Freedom from Passwords

Sujit John:
Welcome to this Times Techies webinar. I'm Sujit John and I have with me my colleague, Shilpa Phadnis. The two of us will moderate this discussion. Our discussion today is on freedom from passwords, accelerating digital transformation through identity.

As India celebrates its hard-fought independence, we find ourselves standing at the cusp of a new era, the digital revolution. In the era of rapidly advancing technology, one cannot solely rely on manpower to drive evolution. Not just organizations, but even countries are looking at ways to stimulate economic growth. And one of the ways is by leveraging identity as an enabler for digital transformation. All of us know only too well how irritating passwords can be. Everyone tells us, use different passwords, use complex passwords, don't write those down anywhere. That's asking the impossible. Today we are going to discuss how a unified approach of using modern identity verification and authentication technologies can do away with passwords and fuel the journey to a modern digital India.

And for this, we have a highly distinguished panel. We have with us, Mr. Ved Mani Tiwari. Mr. Tiwari's CEO of NSDC, the National Skill Development Corporation and MD of its subsidiary, NSDC International. NSDC launched NSDC International to provide impetus to international workforce mobility by developing skilling, re-skilling and up-skilling programs. In alignment with this vision, NSDC International has partnered with various national and international institutions of repute, positioning India as the global skills hub. Mr. Tiwari has three decades of experience working with the Government of India, has also major corporates. He has been director of Welspun, global CEO of Sterlite Power, MD of SunEdison, director in the Ministry of Railways and director in Kochi Metro, Chennai Metro and Nagpur Metro. During his tenure at NSDC, NSDC International has already partnered with leading economies like Australia, Germany, Japan, UAE, and Switzerland, across sectors like manufacturing, hospitality, agriculture, renewable energy, and electric vehicles. Welcome, Mr. Tiwari.

We have with us Mr. Nandkumar Saravade who has also had extensive experience with both the private and public sectors. Mr. Saravade started his career in the Indian Police Service, IPS. He was posted in Jammu and Kashmir and West Bengal. He was in deputation with a CBI for some time. He went on to work as CEO of the Data Security Council of India. At Think Tank specializing in cybersecurity, industry development, policy research and advocacy. He worked as director at Citibank India, heading security investigation and vigilance. He worked as general manager of the Financial Crime Prevention Group at ICICI Bank. He went on to become the founding CEO of Reserve Bank Information Technology. The organization was set up in 2016 as a fully owned subsidiary of RBI for technology management and cybersecurity for RBI systems and the Indian banking sector. He took it from scratch to a 350 strong team. He continues to be a senior advisor on governance, strategy, ethics and cybersecurity for many organizations. Welcome, Mr. Saravade.

Shilpa Phadnis:
We have Anuj Gupta. Anuj is CEO and director at Hitachi Systems India. Hitachi Systems is a global leader in the systems integration and IT services space. During his tenure with the company, Anuj has helped Hitachi Systems grow from a 100 pro company with 800 employees to 1500 pro industry leader with more than 3,000 employees.

This makes it one of the fastest growing and most dynamic businesses within the Hitachi Systems global network. Besides his ongoing journey at Hitachi Systems, Anuj has been a part of two ventures that he successfully scaled up, including his own startup. Trident Infotech, which he started with family seed capital and grew to 100 member PAN India Company in just over five years. Welcome, Anuj.

And we have Hemen Vimadalal. Hemen is the founder of 1Kosmos. Hemen identified the need for an identity centric approach to authentication that makes the concept of passwordless safe and simplifies the user experience. Prior to 1Kosmos, Hemen founded two successful identity management vendors. Simeio Solutions, which was acquired by ZMC. And Vaau, which was acquired by Sun Microsystems. He's also an active [inaudible] investor. Welcome, Hemen.

Those of you sending questions to the Facebook comment box, Sujit and I will put them to Mr. Tiwari, Mr. Saravade, Anuj and Hemen. Ved, coming to you, India is currently on the cusp of inflection as an economy, how do you think digital transformation will play a key role in India's future growth?

Ved Mani Tiwari:
First of all, thank you so much for having me here and it's a great panel. I look forward to a meaningful discussion on this panel. So when it comes to digital transformation, we all have seen that India has done some remarkable work in this area. I would like to start with the Aadhaar itself, UIDAI. We have our first national ID system, which was biometric. It's probably we are among the first in the world who did like that. And then came UPI and post demonetization and post-COVID. We now see that the whole world is following India in terms of the success that we have had with UPI. And if you see the foundation of these two systems, Aadhaar provides foundation to UPI because the identity becomes an extremely important construct. And what it takes us to is that paperless, presenceless system for payments and probably there's no other country in the world where we have this kind of a thing.
Through eSign, anybody can do a transaction not being present at the place where the transaction is happening. Through Aadhaar, we can do a biometric verification from anywhere. So this is a very important construct that we have built for last few years. At NSDC, we are building on top of this that while Aadhaar and UPI give us an opportunity to do a credentialed financial transaction. The real transformation happens when people are able to up skill themselves. And that is where over the last few years, maybe one and a half years, we have built a skilled digital stack. What a skilled digital stack does is that, on one hand it creates a national registry for skills and skilled professionals. On the other hand, it provides an opportunity for every citizen of the country to publish their digital credentials.

So somebody who's on a screen digital can create digital CV and it's a fully GDPR and DPDP compliant. One can publish one's credentials to a potential employer across the world. And when you do this, you can actually do a career path and the learning path for individuals. So I'm very excited about this that the Digital India stack gave [inaudible] to people. Now Screen India Digital is another attempt in that direction where we want people to actually to share in the, not only in our domestic economy. But as you know that as our honorable prime minister also said yesterday, "We are the young nation and we'll become the skill capital of the world." The upcoming India is actually going to stake a claim on at least one fourth of the global economy. Because every fourth individual who will join the workforce in the next 25 years is going to be an Indian. So I'm personally very excited about the digital transformation that we are all witness to and we'll be leading the way for the whole world.
Thank you so much.

Sujit John:
How many programs do you have Mr. Tiwari, on the platform? There are lots?

Ved Mani Tiwari:
So today if you see we run one of the largest skilling program in the world, which is called Prime Minister's Skill Development Scheme, which is Pradhan Mantri Kaushal Vikas Yojana now. Yesterday PM announced the Jayanti Vishwakarma scheme that also will be on skilling data digital. There are self-learning programs. And so potentially today we have about six Slack candidates register on Skill India Digital. We are looking for that by end of the year, we should be reaching to close to 5 million individuals register on Skill India Digital itself.

Sujit John:
So this digital thing that you're talking about, I mean these certifications, what anybody around the world can look at those things and make sure that it's a genuine certificate? Is it?

Ved Mani Tiwari:
So what it does is that there is an NSDC trust, which what it does is that we have access to the identity database of the country through UIDAI. So we can do an identity verification for an individual. We can do educational qualification credentialing, we can do a skill qualification credentialing. We are connected with almost all sovereign databases. So the residential credentialing and also through accounts aggregator integration. We are also able to provide some credentialing about the financial. Of course it is all dependent upon how much the person wants to disclose because it's a fully privacy compliant system. But practically now we have given this power in the hands of any user on security digital. It's a fully portable shareable construct where they can share their digital badges on any social media platform, et cetera, or to any employer who they want to share with. And that's the power that the digital credentials system is try to drive.

Sujit John:
Okay. So you're saying any global employer can be absolutely confident that what they're doing is genuine?

Ved Mani Tiwari:
Yeah, and because a candidate makes a representation, any global employer wants to verify those credentials. The NSEC stands behind it and it is a friction free system. Because employers can actually do a credentialing sitting from if they come on SDC trust, they can do credentialing from anywhere in the world. It's a presenceless... It's a faceless credentialing that we provide and it's an automatic credential with the authentication from NSDC sitting behind it.

Sujit John:
Okay. And your students, are they using it quite a lot now? How is it?

Ved Mani Tiwari:
The good part is that until now we thought that it'll be government funded program, which will find a lot of traction. But of late we have found that lots of individuals are coming on the platform. And they're self-learning and there's a system available on where you can do self-learning assessment and self-certification. So lots of self-certificates are also coming. Many training providers who want to do complete online system, they are also coming to NSDC to be on the screen digitally. Because unlike most other EdTech platforms, here you have a fully credentialed system and these certificates are issued by the regulatory controlled entities. So this is a unique feature that we are trying to pick.

Sujit John:
Oh, very interesting. We'll come back to the technology behind it a little later. But Mr. Nandkumar, can I ask you this, the ambitious objectives here, there are several issues related to cybersecurity and identity. Can you help provide your thoughts on these issues and challenges? You had lots of experience around this.

Nandkumar Saravade:
Sure. First of all, great to be here and it's very accomplished group and talk about some of the key issues in Digital India journey as we have been witnessing for the last several years. First of all, one thing we must acknowledge and I think everybody in the know acknowledges, is that cybersecurity is a very hard problem to solve. And when I say it is a hard problem to solve, we have to look at why it is so hard to solve. So let's look at the complexity as the one factor which always comes in. We have, especially in India, we have hundreds of millions of users of every platform which has come about just taking the JAM Trinity. The other database, the whole mobile user database and the bank account which got open. All this has led to a tremendous explosion of entities and accounts and devices and when things become complex, they become difficult to secure. Because with complexity comes lack of visibility.

It comes the vulnerability which are inherent into any software platform. Just to take some numbers into account, I think if you take an operating system, which is the main software interface that people interact with, it can run into a hundred million lines of code. And by nature, software engineering assumes that there'll be 10 to 15 errors per thousand lines of code. And that gives you idea about what is the potential for vulnerabilities which can be found. Now we also have supply chain, which is in hardware, which is in software. We have coders who are using other people's work without understanding it too well. There's this whole open source ecosystem where a lot of work is being done, but a lot of that work is also not being tested fully for vulnerability. So we get on the technology side itself a huge number of huge number of vulnerabilities.

But when we add this to the number of people, because user is a very important element in security. And in India we have maybe 10 core users who can speak English and the rest is all long tail of very different geography, age, educational background languages. And the people who are joining the internet subsequently are people who are very different from people who came in early. And the assumptions which were made while designing systems in the beginning may not be valid anymore. And then there is a whole issue of processes, the process engineering has to keep pace with the kind of complexity that we are building into platforms. And it's very heartening to hear about the skills platform going global. UPI already is out of India into multiple countries and the whole digital public infrastructure is a concept which is now gaining bigger option.

We are looking at essentially very, very large attack surface as it's called insecurity. And the other issue in security is the advantage is always with the attackers. They choose the target, the asymmetry in how the whole system operates is very much in favor of the attackers. I remember the famous statement by the Irish Republican Army when they're targeting the British Prime Minister Margaret Thatcher, that you have to be successful a 100% of the time. We have to be successful only once that is the attackers credo and they always trying to find vulnerabilities and get an entry, get access, escalate access. Secure data which belong to an organization, ex filtrate it, try to sell it, try to exploit it and so on. It's a very hard problem to solve and we have to keep that in mind when we are designing big systems. Of course it is at the end of the day, it has to be solved, it is a solvable problem. But we have to put all our focus and might behind that particular object.

Sujit John:
What has been India's experience so far with all of these big systems that you've done?

Nandkumar Saravade:
I think it's always a glass half full kind of a situation. I mean the scale of rollout itself is so staggering that there's no parallel anywhere in the world. I think some of the basic elements which came in early. The proliferation of mobile devices, the kind of QIC regime which improved over a period of time. The whole other infrastructure to verify identities and ensure that it becomes progressively difficult to pose as somebody else or a fictitious person. All that has been improving.

But there is a long way to go. I think the PDPA Act is now a great step which happens because that puts expectations where they belong. That organizations are bound to protect user's data, they have to invest into security, which then fulfills that particular function. And we have to also look at scaling up the investment on the people side. And I'm really happy to see NSDC getting into the scaling part. Because in India we have demographic dividend as our advantage. And globally there are millions of jobs in cybersecurity which are lying vacant, because there's simply no people to fill those in. India also, we are ramping up our supply of people and the market is global in this side also. So I think the glass half full, but we had to really work on filling the rest of the glass.

Sujit John:
Okay. Okay. Shilpa?

Nandkumar Saravade:
Hemen, to bring you in here, how modernizing authentication and digital identity verification help drive digital transformation and organizations?

Hemen Vimadalal:
First of all Sujit, Shilpa, thank you for setting this up. And Ved and Nandkumar, it's a pleasure for Anuj and I to be here. I think to your question, Shilpa, is it a combination of the business discussion around digital transformation on India. And then the business problem associated with all the digital initiatives that are out there. Digital initiatives started in India because we wanted inclusion, we wanted financial inclusion, we wanted people inclusion, we wanted economic inclusion. That was the whole idea. And one of the first paradigm of digital transformation in India was to set up a strong identity infrastructure, which started off with building the Haar platform. And I think that was represented as one of the most transformative initiatives within a very short period of time globally. And why that was done was the realization by the government that if we do not have an infrastructure which allows every individual of India to communicate with services in India, it's going to be impossible to provide the transformation that the country needs.

So identification of each and every individual in India was the most important thing. And that's how all the other layers of digital transformation came in. And with this comes suddenly what used to be very difficult to identify individuals, very easy to identify individuals now as well on the internet. So the attack surface now is digital. So now I know 1.4 billion people in India, so I can easily go in and compromise individuals. Which is exactly what has happened is as soon as India has gone through the digital transformation, we've seen a lot of fraud also increase. We've seen a lot of issues with compromised individuals. People who are not even aware that there is a compromised identity associated with you on the internet, especially the older generation who are not very skilled with technology. They have been a target on a regular basis. So authentication and identification of any individual on the internet has become super, super critical. And that's when a technology platform like ours comes in.

And what we've done is we work with different government provided capabilities to provide a strong infrastructure to say who the person really is online. Today a lot of people interact with any digital services using a user ID and password. You log into your bank using a user ID and password. How does a bank even know that that user ID and password belongs to you as an individual? Anyone can impersonate me. We essentially provide an infrastructure to ensure that the person who he says is really the person who he is. Just like the way Aadhaar identifies you as a biometric, you use your fingerprint, you use your iris. Similarly, we use biometrics to identify an individual online, not a user ID and a password. And so that infrastructure really helps secure all the digital services that citizens are consuming in India but also give better experiences. It's not just about security, it's a lot about better experiences and I think digital transformation first initiative is better experience and then everything else follows right behind it.

Sujit John:
You have what you call verified credentials. So how is that different from what everybody else has, things like identity wallets and other identity management solutions?

Hemen Vimadalal:
Correct. And Sujit, I think without having a proper identified individual, there is no verifiable credentials associated with it. So the first thing that you need to do is ensure that whoever you are interacting with on a digital service, is identified as a real person and the right individual. And then comes the whole verifiable credentials part of it, is directly related to what [inaudible] was talking about. Is how do I assign that this person has finished or this skill online? And Sujit, to your point is how do you identify that this skill that this person is claiming to have is not fraudulent? It's very common today without NSDC's kind of infrastructure to just claim that I went to a certain university and there is no way for me to go back and check it. It's very easy for someone to claim that I'm an electrician without having any certificate.

So starting with the blue collar to the white collar capabilities, you need to have certification, a verified certification. So that someone can enter your house and fix a problem and you have all the right information about that individual. And that's exactly what is verifiable credentials. And our platform allows you to have a trusted verifiable credential associated to a trusted identity. So that the person can perform a job. And the person who's consuming that particular job in service is very confident and sleeping peaceful at night that this is done by a legit person with a legit degree and capability. And a platform like NSDC, not just services India but services global needs. Like Ved mentioned is we are going to be the largest populist country in the world with the youngest citizens globally. And so we have a lot of capabilities today to provide these skills to the global economy, not just the Indian economy.
And I think for the global economy to trust any individual, you have to have a trusted infrastructure where they can easily in a frictionless way. Consume that Hemen is an engineer and he's going to be able to solve your problem with the confidence that NSDC platform provides. And I truly call it the LinkedIn for the globe with all sorts of jobs, not just people who are capable of technology related items. I think it's a great platform if an individual is equipped with something like this. Will not just have local capabilities but global capabilities to be able to become a part of the digital economy in the world now.

Sujit John:
So biometrics is the core there, is it?

Hemen Vimadalal:
Biometrics is one of the core items if you think about Aadhaar also, biometrics was the core. So in our platform biometrics is the core and privacy preserving biometrics that the user always controls his or her own identity at any points in time. And so no individual, other individual or no individual services or any organization can control his or her own identity. And that's the sovereignty that any citizen or any individual really needs. And our platform truly provides that capability of control and sharing only based on consent when requested by a service provider

Shilpa Phadnis:
Hitachi provides some of the largest global cloud deployments for many organizations. What impact has the cloud had on the industry and how do you think it's made the need for a stronger verified digital identity for successful digital transformation?

Anuj Gupta:
Thank you Sujit and Shilpa for hosting this and it's just an honor and pleasure to share stage with Ved and Nandkumar. Thank you so much for this opportunity. Yes, we've been seeing a lot of cloud usage in the last two to three years, especially postponed. There has been a lot of, I would say a lot of consumption, a lot of technology has got built which is cloud ready or cloud native. And for an example, we have the honor to work with NSDC where we are trying to build the entire cloud for them. And it just helps us give the entire scalability and as they grow, as Ved has said, there were going to be about seven cloud users today and it'll go up to 5 million or 8 million by the end of the year. So you need a robust cloud infrastructure to actually scale on the way the customers are going to scale.

So we are seeing a lot of demand there. And again, as you go on cloud and as Nandkumar also highlighted, security has become the biggest concern. And as we move forward, as they say the war is lost, we are fighting small battles. It's all about how resilient you are. Are you going to be hacked? Probably yes. It's about how fast you get to know, how fast can you react to it and how fast can you come back on your feet. So that's the most critical part in any kind of security solution that we provide. And the other thing in that is again, it's like the golden hour when you get a heart attack. If you can detect it in 60 minutes, you're the hospital, there's a chance of survival are much higher than the otherwise. And again, as we go on cloud, people are almost accessing information from anywhere.

They have the convenience ease, be it mobile devices, be it your laptop, the controlled environment from your organization. Or be it from work from home, or the most weak Wi-Fis from airports. Now as you do that, again, identity zero trust comes into the biggest play. So you trust nobody you verify and only then you let them in. And so that's where we've been working a lot with 1Kosmos to really see how we can integrate identity based authentication so that we know exactly if Anuj Gupta is logging in, it is Anuj Gupta. He's verified by his facial recognition or a finger biometric. So some kind of authentication, which is very, very unique to me. And on that basis I get authenticated and then I get access to what I'm supposed to get access to. So that is what we've been working on and we've got a lot of success.

We've got telecom providers who's onboarded on this journey. We have banking customers who onboarded on this journey. And I think it's just the start as we talk about digital India, we talk about digitalization, we talk about all of this. Making it much more convenient for end users or individuals as you go down that route. Identity based authentication blockchain based, so that it's you who controls your identity, all that will play a very, very important role. And we are very excited to see what happens in next two, three years. I think India is at that pivot where in next two to three years we are just going to see some massive transformation across the board. Again, a small example is NSDC. If they're talking about 5 million people skilling all over the world in next six months, in itself is a number which you can't even predict. So it's going to be interesting time and I'm really looking forward to your move from [inaudible], Nandkumar. Thank you.

Sujit John:
So in your experience, much safer than the traditional passwords, Anuj?

Anuj Gupta:
I think passwords are just compromised left, right, and center. So we've got a big firm who audits us and now he's asked us to get 16 digit password. It's tough to remember eight digit password and now he's asking us for a 16 digit password. The moment you do 16 digit, you are going to write it down somewhere. And I think if you observe in the last two years, 60 or 70% of the hacks have only happened because it was a weak password. It's what password at the rate one, two, three. And even today it's true or admin at the rate one, two, three. You just do Google and you realize that large infrastructures including the biggest mobile based car service, they had a password which was admin at the rate one, two, three at one point.
So passwords are passwords. You can't have 16 digits passwords, you just can't remember them. So it just gives that ease of use tool to any user to just authenticate with himself. And fastest way to authenticate, it's a quick one. You can get boost notification, accept there. So yes, password, I think it's a matter of time where we will see that no longer we will be using passwords. It'll all be identity-based authentication.

Sujit John:
Yeah, Mr. Nandkumar, you also see that moment? I mean we see in these James Bond-like movies, people taking fingerprints from a glass and then copying that and using that for all that. That's far more difficult to break those kinds of things, is it?

Nandkumar Saravade:
James Bond always is 10 years ahead of probably what happens on the ground. But password is of course as Anuj said, is long gone as the way to really authenticate. In fact, at one point of time I used to recommend using a password manager just to keep track of so many passwords, hundreds of passwords that you have. But go and behold the password manager itself was compromised sometime back and we are back to where we are. So I think multifactor is definitely the way to go ahead. Biometric also by itself will be vulnerable because unlike password, which can be reset, biometric cannot be reset.

So it has to be used in conjunction with other factors and in a secure manner, which then becomes very easy to manage in the long term. So we have seen even registration document fingerprints being looked at and being converted into [inaudible] kind of or used to impersonate somebody on [inaudible] systems. But without that reasonably good cameras can pick up fingerprints from a distance or person who is just sitting idle and in a cafe and somebody wants to pick up his fingerprints, cameras can do it without anything being touched. So we had to look at very advanced technology from the attacker side. The processes which earlier was password, one password and you could store it in the browser wallet and go on. Now that is no longer the case. So we have to be very agile as the attackers are agile.

Sujit John:
Even these are risky. Hemen tell us, I mean are there some common misconceptions surrounding this whole passwordless authentication identity?

Hemen Vimadalal:
There are several misconceptions. Look, yeah, this is a 60-year-old problem. Internet was built on the foundation that I will log into something. And log in means the first question and the first thing that comes to your mind 60 years back and now today is, "Oh, what is my user ID and my password?" That's the first thing that comes to your mind. And so that's a 60-year-old problem. And people believe that changing the behavior of 60-year-old issue is extremely hard, extremely difficult. But all the technology advancements that have happened and we continue to see faster than we think the technology advancements that are happening in the world. It is no longer an impossible solution. It is there today. When you go to the airport, you actually are already looking at the face that's a biometric and walking into the check-in line. I was in Charlotte yesterday, literally my entire process from going from curb to check in was less than about five minutes and I had no document with me, I had nothing with me. And that was all done through biometrics.
So passwordless is already there. Today you log into your phone, I think close to the statistics, say on an average a person logs into his phone close to 35 times a day if he has a biometric phone. He keeps on opening, keeps on opening. And that is all done without any pins or passwords. So the error of identification of yourself through strong biometrics like Nandkumar said, is already there. Its mass adoption is already there. Now how do you apply it in digital services that are being used on a day-to-day basis is a scaling issue. It's not about the possibility of happening. So it's a scaling issue and I think that's where we are today is rolling it out across billions of people. It's not just a millions of person problem, it's a billions of people problem. So that's one.

And I think as Anuj said it's interesting. All the auditors today, because of the lack of scale that is out there right now, they're suggesting to go from an eight character password to 16 character password. And trust me that 16 character password is just going to be a very simple phrase, something to do with their house, something to do with their children, family and spouse. And it's going to be much more easier to socially engineer than an eight character or 12 character password. So just increasing the complexity, yes, if you add in many more characters, et cetera, it becomes harder to break into. But with all this quantum computing with AI that is out there, literally passwords can be broken very, very easily. Someone can be impersonated very, very easily. And if you look at the statistics over the last five years, the fraud has exponentially increased exactly because of compromised identities.

So there's another misconception is increasing the complexity of passwords will allow to secure the internet. Yes, it'll reduce the footprint of attacks. But the friction that you're going to introduce to with your consumers, with your customers, with your workforce is going to be much higher. And that's going to allow people to think innovative ways to make it simpler and that's going to give access to the hackers and adversaries to compromise you. And lastly, I think identification of an individual. It's all about trust. Why and how I can trust an individual on the internet? Especially for platforms like NSDC, UPI et cetera. How do I trust you, who you say you are? And what can be done better with knowing that Hemen is who he really says he is through his biometric, which is exactly what is happening today, is the way to go.

So the misconception here is passwordless is going to make things less secure. And I think today if anyone thinks that it's going to make things less secure, just think about all the stuff that you do on your phone without a password, on the airport, without a password. In Aadhaar world without a password. In NSDC today, you don't have a password. You actually register through a mobile number, which is tied to your Aadhaar card, which is again an advancement towards the platform. And when you get a skill like for example, I was looking at the skills on the NSDC platform for flying a drone. Learn how to fly a drone, get certified using that. How do you trust that that certificate is going to be associated to an individual? If you do is the NSDC way, then the trust is going to be much, much higher for anyone to take your service and consumer service essentially, yeah.

Sujit John:
And the scaling that you mentioned, of course is the cloudish thing that Anuj mentioned. But apart from the cloud, cloud of course helps you scale. But beyond that there's also what the architecture et cetera is an issue. I mean is that-

Hemen Vimadalal:
No, so I think there are two parts to it. Cloud scaling is really helping advance adoption of these technologies. A platform like Aadhaar, a platform like UPI. Especially UPI would not be very scalable if service providers could not consume it using cloud services. They have to consume it using cloud service because it's agile, it's scalable, it's on demand. In terms of the identity infrastructure itself, the architecture needs to be number one, privacy-oriented because if that is compromised, everything else is compromised. So making sure that the architecture is privacy preserving. Making sure that it is not vulnerable to and susceptible to zero day attacks. Because those things can compromise in infrastructure completely.

And number three, I think in terms of trust, we need to have the trust layer. Even if it is privacy preserving, even if it is secure from other adversities. You've got to have trust in that infrastructure to be able to, so to adopt this trust, you need to have decentralized architecture. Centralized architecture creates a centralized way of attack. So if someone compromises that centralized infrastructure, then you have pretty much compromised millions of users on your platform. So you need to have a decentralized architecture which follows standards, which follows regulations and things along those lines which make the platform more trustable. So those three things essentially allow the adoption of this kind of a technology and that's what is kind of the issue around the scale that's being addressed as we speak right now.

Sujit John:
So it has to be decentralized architecture, okay. Shilpa?

Shilpa Phadnis:
Mr. Saravade, if you can help us understand what advancements are you seeing when it comes to public private partnerships? This is a must in order to ensure that the country works together to give citizens the best and secure experience.

Nandkumar Saravade:
I think in India we have the great opportunity and the great demonstration also about how we find our own solutions. I mean of course the success of UPI is very well known, but in UPI we had the good fortune of working on the account aggregator framework, which Mr. Tiwari referred to earlier. And it is a wonderful way of exchanging information in a secure manner based on the consent earned by the user. So entire authority dwarves on the user decides what information needs to be shared with whom. And it gets transmitted from those who have the information to those who need the information in a secure manner. And this kind of architecture in banking, it is called open banking, but you don't see it elsewhere in the world. And this has happened because in India we have been very audacious in the way we have architected things.

And this is where I think public private partnership comes in a very big way. I think the government has done the foundational work of in the identity management space itself by creating Aadhaar. And of course some of the services and authentication also being provided, but with Aadhaar the verifiable identities in place and how it is then leveraged in providing a decentralized architecture for enterprise employee side authentication on the customer side. Is something which can then be innovated and experimented upon. Likewise, I think in terms of publishing standards, publishing growth paths for professionals in the way they can follow opening up things or to the world to consume Indian talent on the skill side. Indian or services or the models that we have by just emulating what's happening in India. I think those are some of the big things that are happening and it would not happen without public private partnership.

Sujit John:
Same question to you Mr. Tiwari. Public-private partnerships, give us an idea kind of impact it's having.

Ved Mani Tiwari:
So I would go back to what Nandkumar said. What Anuj was also talking about that, if you see how Aadhaar grew on the basis of that, it was built on the foundation of public partnership. There is an infrastructure behind it and a number of users can go ahead and use that. And same way we saw in the UPI also that many applications got built and that's how the public private partnership happened. We're trying to take it to a next level. We believe that there's a massive task of reskilling, upskilling that we all have in front of us. I'll just take a minute to talk about it, that if India continues to grow at 7.5% or 7% as we are doing. By the end of 2047 in the hundredth year of our independence, we'll be a 35 trillion economy. Our per capita GDP will be around $25,000. $2,000 economy going to $25,000 economy.

We're 43 core middle class today, we'll be a 100 core middle class at that point of time. And if you see from a median perspective, a 100 core middle class individuals spending around $35,000 a year. And India has been an internal consumption growth story, unlike most of the economies which survive on the external economy. That's where the skills are going to play an extremely important role because otherwise we'll be a country of huge disparities. And that's the agenda in front of us. How we can achieve that, that will happen only if we have a trusted system of collaboration. There are about 55 grow people in the workforce and about 30 grow students. So it's a massive task that we have in front of us. This has got to be delivered at a speed scale and a cost which has not been seen until now.

That puts a question in front of us, how do you deliver at this scale and the lowest cost possible? And that can happen only we all talk about that the personal data should not be shared and all that. But if we have a trusted system, because if I want to customize learning program for me, which helps me do better in my life, I need to share some of my attributes in a trusted way. And because that's how the knowledge providers will be able to bring down the cost and make it very contextual to me. And that is where this whole foundation of trusted frictionless system comes into picture. We also are in the world where there will be hybrid teams operating across the globe. And when the teams operate across the globe, we exchange a lot of intellectual property with each other and some of these intellectual property will be a carpet property.

And that means that we need to authenticate each other, that we can share this intellectual property with each other across the globe and in a real time basis. And that's where I think the power, what Hemen was talking about, the passwordless trusted identity system is extremely important construct. If I am participating in a webinar like this, every participant of a webinar should have a default trust into this, that the system is taking care of it. And that's where we believe that the public private partnership will play an extremely important role. The people like Anuj from Hitachi systems will build an infrastructure which can be trusted. The identity wallet providers like Hemen will build those systems where there's an inbuilt trust into this. And then all of us collaborate to skill reskill each other, each one of us and collaborate to create value which has not been created until now.

This is also the important factor is that the only way today it can be my AI avatar also talking in this webinar. But the only way we can differentiate between a human participant and the AI avatar of that person is only through the biometric identity system that we are talking about. So I personally believe that we are going to enter into an era where we are not only talking about a collaboration at a massive scale, at a global level among the hybrid team members sitting across the world. But also machines also participating into it. And we should be trusting that what part of collaboration is happening through machines and what is coming human being way. So it's not only about the security, it's also about co-creating the value that we are looking for. And that will happen from this. And that is why I'm saying that we are going to see partnership on a scale never seen before.

We are going to be operating in a world where robotics way of working has to happen. Human beings, our ability to operate in this world, will be determined by how well we can work with Ais. And that's where the partnership will happen all the time, real time basis. And this partnership will be in a creative partnership. Until now, we have been only seeing a transactional ecosystem. We are probably entering into a creative economy and first time we are going to have a system where a creator until now has been thought of as a person who can create on. But the whole brain computer interface and multiple teams working together, we are probably entering into an era where it's a crowd created economy that we are talking about. And I'm so excited about this. This is our vision and where we are focused.

Sujit John:
Very interesting. NSDC, have you completely done away with passwords?

Ved Mani Tiwari:
So as far as NSDC is concerned, what we do is that we have the application that we have built Skill India Digital has both web and mobile app. You can download that Skill India Digital from Android Play store or Google Play store or app store from Apple. Once you have the app on your phone, then the whole architecture of security emerges from this. That only what you only have to do is that you have to put your phone number, the phone number is connected with aha. So this is the only link that you have. And since that your app is native and you just set your own pin and that's it because it's all authenticated from the Aadhaar itself. It works beautifully because we have our team, our IT team, my CTO Hitachi and the team of everybody has created a system where it's security of top order. But it's a frictionless security. You just have to rely upon your app and you have a frictionless system.

Sujit John:
How long did it take you to implement this?

Ved Mani Tiwari:
It took us one year.

Sujit John:
One year?

Ved Mani Tiwari:
Yeah.

Sujit John:
Any advice for other government departments?

Ved Mani Tiwari:
My advice would be Skill India Digital actually is connected to all these sovereign databases. The approach that we followed is don't reinvent the wheel. The Aadhaar is there, UPI is there. Use those stacks to build something on top of it. And what we did is that we also connected to all the sovereign databases. So as we talk about multifactor authentication today, we can actually, we are connected with voter ID card election commission. We are connected with all the RTOs in the country. We are connected with the... So we can authenticate you through your driving license, voter ID card, your PAN.
We have all connections with all the utility providers. So there are multiple ways in which one can establish one's identity. And even for entities, because we are connected with JST network, we are connected with Ministry of Corporate Affairs network. So Sentinel Pan, all these authentications can happen. So I personally believe that Skill India Digital is perhaps the most widely connected, frictionless, secure system that we can have. And the team is working on coming out with services so new developers can use services. So we are taking two approaches, exposed services which people can use. And the other approach that we're doing is that we are going to expose APIs from screen digital with this. We personally believe that a lot of innovation can happen on top of this, what we have built.

Sujit John:
Okay. Okay. Anuj, you want to add to that the public-private partnership part of it?

Anuj Gupta:
I think we also work with more or less everybody, be it UPI and NSDCC and IC. So we work with a lot of public organizations and we come as a private partner. So what Ved's actually I highlighted is the trust factor, which is the most important aspect. And that is what we have been working on as how a corporate organization or a global organization works with a government organization creates that trust platform. Creates the thing where it is actually it's a lot about how we coexist in the ecosystem. And each one of us play a part. So clearly define what the public organization needs to do and what we need to do. So we provide the infrastructure, they have the entire team, which is a very, very capable team. Build this whole thing in one year. And believe me, to build something like this in one year is a quick, quick turnaround.

So they've built something in this one year and then of course we keep auditing it for them and then we keep enhancing it for them. So the good thing is it's in any such initiative, if we both work like partners or we both work as providers for a common goal, it works. It's not a supplier buyer relationship, it's not a relationship where I'm just trying to sell something to them. So that is what is happening. And as we move forward within this digital era, we are talking about AI. We're talking about digital twins, we are talking about so much that is happening around the world. I feel that more and more we will see this private public partnership to come out. And again, most of these causes are noble in nature. What NSDC is doing extremely, extremely noble cause. Because you're really skilling the people of India and then giving them one platform where they can be visible and then they can apply for jobs and improve their lifestyles.

So like that with UPI really helped during the covid times when the tough times were there. Because of UPI we could deposit 200 500,000 rupees to the needies. So we also look at it, and again as Hitachi, we always believe in social innovation. So we believe that these things are going to become even more as we go down the line and as we, it's going to be very, very exciting times in the next two years. Believe me, we will see a plethora of transformation from as basic as just getting into as what Hemen talked about. Getting into airports, which is with DigiYatra or with NSDC on skilling or on digital wallets. And now RBI launched the e-money. So there is so much that is happening. It's going to be a very interesting time. And just last bit before I go, I don't agree with Hemen that I don't think American airports are even close to what technology Indian airports are using.

So at JFD you definitely need a big upgrade. And I think India again, it's a way to look at it. If I look at the way airport modernization that is happening in India and I traveled so much around the world, I think in the next two years we will be a true digital airport. But a true digital DigiYatra, whatever you want to call it, it's going to be extremely interesting. Thank you.

Sujit John:
Yeah, when Hemen mentioned Charlotte, I also thought of DigiYatra and all that. I thought we'd already done it.

Anuj Gupta:
I don't know how he's saying he's happy with American. I don't want to say anything more.

Hemen Vimadalal:
And I think Sujit, first of all, Anuj, we can have a separate discussion about that. But from my perspective look, public-private partnership is not just about providing services to each other, it's about sharing. As India is one of the fastest growing countries in the world, we are surrounded by adversaries. As soon as we grow, we are going to be attacked more and more and more. And that's the issue. If public-private partnership foundation is not built on trust and built on sharing information, which is what I've seen across the globe now that creates a sense of responsibility. If someone is getting an issue in the private sector, public sector needs to know because they're soon going to get that issue. If the public sector is getting an issue, private sector needs to know. It's a lot about sharing public private partnerships is about that.

And if you share more information with each other, that allows you to build a stronger infrastructure for all of India. And I think that's what we are seeing with, especially with what NSDC and wait are talking about is leveraging all the resources that India has built that a private sector can use, and all the intel that the private sector collects that the government can use. And that is paramount. And I feel like we are at the cusp of going through that cycle right now where a private company can trust the government and the government can trust the private sector. We are not there yet as a country, but I think we are slowly moving in the right direction with all the right policies, procedures, standards, regulations, et cetera.

Sujit John:
And you work with a lot of private enterprises as well on this technology, right?

Hemen Vimadalal:
Yeah, I mean we are working with some of the largest telecommunication providers, the largest financial services organizations and government entities. And so we've been fortunate enough to have a platform be selected by these organizations and honestly gotten some great feedback. Which always motivates you to do more, yeah.

Sujit John:
Hey, Shilpa?

Shilpa Phadnis:
Mr. Nandkumar, with the new Data Protection Bill, can you help us understand what kind of impact would it have on service providers and citizens at large?

Nandkumar Saravade:
I think what the new law does is to spell out the responsibilities of the data fiduciaries as they're called. Basically those are the organization which collect our data and then the data is processed by data processors who work under the instructions of the data fiduciaries. By bringing in the expectation about collecting the right consent, limiting the purpose for which the consent was collected. And not extending the data to other users, providing access to the user to his or her own data. All those principles of privacy management are now enshrined in the law. And I think the government has talked about a graded approach where they will expect the significant data fiduciaries as had notified from time to time by the government to be following the regime much more rigorously. And of course it's early days, but I expect some of the sectoral regulators also to get some role in ensuring that the data protection proceeds faster than what we have seen.

So it puts responsibility on many stakeholders. I think the privacy board will be able to take up grievances and the sheer fact that there is a forum, there is a greater awareness will lead to uncovering of data breaches. Privacy compromises lacks privacy practices and we'll see everybody getting more aware around this will lead to firstly better compliance and secondly, also better response to what incidents happened. And then the feedback loop coming back to stranding the systems further. So I think the bill was under discrepancy for a very long time. In between the goal changed, new technologies came in, new threat factors also appeared on the scene. So this law is now coming at the right time and we'll see, I think around privacy, greater awareness, better compliance and greater response to the data breaches.

Sujit John:
Some good progress there. I know we are running out of time, but quick there are a couple of audience questions for Nandkumar and Hemen while asking both are own password managers. Hemen, give us an idea. Nowadays all of us use these password managers more and Sohan says, most of my passwords are saved in password manager. What do you think of this technology and what happens with the password? Can't the password manage itself be hacked?

Hemen Vimadalal:
Yeah, they have been. I mean Anuj and I can give you several examples and Nandkumar also, you've seen several examples. It's almost like storing the keys to all of your kingdom inside a locker. And a lot of times people use open source because they don't want to pay for it or they use commercial versions that are not architected well. So there are certain password managers that are extremely architected well, but a lot of them that the general public use have been attacked. And if you just look up your password manager and just search for the word hacked or compromised, you will see articles on it. So I would recommend password managers are a good bandaid for the problem, but it's not the solution.

Sujit John:
Not the solution. Okay. I know like I said it's... But final words to you Mr. Tiwari, you are the CEO of one of the most important organizations created by the government. Tell us how soon are we going to see India as the skill capital of the world?

Ved Mani Tiwari:
So as I told you that the world will see in a hundred grow new people joining over next 25 years in the workforce. Every fourth or fifth individual is going to be an Indian and our honorable prime minister, yesterday in his speech he said that when he became the Prime Minister, he formed a skill ministry. And the skill ministry is not only going to serve the needs of this country, but also needs of the world. And with this thought, we formed a company NSDC International. We are working across the world with 13, 14 countries right now, within two years of our operation. And we find very positive response coming from all across the globe because this whole system of tenant mobility is broken all around the world. And the broken pieces are all about trust. That how do I trust the credentials of an individual about identity, about credentials, about the experience, and that is the problem that we are going to solve.

So we are working on this on multiple fronts. One is that solve this trust issue. Anybody, any employer sitting anywhere in the world should be able to use NSDC trust as a medium to solve their identity and capability related issues. We are working with multiple global standards providers to map our skill qualifications to other countries qualifications so that people have the opportunity to appear for multiple level of certifications, but the information is available to them. So they only do a bridge code and there's a career path that they can have for global mobility. We are working with large employers across the globe to understand what are their talent needs and how do we solve for them. So I think if you see the digital platforms that we are building, the knowledge partnerships that we are building and the trust platform that we are creating, that gives us an opportunity for India to actually be there.
Today we are considered a superpower when it comes to it. It happened because there was a crisis by [inaudible] crisis as many of us know at some point of time. Which made India the IT superpower as we are today. Now world is facing many more the healthcare problem, the logistics problem, the energy problem and on top of this demographic problem. And that's, I personally feel, believe that our Prime Minister says that, that India has always demonstrated, and the next two decades are going to be decades of India. And that is where all of us should pull our knowledge of abilities to take India where it belongs to.

Sujit John:
Absolutely. I mean, I sit in Bangalore and I can see every day some new global company's setting up a massive new center around all over, I mean, hiring people. But now with the kind of technologies even NSDC's developed along with 1Kosmos and all of you. I mean, it's become easier and easier for us to offer our services to the world global mobility like Mr. Tiwari said.

So thank you all for a fascinating discussion. We are entering a whole new world, which will not require the painful passwords. But technologies that are extremely seamless and simple and easy to use to authenticate you and to ensure trust. Thank you, Mr. Tiwari. Thank you, Mr. Nandkumar, Anuj, Hemen. Really nice having you on this platform. Thank you.

Anuj Gupta:
Thank you so much.

Hemen Vimadalal:
Thank you so much.

Anuj Gupta:
Thank you all.

Hemen Vimadalal:
Thank you.

Sujit John:
Thank you. Really appreciate it.

Ved Mani Tiwari:
Thank you. Pleasure to be here.