Decentralized Identity Panel
This panel, with Rohan Pinto, CTO of 1Kosmos, discusses the question, “When will the promise of user-centric identity become reality for large enterprises?”
Okay. So why don't we dive right into it? We have such a great group here. It's a topic that we spent about a third of the time on our identity legends panel earlier today. It's one that as many of you on the panel are probably aware of is fairly near and dear to my heart as well. And let's talk about that. I'm going to do a really quick level set and then I just want to dive into the details.
So at times, there we go. So the basics. I know to everyone on here, the basics are pretty apparent. We have a problem that's getting worse. We'll talk a little bit about the decentralized identity promise, and then I really want to turn it over to you guys and lady to get your perspective on it because this is a tricky area and it can fundamentally change the way we look at things.
It can change our model, but on the other hand, I want to be careful here. I don't want to say it hasn't moved fast enough. It hasn't moved as fast as maybe, I'm naïve, as I expected, it probably would, four, five years or so ago. That said, I think that's why we're here to really try to understand it, try to understand where it may go and what we can do.
So password problems. And we've seen that even more, obviously during the pandemic, I characterize it is, we're just collapsing under our own weight. We keep trying to do these things that make it impossible to use services at times. And from at least a consumer perspective, the goal is to have something different. The goal is to not have to maintain the passwords and the ID's but the goal is also when some of the Genesis, which I know all you guys can relate to part of the Genesis for this is the fact that individuals want to have a little bit more control over this, and they want to be peers in this discussion.
It was something 20 years ago, we were calling user centric identity, and we've had multiple iterations of this, but the ability for a user to control their own identity, for a user to control what they make available and what they don't make available. But then along with that, the ability to have a party that could validate claims that are being made within an ecosystem. I think the tricky part is there does need to be some ecosystem that exists for this actually to operate.
So you have this chicken and egg challenge, but at one point for me to be able to make a claim for a service that I would like to participate in, in some way, and then have a third party that could validate it, maybe it's a job I want. And I claimed I had some sort of an advanced degree and that perspective employer might want to actually validate that. And I would authorize that, because that's something I want, but that's under my control.
And we're seeing lots of investments from the vendors that are on here and other vendors, Microsoft, IBM, PING, SAP, 1Kosmos, Evernym, lots and lots of startup companies, lots of bigger companies. So we're starting to build some critical mass here, one hopes.
So with that extremely brief intro, why is it taking so long? How should enterprises be moving forward in this space? What are some early use cases? And with that, I would like to just turn it over to this group and give you the opportunity. Maybe take 4 minutes or thereabouts each. I'm trying to do the math in my head in terms of how long we have, but just take this on. Do we have Kim on? That's not showing
Yes. I am on, can you hear me?
We just don't have your pretty face this time.
No. I thought you had enough of it before.
But we saw you earlier. So maybe start with you Kim. And we can just go down this list as I have it shown tell us what you think, maybe address these questions or others as you see appropriate.
Okay. I'll begin. Yes, for those who don't know, I was with Microsoft for 20, some years and retired last year. And now I'm working with a little group in, or relatively small compared to Microsoft in Toronto, Canada called Convergent Technologies. What's interesting there is, we won one of the contracts to do a prototype system for the Ontario Health System. So in Canada, there are public health systems and they're quite large. And typically they consume more of the government's budget than any other part of the government. So it's a very big deal and it's a very complex area because there are privacy issues, very, very significant privacy issues.
You have a mix of citizens who will be the customers and also practitioners of various kinds. So for example, doctors who want to be able to get in and see the records of patients. So Gary asks, why is this taking so long? First thing I'd like to say is compared to what? Were you there while we were waiting for SSL to work? It took probably a decade and a half really before enough issues were ironed out that one could actually relax a bit about it.
And here we're talking about, depending on the version of SSI that we're talking about. Some of the proposals want to rewire the entire world's identity infrastructure, right from the ground up. So in other words it makes SSL look like a weekend project. Here, we're talking about dismantling the current infrastructure and recreating it. My feeling has been, let's figure out where the high order bit is here.
And how does it work? It works the same way as your health card. There's no, where do you use it? Wherever you use your health card. It's a very interesting situation because the model is there, nobody has to be taught what it's doing. That's modular a few hand waves, but it is generally true. And I guess the final thing there is that the benefits in terms of privacy, security and everything else are totally visible, totally explicable. And some of the proposals have a different high order bit than rewiring the world. Their high order bit is simply to have cell phoned credentials with verifiable following the verifiable credential model. And that's the current SYOP work being done at open ID connect. And my view is that Eve Muller talked this morning about to make a deep change it's necessary, in order to get it accepted by the relying parties, it's necessary to use a paw, like a cat's paw. And I added paws, not claws. And to me the notion of rewiring the world is on the claws end of the spectrum. I would like to see us go for the high order bit and solve the most important thing we can do for the future of humanity, which is turn control over to the users and thereby enrich all of the service providers
That is such a great speech, Kim. I'd hate to be next Pam. But I do want to comment on one thing quickly, which is in all fairness, Kim, I'm projecting my own expectation on this group, because back over the last six, seven years, I've been looking at this, but you raise a good point that the task and the impact across everything is so big that perhaps, BIAS is coming across by saying, why is it taking so long? And I just like your explanation. So thank you.
It took us... Just let me say one more thing about, because I feel very strongly about this so long business. It took us 10 years to have the concept of claims accepted by the industry.
And without claims, you're basically living in a barbaric jungle, because either you have centralized attributes where the owner of the issue of the attribute is God or you have a closed domain like walled gardens. And so when you open it up and say know, well we have issuers, but you can decide what you trust them for. That's when you move from attributes to claims that took 10 years, Gary.
Fair point. Pam?
Probably more, I would even say probably 18 years and without that, none of the current wiring, would be possible that we have. Basically the whole world is wired right now. The whole enterprise world is wired for sharing on open ID connect and OAuth. And that would've been impossible without the claims work that we did back in 2004, 2005. So long times in this industry, we're talking about changing the whole world and we have to get it right.
I agree. Pam?
So I agree. We've been working, various people, in fact, various people in this call have been working on this problem for quite some time. I will say that. I don't think the exciting thing about verifiable credentials is solutions to the password problem. I don't think that is what's cool about verifiable credentials. I think what's amazing about verifiable credentials is that it's about data sharing under the control of the user, right? So the authentication piece, it's not that it's not possible, but there are many other things that do that, as well. But very few things solve this concept of what I would call a direct presentation of information, right? We have many, many federated credentials where data is passed over the heads of the user and very few use cases where the user is in the middle and can be a cryptographic participant in the transaction.
So it's taken this long to get to that point because it's taken this long for us to recognize, I think the need. The other thing I would say is all of this is highly abstract, but there are some really cool use cases that work here and a lot of them have to do with intuitive models of presentation. So the idea for example of entitlements is a huge problem for enterprises has been for ages. And yet this idea of giving someone a temporary entitlement, right in a format that they understand how to hold and use, right? This idea of being issued a credential that you see and can touch, right? And then choose when to present, that is the piece that has amazing enterprise use cases. And you can think of the enterprise use cases here, as if you want to invite somebody to collaborate, right.
And you want to give them limited access. That's a perfect example of a really interesting use case that normal federated credentials don't work very well. And that actually outlines the second really interesting thing about verifiable credentials is that it enables or potentially enables an ad hoc trust model. So if you think of how to do OAuth, OAuth is an amazing protocol, but you really need to preestablish trust. And the real challenge in front of us in verifiable credentials is in fact, figuring out how to do ad hoc trust and do it in a way that merchants and enterprises can safely use.
That's just great points. Phil?
Yeah. Thanks. So obviously agree strongly with everything that Pam and Kim both said. On the topic of why is it taking so long, most of you have been, have attended or been involved with internet identity workshop over the years. We started that in 2005. Most of us had something else to do some other project we were interested in. We just knew we needed user-centric identity in order to make it work. And here we are, 16 years later, we're still meeting and trying to solve this problem. So on one hand I kind of feel your pain, Gary, but I also agree with Kim that this is a sea change in how people look at things. I wanted to, if it's okay, just share my screen for a minute.
Sure. And let me stop mine and go ahead.
And just show a few use cases quickly, because I know there's limited time in other people that want to talk, but there are a number of in-production use cases right now, which I've written about and explored a little bit. One is member pass, which is credit unions. And I won't go into lots of detail here, but I think one of the things that's interesting about this one and the next one I'm going to share is that they're more or less closed ecosystems. This one, it is the credit union industry. So obviously it's not a small ecosystem, but still it's saying, okay, how do we use credentials inside our ecosystem to solve our problems? And the real problem they're trying to solve is they want to stop asking you, what high school you went to every time you call in on the phone and credentials help do that.
The second use case, which I'd bring up is the national health service in England with digital staff passports. There are 84 at the time I wrote the article, maybe it's more now. NHS organizations participating, the primary use case here is medical staff in particular doctors proving that they have certain credentials as they move from care facility to care facility. And this apparently was exacerbated by COVID where they needed to move people and they needed to know what their credentials were, in the medical sense. And they used verifiable credentials in the digital sense to be able to have doctors bring those credentials with them. Third use cases, pharma connect, which is Self-Sovereign Identity for coffee producers. And this goes all the way. I mean, there's various aspects of what farmer connect is trying to do. It's actually, was started by the people by Sucafina, it's the second largest coffee distributor in the world.
So they're going all the way from giving farmers digital identities in the form of verifiable credentials that they can use when they go to the washing station to prove, that they are a certain farmer who brings a certain amount of beans to the washing station. And then all the way through the supply chain, in order to connect that supply chain from the farmer who grew the beans all the way to the consumer, who's drinking a coffee and being able to show people, for various reasons, where their coffee comes from. And then the last one, which I'll mention, and James may be able to talk a lot more about this one, is the travel pass. The Lennox foundation's global COVID certificate network has created a trust network, which is... So this is a very large ecosystem.
This is an ecosystem of ecosystems. And there are at least three different credential examples in here from cardio, which is Indicio and CIDA, I had a travel pass from Ida and Urbanm and then MedCreds from proof market intrinsic. There could be others I'm not aware of, but this is essentially a travel pass that can show that you have been vaccinated as you travel. So anyway, though, I'll stop. Those are the use cases I wanted to share just to show that it isn't just all pipe dreams at this point. There are people doing real stuff.
Okay. I'm trying to remember who I had up next now that I don't have. Oh, there's my slide. Rohan?
Hey Gary. Thank you. Thank you guys so much. I've been involved in the identity space, right from the time during my days at Netscape and then Son, and I've been playing around with the whole, what we called as, at that point in time as the identity gang with Phil and Pam and Kim. So we've been in the identity space for a very long time. And with the advent of blockchain and with the advent of verifiable credentials, yes, it does. It has taken us a very, very long time to get here, but I feel that it's still going to take us a very long time to actually meet the end result because vendors, all vendors, I love the concept of verifiable credentials and everybody's issuing them right now. But again, it goes back to the trust model of actually trying to find out whether the credential that has been verified or issued is something that you can trust.
So a conjunction of just verifiable credentials, along with the concept of verifiable organizations would add a lot of value to the ecosystem because it's not about just trusting the verifiable credential. It's also about trusting the issuing authority or the organization that issued that verifiable credential over to a user. I know that out here in Ontario, at least in Canada, there's DIAC, that's working actively on verifiable organizations. And I hope to see that proliferate down to the south and to other countries as well. So yes, while verifiable credentials are here to stay, there's still a lot of work that needs to be done in the space to actually meet its maturity model.
Thanks, Gary. And just picking up from where Rohan left off really. I definitely agree. Look there's more work to be done, but it's like, how do you eat the whale, right? You eat it one bite at a time and we've made tremendous progress that Phil, thanks for highlighting a bunch of those use cases where we're involved in number of those. And I think to Pam's point earlier, what we really need to do is do things which are uniquely better because of the properties of this system, right? We are not going to rewire the trust fabric of the internet overnight, even though that is absolutely our goal. And we're not going to sell people on that grand vision without a practical roadmap to get there, right? Instead, you find the use cases which can only, or can best be solved with this fundamentally user-centric model.
And yes, some of those benefits might simply be privacy and control for the user. Those are popular consumer sentiments right now, regulations back them all that stuff. But some might be that literally it's the only practical way to get the data in the context that you need it. And so both the NHS example that Phil mentioned and the travel pass are great examples of that, right. At the NHS, a doctor who works at hospital A and urgently needs to fill a shift at hospital B cannot wait the 24 hours it would take for a background check to be performed in their professional qualifications to be manually verified that if they have that information in their pocket, they can get back to saving lives and to put in context, a hundred thousand clinical days a year are wasted in this country alone because that process currently takes too long.
And in the case of the travel pass, it's not just that they want to make sure that a passenger is safe to border a plane and is not going to be turned away at the border because they don't have the right health status. It's also because they don't actually, as an airline, they don't want to process personal health information. They want to be confident that the passengers met the requirement, ideally without ever touching that data. And so these are capabilities which are actually very hard to do in some cases, impossible, or at least impractical to do with the legacy approaches. And so certainly the approach that, that, that we are focused on at evident that I think it would do the industry well to sort of rally behind are those things that demonstrate the unique value of what this can bring. And then I honestly believe that the rest will take care of itself. Yeah.
And those are great points. Armin?
Thanks, Gary. And lots of agreement, I think with what everyone has said, let me see if I could add perhaps a couple of other twists in terms of just really answering some of the questions that you initially asked Gary. I think we focused a lot and I've been doing this now since 2015. Our company was Shokar that got acquired like Ping a year and a half ago. And there's a lot of thought put into the technology, how it works and the underlying of what's behind this thing to be able to allow these verifiable credentials to be shared. But I think some of the things that are important for this thing to move forward, and we're seeing that with our customers that we're working with, one of them is not just the providers of the technology - that's all of us. It's not even the enterprises, but it's the consumer, it's the end user. And I think the value proposition for the end user has to be very simple and obvious going to an end user and saying, this is more secure. You could go... I talk to lots of people who not in tech and I tell them it's more secure, well, that's great. The only realize security issues when something is violated, right. When they get violated, when they've been breached and they lose money or they can't access something, that's not what's top of mind for them. Being in control of your data. I think some of those is not necessarily value propositions for users, but if you make it easy and simple makes a big difference. I'll give you a couple of examples, just real quick. Think of, and this is anecdotal data.
I'm sure it's not the case worldwide, but now we use QR codes on our phone to get on the plane, right? The value proposition is A, I remember the times like that, my travel agent used to mail me my tickets, I would get a printed a copy of whatever my ticket was that I had to remember to take with me to the airport, pull it out and so forth. All of that has become my phone. It's always with me, it's obvious and people know how to use it. Now, if you don't use it, you always got the backup. It's not, we're talking about this whole revolution. It doesn't need to be a revolution. It's an evolution. You could still print your own printed copy as still a QR code, but take that in with you. But it becomes obvious to users as simpler and it makes their lives easier.
That's one of the things we have to remember. I'll give you another example and we're receiving progress with that with MDLs, right? Digital driver licenses that can prove, what you have to show TSA, for example. Right now it's law and TSA has to accept it. We need the implementation in place. And there's a lot of work being done on that. But example that is about a month and a half ago, my wife had to get on the plane, early flight. I took her to the airport. Think it was something like around 6:00 AM we get to the airport. She's like, "you know what I did. I took out my driver license"... As she's getting out of the car and I got her bags out, "I left my driver license on the kitchen counter. I wanted it to be easy access so I could whip it out. So I took it out of my wallet."
We had to rush home, fortunately, it was early in the morning, but we were able to get her driver license, get back over there. She always has her phone with her, but just little things like that, being able to tell someone like her who doesn't really care about technology, your life is easier. You always have the stuff with you. That is a value proposition people get. So I think we have to focus on users quite a bit. And that's one of the things that would take for this stuff to move forward. The other part of it, is also value proposition for enterprises. Security is obviously part of that, cost savings how do you save money? And customers wanting it, but it's really those enterprises that actually need to push their adoption. It's not us as technology providers. We make the enterprises interested, but those enterprises, their banks, health providers, insurance providers.
So I think that's part of the ecosystem that needs to work for them as well. And one of the things that we're seeing is the implementation details for those enterprises is sometimes too complex. They have to go get engineers that their time to grab SDK will build, POC, so it's a lot of effort. The easier we make that process for them to be able to adopt it. And the more we follow standards, these piece of cake for them to do it, the easier that becomes. And part of that is also creating interoperability with existing stuff that we have. We're not going to get through this revolution where everybody throws away their identity platforms or what, that's just not going to happen. We have to work with open ID, existing directories, data stores that already exist, but stop providing mechanisms to do what oftentimes refer to as crawl, walk, run. Don't go to a customer and say, the future is this bright, but you need to start running to have any piece of it. And I think if we do those, then it becomes easier to get those adoptions and we're winning cases, right? There are use cases that are getting created that create that value proposition, but that already needs to be the focus to move this forward.
So despite my initial leading question about why is this taking so long? I'm a massive proponent of this for a lot of the reasons that everyone has mentioned that said from an analyst perspective, I look at it and so I'm trying to figure out how can it move forward? I think from an individual perspective, from a privacy perspective, from an individual usability perspective, there are clear benefits and an organization like Microsoft, some of the statements that are made about protecting privacy, giving users choice and all of that, those are great marketing themes. And I mean that positively, that's not pejoratively, those are good things. I think everyone gets that, but as we take it back to the enterprise, and it's something Armin you were touching on, for us to go to our corporate, global thousand clients, and basically say why you should be using this, what do we see as the value proposition? How can we basically chip away at this from an enterprise perspective and get them engaged, or is it too early for them to be engaged? Because that's one of the questions we get asked all the time. Well, this stuff's cool. I understand it. But we have our Microsoft or our Ping or our other identity solution already in place. And we don't really want to look at this right now.
So Gary if I could jump in there. I think if you look at the use cases I shared, right, there are different reasons why those use cases got going. With credit unions, it was fraud. They have a fraud problem, credentials solve their fraud problem. So it's worth getting into and developing the ecosystem. You look at the NHS, right? They have a credentialing problem. They need to move people between hospitals quickly. They need to be able to digitally prove who these doctors are when they move from one hospital to the next is James said they can't wait 24 hours. So they're solving a real problem with credentialing and call it decentralized identity, your SSI or whatever you want. But it was really the credentials, the claims that mattered there. And the third one I point to is travel pass. There, you've got a huge ecosystem with lots of different players. You need interoperability, and a way you get interoperability is with protocol and standards. And that's what this offers. So those are the three reasons I can think of right off the top of my head.
I'll throw out one more here, which is the architecture can actually be adopted by a single company, who can provide both the verifiable credential and the issue the credential and run the relying parties and so on. So you'd say, okay, well in other words, there is an architectural choice there, which would be built upon this new technology. Now, what would the advantage of that be? Well, basically all existing in previous technology is based like it or not on domains, including open ID connect and everything else. There's always - the early version of open ID connect. There's always a domain there. And when you start to get multiple domains, things start to get complicated. Then you need Federation. Once you start to get many, many, multiple domains, things become a nightmare. But inside a single company that is doing mergers and acquisitions, like when all the time I was running active directory, the most complicated and horrible thing that we had to face was mergers and acquisitions because people would come in, they would have everybody from a new domain, you try and plug a new domain into an old domain, and you basically have to restructure everything.
If we can get people to say, well if I adopt this more flexible architecture, mergers and acquisitions start to become vastly simplified. And I can make sure that at least everything within my own value work is flexible and isn't dependent on domain wiring.
And Gary I'll add something to what Kim said there. Part of what we're seeing with verifiable credentials is sometimes done still in a silo, capability is a lot more. It's like when you buy a four wheel drive, but you never take it on dirt, but you may have all the power there, but the thing is still a vehicle and a good vehicle and gives you the ability. I don't know, to be a soccer mom, perhaps take the kids with it and put a whole bunch of things in the back is still sufficient for that. But if you go to snow, then it's going to be, it's got a four wheel drive as well. Eventually when you do that, part of what we've seen is also in silos, a lot of verifiable claims being adopted. A lot of that is around use cases that I would say since 2020, right, since COVID hit, became more pronounced, a lot of that has to do with proving an identity of a person and being able to do that again and again, when you need to doing facial match comparisons, biometrics.
That in itself has added a lot to it. And what we're seeing a lot of push forward right now from a lot of our customers is proof of vaccination for workplaces, right. And not necessarily all in consumer space, but certainly for workplaces. So there are natural things that are pushing us in that direction. But this is the other thing about verifiable claims, even though a lot of our demos certainly demos that I do, show these wallets that look fancy with all these cards and visuals that illustrate what's in it. You could adopt verifiable claims without having all of that in it. So you can go into your existing application. A lot of times, if you think of identity, oftentimes, it's got to be something you don't worry about.
You don't see it, that's when it's working best. And so some of verifiable claims just work that way, right. And that's what we're seeing. And I think that's probably part of the start of the adoption as we're seeing it, at least right now. And one last thing I'll add, because I think you mentioned this, but we have a lot of customers. I think all of our customers for verifiable claims are existing Ping customers, right? Huge fortune five hundreds that we work with and so on. None of them want this, unless it integrates with existing pink platforms that they have, right. So we have to have those bridges and it's not something that's just standing in its own separate island and it has to always integrate with it.
Yeah, absolutely. And just to add to what I mean, and Kim said, I know, Kim is the one who is considered to be the father of identity. He's the one who wrote the laws of identity way back, back in the early two thousands and why we have, we do carry all our identities in our digital wallets right now. But I think it's also imperative for us to also remember that it's not always about the online world, especially with the advent of MDL and Apple actually now leveraging MDLs into Apples, own wallet system. It's also imperative for us to remember and understand that it needs verification in an offline mode as well. You could have cops in a remote area trying to verify the identity of a rash driver or an individual, but giving them the ability to verify that particular credential when you do not have access to the online world is also pretty important for us to keep into consideration while we build on this eco system.
Yeah. Look I don't disagree with that because I think you're absolutely right, but I think we've often we identity people fully into a trap of talking about identity with a capital I right. Using the driver's license use case and all this kind of stuff, right. As if being fully identified, according to the government is the canonical use case. And so like, what you said is completely valid, but actually what decentralized entity and verifiable credentials let you do is break that apart into tiny, tiny little facets and let you be highly contextual about what you prove in order to have the particular interaction that you're trying to have. And so absolutely driver's licenses, birth certificates, educational qualifications, those things are great use cases, but so are memberships. And the proof that I've bought five coffees from my favorite coffee shop, and the fact that we are on a panel together at this time.
And so I've got yeah. And all these kinds of things, right? You can actually just use it anywhere you need to bring some amount of trust from domain A and in domain B. And in our experience at Evernym that's actually where the really compelling use cases are cropping up. We're not going to rewrite how people think about sort of capital I -identity. Although many of those government use cases we mentioned are bubbling along in Canada and places like that. It's in the smaller, slightly more nuanced use cases where you are literally just achieving that cross domain trust, where the user is the conduit for that.
So I think we're out of time, we easily could have spent several hours here. Without breaking a sweat, I think, because I know we're just touching the surface on this, but the insights and just the deep thinking in this area are great. This is an area we'll clearly continue to pursue with our enterprise clients. I think it makes sense for organizations to consider this, to begin to look at it, even if they're not ready to fully execute and they don't have one of the examples Phil, that like you raised or Kim in terms of clear value proposition and use cases. I think to get familiar with it. And as some of the major vendors, Microsoft and Ping and the smaller vendors as well are investing in this. I think we're going to see some rapid momentum in this space. So thanks everyone. I appreciate it. Now we're moving on to our session on standards and integration and hopefully over time, this technology will help in those areas as well.
Hey Gary, can we just help out Chris Wallace in the chat who wanted to take a shot on mention of blockchain? I think we only said it once or twice. So blockchain, blockchain, blockchain.
There we go. [laughter] All right. Thanks everyone. See you guys.