up for that, right? So there are a number of vendors who do that very well. And after you have become a customer and the whole set of data is ready, you get your digital identity, you would add a credential set to it. And maybe later on federated, right. From other areas, if there's an identity Federation that the customer would enroll for or would delete Starstone is saying, Yeah. And that's what we want to utilize.
I mean, that's a good starting point because banks spend a lot of money, have very complex processes and do to do that verification and the validation because they are obliged to do so. And what we do with gain is that they can, they can also leverage that identity and, and help their customers to use that identity. That was so painfully created to, to someplace Else later on, because if there's a trigger, if we see something with a customer, we have to do it again. And otherwise we have to do it once every, so many time. So there's, it's not one, but it has to be the re-verification as well.
Yeah. Yeah. Germany up to two, twice or every two years, for example, Let's bring Annie into this conversation.
Annie, could you perhaps weigh in on how analysts fit in when they, when, when, when they come in together and discuss marketplaces or do their market research understand the players in an ecosystem? How do you go about that process? Yeah.
So was first of all really interesting again, here in to, and Yoba speaking on this, if I can touch just very briefly on deconstructing the user journey again, before I get to that question, the way they explained it, it's perfect because you can, you can imagine all of these individual steps in the identity life cycle, and we can start to kind of, of laying them all out in a line. This happens first that happens next.
We can start to see identity proofing or verification happening at the same time as registration, or even as Toman was saying, you can begin to inherit or import an existing verified identity. So skipping this registration stage altogether. And so the user journey then is a bit more deconstructed, is more modular. So then coming back to the, was it the ecosystem Raj that you wanted to know about? Yeah. So there's a lot of interesting partners then that, that are, that are coming onto the, the stage here.
So I think we've already mentioned that this is a first of all a hugely collaborative space. And so I think it was also already mentioned that the gain white paper had over 150 co-authors and that's something which is not unusual in this space. So that's something that's really, really noteworthy here, but kind of bringing in these different ecosystem pieces. I thought it would be interesting to list out some of the, some of the interesting partners that I see from an, from an Analyst standpoint, having a, having an interesting role here.
So first off national registries, depending on the perspective you take from the decentralized side, there are of course an important issuer of identities. And then from the other side, coming from perhaps an identity verification standpoint, they are an authoritative source against which to verify those identity attributes. I find law enforcement also a particularly interesting partnership to have, especially in these identity verification scenario.
So yeah, COBA you explained this really well of going through a, a document scan and then a liveness check and this entirely digital process of verifying your identity with a government issued document. But however, that does have to be verified that it's not counterfeit, that it's not forged, that's typically done with machine learning models. Those of course need to be trained and they're best trained of course, on real documents and forged documents, but it's highly illegal in most countries to actually possess forged documents.
So that's where a partnership with law enforcement can become really handy because that can allow access to those forged or counterfeit documents to then train and improve the model. So there's all sorts of interesting ecosystem partnerships. Yeah. That We can see here. I agree. Yeah. There's a lot of background checking done by other companies that are servicing the banks and they're forming partnerships. That's a big value chain. That's not, not all done within the same bank because it would also be too expensive to intense to do that. Right.
And speaking about partnerships, let us switch gas to this concept of decentralization. You know, gain is known for having a decentralized model of leadership, which is quite rare because organizations across the world more often than not follow a hierarchical way of reporting, that's the way things have been done.
Yoko, you deal with a decentralized technology where decentralization is a primary core. So my question to you is how do you manage stakeholders, partners, network members in a decentralized manner in terms of decision making, in terms of the rate of getting things done in terms of consensus, you can choose whatever approach you'd like to start. In my opinion, I've worked with a Dutch blockchain coalition, and I think that's the key word coalition, okay.
Working on identity for the Netherlands, three banks chamber of commerce notaries, the, the Dutch financial monitoring authority, they're all setting at the table and we call it the coalition of the willing, because if they're not willing, you have a problem, but the Dutch passport organization was also part of that. So you need the right people at the table. That's first of all, one thing, and then you need consensus, but that's nice when you do APAC or when you are playing around with use cases and doing all the data gathering and what are we doing and why do we do it? Everyone is happy.
Everybody has a job and is delegated from his bank like myself or from his organization. But then really when you want to implement it and really start using that identity, and it needs to become a reliable, real thing in production for real business, then it becomes difficult because what type of legal entities should such coalition be. And I think the legal guys are, have been looking at this in many, many other use cases as well. Right? And so you are touching on a very new problem that we didn't have before. It's the informal managing of customer of stakeholders, how to keep them happy.
That's probably what you mean, but secondly, how to formalize such a partnership. And I think that, that if you look at liabilities and if there is big money at stake, I think for the legal guys, that could be a new trade to find out how to do that in a way that it keeps everyone happy. Right. Do you think Dows decentralized autonomous organizations? Do you think that they're an answer to some of the problems that might crop up?
Yeah, I think so, but still you must make people feel secure or organizations to be part of this and to have responsibilities, which are not always their core business. If the issue is handing out his data for a purpose that is not his own purpose, but surfacing the globe. Yeah. What risk does he run and why would he help that's That Is true. Not easy Person, Never underestimate liability, legal issues, contracts, commercial aspects, regulation, and so on. Yeah. Competition, what you, what yeah. Competition. So what you just described more or less also describes what we do in gain.
So we started as a coalition of the willing, those are the co-authors of the paper. So 150 plus people from all over the world, different roles, different perspectives, both from financial institutions, identity experts, tech guys, product managers, lawyers. And what we know as we are now in the stage, still a coalition of the willing, but gain is not in, is not an, an organization that's, that's very important. So it's like right now in informal coalition and what we are doing right now, we are setting up a, an initiative across different standardization bodies.
So different aspects of gain will find their home in different standardization bodies, existing bodies, like open ad foundation will take care of technical part. The open identity exchange will work on the governance, which in the end will result in the governments governance framework that will then allow us to establish the, the right legal entities and, and, and the framework to really make that operational. But this is still some way to go until we come to that point.
So we also talking about with the international Institute of finance, the fi Alliance will be part of the, of the game, the cloud signature consult. I hope I did not forget anyone. We Are two, I dunno are three consortium. Not as far as I know, but potentially there's an idea Life I would. Yeah.
Right, exactly. Thank you very much. So GL is also part of the, of the, of the initiative. And as I said, O will develop the governance framework for that. And based on that governance framework, we will decide how to run that thing. In the meantime, we are running a technical POC and the technical POC is, is again, is an, is a group of people that want to really build something that is tangible in order to cop or avoid all the legal issues, special data privacy issues. We run a test bed. So we use existing implementations of bank ID, Sweden, for example, or from the ecosystem.
But we do it in a test bed just to be able to demonstrate, Hey, it works. We can connect IDPs from Australia, from the us, from Sweden, from Germany.
It, it works for those use cases. And if more people are, are joining, then we will establish the legal, the legal basis for that, because we may need to make sure that there's a clear, we need to sort out liability, right? So even IDP asserts an identity, the receiving and needs to get some, some attestation and some, some liability. Otherwise it's, it's, it's useless, right?
So it's, it's, it's, it's, it's still some way to go, but I think we have the experts in, in, in all those different groups that that will be able to sort it out and it has been done before. So one of the, of the key, the key statements of, of gain is built on what has been built, right? So this kind of schemes already exist. They exist in the credit card industry, in the payments industry.
So it's, it's not a new thing at all. We need to project that onto a global identity scheme, Right.
Annie, do you have a take on, on new concepts of leadership that perhaps our audience here could, could in a sense, adopt or implement? I think that to COBA covered this to, to the extent that we know today, of course, there are always experiments out there and in a sense, this is quasi and experiment, you know, however far it is through POCs and, and whichever solutions we see out that have been commercialized. So this is, yeah. I think you guys covered it pretty well. Right. Let's shed light on the interoperability question.
What do you think are the critical requirements for an IOP digital identity ecosystem? Is that some sort of a utopia or could that actually be made a reality? Torson Well, Please positive answers only.
Yeah, Yeah, yeah, yeah, yeah, no, no. I'm very positive about interoperability.
I spent, I spent nearly our 11 years of my life working on technical interoperability now. So there are two aspects to that. So first of all, you need to have technical interoperability. And in the end technical interoperability, always as a function of features and the degree of interoperability. So we have the technologies today to come to come to tech. We have the technologies to come to technical interoperability across different solutions and not only different solutions, but also different architecture.
So the game POC will show that using open ID connect for identity assurance, we can bridge the gap between centralized solutions, federated decentralized solutions, and even SSI solutions, because the technology is powerful enough to, to convey all, all the data. That's just the beginning. The more complex part is the semantical interoperability. Exactly. Yeah. Yeah. Cause that's very, that that's everywhere. That's even within a company, you, you meet that when you do IAM.
So let alone on a global scale that, And on a global scale, it's even getting more complex because you are hitting cultural cultural walls. Just to give you an example in, in us, UK and Australia, there is no government issued identity, at least not officially, right. So how do you cope with that? In central Europe, we have a certain concept of identity that we can utilize. So the government, as the highest authority, we can check against that.
And there are also different regulations let alone in Germany, the regulations completely different for the banking industry, for the tailor communication industry and for the government services. And you can't really compare them. So semantic interoperability also means to, to, to map between those different contexts, right? We call them trust framework and identity assurance levels. And if you go international, I mean, you can't really compare that because that's, that's mostly influenced by law.
So you can't compare in the end, you, the trust frameworks are being used in the us to them used in Germany. So this is really a complex undertaking. And also again, opend exchange will be working on ways to compare and even trying to map between those Right even naming conventions. So when I was integrating all this data for the NG group, the Chinese names were very interesting. And the Belgiums also there because they had a completely different way of first name surname and so on.
Yeah, of course. Yeah. That was really, we had to issue a standard first before that could be working in one system, which was also global.
Annie, do you wanna add some points? Yeah. So I think this is already a, a great start on the conversation.
And I, I was combing through the, the gain white paper recently, and I, and I found a quote, which I thought was really pertinent here. So it's kinda laying out the, the situation so that the, the digital identity landscape is fragmented. And two important factors will determine success. Those are trust and reach. And I think interoperability here is, is that link between at least what, what the gain network is, is working to communicate, which is that financial institutions do have this level of trust.
And in order to then get the reach aspect of this within countries, within regions, and then finally across borders, across countries and oceans, the interoperability here is what is going to enable success. So that at least highlights how, how important the, the technical, the semantic interoperability here on the taking a look at the decentralized side, it at times can be really mind boggling, at least for the technical interoperability, how many different ways we need to look at this.
Cause of course you need interoperability between the many different digital wallets, which are coming out in our available between an individual user's own devices, because most people have somewhere between three and five devices, which they'll want to be using, then you have between different credentials or D methods, of course, different IDPs should be able to accept different types of verifiable credentials or different verifiable credentials from different issuers. And so this kind of just grows in scope. So there's a lot to do here, and that is really the linchpin for success.
One thing I want to add as, as we know, the w W3C working groups on decentralized identifiers standardization, they had a vote and 350 old members were voting for the given standard to be further accepted and developed, but Google, Mozilla, apple, and one other party they voted against. Right. So I think that's another problem when you standardize that some people have a business case not to be interoperable or not to be part of the coalition, and they are part of the unwilling group.
And yeah, if you, if they're too big, what to do, Right. I think the problem with that discussion is that I'm, I'm, I'm partly with those that, that voted against adoption of the debt method, because one of their criticism was there, there is no real true interoperability because there are hundred 50 plus debt methods. Yeah. But a standard is not the same as an implementation of the standard. I know.
So I know, but that shouldn't be a reason I know, but in the end, if you have 5,050 different options, then that, that that's a real impact on inability. I, I, I do not comment on, on, on that, on that voting in particular, but what I see is in the SSI space, this is an emerging market in the end. Right.
So, and, and there are little of, a lot of different technologies that are being developed that are competing against each other. So true interoperability among S and SSI will take some time in my observation, but that that's okay because it's emerging. Right? Yeah. But I think fragmentation is the biggest threat to any improvement in identity. Right? Speaking about an internet Overload that cannot be named, there is a lot of talk about a certain metaverse, which brings light to a direct to avatar model where you could have multiple identities beyond the contextual self.
So how do you see this management of multiple identities playing out in the future? Are you positive? What's your take on that?
Oh, the question is what will be the application area if that's for banking now? I don't think it's a good idea if it's for gaming. Why not? Depends on the use case. Right.
What's, what's really interesting to observe is that most people say, well, we want to give to user choice, but on the other hand, if it comes to identity, I, I, I, I often hear people stating we need to make sure that that person only has one identity because otherwise it's gonna gonna be complicated to that person. So what choice or dictate, I'm not quite sure.
So I'm, I'm, I'm in favor of choice, right? Because I, I, I assume user will have to, will need the choice and will use the choice to, to have the identities they need and want. And I mean, in the end, it's, it's, it's a question of the context, right. AML will not allow to, to use an avatar. Right. But in gaming or entertainment, why not? Annie? Any words. Yeah. Yeah. So I think this is a, a really interesting situation. I think it'll become more relevant eventually. Not necessarily right now. Okay.
But it's, it's also really important to differentiate that, that there are of course different types of use cases here. Very, very generally at the, at the highest level, there are those which require an identity, which does it, it's it, which is based off of real world attributes or is linked to a government issued identity. And there are use cases which don't require any link to a real world identity.
And so I think there, there is of course space to be exploring these, these direct to avatars, as you say, different use cases, but there needs to be also a differentiation for those types of use cases that do require a very verified and a validated identity.
So there's, there's lots of interesting things out there, as you said, in the gaming scene, you know, things where you could have, you know, an object in one game and be able to trade it for something with, of an equal value in a different game, even when it's from a totally different producer and ownership company, which is a really cool and interesting idea.
But I think we still have a wild to get there, cuz at least when we're back to talking about exchanging digital credentials, a lot of the use cases, which we talk about most are in a physical situation, trying to exchange digital credentials. So when you're at the airport and you wanna do a passport check with a digital credential, or you need to do a vaccine check at an event, so a physical setting, digital credential age check at a bar, and we haven't always progressed to that digital situation with a digital credential.
Some for sure, but in a lot of those, we haven't really made it there yet. Right. As the future I'm allowed to say the future is sooner and stranger than you think finally, Torsten Jacob, COBA Annie, what's your advice to anyone looking to start a new initiative or a POC at the own organization, one piece of advice Reuse before buy before build. Okay. Yeah. I mean use existing stuff because I have seen people building new stuff and they just got it wrong from a security perspective and from a UX perspective. Right. Annie. Yeah.
And you know, exactly use what people already have, especially end users use what end users already have in situations that they're already in. Don't make them go looking for a way to use whatever it is you're putting out there On that note, COA Torson Annie. I'd like to thank you so much for your time. The work that you guys are doing to dismantle barrier to identity is incredible. And I wish you all the very best of luck moving forward, ladies and gentlemen, please run applause to our panels today. Okay.
