
Podcast
Let's Talk About Digital Identity
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
Exploring the Importance of Identity Governance with Craig Ramsay, Omada – Podcast Episode 102
Let’s talk about digital identity with Craig Ramsay, Senior Solutions Architect at Omada.
What is Identity Governance and why is it important? Craig Ramsay, Senior Solutions Architect at Omada, joins Oscar to explore all things Identity Governance, including the role of Identity Governance in compliance with regulations and standards, how it affects security and risk management for organisations, alongside some real-world examples of Identity Governance in use.
[Transcript below]
“We’re still trying to shake off the thing that – security is a barrier to efficiency. There’s an old adage that ‘efficiency is insecure, but security is inefficient’. But I don’t think that’s true anymore.”
Craig Ramsay, Senior Solution Architect at Omada, from Edinburgh, Scotland. I have worked at Omada for 3 years and have previously worked at RSA Security and different financial services organisations in the UK within their Identity functions. Outside of work my main interests are hiking and travelling.
Connect with Craig on LinkedIn.
We’ll be continuing this conversation on LinkedIn using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 102.
Podcast transcript
Oscar Santolalla: This week I am joined by Craig Ramsay from Omada, here to discuss the importance of identity governance and how it is helping to solve problems in the real world. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar.
Oscar: Hello, for today’s episode about Identity Governance and Administration, mostly known as IGA, we have invited a super interesting guest who is Craig Ramsay. He is a Senior Solution Architect at Omada. He’s from Edinburgh, Scotland. He has worked for Omada for three years and has previously worked at RSA Security and different financial services organisations in the United Kingdom within their identity functions. Outside of work, Craig’s main interests are hiking and travelling. Hello, Craig.
Craig Ramsay: Hey, Oscar. How are you doing?
Oscar: Very good. Nice talking with you.
Craig: Thank you, you too.
Oscar: So, let’s talk about digital identity. As usual, we want to hear more about our guests. Please tell us about yourself and your journey to this world of identity.
Craig: Sure. So, I mean, thank you for the introduction. And I guess, in terms of my journey into identity, it was a little bit by fluke rather than by design. I studied Computer Science and when I graduated, I joined an operational IT graduate scheme. They had recently started a new IAM project, because I think back in 2008, identity and access management, identity governance wasn’t as mature as it is now. It was still kind of seen as an operational IT project rather than an information security principle. So, the drivers there were more about the efficiency, automated provisioning and stuff. But yeah, they were looking for a graduate on that project. That was me.
And apart from a few years where I decided to try what it was like being a policeman, I have worked in identity ever since either for, as you said, financial services organisations doing the work at the coalface or for vendors, either in project delivery or, and you know pre-sales in my solution architect role.
Oscar: Excellent. So, let’s go first with the basics. We have not talked about IGA yet in this podcast, have not focused on that. So, tell us, what is that? What is Identity Governance and Administration, IGA? What is important?
Craig: Sure. So, I mean, identity governance, when you focus on it, at its core, it’s a solution that will ensure the right individuals have the right access for the right reasons at the right time in your organisation. So, it’s protecting the authorisations or the resource assignments within your organisation. And that’s often policy-driven to ensure that all of, and I think the important distinction here when we talk about IGA, that’s traditionally your internal identities, maybe your third parties and contractors.
And then in terms of the overall importance of identity governance, as I said, it’s evolved over the years from being primarily driving and focusing, looking at the provisioning element of things. But as governance has become more and more important, as we start to take a more holistic view at identity, when you look at the adjacent technologies; privileged access management, cloud infrastructure entitlement management, user and entity behaviour analytics, identity governance is now really being seen as the kind of control plane across that identity fabric. So, I think it is becoming crucial. And there’s a lot of visibility on the importance of identity now, right up to C-level and maybe wasn’t 10 years ago.
Oscar: You mentioned this concept about identity fabric. Could you also explain a bit more about that in this context?
Craig: Yeah, sure. So, I mean, identity fabric is a term that’s been coined in the last maybe few years by a lot of industry analysts out there. It’s maybe a new phrase, but I think the concept isn’t necessarily that new. So, I think we also hear people calling it an enriched security ecosystem. So, it’s where you look at these solutions in the PAM space, UEBA, your SIEM solutions, etc.
Those traditionally have worked in perhaps a bit more of a siloed manner. And the integrations have been maybe limited and not as seamless. Whereas now, I think this concept of that enriched security ecosystem, that fabric is that these things should be joined up and they should be – the convergence of intelligence and data between those solutions, I think is becoming more and more important so that you can take a holistic approach to reducing your identity-related risk.
Oscar: It is very important, as you said, because there will be anyway, other solutions working together with IGA. Yeah, absolutely.
What are the main problems, just – I’m sure there are many, but what are the top main problems that IGA solves?
Craig: Yeah, so from a business problem or business challenge perspective, I think the main thing that we always focus on when we’re helping people build their IGA business case, is that we focus on security, compliance and efficiency. So, it’s looking to increase the efficiency and productivity of your end users and their experience, all whilst ensuring that you’ve got increased compliance, increased security and reduced risk.
So, when we look at that, some of those common challenges and problems within that would be reducing the attack surface in the organisation. So, removing unneeded access, adhering to the principle of least privilege, making sure that your identities only have the access they should. I mean, combining those two things is going to reduce the likelihood and the impact of a potential breach in the organisation. It provides you with a unified view of access across the organisation, which a lot of people often haven’t had previously. So, understanding who has what access.
And then there’s the automation around identity lifecycle management. So that’s reducing the time taken to provision your joiners, your movers, your leavers. You’re putting governance and auditing around all of these processes too. So, when people are requesting access, you’re ensuring they’re getting it for the right reasons with the appropriate approval. And you’re cutting down on things like rogue IT administration and stuff like that.
So that’s high level, there is more obviously, but I think those are the high-level ones that we see frequently when we’re speaking to prospects out there in the market.
Oscar: It’s a security compliance, and efficiency. Yeah, we’d like to talk about this. But before actually it will be interesting to – so people can understand the broader concept, how we try to imagine in their minds.
If you can see in a real-world example, how work for a typical corporation that uses IGA. So, tell us what are these main processes that you say, mostly employees, right? What are these main processes? Let’s say a new employee goes from beginning until the end.
Craig: Yes. I mean, if we’re going to talk – the phrase we kind of, is from hire to retire. So, when I try and explain this to my friends, maybe aren’t so technically minded when they ask what I do, I sort of give them an example. I say, OK, you join an organisation, and you are working in their HR department. So, from day one, you should have access to be able to log into the network, an email account, access to various file shares to do with HR to enable you to be productive from day one.
So, the IGA solution will help you identify the policies to automate that process, to make sure that you are productive and also make sure that you’ve only got access to what you should. So, if you’re joining HR, you shouldn’t be getting access to any file shares to do with finance, R and D, anything like that. And then as you move around the organisation or your needs change, you should be able to request access that goes through the appropriate channels.
It should be reviewed regularly to make sure that it is still appropriate as you go through your life cycle as an identity in the organisation. If you are promoted or change departments, that should change automatically in line with those policies too. And if you either leave the organisation, be it permanently or temporarily for maternity leave, garden leave, that kind of thing, your IGA solution should then disable or deprovision that access in a timely manner too, to make sure you’re reducing risk.
So, I mean, those are kind of some of the high-level things that it’s that right access for the right people at the right time for the right reasons is kind of trying to, in a nutshell.
Oscar: Indeed, that was in a nutshell, very, very easy to understand. Thank you for that. Some of these at least main problems and how these are being solved. But IGA, let’s start with security as you put security first, how IGA is helping with security?
Craig: So, in terms of how it contributes to, you know, maybe security and risk management, I think, it’s providing stronger access control. So, it’s starting to limit access to your sensitive and privileged information. So, when you start to look at either personal identifiable information, financially sensitive information, or privileged access, so this is when you start to look at integrations with adjacent technologies in the PAM space, you’re ensuring that the access control is limiting that access.
Reducing risk. I already talked about the fact that that principle of least privilege means that if there is a breach in the organisation, the identity of the account that’s breached should have only the access needed to do the job that it can, and it shouldn’t have any elevated permissions permanently. The ability to traverse the network or to have a much more impact on that breach should be reduced. You’re also reducing the likelihood by integrating with identity providers to perform strong authentication. And those unneeded accounts or unwanted accounts or unused accounts have been removed over time as well. So that should be helping you reduce the risk and then improve your security posture.
In combination with that as well, if you look at some of the real-time monitoring and identity incidents or detection and prevention you’re starting to see integration with abnormal access patterns, maybe you know impossible logons, for example, we integrate with the Azure identity risk subscription so that’s looking at – user logged on from Edinburgh one minute and they’re trying to log on from Beijing the next. That’s impossible, so that may be an indication of compromise. And then your IGA solution could lock down that account.
So, there’s many ways you could do that and it’s obviously a maturity journey, you need to crawl before you can walk before you can run. But it’s a maturity journey you go on to take a holistic view in reducing your identity related risk.
Oscar: Yeah, indeed. From basic essential functionalities of security to much more advanced like some of the ones you described.
The second one is, of course, compliance. It’s very common that someone comes and starts to ask someone from Omada, or from another company, even Ubisecure (we also do identity and access management), and one of the key drivers for them is compliance, especially in some industries where it’s more important. So, tell us about compliance.
Craig: Yeah. So, I mean, when you go out there in the market and you’re speaking to organisations, more and more and more we are speaking to organisations that operate on a global basis. So, you’ve got country or region-specific things like GDPR, SOX, HIPAA, PCI DSS etc. that are external regulatory compliance frameworks that you must comply with. And you know we keep a track on with things like Schrems II as well. We’re always keeping an eye on that to ensure that the solution we provide is compliant with those things.
But then we’re also helping our customers comply with how they are storing, processing and managing the data in relation to those things. So, if you look at what I often say is that an identity governance solution is a technical translation of your business processes. I think you always have to look at making sure your people process and technology are working in harmony with each other. Technology alone will not resolve your problems. So, I think as part of a wider identity information security strategy you should ensure that your internal policies and standards are created in such a way that it will help you comply with those external regulations if they apply to you.
But you should always look, I think it’s a healthy thing for any organisation across any vertical to have these well-defined policies and standards and ensure that they can comply with those. And as I said that’s where identity governance comes in, because it helps you comply with those things by defining policies that can detect when you’re non-compliant, you’ve got that audit trail. So, it offers – you’ve got transparent auditing for your internal and external users to prove compliance. You will go through regular recertification, attestation, reviews, whatever you want to call it. But that also ensures that you’re demonstrating regular compliance.
And then we already talked about risk management as well, but compliance and risk often do overlap each other. So, you’re identifying and mitigating compliance risks through the definition and enforcement of these policies as well.
Oscar: Indeed. So, there is some reports that can be directly created, right, from the IGA system. And that can be directly taken by the compliance officer or whoever requires it, right?
Craig: Yeah.
Oscar: The other you mentioned there was the operational efficiency, right? So, as you mentioned, it’s one of the three main problems. Let’s – I’d like to hear more about that as well, how IGA helps.
Craig: Yeah. And I think that’s one of the things that I think separates IGA and the information security market sometimes. That it’s not always focusing on risk reduction and things that are maybe potentially seen as negative. So, you talk about fear, uncertainty and doubt within the sales process, etc. When you’re doing that, it can often be quite a hard sell because it’s hard to quantify the risk. We can’t help with that. There are formulas out there of calculating the impact of a risk based on, you know, and the likelihood, the cost of the actual breach, etc.
But to bring it back to what you actually asked about from an efficiency perspective, if you look at – if organisations are still heavily manual in their provisioning and their processes, there’s a huge cost to that from areas like your service desk, your operational IT administrators. And often it leads you to the potential for human error as well. So, if you start to automate those things, you see a reduction in numbers of calls to the desk, a number of manually created events and things that are being done. And you can put a pound, euro, dollar sign against that clearly from an efficiency and a cost reduction perspective.
From an end user perspective as well, I mean, it’s always, I think there’s – we’re still trying to shake off the thing that security is a barrier to efficiency. There’s an old adage that I keep using for it regularly that ‘efficiency is insecure, but security is inefficient’. And I don’t think that’s true anymore. I think if you correctly apply your policies in a way that apply the appropriate level of risk, your users – to them, it should be seamless pretty much all the time. They shouldn’t see these processes as an action. They should see it as; they request the access they need, it gets granted to them in a timely manner. When they move around the organisation, a lot of that should happen automatically.
Overall, you should see an increase in productivity. Your line managers aren’t getting frustrated when people join the organisation and they’re having to submit 10 different requests to get them functioning from day one. So, it’s overall operational efficiency and cost reduction. But the productivity. And end user experience of it as a result of a well-delivered IGA program, I think is clear to see as well.
Oscar: Yeah, cost reduction is clear and is a great reason to buy a product like IGA. Absolutely. Well, if you quantify that to a buyer, it’s like, wow, you can convince him or her very easily. Yeah.
At Ubisecure, we are working with CIAM, and I experienced directly that sometimes requests come from potential customers, and they are looking for identity and access management. And when we review closely, we see that sometimes what they need is IGA or what they need is both IGA and customer identity and access management. So, and in those cases, the customer will need to deal with these two types of system, right? The IGA and CIAM.
So, what is your perspective from your experience working integrating these two types of tools? What are the main things that a buyer bought from business and technical perspective should know at least?
Craig: Yeah, so, I mean, funnily enough, I have worked on a couple of opportunities where Omada and Ubisecure have been working together on those kinds of joint proposals where people are looking for IGA and CIAM. And I think it’s interesting because you can make a very strong case about where the overlap is, but you can also equally make a very strong case about why they should be separate because of the nature of the requirements.
From a CIAM perspective, you’re looking for that seamless, really quick response for all your consumers. And then you should be able to deal with high demand periods when you’re very, very busy, when your consumers are consuming your services. And from an IGA perspective, you’re very much looking at the internal and the control and the level of these privileges that we’re talking about. And there are similarities in the capabilities in terms of, you know, being able to provision in a timely manner, deprovision in a timely manner, ensuring that it’s the level of appropriateness.
So, if you look at it from an integration perspective, a unified management of the identities, I think, could be important whilst treating them differently. I think your end user experience again should be important. So, you’re balancing security and efficiency for your internal and external customers. And then you should be able to have that from a scalability perspective by seeing those things integrate well with each other as well.
I think what is important when you’re speaking to people, understanding their requirements is crucial. So, when they’re talking about, you know, B2B or B2C capabilities and requirements, it’s OK, well, how do you manage your B2B and B2C use cases? Because I think if you take software or technical organisation where their consumers consume their services in a far, far different way to maybe a retail bank or a supermarket. The requirements for end users from that perspective, they’re opening up a loyalty card in a store and you’re processing their personal data in that manner is very, very different to maybe a software company where people are having accounts created and consuming those services.
So, as you can probably tell, not an absolute expert in the CIAM space, but I think whenever those opportunities arise, I think the first important question is why? To understand what it is exactly they’re trying to achieve. And then you map the use cases to the functionality in each of the appropriate solutions to make sure that it’s well matched. There will be overlap in some cases. But as I said, there’s a strong case for when there’s similarities and when they should be managed separately. But ultimately, it’s part of that wider identity fabric we mentioned earlier that it’s kind of all identity in the end, I guess.
Oscar: Yeah. Indeed. As you say, you put it very clear, the importance of really knowing very well the requirements because in a conversation, they might tell you we need this one, two, three, five things and can be also in a written Excel file or whatever. But then you have to go deeply to understand what they meant by saying this B2B or anything, right? So, yeah. Indeed. Thank you for sharing that.
Looking now at the present and future, let’s say, because IGA, as many other types of products have been evolving, are evolving all the time because there are different needs. So what customers are asking today when they are clear that they need an IGA software? What they’re asking today and what are these new problems that need to be solved, are being solved now and need to be solved if they are not solved today?
Craig: Yeah. So, it’s a very timely question. To be fair, we recently released a State of IGA for 2024 report at Omada and we did a webinar discussing the findings of it and it did exactly that it looked at how seriously people were taking identity. And then as you said what are they looking for currently and what are they looking ahead at as well. So, and we just talked about the why and the use cases, so I think, number one that we still see is that the solution they’re looking at adapts and meets to their changing business needs. So, the requirements they have now and the requirements they think they’ll see in the future, it’s the core capabilities must adapt and must comply with that.
We’re seeing an increased importance being put on the ability for the solution to integrate as part of that security ecosystem we talked about. So being able to play nicely with the adjacent technologies across the identity fabric. And then from a connectivity perspective, I mean I talked earlier about a unified view of access across the board, the nature of organisations has changed massively in terms of on-premises systems to a lot more cloud services being consumed. So the ability to extend and integrate with a growing list of different target systems is important for them.
Looking ahead, we do see AI and Machine Learning coming up again and again. And I think when we see that it’s important to take those as separate things. So, from ML perspective, you know, if you look at kind of the role mining capabilities that have been there for some time, recommendations during reviews, recommendations for decisions or decision support for approvals, that stuff has been around for a little while.
From an AI perspective, I mean there’s a huge buzz around what’s happening in AI. Just now Google just released their Gemini chatbot to rival ChatGPT and that the generative AI stuff and the practical uses of that are going to start to be seen. So, you know integrating generative AI, we have stuff where it’s looking at… you can ask questions about the documentation. So, like what is this object in Omada and like what’s the difference and it’s starting to respond to that so we’re in the process of testing and releasing that.
And then looking further down the line, it’ll be generative AI within the solution. So, user logs in and it says, “What are you trying to do today?” “I need the same access as my colleague Allison.” And it’ll say, “OK she’s got this, this and this. Maybe this is what you need to request.” Or it’s becoming more mature and more complex or sophisticated in what it can do.
So, I think ultimately what people are looking for is ensuring that the solution they have can do what they need to do today and can do it well, it’s scalable, it’s easy to upgrade, it’s easy to maintain. They’re reducing the complexity of management of it so they’re simplifying it from that perspective. But looking ahead they’re needing that generic connectivity that can allow them to connect to any of the systems they have now and ones they want in the future. And then being able to take advantage of the advances in the AI and ML space to improve end user experience and also the maintenance and administration of the system itself for their administrative users.
Oscar: So, you believe that machine learning and the other what we call artificial intelligence is going to be used. It’s to be solving those problems that today customers are bringing up.
Craig: I think it’ll augment, and I think – because that’s the thing people get worried about AI replacing us and whatnot. And maybe somebody using AI more efficiently than you might replace what you’re doing but AI itself can’t and I think any algorithm that – it does do in the output of it still needs human validation particularly in a field like IGA where OK it’s taken a huge amount of data, provided this output and most that might look OK. There’s probably some human context in terms of exactly what that business does that’s needed to say, “Yes I’m still OK with that.” Because ultimately the human’s going to have to be accountable for the decision that’s made. I don’t think and I don’t think we’re going to see algorithms being fined or sent to jail for data breaches you know, I mean.
Oscar: Yeah, a human will go to jail anyway. Hopefully not. Hopefully that doesn’t happen.
Craig: No, hopefully not that’s what we’re trying to prevent. You’re right, we’re trying to prevent that but yes.
Oscar: Exactly, exactly. Yeah, yeah definitely. Also, one thing you mentioned, it comes back to what we discussed earlier, these identity fabrics. Yeah, the way to coexist all these tools, IGA, PAM, CIAM all together, that’s also, as you say, something that is becoming more important because the environments are getting more complex.
Final question for you, Craig. For all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Craig: So not to spoil the magic of the podcast but we’re recording this just before Christmas towards the end of the year and I don’t know when it’s going to be released but that’s always a time for reflection and looking at where you’re at and where you want to be going. And I think for any business leader right now, I think conducting an identity maturity assessment is something that you can do actionably right now. So, look at where you’re at from an identity maturity perspective and identify gaps that you need to start filling, or priorities looking ahead and aligning that with your business goals, your business risks to ensure that your information security strategy, your policies and standards support your overall business objectives.
And then from that, building a plan of continuous improvement, some milestones as well. And I think any well-delivered IGA project should be doing that. It shouldn’t be looking to boil the ocean or deliver everything at once at big bang. It should be continuous improvement and continuous demonstration of value.
So, I appreciate that might be – that’s not something cutting edge or brand new or innovative, but I think it is really something actionably you can do now to take a step back, assess exactly where you’re at and then build that plan and start to try an action that. Do that at the end of the year, at the start of the year. There’s never a bad time to take a step back and reflect and put that plan in place. But I think that’s definitely something actionable that they could put on their agenda right now to do from today.
Oscar: I couldn’t agree more an assessment, absolutely. It’s something needed. Yeah, it takes time. And it’s very actionable, as you said. Yeah, thank you very much, Craig, for having this very interesting conversation about IGA and other topics, related topics.
So, let us know for people who would like to continue this conversation with you, or follow you, or find out more about what you do, what are the best ways for that?
Craig: Yeah, absolutely. So, you can find me on LinkedIn, Craig, I think my username is Craig86. Obviously, I work at Omada Identity, but that’s, again, if you search for Omada, you’ll find us there. I mentioned our State of IGA 2024 report, you can download that free from omadaidentity.com. And there’s also an on-demand webinar where myself and Rod Simmons, our VP of Product Strategy, discuss that report in-depth.
But yeah, please do feel free to reach out and connect. If you want to chat about all things identity or just want to know a bit more about Omada or myself. But yeah, it’s been a pleasure talking to you, Oscar, as well. Thank you.
Oscar: My pleasure as well. Well, all the best. Happy New Year. Now, this coming the new year, 2024, I wish you all the best for you, Craig, Omada, and everybody who is doing all this great job in the identity space. Thank you. All the best.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
The Right Time to Invest in Identity and Access Management (IAM) with Jesse Kurtto, Ubisecure
Let’s talk about digital identity with Jesse Kurtto, DPO and Data Scientist at Ubisecure.
Is now the right time to invest into Identity and Access Management (IAM)? Join us for episode 101, as Oscar is exploring why now is the right time to invest into IAM with Jesse Kurtto, DPO and Data Scientist at Ubisecure – as they delve into the current economic situation and some of the key factors of investing into identity management.
[Transcript below]
“Digitalisation is ongoing, it’s accelerating, it’s unstoppable.”
Known as the guy who shortened the world and lived to tell the tale, Jesse’s career is gradually arching from the Wild West world of finance to his current position as the DPO and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he’s no stranger in exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is putting the hiking boots and RPGs aside for a moment in order to write to his beloved snail mail friends across the world.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 101.
Podcast transcript
Oscar: Is this the right time to invest in Identity and Access Management? This week Jesse Kurtto from Ubisecure has joined us to answer this question and discuss the current economic situation. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar: Today’s guest is Jesse Kurtto. Jesse’s career has gradually arched from the Wild West world of finance to his current position as Data Protection Officer and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he is no stranger to exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is writing to his beloved snail mail friends across the world. Welcome, Jesse.
Jesse: Thank you for the invite, Oscar. Nice to be here.
Oscar: Great having you, Jesse, definitely. We’re going to have a super interesting conversation about the market in digital identity and Identity and Access Management.
First of all, we always want to hear more about our guests. So please tell us a bit about yourself and your journey to the world of digital identity.
Jesse: All right. So, like many or even most of us in the digital identity field, I never really actively sought to be an IAM specialist on purpose. And my personal background is actually not in technology at all, but in finance, and investing more specifically. So, it was a chance encounter: I liked the people who interviewed me and decided to stay for a while, and that while has now been over seven years. And I’m still learning something new every day, finding out what the world of digital identity is really like, and frankly I haven’t ever regretted the decision. No two days have really been the same, and the field continues to evolve and develop quite a bit every year.
Oscar: Yeah, excellent, and definitely here at Ubisecure we appreciate having this, let’s call it a blend of knowledge: the financial market, no less than what you bring with the security and digital identity knowledge, very practical knowledge that you also have. So, it’s always super interesting having those conversations with you.
And for the first time here on the podcast, we are going to have a bit more of a financial touch on that: what is coming, especially this year, and I think also in the years to come. The previous year and the year to come, I think, since we are already at the end of 2023, in which, well, the financial situation is not good, as we’re going to talk about. But of course, no matter how the economy is, companies and organisations have to protect their services, have to upgrade the services and maintain them, so they have to invest some money in that.
So, from the perspective of companies who today need to upgrade their digital capabilities, what would you say is the piece of the current macroeconomic situation that they should know well? What, at least, should they know well about what is happening now?
Jesse: Well, first of all, we all know the macroeconomic situation hasn’t really been dancing on roses over the past few years. First, we had a massive shock with the COVID pandemic starting from spring 2020. Then we got massive economic stimulus to recover from that slump. And right after we were starting to climb up, then came the war in Ukraine, and all kinds of new problems everywhere around the world seemed to emerge just within three or four months.
The energy uncertainty in Europe, and the economy went down the drain, and macroeconomically we are in quite a difficult situation here in Europe. We would actually want to have some kind of stimulus in order to recover. But at the same time, we are suffering from quite persistently high inflation, which makes any kind of stimulus package basically equal to pouring more gasoline on the flames.
So, the European bank is really between a rock and a hard place here. And I can only look over the Atlantic to the States and be very jealous of how they are able to both fight inflation with high interest rates, five and a half percent as we speak, and meanwhile still have a blisteringly red-hot labour market there.
So, my first point would be that not all markets are equal. And the second important point is that now is actually a really great time to invest in any digital capabilities, including digital identities. Because now we are in the middle of a small recession in Europe, and investing in a recession has historically been the very best time to invest in growth.
And if we think about it for a while, it actually makes perfect sense. After all, the alternative is to invest in the middle of a growth season when everybody else wants to invest in growth as well, pushing prices even higher and reducing the availability of experts to help with these transformation projects. But now, still for a while, it’s kind of a buyer’s market.
So the best time to invest in future growth is now.
Oscar: So, time to invest is now.
Jesse: Yes.
Oscar: Okay. So, let’s go into what, because there are many things that a company can invest in now and many things that many companies might need. But if you were one of the chief executives, like a CISO, or someone who is a top decision maker in a company, and there has to be some budget for digital identity, thinking first of all broadly, but within digital identity, what would be the most important products that today would be the top priority for buying now?
Jesse: Today I would say that the absolute top priority would be to establish really low-friction user journeys, from the very beginning at account registration to the actual purchase, including solid online self-service. And now this low-friction user journey is in no way exclusive of security or compliance, but it is actually reaping the benefits of digitalisation. Digitalisation is ongoing, it’s accelerating, it’s unstoppable.
So, the question for every organisation is: should they try to fight this change to the last, or embrace it and be among the first to actually reap its benefits? It’s actually interesting, because of my background in finance: many finance sector operators were among the first to embrace digital identities, but they kind of stopped halfway there: “Okay, we can build self-service portals for our users, but for many, many procedures we still require hand-signed paper documents being sent via physical mail.” And this is really only reaping a very small part of the benefits of digitalisation. So, there is plenty to go.
Oscar: Yeah. Interesting what you say about financial services. That’s correct. For reasons of security they have always had to be on the latest security technology. But some of the processes have been, as you say, very old-fashioned, like the old school: many paper documents, fax I think is still in use, or cheques. So, these kinds of things.
Jesse: Oh yes, those ones too.
Oscar: Still alive.
Jesse: Yes. And it truly hurts the user experience a lot. It even causes direct missed opportunities. Let’s say a new bond is coming to market and you wish to buy a piece of it and participate. But if it takes three or four days just to do all the paperwork, then the opportunity has simply passed.
Oscar: And indeed, the price has changed completely. Okay, so you say that the top priority is that the user journey has to be digitalised. So, what is the category of products that addresses that?
Jesse: I would say a real CIAM system would be the one to go for here, and not trying to build the user journey from, let’s say, 4 to 6 point solutions and then somehow gluing them together. I think the best solution would be an IAM solution that’s designed for the whole user journey from scratch, and not something homemade or patched together.
Because when the business grows, as it eventually will, no recession will last forever. And as user numbers pick up, suddenly there’s a nightmare of issues from having 4 to 6 different vendors and trying to keep their products up and running with ever-increasing user numbers. And that again is doing digitalisation the wrong way, if I may say so.
Oscar: Yeah. CIAM being, well, the evolution of the more broadly speaking Identity and Access Management. Maybe you can give us an overview of that evolution of Identity and Access Management: how we started and what we have today.
Jesse: Yeah, that’s a very interesting topic. IAM grew out of big enterprises’ internal needs: once employee numbers grow to a certain level, they can’t be managed with Excel sheets or pen and paper as before. But these kinds of internal IAM solutions scale and fit really badly for end-customer-facing journeys. Internal users can always be taught how to use some kind of system, even if it’s not immediately logical or it feels unwieldy.
But for the customers, it’s not realistic to expect that they would spend tens of minutes or even hours learning how to use some kind of system to log in. No, they would simply put down their laptops instead, pick up the phone and call your customer service. So, it will actually just cost you more money to have this kind of system.
And now, in the past ten years, there has been a massive uptake of different CIAM systems. And lately, let’s say after the pandemic, it’s interesting to see that now the full circle is coming back towards internal users with remote working. Remote working, different kinds of partnerships: there are more kind-of-internal and kind-of-external users than ever, and trying to keep these as fully separate groups is very challenging.
Oscar: Yes. So, what about the investment of a company in Identity and Access Management? What does that imply if the company does not even have, let’s say, a first personal CIAM or open source, something that they started? If the company really doesn’t, which actually surprises me, that you discover companies don’t have almost anything like identity and access management, and they are looking for some solutions, or they know that they need it. Maybe the decision has not come.
So what would you say is important for the buyers to know about the product, the Identity and Access Management product?
Jesse: That’s an interesting detail, what you said, that there are still about 20-25% of companies in Europe that do not have any kind of Identity and Access Management system in place. So, one could argue that every IAM company’s worst competitor is doing nothing. But to the question at hand, I’d say scalability is one very important thing, and compliance. If one doesn’t have any kind of identity management system in place, then it’s extremely hard to tell where and by whom the user identities are actually stored.
And of course, that is a massive no in the eyes of the GDPR, and these kinds of adventures don’t usually end well. So the first job would be to map out how many identities there are in the first place, how that has evolved over the recent quarters and where they are located, how many systems are actually connected, including partners, including systems like, let’s say, payroll providers, insurance providers, and usually the number is quite surprising. It can often be more than ten individual systems.
And now managing all these identities from a single centralised place is frankly a godsend compared to trying to manage a sprawling network of identities, some here, some there. And of course, centralised identity management also brings massive security benefits. For example, if you wish to revoke the access of, let’s say, some external consultants that have already finished their projects, you only have one place to do it, or you can even automate it.
But if the identities are in ten systems, 15 systems, then it’s really easy to forget just one. And who knows, maybe five or ten years later one of those passwords will get breached, and now the attacker gets into your system for free.
Oscar: Yeah, what is normally called silos, identity silos. Having so many data repositories, through the years it’s easy to forget; at least a couple of those are forgotten, but they are still there somewhere, in some machine, in some server. So, the data is there.
Jesse: Yes. And of course, I’ve heard many times the counterargument that it’s not wise to put all your eggs in one basket, but when it comes to information security, we as the defenders must secure every single system that we use, while the attacker only needs to find one weak system to exploit.
Oscar: Yeah, yeah, exactly. They can just find the forgotten one, the one that nobody remembers.
So, what should the company, the buyers, ask a technology vendor, a CIAM vendor? What are the most important things that have to be asked of the vendors?
Jesse: I would ask them to demonstrate the self-service capabilities first. What exactly can the users do and not do without external help, meaning customer service assistance? Because that sets quite stringent limits on the benefits of digitalisation. And of course, all the usual user journeys should be handled by the system automatically. So, I would guess that is something any IAM project touches deeply.
So, I would first describe the challenges we are facing. And then I’d ask the vendor to explain, just in plain English, how the solution works and how it actually solves the challenge that we just presented. After all, one should never invest in anything that one doesn’t understand.
Another point I would like to address early in any IAM project is what is actually included in the price and what isn’t, in order to accurately measure the TCO and how it would evolve as the internal and external user base grows. For example, there are many vendors out there that charge ten to even a hundred times more for internal users compared to external users, and that’s not usually put in large print on the front page.
And finally, I would discuss any coming changes in legislation, because I would be very interested to know whether any changes will be covered under the current proposal or whether they will incur an additional project and additional costs in the future. Change is, after all, inevitable.
Oscar: Yeah, I think that’s very important. We know that in the European Union the digital wallet is coming. Well, how many years do you predict at this moment?
Jesse: I’m optimistic and say late ‘24 launch for some countries. ‘25 mass adoption and hopefully organisational identities soon after.
Oscar: Yeah, and that’s something that I think very few people would argue will not have considerable success, because there’s a lot of time invested by people preparing all these new standards in this part of the evolution. With what we have been seeing before with Self Sovereign Identity (SSI), the wallet itself is something that is already becoming very popular on the commercial side. So that will come in.
Similarly, in other geographies there will be similar initiatives, there will be new regulations. So that, through all this, the vendor has to offer that, or has to tell you whether they offer it or not. So that’s definitely a good aspect you mentioned.
Jesse: Yes. And the Commission has made clear goals here to avoid repeating the mistakes of eIDAS 1.0, which was supposed to bring cross-border digital identities to Europe. Well, we all know that it was a commercial failure, but they have really learned from that, and I have great hopes for the EUDI, both for personal identities and for organisational identities, and especially for the latter.
I believe that the market is currently suffering from a kind of chicken and egg problem here, that everybody’s waiting for cross-border organisational identities and not building services because they aren’t here yet. So, we might see the floodgates open in the late 2020s.
Oscar: Yeah. I also believe that a lot will change, as you say, in the next 12-24 months; a lot is going to change, in a good way I believe. So it’s definitely exciting to be at this moment. We’ve been talking a lot about Identity and Access Management, but there are other aspects, other types of technology, that are also in the minds of the executives who are going to upgrade their technologies. We heard a lot about passwords in the last year. Well, ‘cryptocurrencies’ is getting a bit quieter. Today we hear a lot about artificial intelligence.
Would you recognise some technology that is actually underrated, that not many people are talking about, but that these business buyers should be aware of, because the impact will be even bigger than those buzzwords? So, what would you say?
Jesse: I would say that the coming EUDI and its principle of Self-Sovereign Identities is something that might cause quite big ripples in the identity landscape. The very basic idea that it’s the end users themselves who collect attributes and control to whom and when they release those attributes. That is very different from the usual data-repository-centric view that, okay, we have this database and we control everything here; everything is set in stone.
But when the end users actually decide which attributes to release and which not, then one can’t take for granted that, “Okay, we always have every single field in our database filled. Every user record looks similar on a structural level.” That is no longer true, and that might cause some changes.
As for technology, I have great hopes for machine learning and especially how it can help accomplish not zero trust, no, but zero-friction user journeys. And I don’t mean a strong AI that is still decades into the future, if ever. But simple things like: is the user using a different device to log in, or the same device as before? And so on.
For example, I was recently having a quick holiday in the US, and I was frankly quite shocked when I logged into some financial services using a completely different device that I had never used, at a completely opposite time of the day. I was even physically located on a different continent. And no MFA prompts, nothing. Just by inputting my password, I was in.
And that’s a lot of missed risk management there, for both parties: for me as an end user and for the financial service provider. And I believe this is something that will change sooner or later. And of course, as an end user, I would like this to work the opposite way as well: that if I’m logging in using the same device, at about the same time of the day, from the same city, as I’ve done hundreds and hundreds of times, then perhaps I could be spared the MFA fatigue and just get in with my password manager’s password.
Oscar: The technology doesn’t bother you when you are in the habitual way of interacting with, let’s say, the banks.
Jesse: Yeah, exactly. It should always take the context of the transaction into account. And frankly, what I would like to see many companies do is a more thorough risk analysis of what they are actually trying to defend against. I can give a real-world example.
About a month ago, I drove to a gas station, put my car on charge, and decided that I’d have a coffee there. I opened the app and saw, hey, there’s an offer for a coffee and a doughnut, €1 off. Great.
Okay, it seemed that first I needed to update the app to actually buy. Okay, well, I’ll do it.
Then they wanted me to add the credit card directly to the app. Alright. Got an MFA prompt for that.
Then when I actually wanted to make the purchase, I got yet another prompt and confirmation, this time from my bank: “Hey, in order to buy this €3.50 product, would you please update our app again, and use it as an MFA to confirm this purchase.” For the third time.
And by that time, I had already got a notification that, “hey, your car has charged”, and my coffee was cold by then, so I left it there.
So that was the opposite of Zero Friction. That was more of a zero-trust-like game. But the security solution that’s very fitting for, let’s say, authorising a nuclear missile launch is very different from the security that’s needed to confirm a €3 coffee purchase at the gas station.
And as discussed earlier, I believe this problem stems from that solution being built from very small parts, where every individual vendor only looked after their own interest and only wanted to cover their back in case of any kind of misuse. But nobody took a step backwards to actually see: what are we trying to defend against here? What is the attack vector here? That okay, somebody misuses this app and clones this coupon and gets two coffees and doughnuts for €3 each. Okay, so how much time and money is an attacker willing to put into such an attack? I guess nobody stopped to think about it. And as a result, the whole user journey was just a failure.
Oscar: Yeah, a complete failure indeed. A very good way to bring back the very first thing you said, the user journey. Yeah, that’s a specific example of how things can happen. It sounds like a marvellous opportunity to get a nice deal, and then it becomes a complete failure.
Jesse, one final question I would like to ask you is: for all the business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Jesse: I would dream that every executive would dedicate one day, one whole day, to actually be an end user for a day and go through their company’s entire flow, all the way from account registration to actually purchasing the product or service that they’re selling. And if there’s time, trying out things like forgotten password resets. And then the next day, repeating the same procedure for the top competitor and, even more importantly, their newest competitor, because that is where the threat of digitalisation is coming from.
Oscar: Going to be very revealing.
Jesse: Yes, and it’s important to go through the entire journey. If one simply takes it piecemeal, of course every piece may look perfectly fine. Okay, this works like this. It has confirmations like this. Great. Next piece. Next piece. Next piece. All right. Everything looks fine. But then, actually going through the process, one gets hit by four or five different confirmations, forced updates, all kinds of non-user-friendly things, and that won’t fly.
Oscar: Yeah, definitely a very good experiment, an actionable idea. Absolutely. Well, thank you very much, Jesse, for telling us all this about how companies and why companies should invest in digital identity, and why today.
Let us know how people can get in touch with you, follow you, or learn more about what we are doing. What are the best ways for that?
Jesse: All right. Thank you. First, I would ask everybody to check out ubisecure.com and see how we are approaching these problems on the market. And if needed, I would be very happy to have a chat, over a virtual or real coffee, and I can be contacted at jesse.kurtto@ubisecure.com at any time.
Oscar: Excellent. Again, thanks a lot for joining us, Jesse, and all the best.
Jesse: Thank you, Oscar.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Digital Identity Buzz: Passwordless, Identity Wallets & Digital Money with Heather Flanagan, Spherical Cow...
Episode in
Let's Talk About Digital Identity
Let’s talk about digital identity with Heather Flanagan, Principal at Spherical Cow Consulting and David Birch, Principal at 15 Mb, author, advisor and commentator on digital financial services.
This is the 100th episode of Let’s Talk about Digital Identity – in this special episode two of our most popular guests, Heather Flanagan and David Birch, rejoined the podcast to explore what is exciting them in passwordless, identity wallets and digital money.
[Transcript below]
“Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means.”
Heather Flanagan, Principal at Spherical Cow Consulting and choreographer for Identity Flash Mob, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.
Listen Episode 74, where Heather discusses Making Identity Easy for Everyone or connect with Heather on LinkedIn.
“The thing that’s broken in digital money at the moment, is identity, not the payment bit.”
David G.W. Birch is an author, advisor and commentator on digital financial services. Principal at 15Mb, his advisory company, he is Global Ambassador for the secure electronic transactions consultancy Consult Hyperion, Fintech Ambassador for Digital Jersey and Non-Executive Chair at Digiseq Ltd. He is an internationally recognised thought leader in digital identity and digital money. Ranked one of the top 100 fintech influencers for 2021, previously named one of the global top 15 favourite sources of business information by Wired magazine and one of the top ten most influential voices in banking by Financial Brand, he created one of the top 25 “must read” financial IT blogs and was found by PR Daily to be one of the top ten Twitter accounts followed by innovators (along with Bill Gates and Richard Branson).
His latest book “The Currency Cold War—Cash and Cryptography, Hash Rates and Hegemony” (published in May 2020) “paints a fascinating and stimulating picture of the future of the world of digital payments and its possible impact on the wider global and economic orders” – Philip Middleton, OMFIF Digital Monetary Institute. His previous book “Before Babylon, Beyond Bitcoin: From money we understand to money that understands us” was published in June 2017 with a foreword by Andrew Haldane, Chief Economist at the Bank of England. The LSE Review of Books said the book should be “widely read by graduate students of finance, financial law and related topics as well as policy makers involved in financial regulation”. The London Review of Books called his earlier book “Identity is the New Money” fresh, original, wide-ranging and “the best book on general issues around new forms of money”.
More information is available at dgwbirch.com and you can follow him @dgwbirch on X.
Listen to Episode 75 with David discussing Digital Currencies or connect with David on LinkedIn.
We’ll be continuing this conversation on X using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 100.
Podcast transcript
Oscar Santolalla: This is episode number 100 of Let’s Talk About Digital Identity. And for this special occasion, we have invited back Heather Flanagan, and David Birch.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
We have invited back to the show two of our most popular guests. So, let me introduce these two guests. First is Heather Flanagan. She is Principal at Spherical Cow Consulting and Acting Executive Director for IDPro. Hello, Heather.
Heather Flanagan: Hello, Oscar.
Oscar: Nice having you back.
And our second guest is David Birch. David Birch is an author, advisor and commentator on digital financial services. He is Principal at 15 Mb, his advisory company. Hello, David.
David Birch: Hi. Thanks for having me.
Oscar: It’s a real pleasure having you both for this special episode, in a bit of a different style, so we’re going out of our usual script. But yeah, we want to hear a little bit more about yourselves.
So, I’d like to hear something in particular, because we want to hear about a moment in your lives. So, what I want to hear is: think of one specific moment in your career in which you told yourself, “Yes, this is why I love working in the identity industry.” Which moment would it be? Who wants to start?
David: Well, it’s a bit self-centred, but probably when my publisher agreed to publish my first book. I thought I had some interesting ideas about identity, I mean you always think that your ideas are, but when you get that kind of validation that your ideas actually are interesting to other people, that really did change my career. Yeah, otherwise I probably would have just carried on being a pretty average consultant and carried on in payments and banking. So yeah, I put it all down to my publisher.
Oscar: Which one was this book? Tell us which book was this.
David: Identity is the New Money. It was Diane Coyle, the economist, who encouraged me to publish it. So yeah.
Oscar: Fantastic. Heather?
Heather: I don’t have anything. I’ve actually been thinking about this question for a while, and it’s really hard to point to any one thing, because there were no lightning-from-the-sky moments. It’s just always been such a foundational aspect of everything that I’ve ever done since I started in tech in the mid ‘90s, where the first question was always, when you’re taking over anything from a bulletin board system to an email server, “Who can access this? What permissions do they need to have? How do you set up accounts for them?” That was where everything always started. So, no one moment, it’s all of the moments.
Oscar: Well, that’s great that there are several exciting moments. I’m sure for all of us, it’s been like that. Several moments in which we feel that this is exciting to be in this industry. But thank you for sharing that with us.
Being already towards the end of this year, 2023, there are some keywords which were buzzing in the last few years. But some of these buzzwords today are more of a reality; we have access to those. What do you think, what do you feel about these technologies or techniques? And let’s get started with passwordless. So, if I ask Heather, what excites you today about passwordless?
Heather: I’m really excited about the fact that the technology itself is solid; the standards themselves are really, really well done. But as excited as I am, I am concerned. Like all the new modern technologies, I look at them and go, “Wow, that’s really cool,” and it’s a little anxiety-making, because for passwordless, what I observe is when you actually get out of the tech field and talk to my mother, she doesn’t trust it because it’s too easy.
And so, I do wonder about that: as bad as passwords are, the friction that they add is something that people can wrap their heads around, whereas they don’t understand the magic that’s happening behind the scenes that makes passkeys better. And if they don’t trust it, they won’t use it. And if they don’t use it, we lose out on all the benefits. So, one of the things I’ve been trying to think about for the future is: OK, passkeys are amazing, but how can we make them less magic-scary?
David: I’m a bit frustrated with it really, because I’m extremely lazy. And so, you know, eBay, for example, uses passkeys, and the whole thing works perfectly. So as soon as I go to a site, as in fact I just did 10 minutes ago to look at something, and it’s “log back in”. I’m like, “What, I have an account? I didn’t even know I had the account.” And then I had to remember the password. And of course, I didn’t get it. So, I had to click on “I forgot my password”, and then I got the password reset. And then I put in the new password. And it said, “You can’t have a new password that’s the same as the old password.” And we just go around in this loop. And it drives me crazy. I’m like, “Why can’t you all just implement this?” Despite the fears of your mom, which I can’t discount because they’re real, the sooner we make people stop using passwords, the better.
I was reading a fantastic story in the Insider this morning. Did you see this story about the Zelle fraud on Insider? It’s typical kind of thing, you know, guys getting some work done by a contractor. The hackers get into the contractor’s email account, they send him a thing to send money to a different account, which is the hackers’ account. And they make off with all of the money. And so, they go and talk to the contractor and said to him, “You know, did you know that your email has been compromised, you should change your email password.”
And the guy, it says in the article, “We may as well have been speaking Romanian.” The guy had absolutely no idea what they were talking about. Because he’s a normal person. He doesn’t care about all of this stuff. You don’t say to people, “Oh, here’s a car, would you like a seat belt with it? Or would you like a piece of string that you could attach in, you know, particularly opt in place.” You know, as a society, it comes to a point where you say, “I’m sorry, not wearing seatbelts, there’s just too many people dying. So, cars have to have seatbelts. And you have to put the damn things on. End of story.”
And I sort of feel we’re getting to that point. Fraud and scam, it’s just so completely out of control. And this thing about whether you know, you need to put people in charge of their own data and so on. I just don’t believe that for a moment. I just don’t. Most people don’t have the persistent competence that – including me, by the way, I’m not casting the first stone, I’m one of those people that lacks the persistent competence to make this happen. There are reservations but passkeys are a billion times better than passwords, and we should make people use them. I’m sorry, you got to stop pandering to populism.
Heather: No two ways about it – Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means. And when they click this button, why would they click this as opposed to clicking something else that might be a phishing site that they wouldn’t recognise. So, it’s an ongoing education.
David: Then you sort of think of contactless as the, you know, in the early days of contactless people, “Oh, it’s too scary.” And in some parts of the world, it appears to be witchcraft, that you can pay for things by not touching it with your card and this, people are going to come and steal all the cards. And there are going to be people of Eastern European origin on the subway system, putting their hands inside your clothes to read your cards and all this. Remember all of this stuff that was going on?
And now, you walk into a store, anywhere in the world. I’m not talking America, I’m talking about developed countries, of course. You walk into a store anywhere in the world, and there’s that little contactless symbol and you pay, and you go, and no one thinks anything about it anymore. It’s a bit different in America. In America, you have to look for the till and where’s the sign? And then you have to press some buttons. And then sometimes you have to sign something as well. It’s baffling. I don’t understand any of it.
Heather: Oh, the day you understand what happens in the United States will be a marvellous day. Because nobody understands what happens.
David: No, it’s mysterious. But the point is, generally speaking, you know, we came up with this symbol, and everybody knows, you tap your card there, and it works. And guess what? All of your money isn’t stolen by Eastern European fraudsters. So, they’re not all Eastern European, obviously, other fraudsters are available. Because the corollary is going to be basically, people like us will start using passkeys, and so all the fraud will transfer onto people like your mom. That seems a little unfair to me.
Oscar: Yeah, seeing that you are excited indeed with passwordless. But of course, there are some concerns and some things to improve. Absolutely. Interesting what Heather said that, yeah, some people have been using password for so long, but that anything else feels like how do you say the…
David: An improvement? Real security? System-wide integrity? I don’t know, what’s the word you’re searching for there? I don’t know.
Oscar: How you say the…
Heather: Magic.
Oscar: Magic. Yeah, magic.
David: So, I’m excited as Heather is, I’m probably just a bit more militant on how quickly we should be pushing it out.
Oscar: Yeah, we’ll see what comes in the next year as how it really rolls out. But the next one is about identity wallets. So, what excites you today about identity wallets?
Heather: Oh, I have a list on that one. I’m particularly excited over how – as much as I worry about people not understanding the magic, they do understand the concept of flipping through a wallet to get to the right card, the right credential, the right thing they need and then using it. And giving them that level of control is a vast improvement, I think, over some of the other technology that has been going on today.
I’m watching what’s happening in Europe quite closely because I think that – how the governments are handling digital wallets and digital identity is a very interesting model. I will be curious to see how other countries do it. How they do it well, how they do it poorly. And if there’s some way we can actually – I’d love to standardise ‘what’s a wallet’, you know. That’s one of my little pet peeves, there is no standard for a wallet. There are standards for credentials, but there’s not a standard for ‘what is a wallet’.
David: I mean, it’s interesting to see what the Open Wallet initiative and various other people are doing in this space. I agree with Heather. I think as much as the technology is important, and certainly, in technological terms, the wallet is the sort of crucial pivot between the kind of online and offline world. It’s very central to the next phase of evolution of commerce. A lot of it has to do with – in fact, we won’t even call our wallets now identity wallets, we just call them wallets. But if you actually open up my wallet, I mean, I won’t do it over there. If you open up my wallet, it has no money in it. Everything is in my wallet, it has to do with identity, driver’s licenses and loyalty cards. And my wallet is already an identity wallet, we just don’t call it that.
So, extending that wallet across sort of virtual and real world seems to me, pretty straightforward. But of course, that does rather interestingly open up what I think will be quite a vicious battle about who’s actually going to control those wallets. Because certainly, Heather mentioned kind of the European approach. They’re very, very unhappy with the idea of big tech controlling those wallets. We’re very unhappy with the big tech or big government controlling the wallets. People like me would prefer that it was regulated institutions – banks primarily, that control those wallets. Other people think banks should be absolutely the last people to have any sort of control over those wallets. So really, I’m not smart enough to figure out like the n-dimensional gameplay as to how this is going to work out. But it’s pretty serious. It’s pretty serious.
Heather: Yeah, people understand the concept of a wallet. But what we’re talking about in today’s world is that, you know, “how many wallets are you going to have to carry?” Because there may be one that’s issued by big tech, perhaps via your browser or via your mobile device. But then, you know, as governments are saying, “No, we’re going to issue something that’s completely separate and have its own app,” and what is that going to look like? And then how are people supposed to be able to find the credential they need across 2, 3, 5 different wallets?
David: No, I agree with you completely on that, Heather. But I think there’s another level of complexity there as well, which is – because is the wallet going to be like if you imagine there’s some kind of standard wallet, is that wallet the app? Or is that wallet, essentially the underlying SDK the apps plug into?
So, my British Airways app and my Barclays Bank app, they’re all actually the same wallet underneath. They’re all plugging into the same wallet. But is it going to be like that? Is there going to be like a travel industry wallet? Or is British Airways going to have its own wallet? That’s really hard to know. I would think, and this comes from kind of what I think is a reasonably rational calculus. The credentials that are going to be in those wallets are the embodiment of individual reputations.
My British Airways credential is the embodiment of my relationship with British Airways, that I want to take and show to other people. It’s not obvious to me that British Airways would benefit from owning the wallet, because they’d have to maintain it and upgrade it and whatever. They’re having enough trouble just with their own website to do that. On the other hand, I can see why they’d be nervous about just handing the whole thing over to Apple and Google, because then they’ll end up paying a tax, which I’m pretty sure they don’t want to do. So, I don’t know how that’s going to work out. But I listen to a lot of smart people about this. It’s a very fascinating topic to me.
Heather: I talked to Don Thibeau and Juliana Cafik and a couple others about “what was the Open Wallet Foundation trying to do?” And they’re trying to work towards interoperability in code and maybe a standard will come out of that someday when they see what works and what doesn’t work. But at the moment, they are not standardising wallets. They’re just…
David: No, that’s true. There’s…
Heather: They’re just putting together a platform to try and make it work together.
David: But as you pointed out earlier on, some of the components are standardised. We have VCs, we have MDL. We’ve got MDL 7 and 9 coming in a few months, a year or something. So I mean, there is some pretty useful standardisation going on anyway.
Heather: Yeah, more in the credential format space.
David: Yeah, yeah. Yeah, absolutely. That might give us enough interoperability to get started.
Oscar: We’ll see. Indeed, it sounds like it’s…
David: I’m a naturally simple and optimistic person. Heather’s looking at all the nuances here. And that’s why she’s so, that’s why my superficial, cheery approach to this – it’s not washing with her I can see it from her face.
Oscar: You seem to be both excited about identity wallets, I think.
David: Yeah, I think wallets are really interesting topic for the coming year.
Heather: Huge potential.
Oscar: You, David, mentioned that as far as I understood, you don’t carry cash anymore, that was my understanding how you have your wallet, your real wallet without cash.
David: No, actually, I mean I don’t carry my real wallet, it’s in the drawer over there. So, I had an interesting conversation with somebody last week about premium cards. That’s how interesting my life is, Heather. I just, I benchmark, I had an interesting discussion with someone else last week about premium cards. This is a tragic trajectory of my life.
But I have this fancy new American Express Platinum Card, which is made out of some sort of metal. I don’t know if it’s actually platinum, but it’s sort of metal. And it’s really fancy and heavy and solid and whatever. And I couldn’t even tell you where it is. It’s in the house somewhere. I haven’t the slightest idea.
Oscar: Don’t activate it.
David: No, no, because as soon as I got it, it’s on my phone. I only ever use it on my phone. I don’t know where the actual card is, I have no interest in that. I’m going into London in a minute, I have a ring. So, the ring I use for getting on the subway and bus because I don’t always want to take my phone out. But if I’m paying in a restaurant so I got to use my phone. I think the days of physical wallets, I mean, lots of people keep saying, well, there’s going to be a backlash at some point, and people are going to want to use cash, sort of the way they want to use vinyl records, I suppose. But I think that will just be like a few hipsters. I don’t think it’ll be the rest of us.
Heather: I don’t trust having network access consistently enough to go without some kind of physical something. Do I use my wallet on my watch and my phone more often than not? Well, when I’m in Europe, yes. When I’m in the US, maybe. I don’t count on it. I don’t think I can count on it yet. So, there’s always the physical components that I think I have to have.
David: Yeah, I mean, I would say that’s an interesting argument in favour of using offline verifiable credentials. And it’s also a crucial argument in favour as to why Central Bank Digital Currency should operate offline. So, I mean, I agree with you about that. As to the state of things at the moment, well, if the transit gates fail and can’t go online, they have to fail open, it’s a public safety issue. You can’t fail transit gate shut. So, they have to, they should have – I can always get home, you know, but it’s never happened. But when push comes to shove, I’ll get home, so I’m fine.
Oscar: Yes, and that related to my last question, but just to hear what you liked the most. So, what excites you about this digital money that we were already starting to discuss?
David: I’d say there’s probably three things. I mean, Heather’s going to disagree with me on every single one of them, which is why it makes for an interesting conversation. But I’d say there’s probably three things.
So, the first thing is digital money, well, certainly digital currency is the subject of irrational delusional comment by conspiracy theorists, which makes for entertainment. So, I get emails, “Oh, you know, Central Bank Digital Currency is the mark of the devil. And we know this because Bill Gates implanted microchips in us through the vaccine, and the microchips are going to steal the digital currency from unvaccinated people and send it through the 5G towers to Satan.” Or somebody, I can’t remember exactly, I don’t remember. But you get emails like this, which add to the gaiety of the nation.
So, the first thing is, there are parts of America where non-existent digital currency is already being banned. So, this is all getting a bit, sort of witch trial-y, so that’s quite entertaining.
The second thing is, and I wasn’t joking about that offline point, which is any scale digital currency in any developed country, even where you have networks and infrastructure has to work offline. It’s the crucial design requirement of it. If you’re going to have a cash substitute, it has to work offline. And that, for me, poses very interesting technological problems, all of which I think, have already been solved. But nonetheless, it’s really intellectually interesting, so I sort of like that.
And the third thing is, I think a lot of people look at digital currency as ‘the thing’. Like, you know, we need digital currency. And that’s it. I mean, what we need is a platform for innovation and development. Digital currency in itself is sort of not that interesting. As we’ve just established, I can already buy milk in the supermarket without using physical cash. So that’s not, but this idea of permissionless innovation that you could bring into our space from the cryp– because digital, it doesn’t involve any credit risk, you see. So, you could imagine a situation where as long as you’ve got an approved chip in your iPhone, or something, that’s certified as being capable of storing digital dollars or something like that, then you can use the API to do whatever you like, there’s no credit risk involved. So, allowing people to experiment with interesting new things – micropayments, and escrow and blah, blah, blah, on top of it is really where it’s at. And that’s why, you know, I get it a bit when people say, “Well, what are the sort of key uses?” Well, I don’t know, I’m too old. Give it to some kids in a garage and let them come up with something.
Heather: OK. So, for one thing, I really want to see your emails about this because they sound hilarious. I admit, I’m absolutely a digital currency sceptic. For one thing, as David has said, right, you don’t generally need to carry cash now anyway, so what is it getting you? And everything I understand about it is like, “Well, yes, but then you’ll be able to transfer money quickly without the bank getting in the way.” And I’m like, “Hmm, you say the bank getting in the way and verifying the transaction is a bad thing.” “Oh, but it’s expensive.” And I’m like, “Well, that’s a different problem, not just because the banks are charging a lot.” So that’s like a completely different problem to solve that it’s not a technology problem at all.
So yeah, I’m definitely not convinced. Having the permission to innovate and work with this kind of currency, to me in a way, that’s like saying, “Yup, let’s turn this into a barter system, except you’re bartering these digital currency components.” “OK. Go for it, go to town.” That’s just people agreeing with each other. And it’s a completely different system in the same way that a barter system is completely different from my cash system.
David: That’s a really interesting point. And I don’t mean that in any sort of patronising sense, I really mean that because you’re right, of course. And what that means is, if this stuff worked, then downstream you could imagine an environment where if you and I engage in some sort of transaction, right, I’m going to pay you to write something or you’re going to pay me to come and speak or something like that. My, you know, supercomputer at the end of a wire, it can be through my mobile phone, my giant killer robot artificially intelligent wallet will negotiate with your super intelligent giant killer robot Terminator wallet to exchange baskets of tokens to an agreed –
The idea that you would need money as an intermediary when you have that kind of barter that works. I think that’s really, that’s a very interesting point. So, if our supercomputers could agree on these baskets of assets to exchange, which sounds weird when it’s people talking about it, but it’s a few nanoseconds for supercomputers. Why would you turn those assets into dollars or something in the first place? Why wouldn’t you just swap the assets around?
So, I actually rather agree with that point. But I think that’s much further downstream. I think, in the short term, you see the demand for dollar stablecoins in particular, as an indication to me that a lot of people around the world and in America, for that matter, want to hold digital dollars. They would find digital dollars useful to do things with that you can’t do with regular dollars, and I sort of agree.
So, I can see sort of both things. But to me, the short term and the long term are quite different there. Because I probably do drink my Kool-Aid, and I probably do think that – that’s kind of a stupid expression actually, it’s, don’t drink that Kool-Aid, because everybody that drank the Kool-Aid died, didn’t they? Or am I getting the stories mixed up?
Heather: I wasn’t going to say it.
David: Yeah, no, I think they did. OK, that’s a bad example. But the point is, I think in the long run, you might well be right. I think in the short term, digital currencies, I think would add to the net welfare. I mean, I can imagine, you and I agreeing to something, and the money just goes from my digital wallet to your digital wallet. It never goes anywhere near the banking system. It just goes over Bluetooth or whatever but yes. It is exciting. That’s true.
Oscar: Heather, what’s not so exciting about digital money?
Heather: We’ll see.
Oscar: We’ll see. We’ll see. Anything else that it’s for you is exciting?
David: What’s not working digital money, you know, these answers are intertwined, because the thing that’s broken in digital money at the moment, is identity, not the payment bit. Like the reason why you’ve got Zelle frauds and authorised push payment frauds and these massive crypto scams going on all the time. It’s because nobody knows who anybody is. It’s not because the payments don’t work properly. It’s because identity doesn’t work properly.
If the identity, you know, I’m going to sound like a broken record on this one for the teenagers there. I’m going to sound like a vinyl implement that used to go around where it has a scratch in it. So, this sort of needle would jump up, down and come back to this, I have to talk them through this metaphor. But I’m going to sound like a broken record on this. Because if you fix the identity problem, payments are easy.
If you know the reputation of all of the counterparties in a transaction, then pricing the risk in that transaction is easy. And that’s kind of what we should be aiming for. The next phase of evolution is really about identity. It happens that I think, and I can’t prove this with any kind of actual analysis, this is just my sort of crackpot theory about this. But actually, if central banks do drive forward with digital currency, digital currency doesn’t work unless you have digital identity. You can’t give people wallets unless you know who those people are. You can’t maintain limits on personal holdings unless you know who’s got the wallets. There must be an identity system for the currency system to work. So it could be that Central Bank Digital Currency actually turns out to be a vector for people like Heather to actually get something done about wallets and digital identity. So, there’s an interesting interrelationship there.
Heather: They are certainly tied together. There’s no two questions about that.
Oscar: Anything else that you think that is exciting today in the identity world that we have not covered?
David: Well, there’s two things I’m excited about today. I can tell you what I was doing before I came on this call. So, one is – I’m very excited about, only because I’m not a normal person, I’m very excited about ultra-wideband technology. So, all iPhones for a while, you know, some of the top-end Samsungs, you know, Apple AirTags, things like this, they all have this thing in them called UWB, Ultra-Wideband, which a lot of people kind of overlook a little bit because we focus everything on Bluetooth and Wi-Fi. But when Bluetooth and Wi-Fi came out there were actually three wireless standards. There was Bluetooth, UWB and Wi-Fi. And UWB never really got used because the Wi-Fi chips got cheaper much quicker, and everybody just started building Wi-Fi into things. And meanwhile Bluetooth ranges went up.
But ultra-wideband, which is short range, medium speed, uses this pulsed radio. Because of the way it works, it can not only tell where things are, this is how AirTags work. But it can also tell whether you’re moving towards something or away from it. So, this idea of having a phone that knows you’re walking up to the point-of-sale terminal or knows you’re walking up to a door. And the way that Apple are part of this digital car keys alliance, which I’m very interested in, with Google, and I think BMW and people like that.
So, this idea that you have one technology like this, which locates you, you’re walking towards the POS terminal, and then it flips to Bluetooth to execute an actually secure transaction with real cryptography, and real keys. I’m really interested in that at the moment for a variety of different ways. So that’s the first thing.
And the second thing is, and I think we have touched on this before, we think of identity as being about people. But actually, everything needs identity. And when everything has an identity, working out how to get both privacy and security in that environment is really rather complicated. It’s very intellectually challenging. And that’s what I’m spending the rest of my time on with another startup at the moment. So yeah, there’s no end of things to be excited about in this space, honestly. And frankly, figuring out how people can log into their bank account without password is the least interesting of the things that’s going on at the moment.
Heather: Probably the most interesting thing that I’m trying to stay on top of right now is watching the standards development space, because that is like one of my favourite things to do. Because I might also be a little bit of a strange person. So, standards development space, seeing how ISO, the IETF, the W3C, as well as some of the smaller standards organisations like the OpenID Foundation, the Decentralised Identity Foundation, Trust Over IP, how they’re all circling closer and closer to each other and sometimes hitting each other, bouncing off.
You know, it’s becoming a really dense space to try and follow and understand what’s happening with W3C verifiable credentials. How do those relate to the ISO mdoc standards, and what’s happening with the IETF’s OAuth and CBOR, and you know, all of these different standards groups are all starting to get closer and closer at nibbling down this problem. And they’re never going to succeed because they’re reaching the point where it’s not a technical problem anymore. It’s a societal problem. And the regulators are starting to move ahead of them and saying, “No, this is what, you know, we need to happen. And it’s not about technology, as much as it is sometimes about the society and the cultural requirements.” So, seeing these organisations tighten up, it’s pretty cool.
David: I was just going to ask you, because I’ve sort of lost the thread on this a little bit, because unless you follow it with minute detail every day, you don’t. I wonder if the whole kind of mdoc thing doesn’t have its own momentum. So, in other words, in a lot of circumstances, you can see why people are going to go to mdoc and mDL part 5, even for something that’s not a driving licence, just because. It reminds me a little bit, and here’s another one for the teenagers, it reminds me of X.500. Because having spent part of my young life, she doesn’t even know what X.500 is, how he’s been part of my – X.400 was the ISO messaging standard that existed before the internet and that no longer exists. And X.500 was the directory standard for that. And that no longer exists. And X.509 was the standard for exchanging public keys in that directory. And X.509 version 3 is how everything works on the internet.
So, the whole of X.400 has disappeared, the whole of X.500 disappeared. And I just wonder if MDL isn’t going to be in the same place, like people are going to end up using MDL just because it exists. It may not be the optimum for a lot of the appli– but it doesn’t matter. The format exists. Wallets can understand it. Apple and Google Wallets can understand it. The MDOC stuff will carry on standardising, and I think maybe a lot of stuff will just get sucked into that.
Heather: What’s getting complicated about it – is the mDL standards. They are in their own way the X.509 to the modern world. They’re specifying a credential. This is discrete, concrete, and this is what this is supposed to be used for. It is your driver’s licence. It is your identifier. Verifiable credentials, using W3C capital V, capital C Verifiable Credentials, that’s not what they are really; those are a much more generic thing that’s actually more an authentication thing. So, the fact that they’re hitting each other in the ways that they are is very interesting and a little disturbing. And the fact that the browser vendors are debating within themselves which one they’re going to support, when ultimately they serve different purposes, I worry that we’re going to be driven towards…
David: No, no, I… your analysis is spot on. I agree with you completely Heather. I’m just saying that in practice, what seems to be happening is like people like me would say, “Well, actually…” you know, use the canonical example going into the bar, you know, people like me would say, “Well, you should be presenting an ISO W3C verifiable credential that says that you’re over 18 or over 21. So, I’m going…” But that doesn’t exist. The standard for the credential exists, but the contents, whereas on MDL, OK, that’s not really what it was meant for. But actually, demanding to see your MDL driver’s license, I can do because the standard exists. And I, you know, so I agree with your analysis. I’m just saying I wonder if actually, well, Trust Over IP and all these other things are kind of circling around, bumping into each other. MDOC is just steadily progressing, you know.
Heather: Told you Oscar, I told you, you’re going to have all sorts of fun things to talk about.
David: He’s going to get very bored on our – just our island, Heather. Like after the plane crashes, we’re going to be fine. He’s going to be, I don’t know what he’s going to do all day, making those little token at men or something.
Oscar: Yeah, fantastic. Hearing all this from you. You’re definitely super passionate about – many of these things that you’re talking about, frustrated about some of them, but yes, super excited about most of them. So, thank you very much for joining us in a very special episode for us. So, thank you very much. And please tell us how people can learn more about you, Heather?
Heather: Oh, easiest thing is – go to LinkedIn and find me there. I check it every day. It’s one of my major social media accounts.
David: Yeah, I mean, I spend more time on LinkedIn now since Twitter kind of went all weird. So, I mean, I’m on LinkedIn too. But it also you can just look up www.dgwbirch.com.
Oscar: Excellent. Well, thank you very much. So, let’s see how exciting comes the next coming months, years and yeah, how all the things we were discussing today will roll out. So, again, thanks a lot and all the best.
Heather: Great. Bye.
David: Bye guys. Talk soon.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
The Missing Identity Layer of the Internet with Gautam Hazari, Sekura.id
Let’s talk about digital identity with Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist, and CTO of Sekura.id.
Join this episode of Let’s Talk About Digital Identity, where Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist, and CTO of Sekura.id, joins Oscar to discuss the missing identity layer of the internet. Gautam shares details about what the missing identity layer is and more about mobile networks, as well as discussing Gautam’s TEDx talk.
[Transcript below]
“Internet did not have that identity layer. So what did we do? We created a trust-less model.”
Gautam Hazari is a mobile identity guru, technology enthusiast, AI expert and futurist, and the CTO of Sekura.id, the global leader in mobile identity services. He led the implementation of the mobile identity initiative – Mobile Connect – for around 60 mobile operators across 30 countries. Gautam has also been an advisor to start-ups in digital identity, healthcare, Internet of Things and fraud and security management. He is a thought leader for digital identity, advocating solving the identity crisis in the digital world and speaking on making the digital world a safer place. If you ask Gautam, “What is the best password?” you’ll always get the same answer: “The best password is no password”.
Connect with Gautam on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 99.
Podcast transcript
Oscar Santolalla: On this episode of Let’s Talk About Digital Identity we are joined by Gautam Hazari, from Sekura.ID as we discuss what is the missing Identity layer of the Internet. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar: Hello and thank you for joining us, a new episode of Let’s Talk About Digital Identity. Today’s guest is Gautam Hazari. He is a mobile identity guru, a technology enthusiast, artificial intelligence expert and futurist. And he is the CTO of Sekura.id, the global leader in mobile identity services. Gautam led the implementation of the mobile identity initiative Mobile Connect for around 60 mobile operators across 30 countries. He has also been an advisor to startups in Digital Identity, healthcare, the Internet of Things and fraud and security management. Hello, Gautam.
Gautam Hazari: Hi, Oscar. How are you?
Oscar: Very good, happy to have you here on the show.
Gautam: My pleasure. Thanks.
Oscar: It’s going to be super interesting. Now, we are focusing on mobile – mobile initiatives, like the one you are working with, can help us solve the identity problems we usually discuss on this show.
First of all, I would like to hear a bit more about yourself. So, if you can tell us your journey to this world of digital identity.
Gautam: Sure. Thanks, Oscar. I have been in the identity space for quite some time now. And it started in the telecom world, and that’s why I talk about mobile identity a lot. So I spent many years of my life in telecom; I worked with the Vodafone group for nearly 14, 15 years. What I realised is that there is one thing that the mobile operators have done quite efficiently, which is solving what I call the identity crisis of the internet. I started to talk about it quite passionately in different forums.
And in 2013, the end of 2013, GSMA approached me. GSMA, as you know, is the GSM Association, which is the trade organisation for the mobile operators. So the GSMA board was discussing that there were some assets within the mobile operators which can actually help in solving the identity crisis in the internet. Then they approached me: “Hey, you have been talking about this identity thing for quite some time, do you want to come and join?” And that’s when I joined GSMA to do the initiative for mobile operators to solve the identity crisis of the internet.
Then I led the technology for what was known, and is still known, as the Mobile Connect initiative. I was the Chief Architect for Mobile Connect. And then my team and I created the reference architecture, the specification. And then of course, that’s not enough, so I went around the world and worked with the mobile operators to implement it as well. You know, at that time, there were around 62 mobile operators around the world who implemented it. And they did it very passionately, and this is where I met some of the founders, Mark and Keiron, in GSMA, working with the same team. And then I’m taking that journey forward in a much more accelerated and commercial way in Sekura.id.
Oscar: Yeah, excellent. Well, definitely a lot of your journey is in identity already, and mostly in mobile, as you said. Before we get to what you are doing in Sekura.id, and we definitely want to hear more about that, I know that you have had a special experience, which is that you have even given a TEDx talk. So if you can tell us a bit about that experience.
Gautam: Yeah. Thanks, Oscar. It has been a fascinating experience actually, while preparing for the TEDx talk and also after that. So I was invited to do this TEDx talk to share my vision and dream of a world without passwords. I have been talking about these things passionately, and that’s kind of what my personal journey has been as well.
So, I had a lot of learning. You have to compress all that you want to say into 18 minutes, and that’s very interesting, right? If you have a free-floating format, I mean, I’m really, really passionate about this identity thing, I can keep talking for days. But if you need to give your message within 18 minutes, that’s quite interesting. So I learned how to deliver the message in that concise way.
And after delivering that, and once the TED organisation published the video on their YouTube channel. Interestingly, they didn’t actually remove any part of that; generally they do some editing, but they didn’t do that for me. I’m really thankful to TED for that. So it happened at the end of last year. It’s been just one year, and it has been viewed more than 157,000 times. And I have been receiving some very, very interesting messages from all around the world. From identity enthusiasts to security specialists, and also from the general public as well, saying that awareness is important. And we are having some inertia, right? We have been using passwords since, you know, 1961 actually, even before the internet was invented in 1989. But we don’t actually think that we are actually using it, and the complications that it brings too. I have been fortunate enough to hear lots of personal stories as well. These viewers have been sharing their personal stories related to passwords, and discussing what the solution is that can actually solve this.
Yeah, so it has been a fascinating experience and I’m really, really thankful for all the viewers who have been watching it and also most importantly, interacting with it and sharing their stories.
Oscar: Yeah, excellent. Yeah, I also watched it, and as you said, the way you explained it definitely appeals to the general audience, which is of course what TEDx is mostly about, reaching wider audiences. So it’s definitely a good job you have done there. And I am happy to hear also that there has been a lot of conversation, because that’s also important, that people not only hear the stories or the ideas but also get involved in spreading those problems, sharing their own pains, et cetera.
Gautam: Thanks, Oscar.
Oscar: I also know that you write, of course, you write blogs. In particular, I read the one where you talk about the missing identity layer of the internet. Could you tell us what that is?
Gautam: Yeah, absolutely, Oscar. I mean, it’s extremely important that we acknowledge and realise that. Let me go back to when the internet was invented, right? Let’s face it, the internet was never designed to identify the human users. It was designed to identify the computers, right? That’s why there are IP addresses. Fortunately, or unfortunately, we humans don’t have IP addresses.
So, in the initial days of the internet, if you remember, all we used to do on the internet was browsing, right? We used to browse AOL, we used to browse Yahoo, different stories within Yahoo. So, it did not matter if it was me, Gautam, browsing AOL or Yahoo, or it was Oscar browsing, or there was a fraudster who was browsing, right? Because all we did was browse the internet. Yes, the returning user needed to be identified, not as Oscar or Gautam, but whoever was browsing, right? So that’s why cookies were invented, just to provide a continuity of the experience, right?
But then we started to do interesting things on the internet. We started to do commerce on the internet. We started to look for things on eBay and started to pay for those things. We started to do banking on the internet. We started to interact on social media on the internet. And then it did matter whether it’s me, Gautam, doing that commerce transaction, whether it’s me, Gautam, who is doing that banking transaction, or it’s you, Oscar, or it’s the fraudster. Or, in the current days, if it is that AI chatbot who is doing that transaction, right?
The internet was not designed to do that. The internet did not have that identity layer. So what did we do? We created a trustless model. So, if I want to pay for something that I found on eBay, or if I want to do a banking transaction, my bank will say, “Hey, you cannot do that, because I don’t trust you. First, I’m challenging you to prove that you are Gautam.” That’s what we created, because the internet didn’t have that identity layer.
So how did that challenge happen? Initially, this challenge happened in the form of user ID and password, right? And again, we are all aware of all the complications related to passwords, from convenience to security, right? Then we said, “Hey, passwords are not enough. Let’s add other things.” So, we started to talk about MFA, multi-factor authentication; we added SMS OTP, right? And again, OTP, the last P is about password, right? Just changing the acronym doesn’t change the problem.
But then again, they said, “OK, maybe that’s not enough. Let’s add biometrics on top.” But again, conceptually what we are doing is, we are creating a trustless model where these services are challenging me, the human user, to identify myself, right? And whenever the human user is involved in providing a response to the challenge, for example in the form of I need to type back the password, or I need to provide back the OTP, however I give it, whether by typing back the OTP or some auto-read happens, or even if I do this, let’s say, biometrics in the form of facial recognition and so on, I, as a user, am the weakest link in the chain. I do something wrong, which is perfectly fine, because I, as a user, am not a security architect. As a normal user, I am not aware of all those security complications that can go wrong, right? And that’s where all the problems that you have seen come from, and again, why? Because the internet was not designed to identify this human user. The internet never had the identity layer. It still doesn’t have it.
But we almost ignored the fact that at almost the same time, there was a parallel internet that was getting created. So, as you know, I’m actually using the world wide web as a synonym for the internet, so when I say internet, it’s actually the world wide web, right? So, in 1989, this web, the world wide web, or the internet as we call it, was invented. In 1991, there was a parallel internet that was created. And we never call it the internet; we call it the mobile network, right? The first SIM-based GSM mobile network was used in 1991. And that parallel internet worked completely differently.
So, as we discussed, in the traditional internet, if I want to do any interaction where I, as a human user, need to be identified, I’ll be challenged, right? My bank will challenge me, my social media will challenge me, my e-commerce provider will challenge me, even my grocery store, the online store, will challenge me, right? But this parallel internet, which we call the mobile network, worked completely differently, and still works differently.
If I need to make a phone call, receive a phone call, send an SMS, receive an SMS, it doesn’t challenge me. My mobile network doesn’t say, “Hey, I don’t trust you. First, you prove that you are Gautam, and only then can you make a phone call.” It doesn’t work that way. It just knows that it’s me, that it is Gautam. So how did they do that? They actually created this identity layer. They actually created a mechanism which identifies this human user, from day one, since 1991.
But we know this. How did they do that? They did that using this small gadget that we always carry in our mobile phone: the SIM. We almost forget that the I in SIM stands for identity. It’s Subscriber Identity Module. The SIM was created to solve this identity problem in that parallel internet, which we call the mobile network, right?
So, isn’t that a solution? We were just ignoring it, and also, unfortunately, these mobile operators, knowingly or unknowingly, kept this to themselves, right? What we are doing at Sekura.id, I’ll just mention here, is that we are bringing in that identity layer from this parallel internet, which we call the mobile network, into this traditional internet, so that we actually solve the fundamental problem rather than keep creating technologies on top like passwords, like SMS OTPs, like biometrics. And that is what will solve the problem from its root: bringing in an identity layer from this parallel internet to the traditional internet.
Oscar: Thank you for the explanation of the lacking, missing identity layer of the internet. And then you drew a parallel, I hadn’t thought of it in that way, the parallel of the mobile network, which has always had this identifier of the subscriber. As you say, even the term says subscriber, the SIM card. So, I understand that the Sekura.id solution is primarily based on the SIM card. Tell us a bit more about how it works, and also, if you can, what Sekura.id does besides being based on the SIM card.
Gautam: Sure. So, when GSMA was doing Mobile Connect, the conceptual idea was very similar, right? It’s to utilise the assets from the mobile operators, not just the SIM card. The SIM card is a cryptographic engine. But there’s a lot of data available with the mobile operators which can help to identify the human user without challenging them. And also, protect them without putting a hurdle in front of the user, like what user ID, password, OTPs or biometrics are. They are hurdles, right? They are actually saying, “Hey, you cannot access the service until you pass that hurdle.”
This is where Mobile Connect started, and this is the journey that we are continuing in Sekura.id as well. So, in Sekura.id, what we do is, as I say, the SIM is a cryptographic engine. And now, in the digital world, there is a realisation that all the different, let’s say, identification and authentication methods where the user is actively involved, which means the user is challenged to prove who they are, or authenticate themselves, are a limitation. A limitation in the form of, you know, let’s say the user has received an OTP: these fraudsters will always call this user and say, “Hey, I’m calling from your bank, or I’m calling from the government, you have received an OTP, can you hand it over?” right? If the user is not involved, right, these fraudsters can call the user, but they have nothing to hand over. So in that case, we solve this problem of all the fraudulent activities that are going on.
So now, there is a realisation in the digital world, as I was saying, that we need to avoid involving the user. So we need to do passive authentication. And how do we do that? Cryptographic authentication is one way to do it. So, Apple last year at WWDC announced these passkeys, which are basically based on FIDO, the Fast Identity Online mechanism, which relies on cryptography and a cryptographic key on the device. And then that’s how we identify the user, right?
But exactly the same mechanism is what happens in the SIM. And it has been happening for the last 30 years. There is a cryptographic key which sits in the SIM, which the user is not even aware of. And that’s an important thing. The user is not aware. As soon as the user is aware, or the user is involved in that awareness, OK, all these problems will happen, because these fraudsters will approach the user and try to do some funny things, right?
And that’s another aspect, that we say that here, this cryptography is humanised. If the user is not involved, it just happens behind the scenes. In that case, this technology is humanised. Invisibility is more humanised. Steve Jobs used to say that technology should either be beautiful or it should be invisible. So here, this technology is invisible, so that makes it much more humanised, right?
So, at Sekura, we’re utilising this cryptography in the SIM to seamlessly, invisibly authenticate this user. At the same time, there are a lot of what we call signals associated with the SIM which can help protect the user and, at the same time, identify the user. For example, one of the largest frauds happening in the digital space right now is SIM swap fraud, right?
If we can identify, hey, has there been a recent SIM swap? By recent, I mean in the last few hours, for example, up to one day. If a SIM swap has happened, in that case, that’s a red flag; that might mean that the user who is in the transaction process, who is interacting with the digital service, may not be the genuine user. It could be a fraudster who has got access to the phone number of the user and is using their own SIM. That’s one data signal that’s there with the mobile operator, that doesn’t need to involve the user to ask if something has happened or not.
Similarly, setting up a call redirect, right? The fraudsters can actually set up a call redirect for my number by calling up the operator, going through some mechanism, some process there, where they can say, “Hey, I have lost my phone, or I left my phone at home and I’m expecting an urgent call from my family who are in the hospital. Can you please redirect all the calls to my number to this one?” If I can convince the operator, in that case what will happen is, all calls, SMSs will be redirected or forwarded to me as a fraudster, right? So, if we can actually identify, is there a call forward active for this number? That data itself can protect the user, again, without involving the user. So, we have identified 66 such potential data signals which can invisibly protect the user and their identity. And that’s what we do at Sekura, working primarily with the mobile operators.
Oscar: I like the idea of this invisibility, because from the beginning you said that the human side is going to make security fail, right? But if the human doesn’t have to be involved, yeah, I’m sure there will be less hacking. So that is definitely the concept; it’s very interesting.
Gautam: And just to add there, Oscar, you know, of course, there is this identity protection, there is this authentication without involving the user. That element is there. At the same time, it is allowing these good guys to access the service, right? So, as I was giving that example, it’s me, right? I’m not the fraudster. It’s me who wants to pay a particular merchant online, right? And I’m assuming I’m the good guy, right? And I want to pay. In that case, there shouldn’t be a barrier for me, right? And it’s good for the business, because the business will get me to pay them. That’s what they want, right? So, in that case, it’s important that the good guys should sail through, right? For them, there is no barrier.
If we make it invisible for the user, in that case, these good guys can actually get access, you know, without any trouble. At the same time, because it’s invisible, we can actually protect this user behind the scenes as well. What that means is: it’s not just helping out with the identity verification, security and authentication, it’s also getting better business. Because if we put a barrier in front of the good customers, good users, in that case, dropouts happen.
We have been told by our clients all around the world that on average, globally, 20% of the users drop out due to all these, let’s say, challenges. They say, “Hey, I’m not going to use it.” An SMS OTP is needed to do our transaction or to pay, and the OTP doesn’t get delivered or it is delayed, and the user says, “Hey, I’m not going to pay now,” right? So directly, on average globally, 20% dropouts happen.
Here, if you make it invisible, you don’t have any dropouts, right? Because there are no barriers. There is no door which is closed that needs to be opened. So, in that case, the businesses get 20% more conversion, so that’s more business, more revenue. So that element is also there, if you make it invisible using the mobile operator’s assets like the SIM and all the data. That needs to be considered as well, alongside security.
Oscar: And what if I, as a normal user, want to try Sekura.id, how can I use it already? There might be some services which are already available?
Gautam: Yeah, absolutely, Oscar. So one element here is, you know, as you can understand, this is a B2B service, right? So the businesses are using us. Businesses are protecting that. All our services, you know, go through one single API, right? So, it’s not the user who is accessing our services directly. As I was giving the example, I, as a user, am accessing my banking service, right? And my banking service is using the Sekura.id services through the API, right? So that’s how I, as a user, as a consumer, use it. Not directly through Sekura, but through my services. And then again, I may not even be aware that that service is getting used, right? Because this service, as I said, for the human user, is invisible.
So the majority of our clients right now are mostly from financial services, so the major banks in the UK, they are using one or more of our services; Barclays is using our services, Virgin Money is using our services. In the US as well, Morgan Stanley, they are using our services, Flora Bank, they are using our services.
But again, just to reiterate, it’s not a B2C service, right? So it’s not that I, as a consumer, am using the Sekura.id services. It’s my business who is using the service to help me, as a user, get protected. And at the same time, no barrier has been put in by the businesses to access it. And we are actually expanding globally. As I mentioned to you earlier, I was in India, I came back yesterday, and we are actually launching there. We have had some very, very exciting discussions across the use cases there, not just in the financial sector, beyond as well. And then we will be announcing those pretty soon.
Oscar: OK, as soon as they are launched, it will be interesting to know what these use cases are. So, a very interesting initiative that you have in Sekura.id. So what happens, for instance, if – because this depends on people having good mobile networks and good phones – so what happens if that’s not available in some regions of the world?
Gautam: That’s a very important question you ask, right? And there are two elements you mentioned; one is a good mobile phone. One of the things that we really passionately believe in at Sekura is inclusiveness. And that’s very important for us. We have a mission statement of identity for all and everything. So no one should be excluded from identity protection, right? And this is why we tackle it from multiple angles.
So for example, we have a platform that we have created from the ground up based on all our learning from the GSMA and also my learning from Vodafone. That platform can integrate with any mobile operator in the world, right? Because all mobile operators are different. There are 700 plus mobile operators out there. Right now, we are connected to around 75 mobile operators globally, and we want to connect to all. Why? Because we don’t want any operators to be excluded, because if we exclude them, their consumers or their users will be excluded.
So, one example is in India: one of the smallest phone operators is BSNL, right? It’s a government-owned operator. They are quite small. They don’t have a platform. And they were actually not included in this identity space. So what we have done is we have provided our platform to them, so that that platform can actually connect to that mobile operator and then it can actually expose their services, right? Because we don’t want to exclude their users.
At the same time, it is important, as you rightly asked: what happens if I don’t have a good phone? So, this is where the principle that we use in all our services has got two major aspects. One I already talked about: not involving the user, because if you don’t involve the user, we increase the security, because the user is the weakest link, right? And rightly so. And the second thing is not depending on the mobile device, because that’s extremely critical. Because let’s say the user can afford an iPhone 15, right? Of course, that’s extremely secure. The keychain there, where the keys are stored, is hardware, right? That’s an HSM. So, it will be extremely secure.
But what about the user in, let’s say, Southeast Asia or in Sub-Saharan Africa, where it’s a sub-$10 phone? That may not have that much security. So, it’s unfair on the user: because they cannot pay for that advanced phone, they are getting excluded from security and identity verification. At the same time, it is unfair on the businesses; they cannot rely on the security, because the user cannot afford that high-end phone.
That’s why that’s the principle we use. We don’t rely on the mobile device. What do we rely on? The SIM. The exact same SIM is in the iPhone 15, or any of the high-end devices, or in the low-end, not so expensive phone, and provides the exact same security, right? The cryptographic security that I talked about doesn’t differentiate whether it’s a very high-end, expensive phone or a not so expensive, much simpler phone. So that’s an important element here, right? So, our services don’t rely on the device. It doesn’t matter what device the user is using.
Secondly, all the data elements that I talked about are in the mobile network. This is completely independent of what device it is. So that way as well, all those data elements that I talked about, all those 66 potential data elements, are independent of the device. So, that’s how we deliver the service and make it inclusive end to end, for any user, right?
The other thing you asked about is, what if there is no mobile network? It doesn’t really matter. So, the way to look into this thing is, we are relying on the mobile network. But the user doesn’t have to be using the mobile device, even at that moment of time, for the majority of the services. For the authentication services, the mobile device needs to be on the network. But again, if the mobile device is not on the mobile network, if it is connected to Wi-Fi or any other networks, in that case we have a fallback mechanism, because we cannot really rely on the mobile network when the device is connected to Wi-Fi; still, we have a fallback mechanism.
And in some regions, like in the US, we have worked with one of the large mobile operators there, where we have worked with them to utilise the SIM even if the device is connected to Wi-Fi. Because even if the mobile device is not connected to the mobile network, still there is a SIM there, right? If you can reach out to the SIM, we protect the device anyway.
And the other thing I was talking about, all these 66 potential data signals, they are available at the mobile operator’s secure CRMs, CVM and all the OSS, BSS systems, right? So they don’t need the user to be using the mobile device at that moment of time. For example, if there is a SIM swap that has happened in the last few hours, the mobile operator’s databases are already aware of that, even if there is no network. So, all our services other than the authentication service, which we call SAFr Auth, are data-related or signal-related services, where these businesses, let’s say a bank or an e-commerce provider or even a social media provider, their server makes the API call to our platform to get this data signal. So the mobile device is not involved, and the mobile network is not involved there either. Because again, we want that inclusivity for every user to be involved in there.
Oscar: OK. Well, definitely a very novel way of addressing these problems. So I’d like to ask you one final question, Gautam: for all the business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Gautam: Thanks a lot, Oscar, for asking that. The most important thing to add to their agenda is an acknowledgement that the internet doesn’t have that identity layer. Because that’s a fundamental problem. Because if we start to add technologies on top to fill the gap, that will not solve the problem. And we have seen it over the years, right? We have seen user ID and password; they didn’t solve that. SMS OTP or any form of OTP; they didn’t solve that. Then we added all sorts of other OTPs, right? TOTPs, authenticator apps; we even used those RSA tokens that we used to carry around. Then we evolved into biometrics. And by the way, biometrics, I’m sure your audience is aware of this, after Generative AI, every form of biometrics is challenged.
And then actually, you know, interestingly, LexisNexis, which is one of the largest fraud management providers, based in the US, their CEO of government affairs went to the press. This person gave an interview to Fox News in June, saying that we are relying so much on these biometrics, and after the Generative AI revolution, there is a financial impact in the industry, and that impact is around 1 trillion USD, because every form of biometric is challenged through this Generative AI. Not just through deepfakes, through all sorts of mechanisms. I mean, you can actually search the internet for those kinds of fraudulent activities happening on almost a weekly basis.
So, let’s acknowledge that there is a fundamental issue with the internet, and that’s no one’s fault, because the internet was not designed for that. If you acknowledge that, then we can solve the fundamental problem, right? And that can be done through the already existing identity layer which exists in the mobile operators. Let’s work through that and solve the problem forever.
So, basically, what I am saying is, let’s bring in that identity layer from that parallel internet, which we call the mobile internet, into the traditional internet. And let’s solve that problem at the root. And that’s what we are doing in Sekura.id. And that’s what we would invite all the leaders in the digital space to look into, and solve the problem.
Oscar: Thank you very much, Gautam, for this very insightful conversation. And let us know, if people would like to find out more about you on the net, what are the best ways for that?
Gautam: Thanks a lot, Oscar. Thanks for inviting me. I am on LinkedIn. Please connect with me. It’s Gautam Hazari, G-A-U-T-A-M H-A-Z-A-R-I. If you Google me, you will find me there as well. And also, please visit Sekura.id, S-E-K-U-R-A.ID. You will find insightful solutions there, and also we post lots of insightful stories, articles, blogs, and what the future is looking like. Recently, one of my articles was published in Forbes; I’m calling it the Internet of Thoughts, where the future is coming, and where, if you don’t solve this identity crisis in the internet, it may create more issues. So, please reach out. Please look into Sekura.id and let’s solve this identity crisis together.
Oscar: Yeah, of course. Again, thank you very much Gautam for this conversation, and all the best.
Gautam: Thank you very much Oscar for having me.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Generative AI in Identity Verification with Russ Cohn, IDVerse – Podcast Episode 98
Let’s talk about digital identity with Russ Cohn, Go-To-Market for IDVerse.
In episode 98, Russ Cohn, Go-To-Market for IDVerse, joins Oscar to explore generative AI within identity verification, including what generative AI and deepfakes are, why deepfakes are a threat to consumers and businesses, some of the biggest pain points in the identity industry, and how generative AI can help address them.
[Transcript below]
“It’s very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices.”
Russ Cohn is Go-To-Market for IDVerse, which provides online identity verification technology for businesses in the digital economy. Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA and US markets within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions.
His strong tech knowledge is coupled with deep operational and commercial experience building teams within SaaS, advertising and marketing technology-driven revenue models. Russ was previously a key early member of the Google UK leadership team, which grew the team from 25 to 3,000 people and the revenue from £10m to £1 billion during his tenure. He brings deep experience supporting international technology companies and has a passion for marketing development, startup growth and technology solutions.
IDVerse empowers true identity globally. Our Zero Bias AI™ tested technology pioneered the use of generative AI to train deep neural network systems to protect against discrimination. Our fully-automated solution verifies users in seconds with just their face and smartphone—in over 220 countries and territories with any official ID document.
Connect with Russ on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 98.
Podcast transcript
What is generative AI? This week Russ Cohn, from IDVerse, has joined us to discuss generative AI and deepfakes and the threat these pose to the digital identities of businesses and consumers. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Artificial Intelligence, in particular, Generative Artificial Intelligence is a topic that has been, I believe, on most of our radars in the last 12 months, particularly. And there are amazing things going on. But also, we know that the bad guys are also using those tools. And one of those is related to deepfakes that are being used to cheat the identity verification systems that have existed until now.
So, to see how we are going to solve those problems in identity verification, these newer problems, we have a special guest today who is Russ Cohn. He is the go-to market for IDVerse, a company which provides online identification technology for businesses in the digital economy.
Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA, and US markets, within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions. His strong tech knowledge is coupled with deep operational and commercial experience building things with SaaS, advertising and marketing technology driven revenue models.
Hello, Russ.
Russ Cohn: Hello, Oscar. How are you?
Oscar: Very good. Happy to have you here.
Russ: Thank you. Very glad to be here.
Oscar: Fantastic. It’s great to have you here. And we’ll talk about the deepfakes and how the newest practices in identity verification are solving these problems. So, let’s start, let’s talk about digital identity, Russ.
So first of all, I would like to hear a bit more about yourself, your story. Tell us about yourself and your journey to the world of identity.
Russ: Absolutely. I am fairly new to identity. I’ve only really started in the industry probably just over three years ago. I was the first international employee of OCR Labs, which we recently rebranded to IDVerse, but I joined about three years ago. We’ve since then built the international team to over half the company, and we continue to grow in EMEA and the US.
As a background, I’m a marketer, a commercial leader, investor. I’ve spent probably over 20 years in technology-driven companies of all sizes. And I was lucky enough to join Google very early on, and there were 20 people in the UK, and 600 people around the world. And I grew up with them a little bit, and I left there with 65,000 people. So, I’ve got a fairly good experience at scaling companies and have invested and advised companies since then.
I’m now, as I said at IDVerse. And I’m focused on the go-to market. So, helping them globally, to take our products and execute them in the best possible areas and help our customers with the most cutting-edge technology to drive identity verification, make it effortless. Obviously, through the use of our sophisticated technologies and techniques, including Generative AI.
I’m excited about the opportunity for identity verification, as the need for verified trusted identities has grown exponentially, globally, really, since the pandemic. And with digital growing at such a phenomenal rate as well, we’re now living in a mobile-first world, and we need the right kind of identity verification to support that growth.
Oscar: Indeed. So, let’s go to some basics. For someone who has heard about that term, Generative AI and still is not so clear what it is, particularly. Could you tell us what is that? What is Generative AI?
Russ: Yeah, sure, I think, you know, everybody is talking about ChatGPT and Bard and it’s brought these techniques, the AI techniques, to the public, and we can’t get enough of them. But everyone is using ChatGPT and Bard, etc., to learn more, do their jobs better, find new facts. It’s pretty addictive and very, very useful, but still at the fairly early stage.
So Generative AI, short for Generative Artificial Intelligence refers to a class of artificial intelligence systems and techniques that focus on generating new content or data rather than simply recognising patterns or making decisions based on existing data. Now these systems are designed to create original content that resembles human created data such as images, music, texts, videos, and more.
I use Spotify extensively. I’m sure most people do. And I’ve got an AI system on there now a couple months ago that’s going through my music catalogue in my background and choosing the right music based on my tastes. Generative AI models are generally trained on large datasets, and they learn to understand the underlying patterns and structures within the data.
So once trained, they can produce new examples that are similar to the data they were exposed to during their training. These models are capable of generating content that didn’t exist in the original dataset, making them a very powerful tool for creative tasks in content creation. Now at IDVerse, we’ve been doing Generative AI for a long time, probably since the start, seven or eight years ago.
And we use a technique, a very familiar technique called Generative Adversarial Networks, or GANs, which I’m sure a lot of your audience will be familiar with. Now GANs, just to go back to basics, consist of two neural networks, a generator and a discriminator. These are trained together in a competitive manner. The generator creates the synthetic data, and the discriminator’s task is to differentiate between the real and the generated data.
So, the competition between the two networks leads to the generation of increasingly realistic content, which we see everywhere in videos, photos, documents, et cetera. Now, we’ve trained millions of synthetic and real documents and millions and millions of synthetic faces using these techniques. For us, just to be clear, we only use ethically sourced or fair source data for face biometrics, particularly in the training. This refers to the facial recognition datasets collected and used in a manner that upholds strict ethical standards and respects individuals’ privacy, consent and fairness.
Such data is obtained transparently with informed consent, minimal intrusion and efforts to mitigate bias. So, these measures ensure the responsible and equitable use of biometric technology. In the context of facial identity verification, training data refers to the specialised datasets of facial images used to train the machine learning algorithms, or deep neural networks, that are responsible for recognising and verifying individuals’ identities based on their facial features.
So that’s quite a mouthful. Hopefully, that gives you some context. But this is how we look at Generative AI in identity verification.
Oscar: Yeah, thank you for that introduction. Of course, in one of the products of this type of Generative AI, in related tools are deepfakes that we are seeing more often, sometimes we saw that only for, like, say celebrities or famous people. But now, they can be used to attack me or to attack you, actually anybody right?
So, tell us how the use of deepfakes is a threat, a real threat for both consumers and businesses?
Russ: Yeah, absolutely. I think they are a massive threat as the rise of Gen AI, and you touched on it, fraudsters use the same if not better techniques than we do, or many companies do. And they are very, very good at surging ahead of these technologies and finding ways to create very realistic synthetic identities to both impersonate real people, as well as to create brand new identities of people who actually don’t even exist in real life.
And so, while that’s exciting as we talk about Web3 and avatars and these opportunities and possibilities, I think both consumers and businesses will continue to fall victim to many of the risks out there, unless measures are taken to prevent this.
Now, I just want to highlight a couple of examples of these like disinformation and fake news, right? So, creating videos of public figures, you can grab off Facebook or YouTube, and replicate those and make them do things that they never did. That can be exploited to spread false information.
This can incite conflicts and it can really manipulate public opinion. For us, we see and obviously, we’re very close to and care a lot about frauds and scams, so businesses and consumers of course, can – in the UK particularly we have a huge fraud problem. And we see a lot of deepfake-based scams that can impersonate company executives, trusted individuals, they can deceive employees or the customers and make them reveal sensitive information or make financial transactions.
We’ve seen some of that just recently with MGM in the US in this recent breach. We don’t know it exactly, but we do know, I think, somebody, an employee, was actually targeted. This can cause, you know, I think, reputation damage of people, you know, politicians, businesses and people; fake videos and audio can be created to endorse a product or not support it, and that can create problems. And of course, the thing we care about a lot: identity theft, right?
And deepfakes can be used to impersonate individuals leading to identity theft. This may result in unauthorised access to personal data or systems. And of course, manipulation in financial markets, personal bank accounts, breaches of banks. So, this can cause big issues like privacy concerns, security threats and erosion of trust, through the wide use of this, and internal security problems for businesses, and privacy for people when they violated, and their identities are stolen.
So, it’s very, very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices.
Oscar: Yeah, indeed, you already explained some cases in which these criminals are already targeting the identification systems that have existed in recent years. If we focus on these services that exist today and have been protecting us or helping us in identifying people in recent years, what are the biggest pain points or the weaknesses that are being attacked by these criminals?
Russ: Yeah, look, I mean, there’s a lot of weakness in existing systems, which can come across in the fact that vendors don’t disclose, for example, that they don’t use their own technology, and they can’t always deliver on their promises. So, I think a lack of global document coverage, old style techniques like templating exclusion, like racial bias, gender and age in these poorly designed systems can cause huge problems. And systems that don’t have the ability to understand where these attacks are coming from with these synthetic IDs.
We create all of our own tech in-house. So, we don’t use external vendors to drive our fully automated solutions. So, we feel pretty confident. But there are, as you mentioned, these legacy systems that we’ve relied on, that aren’t necessarily up to speed. What we’ve seen, from a pain point of view, is badly trained human spotters in remote locations, for example. So, some people in the industry and vendors use those, this can cause slow response times, and they can’t keep up with the standards and the technology that’s being used to identify fraudulent documents.
And also, the biometrics of people that are not real. So, it’s very difficult for them to keep up. And then, we’ve seen an issue around a lot of bias or differentials in the natural bias that’s in previous ID systems designed by, traditionally older white male engineers. And that’s a problem because these biases are built into these systems. And the humans who are evaluating physical documents, depending on where and how and what can inflict their own biases on age, gender, and race as well.
Now, this can slow down experiences for customers, as they take a lot longer. And of course, they aren’t as accurate, you know, humans can’t scale. And so, technology can do a lot of that heavy lifting, and can solve a lot of that. And you can still have humans for critical tasks, but it’s important that you use technology to identify these gaps.
In fact, we ran a study a few months ago with an external testing company called BixeLabs of 1500 subjects, male, female and transgender, across eight regions in the world for our facial biometrics. And we came back with zero bias on either race or gender on the facial biometrics. So, it’s pretty important that businesses start to use, and people start to get comfortable with one of the strongest, probably the strongest biometric there is for lots of actions that we do take in our everyday lives, whether it’s on a personal or work basis.
And I think that the other things that are challenging for us in the identity space is we see a lot of unethically sourced based biometrics, right? And that can refer to the acquisition usage or distribution of these, that can violate privacy, I mentioned earlier consent or ethics.
And these practices really can result in privacy infringements, discrimination, social harm and legal issues. And some examples of that are data scraping and profiling, lack of informed consent, data breaches, of course, we’ve seen that recently and frequently, deepfakes as we talked about and manipulation of people, government surveillance, employment discrimination. These are big issues.
And I think the lack of unified government standards around these things is also difficult. And it’s important that people use the latest technologies like computer vision and Generative AI to start, to be able to scale and address some of these issues and keep users and businesses safe going forward. But those are definitely some of the issues that we’ve seen accumulate over the last few years.
Oscar: Yeah, yeah, I can see there are quite a few. And how these more recent generation of identity verification system that are working together with Generative AI. So, if you can tell us a bit of the how, how they are different to the previous products, and how they are tackling these problems?
Russ: Yeah, as I expressed in some of the technologies that we use, I mean, training data for Gen AI, for example, if you think of it, if I can frame it in like nutritional labels like food, right? So, you’re feeding a machine, essentially. And so that training data should come with some sort of nutritional label, and to know what the macro nutrients will affect performance. So, you know, it’s important that when using Gen AI, you understand that the nutritional makeup of their training data, supply chain transparency, where do you get their data from, for example.
But it’s important, these techniques are able to detect the proliferation of these fake documents. I think digital identity is becoming more and more, of course, prolific and governments are starting to bring onboard connectivity into these digital identity databases that are able to verify customers in a much more robust way than potentially documents were.
So, I think we’ll see that constant trend of digitisation of technology, mobile-first, wallets, and of course, documentation that will become digital will make life a little bit easier. But, in order to protect themselves, consumers and businesses really need to think about what they can do to stop and be vigilant, right?
So, I think consumers need to educate themselves. They need to use things like password protection and protect their devices and be aware of things like phishing tactics in social media and email. So, we can do as much as we can for businesses, but I think businesses need to invest in these systems because they are stronger, the security measures are stronger, and will help protect them and their customers ultimately.
I think the differences that we see, we believe facial biometrics is a very, very strong and has been proven externally through, you know, NIST iBeta certification, for example, we have a 99.998 certification of liveness biometrics, I mentioned the inclusion and lack of racial bias. If you want to capture and work with people of all races, all genders, all colours across the world, it’s important to use systems that are inclusive, otherwise, you’ll end up discriminating and losing customers.
So, it is important to make these investments into these systems to help protect your business and help protect the consumers behind that. But ultimately, consumers have to also be educated themselves. They have to think about what they’re doing and be aware of things that are out of the ordinary or suspicious, unsolicited requests, for example. And then lastly, I think, you know, government needs to engage in some sort of public dialogue as well to help consumers about understanding what they’re doing in these initiatives.
And government needs to work with business as well to inform the public about things like biometric technology, ethical implications, and why they should be using these. But ultimately, there should be some ethical guidelines and review boards to be able to support the usage of this new technology that’s coming at us at such a pace. It’s really strong, really powerful and really useful.
But there have to be some guardrails around that, and I think it’s going to take a collective effort from consumers, businesses and government to get us there.
Oscar: You mentioned, for instance, liveness detection, which is one of the ways that these identity verification tools are checking that the person is a real person moving in front of the camera. In terms of the end user, so when the end user is in front of one of these identity verification systems that are based on Generative AI, let’s say, is the user experience similar, how transparent is it, or is it different?
Russ: Yeah, I think, look, with facial recognition, for example, and the techniques we use in identifying people when they’re going through the process of verifying themselves or for account access or re-authentication, no personal data is stored. So, the use of those biometrics is the ability to give people a robust way to prove themselves and their proof of life, if you will, when doing a particular action.
And I think what’s been missing in the past is people have accepted a document which could or could not belong to that person to be the valid form of identity. The reason why identity documents around the world had been the standard is there was always a picture of your face on that document.
So, you had a passport or driver’s license, you could see it was you in a sense. So, with liveness, people are protected the same way as using phones to open up access to your phone and to those systems. But these systems are tested and there is no personal data. People should feel very comfortable that the data that they’re using to generate that action is protected and their own in terms of doing that.
We’re just using technology to be able to verify that that person is live and present, and is not a deepfake and not a synthetic ID. Because what we see a lot is these presentation attacks when people are using video footage that is grabbed from external sources, for example, to try and fake systems or try and trick systems that they are actually live and present.
But we are able to detect these digital footprints and be able to detect using multiple sources of multiple techniques on the mobile phone that we build software for that that person is live and present and is presenting the document that they say they are in order to verify themselves.
Oscar: Thank you for explaining better how it works for users. So, it’s simple for users. It’s not more complicated.
Russ: Simple and seamless and quick as well. It’s not more complicated. It’s less complicated, in fact, right? So, when you’re presented with it – there has to be a trust of course in the environment that you’re doing this in, and then providing your face to do that.
But ultimately, it’s safer and quicker, and ultimately more secure than any sort of biometric that they might have used previously.
Oscar: Yeah, it’s true. You mentioned also faster sometimes I think, being in front of these systems and yeah you are, waiting a little bit in front of the camera, right until it processes.
Russ: Yeah, look, it depends on the speed and the connectivity in the region you’re in, and it might be the phone and your mobile network, for example. But we account for all of that in the software that we design in helping people to process that. So, we shoot like a live stream video, and we take the best shots out of about 100, 120 frames that we shoot out of that video. It’s a very quick two or three second capture, and we’re able to compare the best quality face to the document that’s presented in this process.
Now, we can account for age, facial degradation, loss of hair, glasses, et cetera because we are looking at the underlying structure of someone’s face when doing that. So, we’re 3D mapping essentially that person’s face, and are able to then tell against the original document that’s presented if that person is the same person.
And that you can’t do, it’s very hard to do with humans, for example. And that’s why technology can do a lot of this lifting very, very quickly. We can do it in seconds and verify the person against very old, aged documents or changes to their facial structures. And so, we’re very excited about how these techniques can verify people to the grade that I mentioned before.
Oscar: Yeah, indeed, it sounds like there’s a lot of innovation hearing what you’re talking, you are describing. So, what we say looking at the future, so what is the future of Generative AI in identity verification?
Russ: We were excited about Gen AI’s ability to create these huge datasets of synthetic personas, because it’s going to help prevent fraudsters trying to use these synthetically created people and documents that they create to trick and penetrate low-grade systems.
And the more people we can support, the more businesses we can get our technology into, the more we can stop the synthetic IDs and penetration attacks that are happening. And we’ve seen the velocity of these increase as we see better and better tools and faster processing time to be able to do this.
So, the ability to cover the identities of the world’s population through technology and creating inclusivity for all ethnicities, all genders, means that people can be granted access regardless of where they live, what device they’re using, what colour they are, what gender they are.
So, we’re very excited about how Gen AI can train and help people. And again, this is all ethically sourced data, right? So, we didn’t go and grab it elsewhere. It’s very hard to get in front of tens of millions of faces of variations of age and, again, colour, ethnicity, gender, et cetera.
So, Gen AI really helps us to do that, I think detection tools. So, developing and using advanced technology like Gen AI to detect this deepfake content can be crucial to mitigate the potential harmful effects that might come from that. Authentication mechanisms. So, implementing strong authentication, like facial can help, again, verify the identity of individuals and reduce that risk of impersonation.
So, trust has to be ensured that it’s in place there. And of course, eliminating frauds and scams, so businesses and consumers fall victim to deepfake-based scams and others every day. For instance, a scammer can impersonate a company executive, as I said, and deceive employees into revealing sensitive information or maybe making financial transactions.
So, we want to stop fraud at the door. We want to stop fraud internally, externally. And we want to help protect businesses and their customers, whether they’re businesses or consumers, from the rising threat of what’s coming on synthetic identities and the scale of using Generative AI at the fraudster level.
Oscar: Sounds good. Final question, for all business leaders that are listening to us right now, what is the one actionable idea that they should write on their agendas today?
Russ: Yeah, look, there are a lot to choose from. I think the one action from my opinion, maybe is – you’ve got to think like we’re living in a mobile-first world, right? And Gen AI solutions, as we’ve talked about are surging.
So, the action I would take is take the time to speak to your fellow executives and to the teams and to the people inside your business and understand how identity is currently viewed in your approach to your people, your processes, your security, your products and your customers. Where I sit and where we sit, is we are seeing the velocity increase of identity usage across the world.
Governments are enforcing and implementing more and more identity standards in order to control obviously, governmental services. And so, it’s important that people think about identity for their own businesses. It’s going to become critical to protect them and their customers. They need to think about everything from employee onboarding, how well you know your employee and your customers.
And of course, ultimately, what we’re all achieving, or trying to achieve in digital is improving user experiences, anything from onboarding to account management, to customer services interaction. So, it’s everything that your customer, your employee might touch within your business, potentially has something to do with identity. And the better you know the people in your business and your customers, I think, the better positioned you’re going to be to be able to not only stop these threats but take advantage of beating your competition by staying ahead and knowing your customer much better.
Oscar: All right, thank you very much, Russ, for all this very interesting conversation about how Generative AI is going to help us for the identity verification now and in the future.
So, for the ones listening to us who would like to know more about you or get in touch with you, what are the best ways for that?
Russ: Yes, thank you again, for the time letting me talk about something we, you know, and I’m very passionate about and obviously we’re very passionate about fraud and particularly technology.
If they want to get a hold of me, I’m on LinkedIn, you know, Russ Cohn, C-O-H-N. IDVerse.com has a repository of amazing content and information and thought leadership around a lot of these areas, so please take your time to look across the site. And if you want to get in touch with us, there’s lots of ways to do that on the site.
So, look forward to seeing and speaking with anybody who’s interested in learning more about IDVerse and about – chatting about fraud and identity.
Oscar: Perfect. Again, thank you very much, Russ. And all the best.
Russ: Thank you, Oscar. Appreciate the time.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
The Role of Verifiable Credentials in Digital Identity with Riley Hughes, Trinsic – Podcast Episode 97
Let’s talk about digital identity with Riley Hughes, Cofounder and CEO at Trinsic.
This week Oscar is joined by Riley Hughes, Cofounder and CEO at Trinsic and host of the Future of Identity podcast. They delve into Verifiable Credentials, including what verifiable credentials are, some examples and success stories of how these are being used and implemented, the connections between verifiable credentials and wallets, and whether verifiable credentials will become interoperable.
[Transcript below]
“It seems like the future of identity will be much better than it is today.”
Riley Hughes is CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralized identity community, Riley has pioneered efforts on making emerging, privacy-preserving technologies such as identity wallets and verifiable credentials adoptable to the masses. He began his career in the decentralized identity space as the second employee hired at the Sovrin Foundation where he established and led several teams.
Connect with Riley on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 97.
Podcast transcript
Oscar Santolalla: This week we are discussing verifiable credentials. I am joined by Riley Hughes, the host of The Future of Identity Podcast, to explore some of the most recent success stories of verifiable credentials and how we can work to improve adoption moving forward. Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Hello, and thank you for joining a new episode of Let’s Talk About Digital Identity. One term that has been on our radar for the last – I would say four or five years has been verifiable credentials. Which I will say personally, I’m feeling is becoming, in the last one or two years, pretty crystallised. And we have not talked too much about this lately, so I have a very special guest who has a lot of insight into what’s going on worldwide about verifiable credentials.
Our guest today is Riley Hughes. He is the CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralised identity community, Riley has pioneered efforts on making emerging privacy preserving technologies – such as identity wallets and verifiable credentials – adoptable to the masses. He began his career in the decentralised identity space as the second employee hired at the Sovrin Foundation, where he established and led several teams. Hello, Riley.
Riley Hughes: Hi, Oscar. Great to be here.
Oscar: It’s great to have this conversation with you. So very welcome. And let’s talk about digital identity. And as usual, I want to hear more about our guests. So, if you can tell us about yourself, and especially your journey to this world of identity.
Riley: Happy to do so. I am very fortunate to have totally fallen into this amazing industry. And it happened because while I was at college, I was seeing all those smart people around me going and getting jobs at elite places, you know, investment banks and management consulting firms, and so forth. And I thought that I wanted to kind of differentiate my resume enough that I could, maybe I could get an interview as well at one of these places. So, I thought, “What is the most, kind of, off the wall internship that I could get that would differentiate me from all of my peers?”
And I ended up getting a job at the Sovrin Foundation, as you mentioned. Sovrin at that time was very early. I was, as mentioned, the second employee hired, and it was kind of a blockchain meets identity meets nonprofit, you know, meets early employee kind of a role. And so, it, sort of, fit my criteria for differentiating my resume. But it was also just really, really exciting to be part of an early organisation. It grew up to about 25 employees in short order. And I was able to participate in some of that growth. And that was a lot of fun.
And what I realised is that there are a lot of problems to solve in this world of digital identity. I remember just thinking, “Man, it seems crazy that we are sending people to outer space, and we’re editing genes, and we’re doing all kinds of unbelievable things with science and technology. And yet, the best way to prove who I am on the internet is to take a photograph of my government-issued document and a selfie, or something. It just seems kind of backwards.” It seems like the future of identity will be much better than it is today.
And so, although I didn’t necessarily know whether Sovrin would be the ultimate manifestation of that better digital identity future, I did know that something would happen here that would lead to that better future. And so, I thought I would stick around in this space. I decided not to go for those other kind of recruiting opportunities that I alluded to. And instead, I started Trinsic with a couple of -. And that’s kind of how we got to where we are today. That was a little over four years ago.
Oscar: Yeah, super interesting that one of the first jobs – when you start to differentiate yourself – it was Sovrin. How did they find you? How did you find them?
Riley: The Chair of the Board of Sovrin was Phil Windley. And he was a professor at the university that I was attending. So, they had a job posting out for university students. And they didn’t have any money yet so they couldn’t pay very much and so they needed a university student and that’s sort of where I came in.
Oscar: Right place, right time. Fantastic, those coincidences that sometimes happen.
So, you’ve been around, as you said, four years/five years in this space already. So, what would you say has been something that has surprised you the most, something special you would like to tell us?
Riley: Yeah, that’s a great question. I think that when I started in this space, and the way we were talking about verifiable credentials, was as if it was a digital representation of a physical document. Right? And we can get into more about what verifiable credentials are and what they aspire to be. But the thing that was most kind of interesting and surprising recently, is – at Trinsic we are an infrastructure provider for verifiable credentials. And so, when companies want to incorporate a verifiable credential-based solution into their offerings, we’re an infrastructure to enable them to do that.
And as we did a kind of – an inventory or a survey of the landscape, of all of our customers and the ones that were most successful, what we realised was that people were not using verifiable credentials as a replacement for a physical document, generally. Instead, what they were using it for, is – in the same way that a FinTech developer might use an open banking API, right?
Basically, open banking allows you to unlock your data from its original silo, which is your bank account, and reuse that financial data and make it interoperable across other third-party applications. And, you know, what our customers were using verifiable credentials to do is something similar, but for personal data. Unlocking that personal data from its original silos and making it useful and interoperable and reusable across multiple applications.
And so, it actually changed, Oscar, the kind of form factor of the product we needed to build, right? And we realised that the correct – you know, we needed to change some things about how we were approaching our product.
So that’s been what we’ve been in the thick of doing for the last few months. And it’s been a fun journey. Startups are always a little bit of a roller coaster. And this is a fun part of that roller coaster.
Oscar: OK, super interesting, Riley. So, let’s jump into the main topic. So, tell us please, what are verifiable credentials?
Riley: Yeah, I alluded to verifiable credentials often being talked about as a digital representation of a physical document. And generally, when you hear the term verifiable and credential – a credential is sort of an attestation, or a claim made about one party by another party. So, in healthcare, right, your credentials are something that you’ve obtained, from a trusted source, that you can use to prove to somebody else certain things about you, and what your qualifications are, et cetera. And verifiable credentials are a way to do that verifiably, cryptographically in a digital form.
Now, if we’re talking about – I think there’s two ways that people use the term ‘verifiable credentials’ today. One is with an uppercase, V and C, an uppercase Verifiable Credentials, that is the formal official W3C Verifiable Credential Data Model Standard. And that is a specific kind of verifiable credential that is sort of an interoperable, and probably the most well-adopted, and well talked about kind of verifiable credential.
And then you have the lowercase, vc, verifiable credential. And there are lots of different kinds of lowercase verifiable credentials. Lots of things that can fit this model of an attestation that is given to you by some trusted party, and used to get access to the things you need throughout your life. So, I guess it depends on which of those you’re talking about. But I hope that that’s a helpful kind of intro.
Oscar: All right, thank you for that. And the same term can mean different things from different perspectives. Let’s make it even more concrete.
So, let’s hear from you some concrete examples. If you can tell us something that is already widely used, some that most of us might already know about. So, tell us a bit of some examples of verifiable credentials.
Riley: Yeah, I mean, again, if we’re to zoom out a little bit and talk about verifiable credentials in the broadest sense. Even something like a credit card could be considered a verifiable credential. It is something that was given to you by a trusted source, likely a bank, and you can use it with third party merchants in a way that they can authenticate that card and charge your account based on your actions with that card. And so it is, you know, in the broadest sense, even something like a credit card or a government-issued ID could be considered a form of a verifiable credential.
But if we’re talking about specifically, the new W3C Verifiable Credential Standard, I think, one example that is helpful to conceptualise what this looks like, is the vaccine, or the sort of travel pass type products – that many of us used throughout the pandemic. I think this is where – this is the first use case that we found that Trinsic received broad adoption. And, you know, these are products that allowed you to prove that you were vaccinated against COVID, or that you had obtained a recent COVID test, and that you are therefore eligible to travel. And you know that is a form of verifiable credential, Apple and Google even were accepting those credentials into their native operating system wallets as verifiable credentials as well. And so that is maybe an example that a lot of people have used in the recent years.
Oscar: And those were already based on the W3C standards.
Riley: Yeah, technically, I think the smart health cards was what they were based on, and smart health cards were based on the W3C standard, so yeah.
Oscar: OK. Yes, definitely that has been a case that millions of people have used. Those helped us during the pandemic without knowing the term of ‘verifiable credential’. So that definitely has been widely used in different regions, different implementations. But yeah, that’s correct.
OK, if you tell us also some other examples, how has been, yeah, across different sectors, let’s say verifiable credentials are being implemented and as well, interesting stories.
Riley: Yeah. So, I think when you look at Trinsic, we are, again, an infrastructure provider. And so, we see companies all across the spectrum using Trinsic to accomplish their verifiable credential use cases. Everybody from a car manufacturer to a B2B supplier, an invoice management solution to a consumer product application for events and concerts, to education and healthcare use cases, I think.
A use case that I really like, is the medical staff passport. It is something that’s easy to conceptualise, really, it’s an identity wallet that a provider, a physician or a nurse could use to prove that they have the correct credentials and qualifications to do that job.
And so, if you’re a physician that needs to go to a new hospital, to substitute for some staffing shortage or something. The way this works today is there’s a big, long credentialing process where the new hospital needs to spend a lot of time checking lots of different things to make sure that you are eligible to do your job. And still, there’s fraud that gets through. With a digital staff passport, a doctor could simply prove who they are much faster, prove their credentials much faster, and get to work serving patients much sooner. So that’s a use case that I think is pretty helpful and has been succeeding, I think there’s four or five projects that I’m aware of around the world that are doing that, including some that are being built on Trinsic.
But I think regardless of where you look across all of those different industries that I mentioned, you see a couple of common patterns. And one of those common patterns is – you often need to anchor that credential in something, some foundational verifiable credential. So, what we’re seeing is, you know, if you’re a doctor, and you want to get your credentials in a digital verifiable credential form. The first thing that you’ll do is not actually go get your doctor credentials. But instead, the first thing that you do is verify your identity, scan a government document and authenticate yourself against some authoritative, again, government type document. And then when you obtain your doctor credentials, you can then make sure that those match. And then when you prove who you are in subsequent interactions, it’s much higher trust. Because you can cross reference the two credentials, and that brings a high degree of trust.
And so, what we see across a lot of these use cases are people doing, sort of, an identity verification step. In addition, and that becomes the foundational verifiable credential, or reusable identity (as we call it) that anchors some of these verifiable credentials. And that step is something that we at Trinsic help facilitate as well.
Oscar: OK, so the very first identity verification. So, when you mentioned that for this healthcare professionals’ credential, you mentioned, there are a few worldwide. So, will these initiatives, I don’t know how much if they are in production, or still in development? I don’t know, but if you know enough about the difference of these projects, do you think they will become interoperable or are they following different paths? What’s your view?
Riley: Yeah, I think that, yeah, I think that they will become interoperable. It’s hard for me to say a blanket statement that every single one will definitely be. But yeah, but I think that many of these projects are based on the W3C Verifiable Credential Data Model. And if they’re not based on that data model, they’re based on something else that is very similar. And I think the important thing to remember as it relates to interoperability is there’s a little bit of a conflict, actually, between two very important things.
When you’re launching a product, you want the ability to move fast, to iterate on the form factor, and change things to the extent that they’re not working, and bring the best technologies to bear, to build the best product that you can for the customer. And at the same time, you also want interoperability and compatibility across applications. And these things come into conflict because in order to be interoperable or compatible with other applications, you sort of need to slow down and agree upon a set of standards. But to be sort of innovative and moving fast, you kind of need to speed up and be willing to throw away your old solution and replace it with something better. And so, what you get is this tension between innovation and interoperability.
So many of the solutions that you see out in the market today are not interoperable simply because they’re focusing more on the innovation side of the equation. And yes, there are proof points of kind of interoperability testing and interoperability suites that people can come into compliance to. But oftentimes, that’s kind of a stepping stone and will come into compliance with that. And then you’ll see another divergence of different attempts, and then they’ll sort of converge back to another point of interoperability at some point in the future. And so, it’s never quite as cut and dry as just interoperable or not.
And so, the important thing, before you build a bridge between your island and someone else’s island, you need to make sure there’s stuff on the islands for people to do, right? You need to make sure that people actually get to drive their car across the bridge. And so, in my opinion, the most important thing to do first, is get a product out there and get people using it and get happy customers where you’re solving their problem. And once you’ve done that, you can incorporate interoperability to make your product even better for those customers and solve even more problems. But I think trying to solve interoperability before you have a product in market is a little bit of putting the cart before the horse in some ways.
Oscar: Yeah, definitely. Definitely a good observation. And I agree that, yeah, you need adoption, you need adoption, you need to solve problems. To see that yeah, this new technology, this new product is really solving, solving problems for a big enough mass of users. And from that perspective also, my impression is that most of the companies who are building these products are not the big ones, right? Not the big companies, that’s my impression. So, it’s like, startup entrepreneurs, mostly. So how is the – are they doing profit in this space of verifiable credentials? What is, what you have seen?
Riley: Yeah, I don’t think I can say that there’s a, you know, hundreds of really successful, kind of, high profit generating companies out there. But there’s definitely companies earning revenue. To the extent that their revenues exceed their costs, I don’t know. But from a revenue standpoint, I think, you know, the key to making money with verifiable credentials is not the verifiable credentials. The key to making money with verifiable credentials is to – solving a problem with a customer. And to the extent that verifiable credentials can help you do that better and more effectively, that’s the extent that you will profit with verifiable credentials, right? So, you know, what we’ve seen is really not a whole cloth reinventing of the fundamental economics of the internet, or anything like that.
I’ve seen a few ways that people are making money. The first way is they build a consumer product that makes a person’s life better, and they charge the consumer for that product. Right? Password managers cost a few bucks a month. CLEAR is an identity product that you might see in airports, especially in the United States, you know, where you can skip the line at the security by enrolling in this identity company called CLEAR. These are examples of consumer products that consumers pay for because it makes their lives a little bit easier.
And I’ve seen verifiable credential type products that do the same thing. I’ve also seen products that solve a problem for our business, and they take, maybe it’s a subscription revenue, maybe it’s a usage-based fee for that. And they follow the software as a service playbook that is sort of tried and true. And, you know, this is – I mentioned the doctor, kind of the staff passport solutions a minute ago.
And I’ve seen some of these types of solutions that have done really well by leaning into a vertical, a vertical software approach. And using the kind of verification of individuals and employees of a given hospital or something like that, as a benefit, a value-add to their existing software as a service product. And so that just sort of strengthens their revenue proposition there.
And then the third way that I’ve seen are companies that are already doing some kind of an attestation, but in a non-verifiable credential way. So, for example, this might be an identity verification company, a background check company, a student ID verification company, and the list goes on.
And I’ve seen, you know, these kinds of companies incorporate reusable identity or incorporate verifiable credentials into their product. Or in other words, issue their attestation as a verifiable credential, instead of just simply, you know, an API response, and continue charging the same business model that they always have, and actually make more money than they were making previously. Because now that it’s a reusable credential, people can use it more places than they otherwise would have. Or it becomes their go-to resource for authenticating themselves, which then leads to even more revenue for the attestation provider. So, these are a few ways I’ve seen people make money with verifiable credentials, and then our fundamental kind of transformations of the business models that may have come before.
Oscar: Yeah, but it’s very interesting to see that there is value generation on top of solving problems and solving people’s problems. Excellent. So, one term that is relatively new is wallets. And that is a term that I feel is already reaching the masses, so people hear about that more commonly at this point, 2023, that we are having these conversations. So, what is the relationship between – or the connection between verifiable credentials and wallets?
Riley: Yeah, it’s pretty simple. I think the easy answer is wallets are where your verifiable credentials are stored. So, you get – just like in real life, you obtain a driving license. Where do you put it? Well, generally speaking, you put it in a wallet. And in a verifiable credential world, that holds true. I think this breaks down just a little bit if you think about wallet in the way that most people use the term. Most people associate a wallet with payment of some kind.
So today, your verifiable credentials are unlikely to fit inside of your Apple wallet. They’re unlikely to fit inside of your crypto wallet. They’re unlikely to fit inside of some other things, which are called wallets today. But I think that’s just a function of the maturity of the technology. I think, you know, we’ll get there.
For now, the term that I use are ID wallets, right? They’re sort of wallets that are built for verifiable credentials. And today, they sit alongside other kinds of wallets. So, in the Web3 space, we have some customers in that world. And for the users of their products, the ID wallet is a separate container or a separate data store or separate wallet that sits alongside or next to a crypto wallet for those Web3 applications. And, you know, in a Web2 world, again, a user ends up getting a wallet, oftentimes, they don’t even know that it is a wallet, they don’t even know that we refer to it as a wallet. To them, it’s just storage of their verifiable credential, or of their staff passport or something. But, yeah, hopefully that helps.
Oscar: But the ID wallet that you mentioned, it’s also from a normal user perspective, you just want one more app in the mobile, something like that?
Riley: Yeah, it could be an app. It also could not be an app. I think oftentimes if you are requiring your user to redirect out to an app store, download an app, authenticate to the app and get onboarded through the onboarding screens, and then obtain a verifiable credential. Also, that they can verify themselves and get the thing they actually want, that user experience becomes pretty tricky.
So, while we have seen some apps, you know, mobile apps, you know, succeeding and that is a model that is definitely a viable option. It definitely should not be the only option. And I think we’ve even seen web-based wallets or cloud-based wallets really taking off in much, much greater numbers than a lot of the mobile app wallets that we have, that we’ve seen. And I think it’s just a function of the friction required for a user to go through that journey is just so much less.
So yeah, it could be an app on your phone, it could be embedded into an existing app you already use. Or it could be a web resource that you, you know, authenticate to and get access to your credentials that way.
Oscar: Looking at the future from where we are now, what do you say is needed in order to see a broader adoption of verifiable credentials?
Riley: Yeah, I think we need more products, and more focus on product. So, you may have kind of heard from some of my previous answers that I, you know, I tend to think a lot about adoption. I think a lot about product. And I think a lot about business models. And that’s obviously because of my background. You know, I’m not an engineer by training.
But I do think that a lot of times, people get a little bit lost into the weeds with the technology. There’s a lot of cases where, you know, we’re talking about theoreticals in the technology, before anybody is actually using the product and we’re sort of holding up these, you know, certain technology principles as gold standards or best practices. When in reality, many verifiable credential approaches do not have product market fit yet. And so, we could build the most amazing, elegant, utopian technological solution. But if nobody uses that solution, then what’s the point?
So, I think really, the thing we need to focus on so much more is adoption and product execution over anything else. The technology is there, it’s good enough, it’s plenty good enough. It’s been good enough for – I mean, four years ago, literally, we launched the first version of our product, which allowed any developer to issue a credential within five minutes on Sovrin. And then a few weeks later, we expanded it to where there was a dashboard where even a non-technical person could issue credentials within five minutes.
So, the technology has been really accessible for a long time now. And when we look at our customer base, and we look at the success rates, and then we try to correlate those success rates with something and see what predicts success in this market. Every single time it comes down to product execution, and just being focused on solving a real problem for people. And so really what we need to get more verifiable credential adoption, is we just need – more of that, more problems being solved for businesses and people who are willing to pay for it. Right?
Oscar: Yeah, I agree. All right, thank you for the explanation of what’s going on verifiable credentials. And I agree a lot of your views on the focus on solving problems. So, leaving us with a final question, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Riley: Well, I am going to piggyback off my last answer for this one, Oscar. I’m going to say, if you are a company that has an identity product, or some kind of attestation service for people, or something like that. You should write on your agenda to explore how verifiable credentials could augment your business, because it’s likely that there’s some startup out there that is sort of doing something using verifiable credentials in your space or an adjacent space. And, you know, and they’re learning fast about what’s working and what doesn’t, and what this new world will look like. And so, as the world moves to fully digital and moves to reusable identity, the ones that sort of obtain those insights fastest and move first are going to get a lot of the benefits. And so, that’s the first thing.
If you are not in that category of a company that would sort of incorporate verifiable credentials, then the action item that I would give to you is to be a user of one of these products. And if you can’t find a product that uses verifiable credentials, if you can’t find an ID wallet that solves a problem for you, that’s maybe a little bit indicative of where we are as a space. But if there is something that you can use and try out and actually use it in the real world to solve some problem for you, I encourage you to do it, give it a try and give feedback to the developer of that product and let them know your experience. Because these are the kinds of things that will drive adoption of better identity systems in the future than what we have today.
Oscar: Yeah, definitely. Oh, thanks a lot for this very interesting interview, Riley. Please let us know how people can follow the conversation with you.
Riley: Yeah, I – so the first thing I’ll say is that we do a podcast as well. This has been a blast, Oscar. This is a great podcast. I love it. I think if you’re interested in reusable identity, specifically, and diving deeper into some of the stories of companies that have launched reusable identity products, or verifiable credential-based products out into the wild, I have a podcast that we do, called The Future of Identity podcast. And so that’s what I would encourage you to check out.
If you’re interested in following me or getting in touch, you can email me at riley@trinsic.id. Find me on Twitter @rileyphughes. I’m also accessible on LinkedIn. If you search my name, I’m sure you’ll find us. And I’m always open to feedback and love the conversation so please reach out if you think there’s a way we could work together.
Oscar: Yeah, thank you and indeed I’ve been listening to your podcast, The Future of Identity, so it’s highly, highly recommended. So, if you want to learn more about identity, especially the topics that Riley has been bringing us today. So again, thanks a lot Riley for joining us. And all the best.
Riley: Thanks, as well, Oscar. You as well.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Unlocking Trust: Exploring vLEI & Self Sovereign Identity (SSI) with Drummond Reed & Andy Tobin, Gen –...
Let’s talk about digital identity with Drummond Reed, Director of Trust Services at Gen and Andy Tobin, Commercial Director, Europe at Gen.
In this series opener of Season 5, Drummond Reed and Andy Tobin join Oscar to explore vLEIs and Self Sovereign Identity (SSI). Including building an understanding of what LEIs and vLEIs are, and how SSI principles are used within vLEIs, the benefits of vLEIs, which sectors and industries will benefit the most and some use cases of where the vLEI has been applied.
[Transcript below]
“If LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding.”
Drummond has spent a quarter-century in Internet identity, security, privacy, and trust infrastructure. He is Director, Trust Services at Gen, previously Avast after their acquisition of Evernym, where he was Chief Trust Officer. He is co-author of the book, ‘Self-Sovereign Identity’ (Manning Publications, 2021) and co-editor of the W3C Decentralized Identifiers (DID) 1.0 specification. At the Trust Over IP Foundation, Drummond is a member of the Steering Committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he served as co-chair of the Sovrin Governance Framework Working Group for five years.
From 2005-2015 he was co-chair of the OASIS XDI Technical Committee, a semantic data interchange protocol that implements Privacy by Design. Drummond also served as Executive Director for two industry foundations: the Information Card Foundation and the Open Identity Exchange, and as a founding board member of the OpenID Foundation, ISTPA, XDI.org, and Identity Commons. In 2002 he received the Digital Identity Pioneer Award from Digital ID World, and in 2013 he was cited as an OASIS Distinguished Contributor.
Connect with Drummond on LinkedIn.
Andy Tobin leads European and eIDAS strategy for Gen’s Digital Trust Services business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym as the world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date.
His career has spanned the three rapidly converging sectors of identity, mobile and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2bn mobile messaging network and been CTO for Europe’s first fully mobile bank. He is a passionate technology strategist who believes that the identity ecosystem and the personal information economy is poised for massive change, enabled by the capabilities being built right now by Avast.
Connect with Andy on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 96.
Podcast transcript
Oscar Santolalla: Welcome back to Season 5 of the Let’s Talk about Digital Identity podcast. In this series opener I am joined by Drummond Reed and Andy Tobin, from Gen Digital, joining us to delve into vLEIs and Self-Sovereign Identity (SSI). Stay tuned to find out more.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar: Today, we are very happy to have two expert guests, Drummond and Andy. And today, we are going to discuss vLEIs and what is the connection with self-sovereign identity.
First of all, we have Drummond Reed. He is Director of Trust Services at Gen, previously Avast after their acquisition of Evernym, where he was the Chief Trust Officer. He is co-author of the book Self-Sovereign Identity, published by Manning Publications in 2021. And he’s co-editor of the W3C Decentralised Identifiers, DID 1.0 Specification. At the Trust Over IP Foundation, Drummond is a member of the steering committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he served as co-chair of the Sovrin Governance Framework Working Group for five years. Hello, Drummond.
Drummond Reed: Hello, Oscar. It’s very good to be here.
Oscar: Welcome Drummond. Our second guest is Andy Tobin. Andy Tobin leads European and eIDAS strategy for Gen Digital’s Trust Services Business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym, as a world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date. His career has spanned the three rapidly converging sectors of identity, mobile, and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2 billion mobile messaging network, and been the CTO for Europe’s first fully mobile bank. Hello, Andy.
Andy Tobin: Hi, Oscar. Nice to be here.
Oscar: Welcome as well. I’m very happy to have both of you, Drummond and Andy.
So, let’s talk about digital identity, and as usual in this show we want to hear a bit more about our guests. So please, both of you tell us a bit about yourself and your journey to this world of identity.
Drummond: Oh, the journey. I don’t think we have long enough in this podcast to cover the whole journey. Yes, I’ll just say, originally, I was very interested and focused on solving problems of what we’d now call decentralised data exchange, and how people can share data, sort of directly peer to peer over wide area networks, like the internet, when it was first getting going. And I had no idea that to do that you actually had to solve the problem of digital identity and trust. And so, working on that led me over into this area.
We didn’t even call it identity when first working on it, we just said, “Hey, there’s this challenge that you have to be able to establish a trust network.” And it turned out that the problem there was identity. And doing that on a decentralised basis. And at that time, what I was working on was really centralised identity. Where you have an account with every different system you were interacting with. That was the norm, and it was – the pain was such that we had to have some solution to that. And so we thought it was federated identity, where you could take one account and reuse it in a whole bunch of other places. And in the end that’s what most people encounter with social login. The login with Facebook, or Google or Twitter, now X, whatever.
And so, we spent 15 years and three generations of standards developing federated identity. And it seemed like we could get there and then it just – we hit the ceiling. It just – federated identity, by putting an intermediary in there, made it – you could solve certain problems, but you couldn’t solve others. And then blockchain came along and sort of taught us, “Oh, there’s a way to make this fully decentralised that actually simplifies things tremendously.” And so that era, I really mark it starting in 2015, 2016, that’s when Evernym came together, which is where Andy and I met. And we’ve been working on decentralised ever since. Over to Andy to talk about his journey.
Andy: Yeah. Thanks, Drummond. I think the thing I like to look at most frequently, and that gets me most engaged is – seeing how megatrends that emerge affect existing businesses and capabilities. So, I’ve seen, for example, the digitisation of payments happening. And then digitisation of telephony happening and the emergence of mobile phones. And then the digitisation of commerce through the internet.
And with the digitalisation of identity, we’re seeing really something a little bit different, which is – we need to have the ability as people to identify ourselves or prove things about ourselves – it doesn’t need to be identity, it could be anything – without having to rely on anyone else to help us really to do that. So really, we’re looking at a return, if you like, to the world we used to inhabit where you could go along with a piece of paper and show it to someone, like a passport, for example, and say, “Hey, look, this is me.” We don’t have a digital way of doing that.
And so, there’s lots of, what I call, work around solutions in place and Drummond’s just talked about a bunch of them that fudge the problem. The problem is solved properly by giving people digital versions of the paper documents they’ve got and giving them to those people in a way that enhances their privacy and security online. And when you have that capability, you can apply equally to companies who find it very difficult to prove who they are online, and also to things as well.
And as we move into the next megatrend of artificial intelligence. Underpinning artificial intelligence is – how do you know who or what is at the other end. And as it gets much easier to fake everything, there’s going to be an explosion of trust issues. And if we can solve that with some of the techniques that we’re working on, which we can, artificial intelligence gets a lot less scary.
Oscar: Yeah, indeed, through your life, I could see the reasons why this topic of self-sovereign identity had to happen. But just a few years ago it is getting mainstream, finally, in these very recent years. And now we talk also about the future, there’s a lot, a lot of problems to solve still.
In this conversation, let’s go into much more specific topic related to self-sovereign identity. This is going to be about vLEIs. But to give a bit of concept, if one of you could throw a simple definition. What is an LEI?
Drummond: The LEI, that’s pretty straightforward. In fact, what’s ironic, is an LEI is really a classic, what we would call federated identifier, it fits into that second category. And that’s because – so it’s, to be very, very concrete, it’s a 20-digit identifier of a legal entity. And it’s important to clarify that term legal entity, because it can – in some legal jurisdictions, a legal entity is either a person or a corporation. They call it a legal person.
But what LEI means are – the legal entity in LEI means – a legal entity that’s not a person. So, anything that’s a legal entity that’s not a person – a corporation, a partnership, government agencies, whatever it is, it’s to identify what we would generally call an organisation.
And so, the LEI is a 20-digit identifier, and then it is issued. GLEIF, the Global Legal Entity Identifier Foundation, is a public-private partnership that operates the GLEIF LEI system. And they’re based in – it’s a Swiss nonprofit, it’s headquartered in Frankfurt. And they oversee, I think it’s roughly in the mid-30s, the number of, they’re called Local Operating Units or LEI issuers around the world.
They have to be qualified, and when a business or organisation wants an LEI, they have to apply for it. They have to basically go through what we call identity proofing for individuals, but this is for an organisation. You have to prove yes, you, whoever is supplying it, are a legal representative of that organisation. They have to provide their local business identifiers, like identifiers that they’ve registered like a corporation ID or a tax ID in one or more jurisdictions, and some other what they call reference data. And that entry, the reference data entry, is then associated with the LEI. It’s all verified and then the LEI is issued. It’s good for a year. You have to renew it every year and it goes into a global database, a public database, anyone can check to verify the LEI for an organisation.
Oscar: Very, very good explanation. And so, something that caught my attention, you mentioned that it’s still the federated model, right? So, which it is –
Drummond: Yes.
Andy: There’s a central body that is in charge of the governance of the whole LEI capability. And there are, as Drummond said, regional bodies that do the actual certification. But they’re all approved by the central body as well.
Oscar: Exactly.
Drummond: Right. So that makes it a federated identifier system, which is going to set up this wonderful conversation we have about how that fits into the SSI model.
Oscar: Exactly. So now let’s move to – what is vLEI?
Andy: So vLEI is a digital equivalent of an LEI, so Verifiable Legal Entity Identifier. Now, when I was contacted by Stephan Wolf, the Chief Exec of GLEIF, years back now, six years ago probably, who had been following this emergence of SSI very, very closely and thought there’s something in this. Because underpinning self-sovereign identity is a technology called verifiable credentials.
And verifiable credentials are packets of data, they can contain anything, that can be passed from an issuer to a holder. So, an issuer, like an LEI issuance body, to a holder, like your company. And that holder can then present that data and it can be verified by a verifier, which could be a tax authority, a government, another company, instantly as being authentic and the integrity of the data is preserved. So that’s the technology underneath it.
And what Stephan wanted to know was – how these verifiable credentials could be used for LEIs. Because he could see the direction of travel, of the digitisation of identity documents and paper identity information. And he saw that if LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding for bank accounts, for example, supply chain management, et cetera.
So, we sat down and included also Karla and Stephan from GLEIF, I think it was in an office in Canary Wharf, and we designed the way the vLEIs would work.
We designed a cascading chain of authority that allowed a local LEI issuance body to be certified by GLEIF and have a credential themselves that says they are a certified LEI issuer. And they were then able to issue these vLEIs to companies. It’s essentially a very similar set of information, but a bit more detail in there, than in the LEI. But issue that as a verifiable credential to a company, and the company would keep that in a digital wallet that the company runs.
But enhanced on top of that is that then employees of that company could prove that they work for that company. And those employees could themselves have verifiable credentials saying, “I’m an employee of Gen, and Gen is this business with this vLEI. And you can check the vLEI is authentic, because it came from this vLEI issuer. And you can check the vLEI issuer is authentic because it came from GLEIF.” So, you can run all the way back up the chain.
And then you can also add the ability to provide employees with – for example, confirmation they’re allowed to submit accounts to the tax authorities. So, it could be – “Andy Tobin, who’s a member of Gen is allowed to do X”. So, you end up with a cascading hierarchy, which is driven by the vLEI as the identifier for the company and then that being chained into lots of other relationships relating to that company and to the employees of that company.
Oscar: And how do the vLEI use the self-sovereign identity principles?
Drummond: OK so, as I mentioned earlier, the definition of a federated identity system is it has one or a relatively small group of organisations that almost – in fact, I’ve never heard of a federated identity system with an individual that runs it, they are always organisations or governments that run it at the centre. And then there, it’s federated around them. So, for instance, when we’re using social login, it’s Google, Facebook, X, LinkedIn, they’re the – called the identity providers. You have an account there, and then you go use it in other places.
And so, the GLEIF LEI system, as we said earlier, it’s a federated identifier system. GLEIF is at the centre, they authorise a set of the LEI issuers around the world, and they issue the LEIs. And that’s how you can sort of trust the whole thing. So, some folks look at that and say, “Ah, well, that’s a federated identifier system, how is this self-sovereign?”
So, with self-sovereign identity, as Andy said, it’s all about the entity that is being identified that needs to prove their identity to anyone else. Having a digital wallet, and a set of credentials they can use to prove their identity.
What GLEIF did with the vLEI was say – Hey, we are a federated identifier system. But we can provide verifiable credentials as one issuer, one hierarchy of issuers to organisations around the world, any place that can in turn, as Andy explained, then issue the next credential in the chain to their employees, or their contractors or their alumni or anything to prove their relationship with the legal entity that then can prove its relationship to the issuer and all the way up to GLEIF.
Fundamentally, what Stephan Wolf and Karla McKenna and the GLEIF team saw was, we can take a federated identifier system, and actually bring it into the world of self-sovereign identity credentials, digital credentials, from hundreds, thousands, to maybe eventually, millions of different issuers, that all serve as what we call Root of Trust, right? And, yes, GLEIF is one Root of Trust, and the whole GLEIF, what we call digital trust ecosystem, it may end up being one of the largest in the world. And it’s very important, I think, to note that it is adjacent to – it doesn’t replace government issued identifiers to organisations, but it’s adjacent to it, and it’s worldwide.
It is – the G is global. So, you can get an LEI and any entity in the world, any legal government or other entity can recognise it, and then translate it to the local identifiers that it might need. But that credential, once it’s issued into a digital wallet, is just like any other credential in that digital wallet. It can be used for that entity, in this case, an organisation, to prove its legal identity any place that’s needed. That is exactly what self-sovereign identity is about.
Andy: And I think it’s really worthwhile here describing the incentive. So why is this interesting, right? Why is a vLEI interesting? And at the moment, it’s very, very difficult for a company to prove that it’s a legitimate company and it has a bunch of certifications, it’s got the right ecological credentials, it’s got the right qualifications in place to operate as a company in the business it does. And that causes huge problems for supply chains.
As an example, I was talking to some very large pharmaceutical companies, we call them big pharma in Switzerland about this very problem. And they spend millions and millions and millions and millions of Swiss Francs trying to work out who is in their supply chain. And they kicked off something called Pharma Ledger, which was an initiative to use this concept of digital identity for companies and the qualifications and certifications they have, to allow an onboarding of a new supplier in a few seconds rather than weeks and weeks and months.
And the same thing with banking, it’s very, very difficult for a company to get a bank account. You’ve got to supply lots of pieces of paper, you got to send them in, they’re going to be notarised and signed by somebody. It’s horrendously complex, and very, very slow and very costly. So, the dream here is instantaneous, you know, a few seconds verification that a company is legitimate, and the person acting for that company is legitimate. And the potential savings are in the billions and billions and billions of dollars worldwide. So that’s why people are interested in it. And I think people get a bit hung up on the tech under the skin. And this term, self-sovereign identity, which I kind of wish we’d never promoted in a way because it’s about…
Oscar: Scary.
Andy: … the credentials under the skin, rather than yeah.
So, this ability for an organisation to have verifiable data about itself digitally, which anyone can check is authentic. Without that company having to go back to GLEIF and say, “Hey, please give me a new version of this that I can use today.” That’s the sort of self-sovereign, the company has this information, they can use it wherever and whenever they want, for whatever reason they want. And the verifier can, or the recipient can check it’s authentic, instantaneously. Even if GLEIF ceased to exist, you could still do that.
So that’s the big picture here. And the vLEIs are one aspect, but a very important aspect of this new digital ecosystem for organisations. There’s an anchoring credential that says this company is this company. In some jurisdictions, you legally have to have an LEI – vLEI makes things a lot easier. So, it’s the anchoring credential that says this company is this company, and then you can hang lots of other verifiable credentials on the back of it as well.
Drummond: I want to make that point that Andy just did. So, the LEI, because of its cross jurisdictional characteristics is legally required in certain jurisdictions for certain kinds of transactions. For instance, in Canada, if you’re involved in the financial services industry, you have to have an LEI. The regulators, and GLEIF has a board of I think it’s roughly 72-75 regulators from around the world. It’s called the ROC, the Regulatory Oversight Committee. Those regulators are now – the next step is to start to mandate the vLEI. Because the regulator is saying, “Hey, it’s really expensive for us to have to, verify, audit companies and the records and everything when we have to manually process papers.” So, they’re basically saying you must do these things digitally. The Securities and Exchange Commission here in the United States requires electronic submission of reports.
So, the emergence of the vLEI as a credential, for example, digitally signing those submissions to regulatory authorities is starting to be mandated by regulators. And I expect it’s just going to grow and grow and grow. And so, in certain places, organisations, as part of their formation and maintenance they’re going to get maintained vLEIs in order to be – handle their regulatory documents. At a minimum of this many other uses.
Oscar: Yeah, indeed, you explained very interesting cases, problems that are being solved by this concept. And also, when you put it in numbers, it also sounds very convincing. Indeed, to understand a bit more what is – how does it work in practice, I think you have explained pretty well.
But let’s say, if I want to visualise, ‘so what is the vLEI?’ So vLEI is – will be registered in an app? So where can I see if my company has registered a vLEI, where can I see it?
Andy: Yeah. So, vLEI, we need to introduce here the concept of an organisational wallet. So, you’ll be familiar with digital wallets that you might have on your phone at the moment as a person, so an Apple wallet and a Google Wallet. Gen has launched its own digital wallet called MyD and there are others that are being launched as well.
So digital wallets are going to be huge. And there’s going to be a big fight about who’s going to have the best digital wallet. And a digital wallet is a container that you put these verifiable credentials in. And in the case of you, as a person, that might be a digital version of your passport. In Europe, it might be the new personal identity data credential from eIDAS. They could be a driving license, a boarding pass, et cetera.
Imagine the same thing for a company, rather than sitting on a phone, it’s going to reside probably in a server somewhere. I guess it could sit on a phone. But it’s the same concept. It’s a secure container that will hold a company’s credentials, including a vLEI. And that’s just like your own wallet, you control that wallet yourself, and you have a fingerprint or something else.
Access to the organisational wallet will be most likely controlled by a number of people who have credentials that they can use, that will prove that they work for that company, and they have the right to access and execute transactions from that wallet. So, you can see the way the personal credentials and organisational credentials come together. And a vLEI will sit in an organisational wallet, it could manifest in many different ways. It could be embedded in the enterprise planning software that that company has. It could be in a cloud-based software facility that company is using, well, names like SAP workspace, that kind of thing might do something like that. I don’t know if they have or not, but it would be logical for them to do so.
So that’s how the vLEI would manifest. And it would be used when a business transaction requires the company to prove something, prove who they are, prove their legitimate organisation. And a lot of those interactions at the moment are handled fairly manually, something will pop up into somebody’s queue. And then they will have to go off and do something and then they’ll go in and fax some document that they’ve had signed by some notary or whatever it might be.
In this new world, all that gets digitised and happens in milliseconds. So, requests will come in digitally saying, “Hey company, please prove who you are.” The organisational wallet will respond back immediately saying, “Here’s my vLEI. You can go verify it.” And that will be verified instantly. So, the business process improvement you get from this, this is what this all comes down to is optimising and digitising business processes that so far had been too expensive or complex to optimise. There’s been no good way of doing it. vLEIs are the key enabler that helps you to get those digitised business processes working.
Oscar: Yeah, excellent. The concept of organisational wallets I think it’s something that yeah, it’s – well, it’s new in this equation of the LEIs as compared to how we see it today.
You have already explained some examples of some industries in which vLEI will help tremendously. But if I ask you what are the top industries or sectors that will benefit the most, which one would be?
Drummond: I’ll start out with one of – what has become one of my very favourite examples. And I’m going to do that by reading you some texts that I have recently received. The first one is, “Hello, are you the dentist that Candy introduced me to? When do you have time?” The next one is, “Your Amazon – spelled with a little accent in it – your Amazon has been locked. Click here to fix all your bills”. My Netflix subscription is on hold. I have to renew that one. And then “Hi, it’s Hillary, can you join me for lunch as you promised?” OK? I get – I don’t know about anyone else. I’m getting several of these a day now.
It’s called smishing. Right? It’s SMS phishing. They’re just trying to get me to respond, to click a link, to do whatever. So, once you know spam and phishing attempts have moved into our phones. And of course, they’re also, they’re hitting me now on iMessage, on WhatsApp. We’re getting to a level where yeah, we’ve learned to live with spam in email. But when it starts hitting our phones and our most intimate ways of communicating, it’s not just a pain. All right, a lot of money is lost that way, and it erodes confidence in our most important communications infrastructure.
So, my personal favourite use of LEIs, vLEIs – well both actually. Because if we’ve never said it, we want to make it clear, the vLEI credential contains the LEI as one of the pieces of the data in it. So that’s how it all ties together. It is going to be used for signed, digitally signed text messages. Initially it will be used by the telcos themselves that deliver that message. They will do the filtering out of the spam because they will be able to basically differentiate and say, “Oh, this is a digitally signed message from a legitimate company, and we can deliver that.” Give it the green light to the consumer and anything else is going to be suspect.
That doesn’t mean that suddenly you’re going to stop getting any smishing attempts. But it’s going to introduce a fundamental solution that over time will, I think, essentially stamp out that industry. And this is not theoretical, there are several companies working on putting this in place. I think it’s going to start going operational in 2024. So that’s one example.
Andy: Yeah, I think I’d add in any regulated industry, banking, particularly, especially corporate banking, where you need to know who the corporation is, and there’s so many rules, they are coming in about identifying which corporate you’re dealing with. This was one of the main use cases when we were designing vLEIs in the first place with GLEIF, which was if you’ve got a corporation, you need to find the ultimate beneficial owner of that corporation in order to give that corporation a bank account.
If that corporation has a bunch of shareholders and those shareholders are other corporations and those, some of those corporations have shareholders that are other corporations. You get an exponentially worsening problem of trying to work out who everybody is, because they all have to provide information about who they are and who their shareholders are.
And this is the case with Evernym when we set up little Evernym in the UK in 2017, I needed to get a bank account. And to get that bank account I had to prove who Evernym UK was, and the ultimate beneficial owner of Evernym UK was Evernym, Inc. in the US. And Evernym, Inc. had a bunch of shareholders. And I then had to prove who all those shareholders were. And this involved getting the largest shareholders, over 10%, to provide documentation about who they were and notarised certificates and so on and so on. And the ones that were corporates then had to give me their shareholders. And I think, eight months to get their bank account set up, which is insane. So, you can imagine the potential benefits there.
I’d also point as well to the European eIDAS program. Which is the eIDAS 2.0, it’s the next evolution of the European digital identity scheme. There are consortia, there are four consortia working on large scale pilots now. One of them that Gen is in, called EWC, has two use cases for people, which is travel and payments, and a use case for organisational identity as well. And that’s been championed by the governments of Sweden and Finland. And has got a lot of traction now, because the same technology that is being used for credentials, for people and personal wallets, can be used for organisations as well.
So, I see a lot of potential for vLEIs and other organisational credentials, like VAT number and tax identity and Companies House type information. To be provided digitally in that way to transform business processes with corporate to corporate. But also in our human use cases with people. If I’m using my eIDAS wallet to book travel, the vLEI or organisational credential will allow me to check the travel agency I’m booking it with is legitimate. And if they’re ABTA based and certified and are they the right company, all of the problems that Drummond outlined, these scammers pretending to be companies, those will go away because I’ll be able to instantly verify if a company is authentic or not.
Oscar: Yeah, you have listed at least three very important sectors, industries, in which it’s very clear the benefit that will come. We know that vLEIs are available now, you have explained pretty well the cases, how they can help to solve these problems. When do you estimate that the full benefits will be realised? So, we are still in 2023, what we say it’s a time in which, OK, it is a massive impact the vLEI have done.
Andy: Yeah, it’s a good question actually. I think in Europe with the eIDAS program running, I think that’s going to be a big catalyst. And we’ll see how that evolves, these large-scale pilots are going to run for two years. And the actual eIDAS regulation, when it comes into place, the governments of the EU will have two years to implement it and get wallets issued.
I think we need to look back at the incentives, and companies move quickly when the incentives are big enough. So, there’ll be a number of market proving pilots that happen and the output that comes from those will say, “Hey, this is actually real. It really works. And here’s how much you can save.” When the suppliers of software that businesses use to run their operations start embedding vLEIs into their businesses, just like email, or just like, you know, web pages. It’s going to be completely transformational at that point.
Drummond: Exactly. It really depends on the industry and the use case. I compare the adoption of SSI digital wallets and credentials, there’s a precedent, the adoption of the web, right? It won’t happen everywhere all at once. OK, that’s not how these things ever happen. Right? It’ll be particular, just like you had certain websites, it started out with physics websites, right? And then authors got involved and said, “Hey, this is a great way to publish.” And eventually we had blogs and things like that. And then pretty soon the web is pervasive.
We’re working the same way. There are pockets, as we said that, you know, like the smishing problem. I think one of the important things to keep an eye on is governments are, you know, they’ve inherently been in the identity industry. They always are, because they’re foundational issuers of identity. And some governments, forward leaning governments that have gone straight, or are seeing the benefits have already moved into. One of the ones I’m closest to here in Seattle, is the province of British Columbia in Canada, which already has a digital wallet that’s all based on open-source code that’s in market and they’re starting to issue credentials to British Columbia citizens. And they’re already using vLEIs for organisations.
Another of my most favourite examples is the small but very influential country of Bhutan, which has basically said they just adopted a National Digital Identity Act, implementing or mandating a self-sovereign identity infrastructure for the whole country. And that will require LEIs for every legal entity that is signed up and going to be part of that SSI ecosystem. Every organisation, every bank, travel agency, grocery store, it doesn’t matter, if you’re in the Bhutan SSI ecosystem, as an organisation, you sign up and have to get an LEI and a vLEI to participate in that. So that’s the kind of thing that can really generate large adoption.
Oscar: Indeed, yes, super interesting discussion about vLEIs and the state of self-sovereign identity. I’ll ask you a final question for both of you. For all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Andy: I think that one would be to get up to speed on vLEIs and verifiable credentials, generally. Not to worry too much about the technology under the skin and keys and encryption and DIDs and so on. But to understand the business implications of digitising processes that they haven’t been able to digitise so far, and the benefits to them of doing that.
There’s a significant competitive advantage to a business, to digitise processes that a vLEI will enable you to do. And the companies that do that soonest, or a bank, for example, if a bank can onboard a corporate customer in 10 seconds, instead of 10 months, they’re going to have a massive, massive advantage competitively against the other banks in the market. So that’s where the prize is. So, they need to understand the implications.
And generally, I think, what would be the word, get into the program. That’s probably not the right way of saying it, but it’s about understanding what is coming down the line. And if they don’t move fast, then somebody else will out compete them very, very quickly. It’s a bit like the early days of the web, get online, get digitised and if you’re not, you’re not in the game.
Drummond: Yeah, I think we clearly saw with the web, those companies that got a website early and started to have a digital presence, they significantly expanded. In some cases, they completely dominated new industries, because they went fast.
I’m going to provide a very, very concrete step. If your organisation doesn’t have an LEI today, just a regular LEI, just go check out the GLEIF website. You’re going to find very easily how you can get one and go through that process. It doesn’t necessarily take very long, but it will educate you about that. And then ask your LEI issuer, whoever you choose, “Are you issuing vLEIs? When will you be issuing it? Educate me about that.” And you know, just start to climb the path.
Oscar: Yeah, indeed, very actionable. Thank you very much, both Drummond and Andrew. It was a fascinating conversation with such experts in this topic. So finally, tell us if someone would like to follow you or continue this conversation with you, what are the best ways?
Drummond: For me, yeah, @drummondreed on X. It’s the first time I’ve ever had to say that on a podcast, and it just doesn’t sound like the same.
Andy: Does that still exist?
Drummond: Yeah, I’m really seriously worried about it. I, you know, I’m finding it degrading and I’m not sure how much longer I’m going to use it. Or Drummond.Reed@GenDigital.com. You can contact me via email too.
Andy: Yeah. And I’m Andrew.Tobin@GenDigital.com.
Oscar: And are you at X, formerly known as Twitter?
Andy: I am but I’m broadcast only because it’s just too much hard work. LinkedIn is kind of interesting. You can find me on LinkedIn as well. I write on the topic of digital identity and verifiable credentials and eIDAS quite frequently and I know Drummond does as well.
Drummond: Yeah, yeah, we do. And I’m more and more paying attention to LinkedIn that way.
Oscar: Fantastic. Again, thank you very much for this conversation and all the best.
Andy: Thanks, Oscar.
Drummond: Thank you, Oscar. You bet.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Exploring the Latest Updates in Global Assured Identity Network (GAIN) with Elizabeth Garber and Mark Haine
Let’s talk about digital identity with Elizabeth Garber and Mark Haine, co-editors of the Global Assured Identity Network paper.
In episode 95, Elizabeth Garber and Mark Haine, who were editors on the Global Assured Identity Network (GAIN) paper, join Oscar to share the latest updates for GAIN, including recapping what GAIN is, the challenges that have been faced, alongside successful case studies and what developments we can expect to see for the future of GAIN.
[Transcript below]
“It’s all interconnected with standards development and has a really big impact on how identity systems will work, interoperable, in years to come.”
You’ll remember Elizabeth Garber, who was one of the lead editors of the GAIN paper – we interviewed her in episode 52 (back in October 2021).
Elizabeth has a long background in Customer Strategy and Product Management. She has also led the Open Digital Trust Initiative at the Institute of International Finance and co-chairs the OpenID Foundation’s GAIN technical proof-of-concept, which strives to create globally interoperable networks for exchanging high-assurance identity information. Since we last interviewed her, she co-founded IDPartner, a venture-backed startup that puts people in control of their digital identities. It will be a key player in any Global Assured Identity Network (GAIN) as interoperable networks begin to flourish.
Elizabeth and Mark recently published a draft paper for the OpenID Foundation called “Human-Centric Design: a primer for government officials” which is all about how to design identity systems to sustain and promote human rights. It is open for public comment – and may feature on a future episode. You can find it on the OpenID Foundation website and blog, openid.net.
Connect with Elizabeth on LinkedIn.
Mark is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate risk in financial services.
Through Considrd.Consulting Ltd. Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as Co-Chair of the eKYC & Identity Assurance Working Group and is a co-author of OpenID Connect for Identity Assurance specification. Mark also is a board member of the Open Identity Exchange.
Connect with Mark on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 95.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello, everyone. You will remember Elizabeth Garber, who was one of the lead editors of the GAIN paper. We interviewed her in episode 52, late in 2021. Elizabeth has a long background in customer strategy and product management. She has also led the Open Digital Trust Initiative at the Institute of International Finance, and she co-chairs the OpenID Foundation’s GAIN technical proof-of-concept.
Since we last interviewed her, she co-founded IDPartner, a venture-backed start-up that puts people in control of their digital identities. This will be a key player in any Global Assured Identity Network, as interoperable networks are beginning to flourish.
We have a second guest. Our second guest today is Mark Haine. He is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate the risk in financial services through Considrd.Consulting Ltd. Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as co-chair of the eKYC and Identity Assurance Working Group and is co-author of the OpenID Connect for Identity Assurance specification. Mark also is a board member of the Open Identity Exchange.
Elizabeth and Mark recently published a draft paper for the OpenID Foundation called Human-Centric Identity: a primer for government officials, which is all about how to design identity systems to sustain and promote human rights. As we speak, it’s open for public comment. You can find it on the OpenID Foundation website – openid.net. So, let’s get started.
Hello, Elizabeth. Hello, Mark.
Elizabeth Garber: Hi.
Mark Haine: Hi.
Oscar: It’s very nice having you. Welcome back, Elizabeth, and welcome for the first time Mark. So, we’ll hear more about GAIN, this initiative that was launched a bit less than two years ago. And we really want to hear the news about that. But to get started, we always want to hear about our guests.
So, for all of you, please tell us about yourself and your journey to the world of identity.
Elizabeth: Okay, I’ll go first. For me, the journey really started in identity when I was working at a bank. We had introduced a new vendor into our identity and access management program. I won’t say who because it didn’t really go very well at first. But I was brought in as kind of fresh eyes to lead a root cause analysis exercise and make some quick changes and fixes. And that led to two things.
First, I ended up taking a digital products role on that team and having more and more to do with identity. And second, I was absolutely hooked on the industry. So, there were just so many interconnected challenges and opportunities. The stakes were really, really high. So, I started to form partnerships outside the bank, and most notably with the person who would become my good friend and my Start-Up co-founder Rod Boothby. So, he brought me into the Open Digital Trust Initiative with all the world’s leading banks, the IRS, and also the OpenID Foundation.
And that, of course, led to the GAIN paper where I quickly raised my hand to help out and Mark my colleague here and the other co-editors. I then still co-chair the proof-of-concept along with Mark and authored the follow up paper, which will be out by the time this podcast airs, I think.
Mark and I then wrote the paper you just referenced, which is addressing how government identity systems can sustain and promote human rights. All of those papers can be found on the OpenID website, by the way, openid.net.
Since we last talked, I co-founded my company IDPartner, which is really in the spirit of GAIN and is seeking to help banks and other parties connect into such a global network. So yeah, I’m still relatively new to this industry of being a few years in now, but it’s pretty much consumed the majority of my waking moments for the last three to four years.
Mark: So, we’re in some ways similar to Elizabeth, but in other ways slightly different. My background is also from financial services. I have had a number of operational roles and then design and architecture roles in primarily UK banks. I’ve had a rich array of roles. I’m taking on some really interesting challenges along the way. It started out with operational I.T., moved into networks and security design and after some time and lots of rich experiences.
I ended up in the Identity and Access Management team at a large UK bank having done a bunch of work on future architectures for that organisation and innovation team. And around that time the UK was starting to move towards open banking. I managed to switch over to become a core member of the Open Banking UK implementation Entity Security Team, where I was involved in designing various aspects of the open banking architecture and the protocols involved. And that led me to interact with a bunch of people from the OpenID Foundation, who recruited me to come and help on the open standards side of things more actively, after I moved on from open banking to do other things.
Since then, we’ve been working on new draft specifications, and writing a number of white papers, including the GAIN white paper and the one that Elizabeth and I have been working on together about human rights in the context of government digital identity. And here we are today.
Oscar: Excellent. Thanks both of you for sharing your story. Before starting to hear the newer things that happened for GAIN, I hope you can give us an overview. So, what is the Global Assured Identity Network?
Elizabeth: Well, so back in 2021 when we last spoke, GAIN was just a paper. It was – we used to say it was no logos and pro-bono. It was 156 individuals, identity and industry experts who signed as individuals because it contained so much that they could all agree on. And primarily that was that we wanted to build a globally interoperable network for high assurance identity.
We wanted to connect the islands of trust that exist out there today, the different ecosystems where you can be trusted. And we want to create new ones and connect those too. We want to make it possible for somebody in the US, like me to transact with somebody in Finland confident that you could trust who it was on the other end of that digital session.
And we wanted to do that in a really – privacy preserving way. So, no new databases being introduced of PII, full customer consent for sharing and really the minimal amount of information required. All of that was the stuff that the original authors could agree on. At the time we wrote it addressing financial institutions. We didn’t think any such network was going to be inclusively or exclusively led by banks.
But we did argue the banks were really well-placed to catalyse such a movement as they had done in Sweden, Norway and other places. And also, open banking was a growing enabler and there were lots of benefits to them, their customers and others. If they took a lead and did so with a sense of urgency. What we have seen in the intervening years though, is that while that’s still true and still would be a great catalyst, but other corners of the market are moving very, very quickly. We’re having broader conversations now in relation to GAIN, including with the European Union and those designing mobile driver’s licenses.
It’s all interconnected with standards development and has a really big impact on how identity systems will work, interoperable, in years to come. Sorry, that was a summary and a movement into the present day.
Mark: There were a couple of things I would raise from the original paper, that hold true today as well, I think. And those are that we felt back in 2021 that there wasn’t a need for any particularly new or ground-breaking technology to enable this. And probably the most critical thing to allow such a scheme or system to emerge was a way for the three key classes of entity involved, all to find benefits from the services provided.
So, the identity provider, the relying party and the end user, who is subject to all of us, all needed to have their own benefits arising from this for such a thing to become viable. And I think that was something that really hadn’t been voiced quite so directly before.
Oscar: Yeah, well, no surprise of course. From a paper to the implementation for a proof-of-concept that nowadays you, and some of your allies, are working on. So, I think it’s time to hear more deeply, what are the main updates in advancement that GAIN has had since then?
Elizabeth: Okay, so after we launched the paper, we had five organisations initially, who had signed a MOU, a memorandum of understanding. It was legally not binding, but it meant that they would loosely collaborate and align efforts to further the GAIN vision of interoperability. So, I share those organisations now and you can go learn more about what they’re doing in the space. So that’s the OpenID Foundation, the Open Identity Exchange, the Global Legal Entity Identifier Foundation (GLEIF), the Cloud Signature Consortium, the Institute for International Finance. And since then, we’ve had one more organisation formally sign up, and that’s the Secure Identity Alliance.
Each of those organisations does work that’s relevant to GAIN and feeds, whether it’s standards or requirements maybe from the financial sector. They feed into the work that is done at the moment through two major communities that we should drill into what both of these communities have been doing. So, we have the technical proof-of-concept of the OpenID Foundation, which is where Mark and I co-chair a community group, and we really have built a prototype that interconnects multiple trust networks.
And then there’s the policy work at the Open Identity Exchange, OIX. It’s called the Global Interoperability Working Group, and they’re really looking at more of a semantic interoperability; how two different policies interact, how do the policies in one trust framework translate into another and what enables that. Mark, do you want to give an update on the technical proof-of-concept that we’ve been running?
Mark: Yeah. So, the GAIN proof-of-concept within the community group in the OpenID Foundation, has been taking a number of steps to dispel any suggestion that this stuff can’t be done with the technology we have today. One could argue not terribly ground-breaking work because it’s showing that stuff can be done using existing protocols. But at the same time, we’ve been doing it in a way which demonstrates quite significant cross-domain examples.
So, our first little proof-of-concept was simply allowing existing identity providers from multiple different countries to provide digital identity data to a relying party. And it was existing trust networks of various different types. It wasn’t terribly complex. In some ways. That’s kind of the beauty of it. A relatively simple OpenID Connect implementation with a relatively simple layering of eKYC and Identity Assurance Working Group specs as well on top, to allow us to be explicit about the assurance level for the individual.
We’ve then moved on from that Federation example to addressing the question of trust between the entities involved. So, allowing the identity provider and the relying party to be more confident in each other, that they are dealing with an entity that is another member of the network. And the big realisation we had when we were doing that was that we shouldn’t try and have every party register to a GAIN instance. There’s plenty of identity networks out there already and we shouldn’t expect their members to have to reregister for something else. That’s not a terribly scalable way at a global level. So, our decision at that point was to build an instance of a network of networks so that we could keep the implementation impact as low as possible for each member and at the same time enable that global reach.
So, we did some work using a protocol called OpenID Federation to allow communication of trust to some of the technical details like; how to verify cryptographic keys across networks. And we ended up building a really nice little demo whereby the end user arrives in a Japanese airport and is able to present their identity from a German network to the local telephony company, so that they could then pick up a new eSIM as they entered the country. It sounds simple. There were a few challenges along the way, but we managed to overcome them and have a little demo which we could share at some point with any interested party.
Elizabeth: So, the two main concepts that we’ve been testing there have been – we often break it down as the data plane and the control plane. So, the first piece that Mark was talking about where we tested the OpenID Connect for Identity Assurance standard, that’s how does the data move from one party to another. And then the second, which we spent a lot more time on, was the control plane, how do we enable one party in one network to trust another party in another? So how does a relying party in Japan trust an identity provider in Germany? And that’s where OpenID Federation came in, as a really scalable way of delivering that kind of trust.
Mark: Yes, it avoids having to build direct one-to-one relationships between every entity, which clearly on an international level, it’s not going to be possible.
Oscar: How many countries have you – mentioned two countries in this example – but how many countries so far have you managed to connect?
Mark: We’ve got members from quite a range of countries, actually. Our initial proof-of-concept involved contributors from UK, Sweden, Germany, Netherlands, Italy, USA and Japan. I think there may have been more. My memory isn’t the best on these things. And then the second one, again, we had Italy, Japan, UK, Germany, the US. Any others Elizabeth?
Elizabeth: Not off the top of my head. But what I think is really cool about the prototype that we have operating right now is that you’ve got three different trust networks, in three different countries, in I guess four different verticals operating. So, we have the German bank based, yes.com Federation. Then you have that connected, both at a data level and a control level, to an open banking system in Japan and the relying party is in telecommunications. And then you have all of that connected, both at a data level and a controlled trust level, all that connected to what is essentially an Italian government implementation. So, we’ve got lots of different types of systems, different types of architecture.
And in that early prototype that we did it with just the data passage, was that we interconnected with wallet-based ecosystems as well there, and we’re looking to bring that back into this larger multilayer proof-of-concept that we have going on right now. So that’s our next stage. But that’s a preview.
I want to make sure we don’t move on before we talk about the work that OIX is doing. Their emphasis has been on mapping different policy frameworks. They looked at how well policies relate to one another and how bilateral agreements can enable one trust framework to trust another, and then ultimately landing on the idea that bilateral agreements are not actually scalable the world over. And so, what they’re looking at now is something that Nick is calling, this as Nick Mothershaw, a ‘smart wallet’. So how can an agent or something –
Mark: Global Interoperability Working Group has been focusing in a couple of areas. One has been to discuss how we might communicate assurance levels between different jurisdictions. One of the challenges we have is that there are different standards for identity assurance in different countries. And as part of that, there’s been a bunch of analysis work going on in partnership with the Fraunhofer Institute to do a comparative review of the different assurance standards and see whether they’re readily mapped or not.
And there will be a report coming out from the Open Identity Exchange in the space sometime in the next few months. The net-net is that it’s unfortunately not terribly easy to do a mapping and there may be a need to take it to a lower level and map the underlying data points to each other rather than to map to the abstract assurance level.
Elizabeth: So, they’re looking at, how can an agent work on behalf of a user to help translate those policies from one framework to another. To how can an agent or a wallet understand what credentials are inside it that meet the needs presented by a verifier? And does a new credential need to actually be issued? They’re looking at how can we know what wallets can be trusted in an ecosystem? How can it dynamically understand what policy requirements need to be met, what credentials qualify? Is there a common format that can be agreed upon for these policy decisions? And all this is underway at OIX.
Mark: In terms of analysis there as well. They’re looking at the UK Digital Identity and Attributes Trust Framework, the European digital identity eIDAS assurance levels, the US NIST standards in the space and at the trust framework that exists in Canada and Sweden are on the list as well. Although I don’t think all of the analysis is in. So, a fairly broad reaching comparative review of assurance levels and the new policy framework around them.
Oscar: Yeah, it sounds definitely, definitely really good. I haven’t heard of this. I want to hear more information about this.
Mark: The best way to find out more about this analysis would be to join the Open Identity Exchange and come and attend something that, some of the working group calls that happen. The report I don’t know whether it’s going to be publicly available or a ‘members of’ report at this stage. There might be a summary report available for non-members. So that remains to be seen.
Oscar: Excellent. If you see as a retrospective have there been any main challenges or barriers that you had to overcome in this nearly two years?
Elizabeth: I would say one of the biggest challenges is really an exciting one, is how quickly the market moves. When you’re talking about global interoperability, you’re talking any kind of shift around the world has an impact on the interoperability aspect. So, I think we do a really good job as a group, both at the technical proof-of-concept level of the Open Identity Exchange and as the GAIN six non-profit, we do a really good job keeping connected to a lot of those moving pieces around the world.
Proud to say that we have close relationships both inside Europe and the European Union, those leading mobile driver’s license efforts, or I should say, North American mobile driver’s license efforts. You know, sometimes this stuff means that actually new concepts, new standards are embraced. And we need to make sure that our prototypes move and shift to ensure that we’re still keeping up to date with the standards that are being embraced and matured by regulations and others around the world.
This is a really exciting problem to have to see things develop and mature. I guess the connected challenge to that is just making sure that we’re aware of all of that’s going on. We recently got in touch with a group working out of the UN on a similar challenge of; how do you enable one entity to build trust with an entity in a different trust network. And they’re really, you know, we’re all working on similar things and exploring. Once we know; what have been your lessons learned, what have been ours and cross-pollinated ideas about how we can achieve these things together and maybe work together. So yeah, a big challenge is knowing what is going on everywhere.
Mark: Yeah, I completely agree Elizabeth. A couple of other names to drop as well, I know that the OpenID Foundation has been working quite hard to establish and develop relationships in various parts of the world. And I would say the engagement with the European digital identity project has been really good. We had some nice sessions in Berlin around the European identity conference earlier this year. The engagement with the NIST guys in the US around what they’re doing, and their update to their digital identity guidelines has been really positive.
Gail Hodges, Executive Director of the OpenID Foundation has also been reaching out quite successfully into a project called ID for Africa, and trying to bridge that global north, the global south part of the problem space. And I would also say that interoperability, I think, is probably one of the biggest challenges that spans across technology, data and policy. And it’s really good to see the OECD call that out explicitly in their draft digital identity guidelines that are open for review at the moment and coming out, I think later this year, now.
There’s an awful lot happening in this space. It’s really dynamic. And echoing Elizabeth’s point, the biggest challenge is keeping up with all of the activity that’s going on.
One thing I would say that we’ve been doing in our GAIN groups, has been to try and make sure that we’re relevant to all sorts of different technical architectures. So, this is something that can interoperate across technology difference, at least. Ultimately, the technology should be there to serve the people of various sorts, you know, people who represent organisations and the people who are trying to access services. So, a particular protocol should not necessarily be the boundary for interoperability.
To that end, although our first couple of proofs of concept have been OpenID Connect focused, the one we’re working on now is to extend that proof-of-concept to delve more into the W3C quality-based architecture. We’re doing that in part with people involved in the European digital identity wallet, as well. So, there’s a lot going on. And I think, a lot of real dynamism and action in the marketplace at the moment as well.
Elizabeth: And the more we do in this proof-of-concept is – the more that we do to really test the specifications of these standards, the more we learn, and the more those standards mature. So really benefits from having a lot of participation. Because the both the Federation spec and the IDA spec, I think have been improved as a result of people trying to build it coming together trying to align it, make sure that both parties understand the same things that are using the same configurations. It just, it makes all the specifications better and more mature.
Oscar: Well, excellent. You mentioned already a few examples, but if you have any other success stories in particular that you would like to tell us more.
Elizabeth: I think our big success story is the one that we raised connecting the German banking network, a Japanese banking network with comms roaming and a federation run by the Italian government, both at the data level and the trust level. Can I trust the relying party and an IDP in two different networks? The big proof of GAIN, there’s always going to come when private companies or other entities actually bring it out there into the public domain, and people are actively using it to create their eSIM in another country. And I think that’s the next big hurdle is to see something out there in the wild. And I’m hopeful that you’re going to hear some more about that in the coming year.
Mark: Yeah, likewise. I mean, ultimately what we’re driving towards is something that gets implemented. But I do think that the debates that the white paper originally provoked and the groups that have been acting, following on from that have surfaced a few difficulties along the way. And these were difficulties that needed to be surfaced in order that a solution could be built.
I’m not yet certain that all of the challenges have been addressed fully. In fact, I’m fairly certain they haven’t all been addressed fully yet. But we’re working through them as they emerge and prioritising our efforts as best the way we can. I would say a lot of this work is being done either by companies who are contributing their staff’s time to working groups or even individuals contributing their time to these working groups.
So, you know, if anybody out there thinks that they may have the ability to devote some time or even some implementation efforts, that would be, I think, a valuable thing to do, either whether that’s in the policy domain or the data domain with the Open Identity Exchange or in the technical protocol domain with the OpenID Foundation. The only way these things are moved forward is by people contributing the time.
Elizabeth: Absolutely.
Oscar: So, they need more contributors, absolutely.
Mark: Just to drive one particular point home. In particular, at the moment, the OpenID Foundation, GAIN POC community group is looking for digital wallet implementers, particularly at the moment, and secondarily, issuers of digital identity credentials as well verifiable credentials. So, if anybody listening to the podcast is willing, able and has some expertise in that area, they would be very, very welcome. Indeed.
Oscar: Perfect. Yeah, based on your observations when I asked you the hurdles, or what you find on your way – you find a lot of things moving on projects that have similar goals, let’s say. But now looking at the future, what is coming in the near future, if you focus on the near future. So, what would be the main potential future developments that you think is going to happen in the next, let’s say, one or two years?
Elizabeth: I would say three things.
Verifiable credentials, as Mark was just saying, we need to be interoperating, with wallet-based ecosystems. And our technical proof-of-concept in the short term, in the next few months, needs to be extended to incorporate those issuers and those wallet providers.
I think the OIX work on smart interoperability that takes us beyond the next few months, but into you know, the next year or so I think that that work will take shape a bit more. And we will hear more about how interoperability can be enabled, semantically through such systems. I think that work is really, really exciting.
And then the next thing I think you’re going to start to see is more commercial implementations of this use case, of cross border, high trust identity.
Mark: Clearly, the European digital identity project is going to march forward dramatically over the next couple of years as well. And I think that will produce a number of successes and identify a number of challenges along the journey as well. At the moment, the topic of international interoperability is a really interesting one to me. And I think the European Union has certainly within its power, the ability to solve that between the member states. But I think there will be challenges to do with interoperability to other nations.
I also think that there will be quite an interesting series of events around who wins in terms of wallet provider. Clearly, the big tech have wallets already embedded into a lot of consumer devices. But it’s going to be interesting to see how that plays out. Particularly in the context of the European Union project, as they have quite a different perspective on how a wallet should be governed more than anything else. So that’s going to be a really interesting thing to watch over the next couple of years, and I’m sure will produce some great and informative outcomes. It’s an extremely interesting experiment.
Oscar: Yeah, it sounds great.
Mark: And I think some of the members of our groups are active in that space as well. And indeed, the OpenID Foundation has been contributing quite strongly to that project with a couple of the key protocols in and out of the wallet being selected for the first round of proof-of-concept work in the European digital identity programme. And there’s definitely conversations going on around trust of issuers and wallets. In the context of the OpenID Federation spec as well. I know that some of the Italian contingent are quite keen to promote the use of that protocol in the European digital identity wallet space for organisation-to-organisation trust effectively.
Oscar: Excellent. So final question for both of you. So, for all business leaders that are listening to us now, what is the one actionable idea they should write on their agenda today?
Mark: I’m going to say that they should be considering how they integrate reusable digital identity into their business processes at some point in the future. A lot of what has been done before has been very organisationally focussed and very transactional. So, us poor end users have to go through identity verification processes quite frequently. And I think going forward it would be better for end users and better for organisations to be able to reuse those assured identities.
Elizabeth: I totally agree. So, I’ll take a different angle on the question. I would address, rather than business leaders, namely standards bodies, regulators and yes, potential ID providers, including government providers, even banks. There’s a lot going on in this industry as we’ve talked about so many exciting movements forward. So many standards reaching points of maturity. And we’re really, really excited by the developments that we’ve seen over the last few years. As we put in our paper that we’ve written for government officials, no single solution or standard or architecture is going to be a panacea.
No one thing is going to solve all the world’s problems. So, we would all really benefit from, if not slowing down, then at least taking the time to speak to each other. Make sure that we understand how we’re going to establish multi-party trust, checks and balances in the systems, mitigate the risks of fraud while protecting privacy. I would love to see more, even more open, transparent communications, public private partnerships forming in this space. So that’s what I’d put on your agenda.
Oscar: Both sound very good. Well, I’m very happy to have had this conversation with you and hear this very good news, the progress that GAIN and all the partners have had. So, congratulations and well done to you, Elizabeth, Mark and everybody who has been involved and is involved.
So, a final piece, just let us know how people can find more information about this project or get in touch with any of you.
Elizabeth: Yeah. So, I think the fastest way is probably – there is the OIX Global Interoperability Working Group. The fastest way might be openid.net, there’s a GAIN community group there. Either way that will get you to where you need to be. You can also obviously reach out to Mark and myself. We are available on LinkedIn. So yeah, please get in touch.
Mark: Let me just reiterate then openid.net and there’s a search box there. Please put in GAIN. You’ll find a number of items there that may be informative.
Oscar: Perfect. Again, it was a pleasure talking with both of you, Elizabeth and Mark and all the best.
Mark: Thanks Oscar.
Elizabeth: Thank you.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Single Sign-On Best Practices: How Organisations can Implement SSO with Keith Uber, Ubisecure
Episode in
Let's Talk About Digital Identity
Let’s talk about digital identity with Keith Uber, VP Customer Success at Ubisecure.
In episode 94, Keith joins Oscar to delve into Single Sign-On (SSO) best practices and how organisations can implement SSO – including technical aspects, how it is used in practice and the advantages of SSO.
[Transcript below]
“The best type of single sign-on is where the user doesn’t notice it.”
Keith is VP Customer Success at Ubisecure. As an Identity and Access Management product expert, he leads the Sales Engineering team and is involved in many stages in the planning and design of demanding customer implementation projects. Keith is active in various industry organisations and has a keen interest particularly in government mandated digital identity systems. He holds a bachelor’s degree in I.T. and a master’s degree in Economics, specialising in software business.
Check out Keith’s SSO video series.
Connect with Keith on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 94.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Single Sign-On is one thing that today we take for granted. So, it’s even hard for us to remember when the first time was that we used it. Today, we’ll go a bit deeper into that and in which direction Single Sign-On is going. And for that we have a special guest, who is Keith Uber, VP at Ubisecure. Hello, Keith.
Keith Uber: Hi, Oscar.
Oscar: Thank you for joining us for the second time. So, you have been – two years ago. Two years ago, you were here before talking about mergers and acquisitions. So happy to have you back here.
Keith: It’s a pleasure. Thank you for the invite to come back.
Oscar: Yeah, nice to have you, Keith. And we’d like to hit a few things about yourself. So, you can tell us about your journey to the world of digital identity.
Keith: Yeah. So, my entry into the world of identity probably began around the year 2000 when I had just moved to Finland from Australia. I was working for a telco provider, who in the – around the dot-com boom era had been acquiring lots of small businesses. Lots of startups, they had their own projects and all of these had many different types of identity systems and login systems. And my introduction to that process was – my job was to evaluate different solutions to their problem and ultimately, take part in a commercial pilot to implement a product to solve that problem.
Oscar: Excellent. And I can already imagine that single sign-on had some role in that. Just guessing that yes, single sign-on is something that. I was really trying to remember when was the first time that I used it and it’s quite difficult. Because it has been coming in different flavours I would say.
Probably the first time I used was in one of my first jobs when, you know, you go to the office – people used to go to the office every day, and today is not, not for everyone at least. And then you sit down, and you login to your computer. You login to the domain and then suddenly, you can access some of the internal applications without logging in again. So that is one of the ways. And then later it came, what we see more often today is the web single sign-on, right? So, several applications.
So, in order to start with the basics, how do you define single sign-on in a nutshell?
Keith: Yeah. Single Sign-On is maybe a more technical term that the industry understands. But for the end users, they don’t really understand what the single sign-on means. But they do understand that they don’t want to have to sign in again and again to different parts of the same website or different sections of the same company. So single sign-on is the ability to sign-on once using any form and use that same session information across many different services. For the end user, that’s great. That means that’s one less username and password, or many, many less username and passwords, or many less authentication methods for the user to manage.
And you mentioned the internet, or the web-based applications, as a kind of thing that sort of came along. So, a long time ago, we all used to have desktop machines, and we would have fat client-based applications and we’d even have to sign into those. Early on, there were different solutions for remembering and replaying the usernames and passwords across different fat client applications. And that’s what we call enterprise single sign-on.
That’s very much faded away as the world has moved to web browser-based applications where people are spending most of their time in a browser or signing into applications based on browser-based technologies.
Oscar: Thinking of us, as normal users, like the majority of users, we are using it without noticing, right? You might ask people what single sign-on is and they’re not sure, or maybe they try to find the meaning from the name itself, but it’s everywhere.
So, if you can tell us a bit more about how people are using single sign-on, SSO, in practice? So, what are the – how many ways, what are the scenarios? How many scenarios? Or just mention a few of the most common ones.
Keith: Yeah. So single sign-on in essence is the reduction in the number of times that you have to sign in to the different services. So instead of signing into different parts of the same website that might be based on different technologies, you only have to sign in once. And then when you transfer to a different section of the website or a different application within an organisation, you’re already logged in, your name appears, and your information appears.
And a lot of what’s happening, or the technology behind that is happening behind the scenes. It’s mainly invisible to the user and that sometimes makes demonstrating single sign-on, for example, quite a boring demo. Because you’re actually removing a lot of the things which you don’t want to see, and the end result is you see nothing. So, the best type of single sign-on is where the user doesn’t notice it.
But there are other advantages. For example, in order to create an account, you only have to create that account once. So, the user registration process is also simplified with a single sign-on. Without single sign-on, you would have to have a registration process for every individual user application. Or at least some way to authorise your account to be used on other applications. So that makes it easier.
And then password reset, or credential management is then simplified. Because instead of having to reset your password in different services, you can reset your password in one spot, and it’s the same password used for many different services.
Oscar: Yeah, indeed, that illustrates the advantages that as you also said is the users don’t notice. It’s well, in a way, invisible once it’s set up.
So, going deeper into, what are the nuts and bolts of single sign-on? I’m sure there are many technicalities behind, but what are the main standards that make single sign-on possible?
Keith: Yeah. So single sign-on doesn’t have to be done using standards. But of course, standards simplify the implementation process and simplify the management of the solution. There’s basically two main standards which are in use today. The older standard is called SAML 2.0. And this is an XML-based standard. A way to transfer information about the user and the login session between different services using public key-based technology. In more recent years, and the more modern technology is what we call OpenID Connect, which is based on OAuth 2.0. Different workflows use different parts of those two standards.
And that’s a JSON-based, REST JSON-based protocol. It implements most of the same use cases, most of the same user flows. But of course, as technology has developed, new use cases have come, now OpenID Connect is what we call the gold standard. Even though it’s the gold standard, there’s still a lot of software systems and products which are based on the SAML 2.0 standard.
So, to truly implement SSO in a – as wide range of target applications as possible, the best thing is to have a solution that supports multiple standards. And there’s ways to bridge between these two standards. So that some applications can use SAML 2.0, and other applications we use OpenID Connect and you don’t have to do a lot of your own development work. Because if the products and the servers support those standards, it’s pretty much plug and play.
Oscar: Yeah, indeed, as you said, two main standards, even though there are other ways, but the two main standards are SAML 2.0 and OpenID Connect. Yeah, even though there are two main standards, there is a lot of software that can make single sign-on happen. We know because from experience, having been talking with customers, organisations of different sizes. And even though we feel as users that single sign-on is almost ubiquitous, there are still many organisations, companies that don’t have single sign-on, or don’t have single sign-on at least for all the applications.
So, it’s common that there might be in an organisation, let’s say 20 applications and a portion of them, let’s say four of them, which have some similarity, they have single sign-on. But all the rest are disconnected, different identities for that.
So, there is still some technicalities behind putting that in practice from an organisation perspective. So, if you can tell us how organisations can implement SSO. The main step, let’s say, for setting up single sign-on.
Keith: Yeah. What you described is a common scenario that even a company that’s implemented SSO in their environment. There could be a lot of applications which are outside of the system, either they’ve been implemented by a team that was unaware of the technology or unaware of the how to do it, or the product developers were unaware, the people buying it didn’t know what to ask for. So, there’s a lot of situations where a company can be – have SSO in place for maybe their main applications. But maybe for their own employees or different user groups, such as external suppliers, they might really go back to square one where the users have to log in many, many times.
The best way to implement SSO is to pick the most used applications, that are used by most of your customers, who are probably requesting that today, especially for consumer customers. The most typical situation is that there’s a main application, it might be a web shop, or some service portal, it’s connected to some other related application such as a support portal or documentation system or something. And these two services are used hand-in-hand and they’re used often by most of the users. So, you try to work on the principle of bringing in the most used applications that touch the most users sort of in a priority order.
SSO isn’t something that you would implement across the whole organisation and across all applications overnight. It’s done as a roadmap project, where over the lifecycle of different applications, you would plan carefully which applications you’re going to switch on for SSO. That might be on-premise applications or cloud services. It’s important at the very start to do an inventory of the applications which you’re offering to different user groups. Clearly define those different user groups, see what authentication they’re using already today, and then prioritise how you’re going to move them across to a true single sign-on system. It’s something that has to be done bit by bit.
Some applications may need to wait until their supplier switches on SSO or makes it available for the customers. Some cloud services might charge additional service fees for enabling corporate SSO, some might already have that today that’s just not turned on for your organisation.
It’s really good to work with pilot organisations, especially in B2B. And these are probably organisations which are already coming to you, already asking, when will you support my corporate login? When will I be able to click through and not have to log in? When will I not have to synchronise my users with your service, for example?
Because one of the big advantages of SSO, when we’re talking about business-to-business use cases, is allowing customers not only to move between the applications that you offer but to allow them to use the authentication method which they already have, which is their corporate login. That might be their own SSO system, or typically today, it’s Azure AD corporate login that they use. Not only for the Windows desktop and cloud services, but you can use it for third party applications as well.
And as the project goes forward and people start to see the benefits, then it becomes a little bit like a tsunami. That then you get requests to switch on every application that you have or to have a goal, to have as many as possible.
Of course, for some applications which are used by a very small user group for a very specific purpose, or very infrequently. The cost and effort of implementing SSO for – even if it’s just configuration, may not be worth the effort or the return. But you’d focus on the high volume, high value applications first.
Oscar: That’s definitely a good observation. High volume applications and the most relevant applications, those are the ones to do first and then gradually all the others.
In terms of best practices that you could give us – let’s do it from two perspectives. From the end users in which might be easier, and then you can go deeper into the – what are the best practices for organisation. So, what would you say to users, either they’re aware or not, they are using single sign-on. But to users who are regularly using single sign-on?
Keith: Yeah. So, for end users, these are the untrained, for example, citizens or consumer users for your services. You have to make it as easy as possible and as simple as possible and use the language that the users understand. So best practices there are to avoid any of the technical terms which are not understandable to begin with. But to make it a very simple and easy process for the user to – for example, register an account, approve terms and conditions, approve attribute consent to allow their information to be processed. To make it easy for them to adopt strong passwords, and have a suitable password policy for the target service.
And then, of course, a way to – or today, it becomes basically standard that you would – enabling a two-factor authentication. Which is familiar for the target audience, something that they’ve done before, they know how to use and something that’s appropriate for the risk, sort of the risk involved in the transaction. You don’t want to have to get the user to do some very complex authentication process just to look at their information. But you might want to have a step-up authentication or a stronger two-factor authentication. For example, in conjunction with some high value transactions, such as a bank transfer or termination of an account service.
My recommendation for end users is just to remember that it has to be understandable and easy to use and configure or design the system accordingly.
Oscar: And for organisations?
Keith: For organisation, it’s really important that the whole process and the whole project around single sign-on is very, very well documented. It’s a core part of security for the applications. It should be regularly reviewed, to understand is it keeping up with the latest threats in the environment? Part of that review is not only the paperwork review of the policies and configurations. But regular automated reviews of logging events, things that happen in the system to trigger evidence of potential attacks or anomalies in the processing. And to address those swiftly and quickly to make sure that there’s no impact on the organisation.
So, it’s important that you dedicate adequate resources either within the organisation or through a partner. Not only through the implementation project, but through the ongoing day to day running of the system. To understand the responsibilities of who is responsible for what and who is monitoring and actioning those events.
Of course, for organisations, one of the downsides for single sign-on is that in some ways, you put all of your eggs in one basket. That if the single sign-on system fails for one reason or another, it can become a single point of failure. But it’s a risk that could prevent users from signing in, and it could prevent customers from buying things. It could prevent customers from moving to a new application within their session.
So, it’s important when the system is scoped and system is implemented, that’s taken into consideration. So, it’s highly available, works at a high performance, can deal with any sort of attacks from the outside world. Because it was, it becomes, in a sense a front door for the organisation. So not only does it have to be welcoming for the user community, and easy to use. But it has to be very well hardened, with very strong locks, so that you’re not a victim of any kind of organised attack on the system.
Oscar: Absolutely, it’s very good that you emphasise this importance of hardening the systems on which single sign-on has been built. As you put a piece of software and behind there’s a lot of infrastructure, servers. Everything has to be well-secured indeed. Even though, as you see, we have been talking about this easiness of its function, single sign-on. It sounds like a solution that you just switch on, and it’s ready. But it’s very good that you emphasise all these security and availability aspects, because it’s so important.
Keith: On that topic, the standards, for example, SAML 2.0, OpenID Connect. They give you a lot of protection. They have well-defined and reviewed and audited protocols and flows, which have been tested and seen the test of time. But even though the specification says something, it’s the implementation which has to be examined. So, it’s very easy for somebody to make a simple mistake, which can put either an individual application or the whole system at risk. For example, incorrectly validating a signature, or looking at the incorrect audience information or so on.
So particularly where the coding is done by an individual team, it’s important to have the technical reviews and technical audits and importantly, testing of those solutions. Luckily, especially for OpenID Connect there are very, very powerful tools for automated testing of implementations. Which is a great way to give yourself faith in an implementation. To see how it complies with the various risks involved in poor implementation quality.
Oscar: Such tools that – for instance, in especially in the OpenID community there are these, of course products of several years of, I don’t know thousands of organisations contributing to that standard. So, and there has been, of course, evolution of those standards.
So, seeing also the evolution of the standards behind SSO and what other functionality that comes along with single sign-on. What do you see today are trends related to single sign-on?
Keith: Yeah, I think single sign-on is quite mature in terms of, how if for generic single sign-on, for example, for web applications, moving between one application and another. What’s interesting is multi-device single sign-on when you’re, for example, signing into a set-top box using your mobile phone or signing into applications across devices where a session will follow you.
Today, we’re seeing the better understanding and the commercial release of passkeys. So, this is the culmination of years and years of work on standards such as WebAuthn and the FIDO Alliance standards. Which is now finally wrapped up into consumer understandable services which we know as passkeys. And that kind of takes the user out of the equation when we’re creating – it’s no longer creating passwords, it’s a passkey. They don’t have that risk of creating a credential which is too weak. It’s all, in a way automated and easy to understand. And I think that’s a really exciting thing.
Something new for users to understand how to manage their own collection of passkeys, their own wallet. And how to keep that safe and be able to recover if they lose or break their device. It has its own challenges, but that’s probably the latest, biggest trend. It doesn’t mean that you use the same passkey for every service, still you have a different passkey for every service. So, it’s not like all of the different services are connected in that way. So, it’s privacy protecting.
The related technologies, which I think is a current trend is more of an authentication method. Which is used for single sign-on systems, is related identity wallets. Which are now really starting to come into the public use. Where an organisation can issue a credential and assign that credential and the user can be asked to present that at various services. And they can present as much or as little information as they want. And the service receiving that information can be sure it’s issued by the organisation that issued it.
It’s really exciting, the EU identity wallet projects will bring that into the forefront as more and more governments adopt those type of services. And we’ll see that, we’ve seen that already with, for example, electronic driver’s licenses and electronic professional credentials. So, they will spread, and it will make things easier, I think, for the user. A lot of time and effort into hiding the complexity and the security beneath it all and making the user experience friendly and familiar. Using the service logos and branding and colours and the analogies to cards that you have and so on. So, it’s a big thing.
And this might also drive many, many single sign-on projects. As customers won’t know how to ask for single sign-on, but they say, “Why can’t we? Why can’t we sign into all of these applications with a passkey instead of using individual credentials for each service?” Those discussions become the underlying discussion of a single sign-on set up with passkeys as the authentication method.
Oscar: Yeah. I’m sure the user will be pushing the companies or organisations to deliver single sign-on now that these technologies, passkeys and wallets are reaching that usability level. That it’s ready to be used for the masses.
Final question for your Keith, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Keith: I think for single sign-on, one of the related technologies is what’s called federation. And federation is when you have single sign-on across organisational boundaries. So, for example, I could sign in using my Ubisecure login into a third-party application where I do work, for example, with other companies. And this federation signing in with your own commercial credentials across organisational boundaries is something that I think a lot of organisations haven’t benefited from enough today. And that would be – maybe my actionable idea is to look at the B2B applications that you have. Look at the time it takes to manage the users in those systems. For those users to get an account, those users to ask for access, for audits to be done. How do you check what the company is? Are they still in operation? Does that person still work for the company?
A lot of those problems can be solved by implementing cross organisation single sign-on – this federation. And it can be as simple as entering your email address and then signing in using the – or approving the login using your existing home organisation single sign-on. Or signing in using Azure Active Directory sign-in. In that way, the target application or target organisation gets all of the up-to-date information about the user that they were allowed to get or that they requested to get. They get evidence that the user has a continued relationship with that organisation. And of course, they get single sign-on, so they don’t actually have to sign in again. They might just approve the login and get to work.
It’s got benefits for all parties in the transaction. It improves security, it improves the auditing. It’s easier to use. It’s convenient, less hassle, less clean up, less risk. And I think it’s not anything new in terms of technology, but it’s something that’s underutilised and maybe undervalued.
Oscar: Yeah, I agree with that. I think organisations could use more to fulfil the potential of more collaboration between organisations. By using these techniques that there has been for a while, and we have been discussing today.
Thank you very much, Keith, for joining us today. It has been super interesting to hear more in detail what single sign-on can do for different types of organisations. And of course, ultimately, to make our lives and users life much easier. So, if someone would like to follow this conversation with you, what are the best ways for that?
Keith: Best way to keep in touch with what I’m doing and what Ubisecure is doing is through our website at www.ubisecure.com. There you can register for various newsletters and so forth. I’m not so active in social media in recent years, but I do have a Twitter handle @KeithUber. Through the Ubisecure Twitter, @ubisecure, we’re happy to engage and participate. We share lots of ideas, including this very good podcast and related interviews.
Our team is also responsible for the IAM Academy Training Program. The IAM Academy Training Program is a way that we share our knowledge with our customers, partners, and anybody who is interested in learning more about the nuts and bolts, the policies and practices of Identity and Access Management and Consumer Identity and Access Management. We run that training various times over the year. And that’s a great way to have a deep dive into the field. So, I welcome you to register for IAM Academy, which is also through our website at www.ubisecure.com/iam-academy/.
Oscar: Yeah, absolutely. You’re very welcome to join us in IAM Academy. Well, I’ll be there if you join us. So, fantastic. Again, thank you very much, Keith, for joining us and all the best.
Keith: Thanks Oscar. It’s my pleasure.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
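In the episode above Keith names two of the classic relying-party mistakes in an OpenID Connect deployment: incorrectly validating the ID token signature, and not checking that the token was actually issued for your client (the audience). The following is an added example written for this page, not Ubisecure's code or any product's API, showing a careless decoder beside a validator that performs the checks OpenID Connect Core requires of a relying party (signature, iss, aud/azp, exp, nonce). To stay self-contained it signs tokens with HS256 using a shared client secret (a signing option the spec allows); a production relying party would normally verify RS256 signatures against keys fetched from the provider's JWKS endpoint. The key, issuer URL, client IDs and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256-signed JWT, standing in for the OpenID Provider.

    HS256 with the client secret keeps this example dependency-free;
    real deployments typically use RS256 with keys published at the
    provider's JWKS endpoint.
    """
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class IdTokenError(Exception):
    pass


def careless_decode(token: str) -> dict:
    """The mistake: read the claims and trust them without verifying anything."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now=None) -> dict:
    """Relying-party validation of an ID token (OIDC Core, section 3.1.3.7).

    Checks structure, pinned algorithm, signature, iss, aud (plus azp when
    several audiences are present), exp and nonce, failing closed on the
    first problem. Returns the claims only if every check passes.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        raise IdTokenError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IdTokenError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:  # a token minted for another relying party is not ours
        raise IdTokenError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt (replay defence)
        raise IdTokenError("nonce mismatch")
    return claims


# Constructed demo values; not taken from any real deployment.
DEMO_KEY = b"demo-client-secret-do-not-reuse"
DEMO_ISSUER = "https://idp.example.test"
DEMO_NOW = 1_700_000_000


def demo() -> dict:
    """Return {case: (subject the careless decoder trusts, strict verdict)}."""
    claims = {"iss": DEMO_ISSUER, "sub": "user-42", "aud": "support-portal",
              "exp": DEMO_NOW + 300, "iat": DEMO_NOW, "nonce": "n-1"}
    good = sign_id_token(claims, DEMO_KEY)
    # Valid signature, but issued for a different relying party (the "web-shop" client).
    other_rp = sign_id_token({**claims, "aud": "web-shop"}, DEMO_KEY)
    # Payload edited after signing; the original signature no longer matches.
    h, _p, s = good.split(".")
    tampered = f"{h}.{_b64url_encode(json.dumps({**claims, 'sub': 'admin'}).encode())}.{s}"

    results = {}
    for name, tok in (("good", good), ("other_rp", other_rp), ("tampered", tampered)):
        careless = careless_decode(tok)["sub"]
        try:
            validate_id_token(tok, DEMO_KEY, DEMO_ISSUER, "support-portal", "n-1", now=DEMO_NOW)
            strict = "accepted"
        except IdTokenError as err:
            strict = f"rejected: {err}"
        results[name] = (careless, strict)
    return results


if __name__ == "__main__":
    for case, (careless, strict) in demo().items():
        print(f"{case:9s} careless trusts sub={careless!r:10s} strict={strict}")
```

The audience case is the one Keith's remark points at: the other relying party's token carries a perfectly good signature from the same provider, so a check that stops at "signature verifies" still lets one application's users walk into another. Pinning the algorithm before verifying, and checking exp and nonce against the values the relying party itself generated, closes the remaining replay and substitution paths.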
Understanding the Cultural Aspects of Digital Identity with Kalev Pihl, SK ID Solutions – Podcast Episode 93
Episode in
Let's Talk About Digital Identity
Let’s talk about digital identity with Kalev Pihl, CEO of SK ID Solutions.
In episode 93, Oscar is joined by Kalev Pihl, to answer ‘What are the cultural aspects of digital identity?’ They delve into the role of culture in shaping digital identity and how digital identity is being treated as a detached technology, without considering cultural differences. Alongside discussing the challenges in recognising these cultural aspects, as well as sharing some of the solutions that have successfully prioritised the human aspects of digital identity.
[Transcript below]
“We have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world.”
Kalev has worked with digital identity for over 25 years. He started with the topic on the governmental side, preparing Estonia for electronic identity on the national identity card. He has since worked in the financial sector and at Microsoft. For the last 15 years he has been CEO of SK ID Solutions, a trust service provider that serves digital identities in Estonia, Latvia and Lithuania.
Connect with Kalev on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 93.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. What are the cultural aspects of digital identity? So that’s definitely a good question and a very relevant question and this is one of the questions that our guest today is going to answer.
Our guest today is Kalev Pihl. He has worked with digital identity for over 25 years. He started with the topic on the governmental side, preparing Estonia for electronic identity, or national identity cards. Since then, Kalev has worked in the financial sector and at Microsoft. During the last 15 years, he has been the CEO of SK ID Solutions, a trust service provider that serves digital identities in Estonia, Latvia, and Lithuania. Hello, Kalev.
Kalev Pihl: Hi, Oscar.
Oscar: It’s nice talking with you, Kalev.
Kalev: It’s been a while.
Oscar: Yes, Kalev. So, let’s talk about digital identity. And the first thing we want to hear from our guest is something about yourself and especially your journey to this world of digital identity.
Kalev: I think the journey to digital identity for me went through this very physical, governmentally controlled national identity. So that was my starting point. And I guess that’s where I’m a bit stuck with my mindset as well, sometimes. And this is my limit. But that’s how it started.
So, it started from the idea that in the world of physical human beings. Governments tend to have this role in society to name, number and identify the residents, they treat as their residents of the country, we are speaking about.
And whilst we have probably different other nicknames in different other societies. And somehow, globally, these governmental-issued identities have become the norm of; How do we know each other across the world. How do we identify the people whom we don’t know beforehand. So, I think from that angle, I’ve stuck with the idea that governments have the role of naming and identifying who we are.
Oscar: Yeah, indeed. I think it’s – I mean, in my view, probably in the constitution in most countries, I’m not a lawyer, but I’m sure it’s written in some of the laws. So that’s one of the functions of the government. And yeah, and that has been translated in our very, let’s say, not very recent time. But talking, especially in the last maybe 20 years that we have such digital identifications, like Estonia is pioneering and in a few other countries as well. It’s pretty digital, pretty well-established.
Kalev: Yeah. I think that the – for the beginning of any country or state in the physical world, some limit, some borders, what is the ground they own. Then we are talking about some legal framework, what is the agreement. Then we need to know; between whom is the agreement? And those are then the human beings in the society, and that’s kind of what every state or country is made of, I would say.
And that’s something that if we go now, from this real-life identity and tried to tackle the digital identity, the idea. Then there are two kinds of attitudes. One is that digital world is borderless, global or universal even. And therefore, doesn’t require and there’s no relation to any, these kind of physical limitations and countries, states and therefore, like no borders, no anything. And then the other is that it is just – it should be, is and will be always a reflection of something that physically makes sense. Only then it becomes meaningful in a larger context when it is physically meaningful.
So, I think that’s one of the starting points if we say that there is a point to the cultural differences. Then the culture that we started off with is clearly not so much digital, but rather what the culture is before anything digital, and then definitely, we have different digital cultures as well.
Oscar: Yeah, yeah, that’s true. Every country has internally a different culture while some often several cultures inside a country as well. And this is something that shapes digital identities that we, the ones who are in this industry have been shaping and continue shaping today. So, yeah, tell me more about that role that the culture plays in shaping and influencing the current and the ones that are coming in the digital identity.
Kalev: Yep, sure. That’s the topic for today. So, the culture that we can see in the digital identities is quite a lot, related to, the ways how we culturally trust our own governments. How the government trusts its citizens, residents. And also, it’s very tightly connected to the idea of what is and how the privacy as such is defined in the society. A couple of episodes ago, you discussed heavily again, this kind of ISO standard on the privacy. And privacy is something that is cultural as well, and it’s not globally, universally defined as a value. And where the value kind of lies actually and these cultural differences. How they look in the digital identity is exactly, I would say, let’s take the two extremes.
One of those extremes is that digital identity is something that is central, that binds all of the digital actions that one does in a digital world together. And therefore, makes you, in essence, traceable, recognised everywhere. You cannot hide in a digital world, based on that identity. This identity reveals you everywhere.
And then we have the other extreme. We have digital identity that must, in essence by definition, protect you from being recognised from one environment to another. You must have different representation in different contexts. You have to have the right not to be recognised and not to be traced.
So, I would say that, culturally, the need might be on both of those extremes and something in the middle. And that’s I think, something that we are struggling globally now, that we are trying to talk about digital identity and what this identity does. What kind of privacy does it guarantee and what the privacy means to anybody.
And then we – then we are stuck with the fact that we don’t define the digital identity. We believe that everybody understands identity and digital identity in the same manner. And then we also try to say that the privacy is preserved. Privacy is granted. Privacy is by default, as we like to say, or by definition and by default. But what this privacy means in this context of digital identity and usability also is not defined. So, we kind of use the buzzwords, and we neglect the background from which we come. And therefore, we don’t understand each other, and we try to regulate that in different places. And well, make a lot of mistakes in that.
Oscar: Yeah.
Kalev: I don’t know if that makes sense to you, Oscar.
Oscar: Of course, a lot of sense. So, one concept, one particular concept you mentioned is privacy, right? Which can – well, not can but means different things in different cultures, in different countries. That’s true. I understand that. And it’s a challenge to try to have a definition and based on that create the laws, create the technologies that support that. Yeah, indeed. It’s a very, very good reflection that you are doing.
Kalev: I think that with the privacy, again, similarly, those extremes. And as I said, one of those extremes is on this identity and the definition regarding that privacy is that: OK, the privacy means that there is no data about me anywhere that I specifically didn’t reveal myself knowingly, giving the consent to that specific data to be revealed about me. Which makes me in the centre of all the transactions about me. And well, gives me a lot of work, let’s be honest, because there are several institutions all the time that work kind of for me. Make my digital life easier, and they need to make decisions. And if those decisions need my data, then therefore I need to make a lot of decisions to reveal or not reveal that data to them.
And the other side of that is, and I would say the other way of looking at the same privacy, kind of, from the same concept, still saying that privacy is preserved, privacy is kind of granted and by default, by definition, is that whenever your data is used, then you, by nature of the setup, have the control over who and where and for what used your data. And therefore, you can kind of trace it back and say that, well, why did you do one or the other thing? And if they didn’t have the right, didn’t have your permission, didn’t have legal rights to something, then they will be punished by the law.
So, it’s kind of – one is preventing anything to happen upfront. The other is giving the privacy through the control that you know everything that has happened with your data. And therefore you are able to take the parties involved and make them responsible for their actions. So, like these are maybe couple of ideas of how to look at the privacy from different angles as well.
Oscar: Yeah, indeed, in the case of privacy, just to give a concrete example. But how would this start if privacy or any other concept has to be defined based on the culture of our country, or our region? So how is it really defined?
Kalev: Yeah, the question then, when we talk about like, building creating digital identity. We kind of often think that this is one type of things to be done everywhere. What I’ve learned over the years, and I’ve really had happy accidents of meeting so many different countries, cultures, in different places talking about digital identity now, really tens of years. Then it still turns out that we are building the digital identity for a specific set of human beings. And those human beings have some connection to a culture, even if that’s a digital culture. Even if we say that digital identity in a social network, like Instagram, is a digital identity. For the people who use Instagram, who have some cultural preferences, otherwise, they wouldn’t use that environment. So, they have kind of agreed to a cultural norm there.
Or if we say that we are looking at a country somewhere in the world, like Thailand or Mexico. Then we are building the digital identity for that culture that suits the beliefs and traditions of that set of human beings. It’s not a one-size-fits-all. But rather this one-size-fits-one kind of thinking that I have come to believe in more in recent years. That there is not this one single solution that everybody will, kind of, inherently fall in love with. They have so many things in their historical backpack that it will definitely tilt their preference.
They have some bias to expect something that any other culture would never ever expect from the same solution. And we have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world. That we do believe in different things, we do act based in different preferences, culturally and that makes us interesting as human beings. We are not the same everywhere in the world and how to preserve that in the digital world. How not to become culturally one the same. Following one and the same set of rules everywhere, having the same solutions everywhere is an interesting, very interesting challenge, I would say for the humanity.
Oscar: Yes, yes, it is, and I agree with you when you said that there shouldn’t be like one solution to be somehow imposed globally. That is the reason why, in practice – I mean, the reason why, just in the case of the national digital identities, the one from Estonia is different from the one from Finland, Sweden, Singapore, et cetera. They are based on similar underlying technologies; OpenID Connect, public key infrastructure, et cetera. But in the end, they are – they were designed differently because they’re solving a problem for different cultures. That is correct.
Kalev: Like facial recognition anywhere in the world, fingerprint-based identification somewhere like. Those are things that either are or are not culturally meaningful. I would say Western Europe has some kind of cultural connection in taking, giving and recognising fingerprints, and it’s deeply I would say, related to the criminalistics and then crime. And therefore, this kind of feeling when somebody asks your fingerprint somewhere, well, wasn’t very, very pleasant, I would say. Touch ID and other similar kinds of things have now a bit eased this feeling. But if we’re talking on the national level, fingerprint collection, fingerprint-based recognitions, then this feeling is still there, whilst it isn’t there with a face.
Although like, if we talk technologically then it doesn’t matter based on which kind of biometrics, I recognise you. But the acceptability within the culture, like face versus fingerprint was really, really different, still is a bit different. And the same kind of routing in the criminology didn’t appear in many Asian countries, in some Middle East countries where these fingerprint-based quick recognition tools in physical interactions were introduced. And there was no objection from the society. It was very, very acceptable.
So, all of those, kind of, bits that we are taking from different either literature, or some really historical reference that we take with us. Those too change the way how we are able or not able to roll out any given technology for the digital identity, absolutely.
Oscar: Yeah, that’s a very good example, the one of the fingerprints. I didn’t think about that. But yeah, it doesn’t surprise me that in different parts of the world, the perception is completely different. And it’s just the culture as you said.
Kalev: Yeah, facial recognition in Middle East countries, revealing your face in public for female citizens, well, it’s not very common. And something that again, we from Western Europe don’t recognise easily, but it is, it is a thing.
Oscar: Could you share now some successful examples, or I mean maybe not, it sounds like from this discussion that there are not many, at least 100% successful examples. But some, to some extent, successful examples of how these cultural human aspects have been taken into account to deliver good solutions for digital identity.
Kalev: Well, being a CEO for SK ID Solutions. Of course, I have to tell that I believe that we have been able to deliver for at least the Baltic States, Latvia, Lithuania, Estonia, solutions which are relevant for the culture where we are providing those services. And in that regard, we have also faced some clear opposition from the cultural perspective in some areas here. But yeah, that’s one of the things that maybe is possible here and isn’t possible in some other countries. So, our current service that is really used for more than half of the population in the Baltic countries is based on the fact that people know and use their national identity code as a unique identifier for themselves. And it is used in different environments now but is kind of creating unique identifier per any kind of system.
The same pretty much applies to the other countries. But then when we will take that concept, the same concept that is successful in variations also in Finland, in Sweden, in Norway, those are all kind of based on the single one identity. And all of them have like bank ID in Sweden is definitely a success story, from the usability and amount of users behind it. They are based on this idea that there is this one unique identifier, and you can reuse that in different environments. And it’s really serving the culture there and here. So, I would say that this is the way how it has been functionally well rolled out.
And we have to then say that the same ideology would not be allowed, possible, accepted, for example, in Germany. That kind of falls to pieces at the border of Germany. It simply isn’t welcomed there, by constitution. Because the constitution in Germany says that: well you shouldn’t, you should never ever create a solution where the user is reusing its attributes in a manner that you can trace them. From one, let’s say, government institution to another, from one company to another. You have to be messed up everywhere. Where you try to figure out if that same person came from one institution to another, you are bound by the constitution to be puzzled by that.
Oscar: All right, well, interesting. Well, that’s defined by law in that case.
Kalev: Similarly, it is not allowed in Hungary, for example, to have a unique identifier for a person.
Oscar: And what were the objections or the reactions you had in, you mentioned earlier in the Baltics. So, what, what was not culturally accepted, let’s say there?
Kalev: One of the things was that really this identity code is semantically meaningful, and to use that as a user ID at some point definitely was kind of controversial and needed a longer public debate. In Estonia, I think, 15 years plus, quite a long public debate about whether really the identity code as such can be publicly shared. And then it turned out that the reason actually – well, there’s definitely this semantic part that it really reveals your birthdate, which means that well somebody can understand how old you actually are.
But the more practical reason for objecting to that was that, and it turned out that and it still is the case. For example, in the US a lot of that kind of identity breaches that we are discussing, and which are like big, big, big fuss around the world. Those are based on the notion that’s kind of user identity, for example, the social security number in the US, is not treated as a user ID, but rather as a password. And those are very different things.
So, one is the link like this is who you are. And the other is proof that it is you that the claim is actually correct that this is your user identity. So, when it turned out to be kind of public, then what use cases were hit. And what was discussed quite a lot towards this type of phone-based service when you call in and the operator asks to identify you, your unique identifier. Which is public, which is listed everywhere where you have ever been, which is written into your identity documents. But still, as there was no better alternative then they opted for asking you for the identity code. And therefore, if that was now used publicly everywhere, well, everybody understood that cannot be used anymore.
And somehow the discussion, thankfully, has gone to that direction, at least in this region. that it wasn’t the right thing to do from the beginning to ask this identity code as a password. Because it has never been meant to be secret. The fact that not everybody in the world knows that doesn’t make it a secret.
Oscar: Yeah, yeah. So, what is nowadays, in Estonia, what is the kind of called, the username? Or there is such a username in – for this identity? Tell us a bit on how it works.
Kalev: Yeah, it is an 11-digit identity code. It really consists of six numbers that represent your birthdate, and then the seventh one gives the century and the sex you are being given. Then there are four digits that you have to really randomly kind of remember. And it has been a long discussion whether those should be or could be changed. And now, in Finland, in Latvia as well, we have had this experiment of introducing another identity code instead of the semantically meaningful one. And this semantically meaningful identity code can be like, in Latvia, you can once in a life, go and replace your meaningful, semantically meaningful identity code with this new identity code, which doesn’t mean anything anymore.
It’s only a couple of years old, this project there so I cannot say how successful it is. But what is interesting with this 11-digit code really that is based on a birthdate is that most of them are able to remember it, because the birthdate is something that you can remember. If a society like Estonia would be able to remember just random 11 digits correctly, I’m not sure. But like bigger populations, I’m even less sure because they should have like more digits remembered, maybe. Then should be based some kind of – and somehow already based in letters and names and so on.
So, in Estonia, it really is semantically meaningful 11 digits which you can easily remember, and people normally do remember their identity code. They are reusing that on a daily basis in different contexts. Therefore, it is something that is not also easy to forget, because the society requires you to remember it. That is also this identifier we are using to allow you to kind of state who you are in the electronic identity context, and the same applies to Latvia, Lithuania.
And then the other, maybe just remember the other part of what was discussed in this context of electronic identity then yeah for the identification maybe the semantical information to recognise person is maybe OK. And then – but is it OK for the signature and then therefore, we have had a discussion of where in the signature this type of information should appear or not appear at all.
So again, something that we are now discussing, not so much on this user identity but still on this, on signature part. You should still uniquely identify who signed something. But do you need anything other than this identification of this unique person? Whether it makes any sense and discussion, culture discussions not happening in all countries in a similar manner. Some countries are more kind of prone to say that it shouldn’t be there. Others say that it is actually well, impossible to do without. It’s very, very different already in those three countries. I don’t know if I answered your question, actually.
Oscar: Yeah, indeed, you have definitely illustrated pretty well how it works in Estonia and also in the Baltics. And that gives us a clearer idea that the – yeah, the problem that you are bringing here is, of course, big and it continues. As you say, there are some experiments in Latvia, Finland, and there are discussions in Estonia. So, this continues, even though there are good solutions, but this continues, this discussion continues.
So, if we focus now on, let’s say, you and I. We are working in companies who are building digital identity products. There are also, for instance, governmental institutions, who are building also digital solutions or services that rely very heavily on these digital identity solutions. So, from – what is the role of technology developers and designers in addressing these issues, these cultural aspects of digital identity?
Kalev: I think the biggest responsibility we carry is to be mindful about these phenomena of the cultural differences. And not to sell this kind of digital utopia that, that whenever we go to technical solutions, and your culture doesn’t matter, your infrastructure readiness doesn’t matter. It’s just “Buy my tech and you will be happy.” Promises should be avoided everywhere where it’s possible, even if there is a customer who’s willing to buy that promise. That’s really, I would say, the threat in the world what I see.
And maybe the other thing that is culturally important and must be addressed, I would say, in those, kind of, sales processes and discussions about future tech, is focus on really the cultural position of government, of public sector, how capitalism and making money is perceived in society. All of those things have different perceptions and therefore, your solution must suit the ideology that this culture is accepting. Either the government is the trusted and well-meaning party in the society where everybody is welcoming stuff that comes from the government because it’s always for the benefit of the greater good. Or the government is perceived as somebody who is sneaky. Who is always spying on you, who you suspect of making you guilty over the things that you maybe did or maybe didn’t. So, basically, being paranoid about the government.
Similarly, you have to be mindful about if the private sector is something to be perceived as innovative, as providing service for the value they are actually getting from the market. If they are actually stealing behind the people who are paying to them, who are overcharging everybody, who are greedy. Or if they are really making the economy work and able to kind of collect the taxes in the country at all.
So, like, these perceptions are also reasonable to know and to remember. When we are offering – what type of setup should a country, should a society, should this bunch of human beings were requiring the digital identity. What they should ask for, what they should build for, what is the way how to fund, how to make that environment sustainable? Me, being a capitalist believer, I’m always kind of telling that, that when we are building digital identities, we have to see if there is a way how somebody can earn something from the fact that digital identity is successful. That it is used, that it is spreading, that it’s actually making sense to people.
And if such, for example, motivation is in the society, then there is a possibility that somebody will go after this benefit and therefore make the digital identity successful. If the, like monetary value is taken away from the system, there is kind of everything is free of charge, paid by this anonymous taxpayer or government. Then there might be that we have an environment where if the government is trusted, if the government’s promotional speeches about take it, use it, it’s for better, good. Those could be trusted and could be a good vehicle for rolling out a digital identity.
But it again, very much depends on like, did we provide the same model that this culture accepts? Or we took a model from some other culture and tried to sell it to a totally foreign environment for that proposal? So, I think that what we have to – the technology providers do, we have to really build for those cultures that we are selling into and building into.
Oscar: Yes, yes, yes, we definitely need to understand very well the cultures where we are selling or helping with these technologies. As you said, in some countries the government is highly trusted, in others it isn’t. Then it can be that the banks are highly trusted in some countries, and in other countries, not at all. And then the same can happen with telcos, as you said, also the private sector, some technology vendors from the private sector. So yeah, that’s very important. And the first thing you said is about, yeah, being mindful of what you promise. That’s definitely a good reminder.
Kalev: Yeah. I think that this kind of naivety about technology being all good for every different situation still lives on. Similarly, of course, exists this naivety that technology, whatever it is used is evil. So, I think that both exist, but you should never fall into one or the other. It is never so simple.
Oscar: Yeah, definitely. All right. I will ask a final question. So, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?
Kalev: Yeah, I think that the message I hope has been quite clear that when building and when asking for technical solution, and especially as we are talking now digital identity. If asking for digital identity, ask: What is the fundamental belief of the environment where you are building it to? Don’t try to change culture through technology. It goes the other way around, culture defines technology.
Oscar: Yeah, you said it very clearly: don’t try to – don’t try to change culture with technology. Yeah, absolutely. Very simply and well said.
While hearing you, your explanations, came to my mind that for business when people are – businesspeople are traveling to other countries, there are some books that I, for every or for most countries say “what is the business etiquette” of every country. So, you should read that before traveling to that country. So, there should be a similar book but for the digital identity, right? We should have for every country, what and how you should – “what is the culture in every country in terms of digital identity and identity?” So, we know before doing business. So that’s something that came to my mind when I was hearing you.
Kalev: It would be nice if those books exist.
Oscar: Yeah, maybe, maybe I think you could be one of the co-authors, at least, you know a lot about this. Thank you very much, Kalev, for this very insightful conversation. So please let us know if people would like to follow this conversation with you, what are the best ways for that?
Kalev: Yeah, you can definitely find me through LinkedIn or write me. Our contacts on the skidsolutions.eu site are quite publicly available as well. So, I’m very public person in a sense, nothing is hidden.
Oscar: OK, excellent. Again, thank you very much, Kalev for joining us and all the best.
Kalev: Yeah, all the best to the listeners as well.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Closing the Digital Identity Public Trust Gap with Joni Brennan, DIACC
Let’s talk about digital identity with Joni Brennan, President of the Digital ID & Authentication Council of Canada (DIACC).
In episode 92 Joni Brennan joins Oscar to discuss how the Digital ID & Authentication Council of Canada (DIACC) are working to close the digital identity public trust gap – including the key findings from the DIACC’s 2022 research and how this can inform future policies, the issues with poorly designed solutions and the importance of balancing accessibility and ease with privacy and security within these solutions. As well as discussing how education and awareness can help bridge the gaps and what can be done within governance and policy to support digital identities, transparency and data control.
[Transcript below]
“So, I think this is a call to action for us to continue to work together to provide people with the option so that they can do what they need to do in a safe and secure way.”
Joni Brennan is President of the Digital ID & Authentication Council of Canada (DIACC). Building on 15+ years of experience in Identity Access Management innovation, adoption, and industry standards development, Joni helps the DIACC to fulfil its vision by delivering the resources needed to establish a digital identity ecosystem that accelerates the digital economy, grows Canada’s GDP and benefits all Canadians. Joni builds diplomatic and impactful relationships and formalises strategic partnerships. She has participated in influential committees from organisations including: SCC Data Governance Initiative, OECD ITAC, ISOC, IEEE, OASIS, ISO, and ITU-T.
Before joining DIACC, Joni was Kantara Initiative’s Executive Director, driving programs for business, legal, and technology interoperability to connect entities and individuals in a more trustworthy environment. Joni led Kantara Initiative as the United States’ premier trust framework provider, delivering value to multiple industry sectors. She helped to ensure that the Kantara Initiative program was aligned with multiple eGovernment strategies from economic regions including: Canada, New Zealand, Sweden, and the United Kingdom.
Joni Brennan previously served as the first-ever IEEE-SA Technology Evangelist for Internet Identity and Trust, focusing on issues of governance, policy, and technology development that touch digital identity, personally identifiable information, and trust services.
When not connecting the digital identity world for the better Joni can be found skiing in beautiful British Columbia, Canada. She can also be found playing flute or synthesizers in future thinking musical collaborations.
Connect with Joni on LinkedIn. Find out more about DIACC at diacc.ca or follow it on Twitter @mydiacc or on LinkedIn.
Take a look at the Canadian Digital Identity Research 2022 Document, in English or French.
Joni first joined Let’s Talk About Digital Identity podcast in Season 1 Episode 6. Why not take a listen to the episode on Building Canada’s Digital Identity Future.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 92.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining us on a new episode of Let’s Talk About Digital Identity, and I’m super happy to bring a former guest back; she is joining for the second time. One reason is that super interesting results from her research have been released. Especially in a vast country like Canada.
So, our guest today is Joni Brennan. She is the president of the Digital ID and Authentication Council of Canada, DIACC. Building on more than 15 years of experience in identity and access management, innovation adoption and industry standards development, Joni helps the DIACC to fulfil its vision by delivering the resources needed to establish a digital identity ecosystem that accelerates the digital economy, grows Canada’s GDP and benefits all Canadians.
Joni builds diplomatic and impactful relationships and formalises strategic partnerships. She has participated in influential committees from organisations including SCC Data Governance Initiative, OECD, IEEE, OASIS, the ISO, among others.
Hello, Joni.
Joni Brennan: Hello, Oscar. Great to be back.
Oscar: Yes, welcome back. Super nice having you. So again, we are here to talk about digital identity. Even though some of our listeners might have heard you before, I think four years back. Please tell us about yourself and this journey that you have to the world of identity.
Joni: Well, thank you so much for the invitation. In terms of my personal journey in the world of digital identity, I think it’s been just a bit over 20 years now, working in this space. And really starting in the, and all of this career, in the non-profit sector. Working with private sector and public sector, helping to develop standards and frameworks. Particularly focusing on risk management frameworks now, that help to contextualise the way that standards and open source have been implemented. To help to manage risks and help decision makers and adopters to make better decisions about which kinds of solutions they would like to adopt.
So, it certainly has been a journey moving from classic identity federation and single sign on now to web3 and distributed ecosystems. So, there are some things that have changed, but then there are also some core foundational concepts and thematics that have stayed the same. It’s great to be here to discuss the topics with you today.
Oscar: Fantastic. As I said, one of the main reasons to discuss this is that there is a very interesting report. Actually, I have it here in front of me; its title is ‘Canadian Digital Identity Research 2022’. Of course, I am sure it has taken a few years to gather and process all this information. It is a very nicely designed document and also many of those findings were like, ‘Wow’. Super interesting how things are going in Canada, and I’m sure some of these findings will be similar in some other countries as well.
So, we’d like to hear more deeply about a few of these findings and what we can learn. Could you start by telling us some of the key findings from this report?
Joni: Yeah, thanks so much. I find the research to be interesting as well. The research – we’ve developed four consecutive years now of research, and so the latest report is the data from 2022. So, some things that are interesting about that, as well, is that we began to perform this research; before COVID happened, during COVID, and now arguably, I would say post-COVID or the next phase. So, it’s been interesting to see both kind of how the space is developed and how people’s perceptions have developed over that period of time.
One of the reasons that we’ve done this research is that we found that in the Canadian ecosystem there wasn’t this kind of ‘perspectives research’. We spend a lot of time working together as practitioners, whether we’re working with policy, technology or business processes. We’re often speaking with practitioners that are in the space. So, to have the opportunity to better understand and quantify the perspectives of people, who may not be practitioners. Maybe they do understand the space, maybe a little bit, maybe not so much. So, to have the ability to have a better perspective on what people are thinking, about the work that we’re doing, this is very valuable. And of course, putting people at the centre of the work that we do is a priority. So having these perspectives is quite important.
Because we’ve done this research annually over the course of four years. What we have done as well as we’ve asked some questions each year to have baseline, to have trend lines. To know, how has the perception changed, year over year, over the course of four years? Or maybe that perception has not changed, maybe it’s stayed the same over the course of four years. So, we’ve seen that timeline. That’s been an interesting feature. And then each year we have also customised some of the questions. So that, we could ask the questions of the participants that were, maybe, more specific to what was happening in the world at that time. So, I think it’s a great opportunity to see what people are thinking, both at a point in time and in over time.
Now, how did we perform the research? Well, the research has been developed through a third-party research firm, so they manage the sample, the participation sample. To make sure that it has diversity and that it’s really asking questions to Canadians across our country, from one side to the other. As well as, we have two official languages in Canada, French and English, so as well as making sure both official languages have been consulted. So, we’ve had some regional findings as well, as we’ve gone forward.
With that, maybe I’ll share some of the key findings from the survey.
So, what I would say is that when we started this survey four years ago, this research, we asked people, first of all, do they understand the words ‘digital identity’? And I can say that for the first three years, people did not. Less than half felt that they had some understanding of the words ‘digital identity’, meaning that, without assistance, they could produce a kind of definition of digital identity. Now, last year, the fourth year of our research, for the first time, we’ve seen more than 50% feel that they have some understanding of digital identity without being assisted.
So, while the findings, I would say, are arguably low. Meaning less than 50% had some understanding for years, one, two and three. There is a sign that education, and knowledge, and awareness has been growing over each year. Now with just over half understanding. So, it’s a good trend line, meaning that education and awareness has grown. So, I think that’s interesting. It also helps us to know what kind of language we should be using when we’re speaking with people, what they might understand or where more education.
Now, this year we also saw in 2022, we also asked people what was their perception of the impact that digital identity could have on their lives. And I think positive news, the impact more than 55% of respondents felt that digital identity had a positive impact on their lives. And really, this was to manage records, to be able to have electronic boarding passes, things that were really around convenience and doing business anywhere and everywhere. So, this is great news. So, people feel that there is a positive impact, more than half.
Now, that said, 23% do remain unsure about the type of impact that digital identity has on their life. And so now we see that the 23% this is a group that we need to focus on. So, they don’t know if digital identity will help them or if it will harm them. So, there we see – okay, this is a place where we can educate that 23% on; What are the privacy impacts? What are the security impacts regarding digital identity? And how can that improve their lives for the better? So that’s a place to spend some time for education.
Now, the remainder felt that digital identity had a negative impact on their lives. And we do know, of course, people are free to have perceptions, positive, unsure, negative, as they so choose. But we do know as well in the Canadian ecosystem, there has been quite a bit of misinformation and disinformation, mal information. And primarily that type of information is moving in what I would call unauthenticated spaces. So, Twitter, Facebook, Reddit, places where information can become viral and sometimes that information isn’t verified. Sometimes it’s being spread by mistake and sometimes it’s being spread with bad intent. So, we know that that’s been a challenge in the Canadian ecosystem and that maybe part of the group that feels a negative impact in their lives.
So, our focus will be on the 23%. To help them to better understand the space so that they can make better decisions about their perception of the type of impact that digital identity can have on their life.
Now, we have also seen, year over year, for four years, we’ve collected some demographic information about the types of people who are responding, and the types of people who are most interested, and feeling the benefits most, and most interested to use digital identity or most interested to also learn more about digital identity. And year over year, the people who are most interested and most looking forward to the benefits that digital identity brings are what we call the caretakers. So, the caretakers tend to be parents who are taking care of children alone or dependents in their home. So, this could also be senior caretakers. Whether they’re in the home or outside of the home. So, these are people who are taking care, really caregiving in all aspects of their life as well as taking care of themselves.
So, these people have the most interest to use digital identity to help to manage their care, so primarily tracking health care records and school and government registrations, for example. These are seen as the primary benefits. And these are the people who are most feeling pressure to manage data, to manage access to data, and really need that extra help, that these types of technologies can provide people. The conveniences and the security that can provide people in their life. These are the people that I think is a great area of focus for the work that we do. Caregivers are also workers. Caregivers are also students. And so, in all aspects of their life, they feel that this is something that can help.
In the Canadian ecosystem as well, we do have some, what I would call paradoxes. Meaning we do also each year, year over year, ask people their willingness to share personal information online if it makes their life more convenient. And what we’ve seen over time is there has been a slight rise in people’s willingness to share their personal information. And so, for example, in 2021, 75% were willing to share information, personal information for convenience. That went up to 78% in 2020 to be willing to share personal information if it meant that they would have more convenience in their lives.
Now, that said, again paradoxically. The same amount of people just around 75% between 73 and 75%, also having the highest concerns about personal information being compromised. So, yes, while people are willing to share information for their convenience. They’re equally concerned about their information being compromised through identity theft or through hacking and through other means. So, we need to be aware that people are both feeling the desire for convenience, but they’re also very concerned along the way.
So, when we think about that 23%, again, who are unsure about digital identity. We can help them to better understand where digital identity can help people to manage their information and get convenience while protecting themselves online. I would say that this is a paradox, but also something that we can help. And we can support by working together with more education.
Now, year over year, for four years, we have also asked people about their preferences regarding the way forward on digital identity. So, what we’ve asked them is basically three options. Would people prefer public sector and private sector to work together on a framework? On an approach, a collaborative approach of public sector and private sector. We’ve also asked them would they prefer government to move alone and take the lead? Or would they prefer private sector to move alone and take the lead?
And I can say that year over year and in fact, we’ve seen growth to 71% of respondents. They believe that collaboration is the best way forward of the public and private sector. And their thoughts on that for why is because they felt that public sector and private sector, by working together, would have more checks and balances on each other. To make sure that each was behaving with the best interests of the client, the customer, the citizen. They really like that collaborative approach, and that’s grown over time up to 71% in the last year.
Now, typically year over year, the people who prefer only government to take the lead or only private sector to take the lead has been a bit of a split. Tends to be around 17% wanting one or the other to go the pathway alone. And in this year, this last year we actually saw a little bit of a change in that research where, for the first time, the preference for public sector was private sector.
There was a little bit of a lower preference this last year for public sector to go alone. So, the finding was 12% prefer the government only to take the lead, with 17% preferring that private sector only take the lead. And I think this is actually – if people have reviewed the Edelman’s Trust Barometer and trust overall as a trend globally in the public. There does seem to be an erosion of trust in large institutions and in new technologies as well, we should say. So, seeing the trust in government a bit lower this last year, I think maps as well with the global trending lines that we’ve seen in the Edelman Trust Barometer research as well. So not entirely surprising and common with what we’ve seen around the world.
Now, unsurprisingly, we’ve also since as we started, we’ve done this research before COVID, during COVID and now post-COVID ecosystem. And while we were in the middle of the pandemic challenges, we asked people if the requirements of the pandemic made people feel that it was more important for them to have access to digital identity that was secure and trusted and privacy enhancing. And people felt absolutely, 66%/67%, over the two years that we asked that question. People thought; Yes, COVID was driving a need for that secure and privacy enhancing digital identity capabilities. So, of course, we think about working from home and social distancing, so people absolutely connected the benefits of digital identity with the things that we were going through at the time.
We also have asked some questions, and I’ll share actually what I think is one of my favourite findings right now. And then we’ll talk a little bit more about some specific capabilities. But I think for me my favourite finding over the last two years has been we asked people ‘do they want to have access to personal information that’s issued and collected about them by public sector and private sector, and do they want the ability to use that information?’ So, we’ve asked that question for two years now, and actually we’ve seen the highest numbers we’ve ever seen on our research over four years regarding this question.
And so, people responded overwhelmingly, 92%, that they want to know and have access to data that’s issued and collected by our federal government and by our provincial or jurisdictional governments in Canada. And so, what this says to me is that – while the words ‘digital identity’ are challenging for people to understand. What exactly does this mean? When we asked people, do they want personal data control and transparency right away without a lot of education, very high number, 92% want to have access control to personal data.
That was followed very closely by 87%. So, they want that same access and control, 87% of data that’s collected by the private sector. So, I think, again, right away, emotionally, people understand personal data control. It’s something they demand no matter what their background, their culture, their politics, their region. Everyone wants to have transparency and control to data about themselves. So, I think that’s just a fantastic finding. And rarely have we ever seen in fact, never have we seen numbers that high in our research.
Now, I share this finding because I think it very much sets up some specific capability finding around digital wallets, something that’s an emerging space. So, whether we’re thinking about the concept of the digital wallet or a trusted container of some sort. Over the last two years, we’ve asked questions specifically about digital wallets, concepts around digital wallet to work. There’s a degree of personal information sharing and personal information control that has to happen. So that’s why I wanted to set that up with that primary finding.
So, over the course of the last two years, we have seen the familiarity of the concept; What is a digital wallet? We’ve seen that rise. And so, the first year that we asked it was 54%. And it’s actually gone up to 59% in the last year of the research. So, people are understanding the concept of the digital wallet. What it is, what it means and why it’s important to them. When we’ve asked people about their use of digital wallets in 2021, we saw around 38% of people reported that they were using some kind of digital wallet and that rose to 41% in 2022, of respondents saying that they were actually using digital wallets.
And so, of those digital wallets, the highest usage recorded was of the Apple wallet. And so, in 2022, roughly a quarter, 24% were using the Apple wallet, with the remainder of the usages on wallets being spread, Samsung Pay was the next highest and then third-party wallet providers after that.
Why are people using digital wallets? They really like contactless payment, less clutter and less concerned about losing their cards, their plastic or physical cards. They feel that these are the benefits of using a digital wallet. So again, the setting up this ecosystem for personal data control. So, whether it’s the type of wallet that we might be familiar with, on the phone or some kind of trusted container or network. This all requires the ability to share information and to have data control. This is something that people are demanding without a lot of education.
So, all in all for the audience, I would say is – be aware that your customers and your clients, they may be challenged to understand, what those words ‘digital identity’ means. They may have different ideas. Among them, what the words ‘digital identity’ means. And so, there’s some education that can be done likely with your audience, and particularly for us, for our ecosystem. Again, we’re focusing on that 23% and really educating them about the privacy and the security protection that can be found, that can be achieved by using digital identity capabilities. And so that’s the place that will focus as we continue to move forward in our ecosystem in Canada.
And I think it’s reasonable to say that it’s probably a similar finding around the world. We might see some differences for countries that are a bit more advanced. But I do think we’re going to find some commonality, in each region around the world. And even within our customers, whether we’re thinking about their personal lives and their personal transactions. Or the way that they manage their data at work or at school. I think these findings are very valuable no matter what the lens or the ecosystem that we’re looking at.
So hopefully the audience will find that information helpful.
Oscar: Indeed, quite revealing, many of the very useful facts that you have just shared with us. Actually, one of the first ones, the understanding or awareness of the concept itself of digital identity, is quite revealing, that you have evidence that it has grown. So people are understanding more. The concept is getting more familiar.
So, I don’t know how you ask them, but I guess you ask them to elaborate, right? So, you ask ‘What is digital identity?’ and people have to elaborate in their own words.
Joni: We just ask them: What do you think digital identity is? So, we ask them to try to produce a definition, as the research asked them. And then we measure, were they very confident, were they able, with their definition, to be accurate? Or were they not confident and did they need some help? And so, at that point in the research, depending on their ability to answer the question about what they believe digital identity is, there would then be a degree of assistance. If they weren’t sure they’d be provided with a definition, so that they could then move forward in the rest of the research with a common understanding as they answered more questions going forward.
Oscar: Very well done. And the other thing you mentioned, one paradox, so people are more willing to use the digital identity solutions, but at the same time they are more concerned about the privacy issues or protecting their data. So that’s also very interesting; it is good in all senses because people are using more tools, but at the same time consciousness is increasing.
Joni: Yeah, I think for me at least, I think that this finding really is part of a call to action to say identity management practitioners who are working together to identify the risks, to mitigate the risks, to provide better solutions for citizens, clients, customers and residents. We really are responsible to move forward together in this space in a way that’s designed around people where benefits, managing their risks and their needs.
Because without the work that we’re doing, they’re going to take part anyway. Maybe they’re going to take pictures of their driver’s license and send them by email. And I know you’re not supposed to do this. But sometimes when you need to get what you need to get to on the other side of the transaction, you do what you have to do, right? So, I think we’ve all been there. So, I think this is a call to action for us to continue to work together to provide people with the option so that they can do what they need to do in a safe and secure way.
Oscar: Yeah, absolutely. In Canada, there is a major public sector within Canada, actually there are two tiers of public sector, right? Provincial and the federal government. So, I understand that each of them makes their own solutions, and there is a private sector. So, there are like, let’s say three main developers, the creators of details in these solutions. Have you found solutions that were not properly designed and what was the effect of those?
Joni: In the Canadian ecosystem we do have jurisdictional governments. We have our federal government, which is a collaborative, all of us working together. And then we have provincial governments and territorial governments as well. Then of course as municipalities. So, we have the different layers of the governments and then we have the different private sector industries. And some of those industries are federally regulated like finance, and some are not.
So, what makes that space interesting as well is that when it comes to your legal instantiation for who you are, this is really spread out in Canada. And so, if you’re born in Canada, your legal instantiation for who you are is with your jurisdiction where you were born. If you immigrated to Canada, your legal route of your identity sits with the federal government.
So really the federal government is in fact a very large customer of digital credentials or digital verification. Unless you’ve immigrated. But if you’ve not immigrated, like the majority of Canadians, then the federal government is a customer there to know who you are. So there does need to be a collaborative. And I would say that both in the public sector and in the private sector, it’s very important to focus on all of the elements – trust and risk management, convenience of use. And if solutions are poorly designed, then it leaves people not happy with the experience and not trusting the experience.
So, whether we’re using a solution from public sector or private sector, it’s also very important to do the user testing and the alpha testing and the launch to see how were people experiencing the service? Were they able to produce the information that they needed to produce to take part in this service?
Because that user experience, we only have a small opportunity to create a delightful, secure experience with the people that are using the services. So poor design or in fact, it may be great design from a technical perspective. But without doing that user experience testing and finding that people’s – their emotion and how they felt while they were using the service wasn’t there. That can lead to a low adoption, low trust, and people will feel that and they will sense that and maybe they don’t come back to the solution again. Or maybe they feel, ‘oh, this was terrible’ and they tell other people.
So yeah, I think it can’t be stressed enough that as you’re designing, public and private sector, to really work with your small set of users to see; how are they experiencing the solution? In addition to, of course, the priorities. Making sure that it’s safe and secure and using data minimisation. And all of those techniques that we would want to use for privacy and have in service.
Oscar: Yes, and related to that, and checking now the picture. We can see that they said the majority of Canadians believe that both government and private companies should work together to create a digital ID framework. And I can see in the three years where this survey has been executed, it keeps growing. That’s the feeling of the public, that the collaboration needs to be strong. So how is that resonating with the ones who create the digital services?
Joni: It is an interesting finding, right? And I do think it’s interesting to how people seem to hold the governments a little bit more accountable. The higher percent. So, 91-92%, they want that access to that data. I was in fact surprised that it’s a little bit lower expectation for the private sector. Around 87%, still close but a little bit lower.
And I think what that means is something that we all experience ourselves as well, where we are one person, no matter what, in our lives; Oscar is Oscar and Joni is Joni. Sometimes our person is at work, business, school, sometimes we’re a patient with our doctor. So, we have these different experiences within our lives. We are the centre of all of them. Us being at the centre is a priority to making sure that as we move through these different solutions and services, we are the constant. And we can then use data and present data as we’re moving through those contexts of the type of transaction that we’re trying to provide. And so, let’s say for example, quite often we’re asked to show government issued ID.
Now, we know that we need to be able to authenticate, we need to have a verified identity and we need to be able to authenticate in a verified way to government to say, okay, this is data about us, and we want to use that data. Yes, but quite often we don’t log into government necessarily, maybe every day. Maybe if we’re at a certain phase in our life or a certain time of the year, yes, we do authenticate the government, but more often than not, we’re using that government issued data, that government issued credential to open a bank account or to go onto an aeroplane or check into a hotel.
So, the areas where the data about us that has different levels of verification, whether that’s our driver’s license, which for us is a provincial or territorial credential. Or a passport, which is a federal credential. Or maybe something like a verified address for the bank that we’ve been banking with over the last five or ten years.
Where it becomes very interesting is, again, the constant in all of those equations is that there’s one person at the centre of them. And so having that collaborative is very important to bridge the gap, so that you, as a government, are not only solving the primary use case that is your highest priority. Maybe it’s how do I authenticate to the government, or you as a bank are solving your use case: how do I authenticate you to access your financial information? Really, people need to traverse across both of those contexts and across many different contexts.
So, collaboration is the way forward and people do get that sense. And as you said that desire for collaboration has really grown over time.
Oscar: Okay, excellent. So, you are having, say, perceiving that – I’m sure you talk very often with people from all the governments. Plus, people from the private sector then, in the country. So that’s something you are already perceiving.
Joni: Yeah, absolutely. And of course, each group of stakeholders. If it’s a good government or like finance or credit networks or other. Each group has their priority use cases. And one of the things that we look at in our ecosystem in the DIACC is what are those common use cases we’re most concerned with. Really, where those ecosystems work together. Where we’re using government issued credentials to open a bank account, for example. That’s a great use case because the financial institutions want to lower their Know Your Customer anti-money laundering costs. We bring these types of government credentials into a physical bank all the time. So how can people use those credentials digitally? And how can each party be sure that the right level of risk is managed? And that’s where we focus on DIACC.
So, for us, use cases that centre around Know Your Customer anti-money laundering, they’re very powerful use cases. There is a global framework on Know Your Customer and anti-money laundering, and this is a place where we always see collaboration between public and private sector is an important feature. That’s one of the areas where we see a lot of commonalities, for example. Not the only area, but definitely one of the areas where that commonality exists.
Oscar: Yeah, this research is super fascinating indeed. I will ask you a final question, for all the business leaders that are listening to us now. What is the one actionable idea that they should write on their agenda today?
Joni: I would say that this research should be used as an additive tool. It’s all available. And so, if you’re an English speaker or a French speaker, it’s available in our website, DIACC.ca. I would also say that one of the things that we focus on within the DIACC. Because we are not developing the technical standards or the technical open-source code for the methodology for how to move forward. What we’ve developed is a very high level and prescriptive risk management framework. And so, one of the things that we see in our ecosystem is that; a single solution that is one size fits all doesn’t map to the ecosystem, really. Ecosystems are living things and sometimes there’s more security needed, sometimes less. There are different conditions.
So, I would say for one activity for people, business leaders who are listening today is to; try to evaluate your risk. Maybe you already have. Evaluate the types of risk that you have within your ecosystem. And then look at something like our Pan-Canadian Trust Framework or risk management framework to determine, be sure that you are managing the risks that need to be managed to ensure that there is a duty of care that is set out. How do your customers expect to be cared for? How do your partners expect to be cared for? When they’re interacting with a solution or service. And then make sure you’re mitigating those risks.
We provide one tool, The Pan-Canadian Trust Framework. As a tool to help people measure and make sure that they’re mitigating risks in a verifiable way. And this helps decision makers to then adopt solutions today, while looking forward to knowing where and how these solutions might interact. Should I interact with another ecosystem? Are they managing risk in the same way that I am?
Whereas the technical solution for ‘Do I need to transform this data model?’, I have all the confidence in the software engineers to solve: how do we transform from one data model to another? And using tools like risk management frameworks, like the Pan-Canadian Trust Framework, can help you to know, should you be looking at how you interact with different sets of credentials or different solutions or different ecosystems?
So, know your risk, manage your risk. Do your duty to care for your customers, clients, citizens and residents. And the rest of the ecosystem will evolve as it does. And we’ll continue to work together to make sure that people are at the centre. Privacy is enhanced and that people have transparency and control in this evolving and emerging digital ecosystem.
Oscar: Excellent and for our listeners, we’re going to put in the show notes, the links to this research. So you can find it from there, from the show notes. Thanks a lot, Joni, it was a really interesting conversation. So let us know how people can follow this conversation with you or find more information all the work you’re doing.
Joni: Thanks so much, Oscar. Yeah, it’s been a real pleasure. I’m so glad to be back. I really appreciate the work that you’re doing with this podcast, having very interesting and insightful conversations. For people who would like to continue the conversation with us. You can find us at DIACC.ca. That’s our website. And then we do a lot of sharing and conversations in our LinkedIn group. Which you can find us at The Digital ID and Authentication Council of Canada in our LinkedIn Group, which is quite active.
So, we’d love to connect with you and continue the discussion from today.
Oscar: Okay. Fantastic. Again, thanks a lot, Joni. All the best.
Joni: Thanks, Oscar.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Facilitating the Future of Finance: Open Banking & Open Finance with Michelle Beyo, FINAVATOR
Let’s talk about digital identity with Michelle Beyo, CEO and Founder of FINAVATOR.
In episode 91, Oscar is joined by Michelle Beyo, CEO and Founder of FINAVATOR. They discuss how Open Banking and Open Finance are facilitating the future of finance and the role digital identity has within this. Join Michelle and Oscar as they explore what open banking and open finance are, their benefits and potential privacy issues, alongside sharing success stories from around the world and what we can expect to see in the future.
[Transcript below]
“Open finance layered in with a digital identity can truly help us plan better, execute, have better offerings, save money, and be able to plan better for our future.”
Michelle Beyo is the CEO & founder of FINAVATOR, an award-winning Payments and Future of Finance Consultancy. She is also a strategic advisor to FinTechs, a Money 20/20 Rise Up alumni, a Global Council Member of Women in Payments, the Membership Chair at Canadian Prepaid Providers Organization, a Payment Advisor at National Crowdfunding and FinTech Association of Canada, and a Board Member at Open Banking Initiative Canada.
Michelle started FINAVATOR as she is passionate about payments and financial inclusion. She has 20 years of extensive industry experience driving innovation across the retail and payments industry. Michelle Beyo was named the “Top 30 Best CEOs of 2021” by The Silicon Valley Review and FINAVATOR was awarded “Most Influential Leader in FinTech Consulting – Canada” in 2020.
Find out more about FINAVATOR at www.finavator.com or Michelle Beyo at www.michellebeyo.com.
Connect with Michelle and FINAVATOR on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to our YouTube to watch the video transcript for this episode.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. And today, we’ll hear some new ideas about open finance, open banking and definitely a bit more.
For that, we have our special guest today who is Michelle Beyo. She is the CEO and Founder of FINAVATOR, an award-winning payments and future of finance consultancy. She’s also a strategic adviser to FinTechs, a Money 20/20 Rise Up alumni, a Global Council Member of Women in Payments, the Membership Chair at Canadian Prepaid Providers Organisation, a Payment Advisor at the National Crowdfunding and FinTech Association of Canada and a Board Member at Open Banking Initiative Canada.
Michelle started FINAVATOR as she is passionate about payments and financial inclusion. She has 20 years of extensive industry experience, driving innovation across the retail and payments industry. Hello, Michelle.
Michelle Beyo: Hi, Oscar. How are you?
Oscar: Very good. I’m really happy to have you here on the show.
Michelle: Happy to be here as well.
Oscar: Excellent. So, Michelle, let’s talk about digital identity. I want to start hearing a bit about yourself and your journey to the world of identity.
Michelle: Yeah, I’m happy to share a little bit. I actually spent 20 years in the corporate space. Six years in telco and eight years in online shopping affiliate marketing. Ran Alaska, Lufthansa, Delta, United online shopping mall platforms. I really got to understand the relationship between customer and loyalty infrastructure.
And then I moved into the payment space. Working for the largest prepaid company globally, called InComm, out of their international office for 30 countries. And was running sales and marketing, launched their B2B division, got to see what was happening in innovation across these 30 other countries, including Singapore, Australia, UK. Helped launch WeChat in North America at 711 through the Gift Card rail, QR payment system. And truly realised – a little fearful that my kids were going to end up with Asian banking. Due to the advancements, and how far beyond where we are in North America, that Asia basically was from a banking infrastructure set in 2017.
And I took a leap into the startup world focused on blockchain digital identity at a startup as a Chief Client Officer in 2018. And after a year with them and helping with Bahama digital ID infrastructure and helping consent on blockchain. I actually won Money 20/20 Rise Up. Where they picked out of 500 women, 30 women to come into the Vegas largest payments conference in the world and have a separate accelerated track.
And as soon as I found out that I had won one of these coveted 30 spots, I quit my job at the startup and started FINAVATOR. Which is actually now four years ago in July. And starting this consultancy, I did not have any consultancy experience. But I did have all of my background, which I felt was touching the future of finance from telco infrastructure to affiliate marketing, online shopping. The move to digital prepaid payment infrastructures, how they were backing all new challenger bank infrastructure, BaaS infrastructure, and then digital ID.
So FINAVATOR truly became my ability to try and help banks, credit unions, FinTechs and corporations move to the future of finance. And really have enjoyed my journey out on my own.
Oscar: Yeah, definitely quite interesting, because you have been involved in several industries that are pretty different in themselves. So many are, yeah, oriented to interacting with the customer. So, understanding how the customer – what the customer needs, etc. And then just in the last year, you came to identity. So now you have this amazing experience and you’re doing your own consultancy.
As you mentioned, you have been working on a lot of payments and that is leading you to the future of finance. So, the topics we’d like to start addressing today are open banking and open finance. So, if you can give us what are these two terms in a nutshell, what would you say?
Michelle: Yeah. I think, at its simplest point – open banking, which started in the UK in 2017. Is a safe and secure way to share data in an ecosystem. So, thinking of back to my telco days, when I started. You would sign up to one provider for three years, and you couldn’t leave. If you left, there was a penalty, and your number was owned by that telco. So, if you went to a different telco because they had a better service, you’d basically lose your identity, which was your phone number. And have to send an email to all of your friends with your new number. And they would have to reprogram your phone number in their phones.
There was something called Open Telco. Or at least number portability, that was mandated in Canada and many other countries around 2015. And this allowed them to empower the consumer to officially own their phone number. So, if I left one telco to go to another, I didn’t have to lose my identity, which I had built for, let’s say, 10 years. As this phone number represents myself. So, I was able to port it to a competitor to get better service.
So, to me, open banking is that same concept of having a safe and secure way to port my data. From one bank to another bank, from one bank to a FinTech, from a bank to a wealth advisor. So really just giving me the freedom that – the information that is mine, that defines me, can be utilised to help me get a better loan. Help me get a better rate, help me get the service that is customised to myself. Based on the data that happens to live with my current bank.
So open banking was a regulated movement that started in the UK to force the CMA 9, which is the nine biggest banks in the UK, to create an API that was standardised. To allow for safe and secure data sharing, that was all based on consumer consent. As well as create competition, by allowing FinTechs or third-party providers to hit a certain bar of the certification to be allowed in the system.
So, let’s say Revolut. If you were a Lloyds customer, and you wanted to go to Revolut. And you wanted Revolut to have these five pieces of data to offer you a different product that maybe had better pricing. You were able to do that through consent through the Revolut app. And that data was then able to safely port from Lloyds to Revolut.
And the biggest point, I think on all of this is – in open banking there is a right to delete your data. So that data can then be deleted and to me, this is creating less data in the world. And having more control over it as a consumer. As well as empowering new services, new offerings, new companies to help serve the underserved and help serve the current market in a better, more efficient way.
Oscar: Yes. And I like your analogy. You started talking about the analogy also in telecommunications, in the mobile, consumer mobile networks. The mobile number portability, which is something I think at this point, I’m not sure it’s everywhere in the world. But I think by and large in many countries it’s available and it’s something that today we take for granted. But it was very painful, not long ago, it was very painful as you have described.
So just the idea of having a similar easiness translated to the banks sounds like a dream for the ones who still have not experienced it. I have not experienced something like that yet. Yeah, so definitely it sounds like a great thing to keep it spreading. And you have summarised saying that this open banking in a nutshell is securely sharing data of the consumers. So, one consumer can move from one bank to another, or even a FinTech as you mentioned so.
Michelle: Yeah, and I think the evolution of that is open finance. Which I would say is a hot topic in today’s market. The UK is moving to PSD 3, which is bringing them to open finance. Australia started with open data as a concept through a Consumer Data Right for all citizens across five industries. Which I think is the most concise vision across all countries. So, they started with open banking, moved to open finance, open telco, open energy, and then they’re going to land in open data. And it’s all centred around a Consumer Data Right across all data.
Very empowering vision coming out of Australia, that many countries are just starting with open finance. Turkey, Nigeria, Saudi Arabia, Brazil, just moved to open finance. So just to describe it – it really is, instead of just being banking, FinTech, third-party payments data or bank account data. It’s broadening the spectrum to the insurance, wealth, mortgages. Kind of more of a holistic view of anything that touches your finances. So, it’s really expanding to allow you to port your data from multiple different aspects of finance.
Oscar: OK. So, the key here in open finance is that you do similar – let’s say portability. We use it, we use the same word between different services. Not necessarily financial services, but as you said, that touch some financial data, correct?
Michelle: Yes. So if you want to use some data from your Lloyds account to help you get a faster, cheaper, better mortgage that’s more customised to you. Maybe that mortgage provider is not a bank, but they’re a licensed mortgage provider that has certified in the system. Then you’d be able to facilitate that data sharing, same example to a wealth provider or an insurance provider.
Oscar: Alright. And besides that, benefits of the portability that we can, I can even visualise on my mind. What are the other benefits that there are for both the consumers and for businesses?
Michelle: Yeah, I would say one of the biggest ones is – when you think of FinTechs trying to get certain aspects of data. And not having to get data they don’t need – so only getting the five pieces of data, with clear consent from the customer. And the customer not having to screen scrape this data out of their account without their knowledge.
So, a lot of screen scraping issues are when open banking first came to fruition in the UK. It’s largely because 1 million UK citizens were screen scraping. Which is a service that is being utilised where it looks like you’re logging into your bank. You’re putting in your passcode, and then it’s giving access to that FinTech to look at your overarching account and scrape the whole data. To only grab the five pieces they need to push it into the system.
So, what this does is [A] it’s insecure. [B] the customer has no idea they’re breaching their bank agreement by using the service. And then the FinTech ends up with all this data that they don’t need, or want. They have to store it safely and securely, when they only needed the five pieces.
So, when you get to an open banking system, they request the five pieces, they get the five pieces in a safe, secure type of API. And then, therefore, they’re able to delete those five pieces of data, because the way that it was coded into the system, if so requested by the customer. So, it’s a data management system, all based on consent.
Oscar: Yeah, it sounds pretty good absolutely. Because imagine that all my data that is on my bank is passed to the – let’s say insurance. And then the insurance has the duty to delete whatever they don’t need as well, sounds terrible. Because you know, the less data that is transferred, the less data that is stored somewhere, the lower the risk of so many data breaches that are happening nowadays.
Michelle: Yeah, on the data breach point, I always like to bring up unfortunately Marriott because they had 7.1 million data breach occurrences at one time, and it was an internal issue. They were like layering in some accounting, or loyalty system and it was an internal data breach. And this was back I think in 2018. They didn’t compensate any of the users. But think about anytime you check into a hotel. At this point, they asked for your driver’s license or your passport, plus your credit card. The amount of data a hotel has on you is pretty concerning, considering they don’t have the data security standards that you would have at a bank.
So, if we can get to a world – getting to your digital identity questions. Where a QR check in doesn’t actually have them store any of my data, but just validate I am who I say I am. So that they don’t need to actually hold my actual passport image with all of my sensitive data. In a non-secure, I don’t want to say non-secure, but not highly secure infrastructure.
Oscar: Yeah, exactly. Another good example, obviously, the hotels. They will benefit, both the businesses and the consumers would benefit with open finance. And yes, I start – while you explain this idea, I was, OK, some of the data passes from one, let’s say from the bank to the insurance company. But just a minimum should be passing, so that – also thinking from the identity point of view. I’m imagining the federation, right? So, at this point, what is on your view the role of identity on this paradigm that you just described?
Michelle: Yeah, I think it’s quite paramount as a base layer to most systems. Because if you can authenticate you are who you say you are, that’s the most important part of any one transaction. Especially a transaction that has to do with your data or has to do with your finances. So, I think it’s quite crucial that we find a way that authenticates ourselves. Especially with AI, and all of this machine learning infrastructure, cybersecurity challenges.
How do we ensure that we are the only entity that is Michelle Beyo and that I can then surely authenticate myself? Before I do a data share from one bank to the other, or before I do a financial transaction. And we’re going to have to layer up from our six-digit code being sent to a phone text to authenticate yourself. As we move forward in the future of finance. So, I think digital identity is crucial. And has to be put into a system, in a way that ensures that there’s only one identity for any one person.
Oscar: Yeah, indeed. There has to be some level of strong authentication, that that is a must. And as you have mentioned a bit earlier also, always with a consent, inevitably, data sharing transactions.
Now, moving into what are the standards to also understand – without going into too much detail. You mentioned that this started in the UK and in the UK, there are more implementations. This is really happening in real life, but what are the main standards that are making this possible? Or are going to make this even more possible if we think of open finance?
Michelle: Yeah. So you know, what’s interesting is – as you look at the world at the moment, and you look at open banking, open finance. Not all countries have a digital identity infrastructure. So, what that does is makes the open banking infrastructure more complex, harder to authenticate. And I think even more than open banking – real-time rail infrastructure needs the authentication. Digital identity for any type of fraud reduction of authenticating you are who you say you are, and it’s going to an entity who is authenticated. So that we can remove the scams out of the system.
I’d say the best digital identity infrastructure is probably the Indian-based UPI. It was government issued; it was a mass amount of people. And it was done very early on, on a global scale. It’s not the exact model that probably should be utilised for other countries. But they have definitely – through their digital identity framework, have been able to even. There’s homeless people in India with QR codes and a bank account due to their digital identity infrastructure. And when you pass them in the streets or you pass a tiny shop selling something, they have QR-based payment infrastructure that is largely attached to their digital identity. Which creates a more financially inclusive infrastructure.
In Australia, they have a digital identity framework but it’s not as widespread to the same degree as India. The UK is still working on their digital identity infrastructure. So not every country has lined up, open banking, digital identity and real-time rail. But these are three very crucial aspects to the future of finance because the authentication from digital ID is a safety point. The real-time rail is the fast and secure movement of the funds. And the open banking is the safe, consent-driven data sharing aspect. So, once you have all three of them, you’re really setting yourself up to be facilitating the future of finance.
Oscar: You mentioned one term that maybe is not so familiar, at least for me, you mentioned real, real-time rail. What is that exactly?
Michelle: Yeah, the real-time rail is an instant payment system, sometimes called that. And the first one ever created was in Switzerland, actually, in 1989; 66 countries have faster payment systems. The UK launched quite a long time ago. But the US just launched their FedNow, that is what it’s called in the US. Which is their real-time instant payment rail, just this year. And Canada hasn’t launched theirs just yet. So, there’s many countries who have this payment infrastructure. When you look at the US last year, or Canada, still, it takes three days, three to five days for bank payments to clear and that’s just the older infrastructure of payment settlement.
Oscar: OK, OK. Perfect. Yes, indeed, you have emphasised that all these components are needed and, of course, the authentication, the national digital identification, is a key point. You are correct, not many countries in the world have something, I will say, suitable enough for doing this open finance. I was – in terms also of authentication that reminded me that, for instance, the FinTechs have been around for a while. And not long ago the authentication was just username and password, nothing else. So, of course, now, most of the FinTechs have something better than that. But yeah, I can see something that it takes time. All these components take time to come together to make possible some of these use cases.
So, if you can tell us some of these success stories, now seeing from the perspective of use cases. Let’s say success stories from, if you can, from different part of the world also to illustrate it better.
Michelle: Yeah, so if we’re talking digital identity, I think Scandinavia has done probably one of the best jobs. I think Estonia was one of the first. The other really crucial part of digital identity is you can’t have CBDC, or digital currency in a very safe and secure way without a digital identity framework. So, I think there’s some great examples down that front.
When we’re talking open finance, open banking, the countries I’m most impressed by, obviously, is Australia. They are a country that has five major banks. They are kind of an oligopoly in the sense that those five banks hold quite a bit of the customer base. But they took an initiative past open banking, past open finance, to embed a consumer data rights to every citizen across five different industries with a roadmap to start with open banking. Moved to open finance, open telco, open energy, land with open data, which is really future proofing their country, for the future of the ecosystem. A digital ecosystem, which every business is now turning into a digital business.
So, they’re going to have a really great base layer of understanding that the customer owns the data, the customer is able to port the data, and the customer is able to delete the data. So, by creating a data right infrastructure, and then porting it across multiple industries. I think they’re going to have incredible innovation and eyes are definitely on them as they’re enabling this ecosystem. That really is kind of the future of any one country’s vision of how do you enable digitisation of an economy.
The other country that I’m pretty impressed by is Brazil. In the sense that in the middle of the pandemic, they made their first move to open banking. They made a 12-month mandate that they were going to hit an open banking live ecosystem within 12 months. And open access to their Central Bank of Brazil. And therefore, by opening the access to registered TTPs, which are Third-Party Providers. Companies, like Pix, were able to create a FinTech that reduced the cost of sending money and took the underbanked, underserved in Brazil, and gave them a digital bank with faster, more affordable payments. And I don’t have the exact number. But I believe they’re past 7 million customers and doing billions of transactions on a daily basis. And I believe they reduced the cost something like by 40%, by being able to have direct access to the central bank and fall directly in line with the open banking system.
And after 12 months of being enabled to an open banking system, they immediately started working on an open finance system, and are launching that within 12 months. So, I think the alignment, the passion, and the execution out of the Brazilian market is pretty impressive. And just the pure enablement of new FinTechs that are more affordable services. And finding ways to serve the underbanked, underserved, they’ve done a phenomenal job.
Oscar: Yeah, it sounds like that – it sounds definitely amazing. Among all these, well, existing use cases and what comes in the future for open banking and open finance, what are some potential privacy issues that you could tell us?
Michelle: Yeah, I think every system has to be truly based in a liability model. This liability model has to be extremely clear to everybody within the system. There has to be protection on that liability model. And I think it’s just ensuring that the certification system that allows for third parties to come into the system is robust, is reviewed, that these parties that have been certified, inclusive of banks, are always looked at to ensure that they continue to be certified to have access to the system.
But I do foresee in the future that customers are going to choose to have some type of insurance on their data. That they so choose, just like you have insurance on your travel, or insurance on your health, like actual data privacy insurance.
Because – think of the Marriott issue, or gosh, there’s data breaches every day of the week, and none of the data breaches have to do with open banking, open finance, they’re internal data breaches or external data breaches, or hacks. That there’s no real repercussion to the customer, like, or to the actual party who has had this data breach. There might be a fine, but there’s no settlement to the actual end user whose data has been potentially put on the dark web or given to different parties.
There’s got to the point where, if we have enough of a safe and secure data sharing infrastructure, we should be able to insure our data and be safe and secure. And if it’s breached, have some type of offset. But we have to get to a much safer secure infrastructure of how data is shared in the first place.
So, I just truly see that open banking, open finance is creating the pipes for the water to go through and be able to turn them on and turn them off. And we just don’t have those pipes today in every country. And I think it’s just super important for the next layer of the future of finance.
Oscar: Yeah, indeed. Now, if we look at the future, what kind of use cases or what open finance can do in the future? Something that we are not seeing today.
Michelle: Yeah. So, in some countries, they started to enable dashboards, like holistic dashboards of your financial health. So, in these dashboards due to open banking, you would be able to see what your mortgage is. And then it would be able to AI predict what other offerings you should potentially layer in. To add to this product, or tell you that your current mortgage is not serving you. And that there’s three or four other offerings that would be a better mortgage based on your current finances, or the market. And then they’d be able to offer you three different companies that you might want to look into.
So, what this service can then do is you can actually put in your loans – this dashboard would be personalised, just for you to see kind of your financial health. It would help people have an ability to plan better, understand their finances a little bit better. From that perspective, I think it’s going to also create a whole bunch of things we haven’t even thought of, new services, new opportunities, and new ways to ensure you’re saving for your retirement.
Just kind of like round up did in the sense of, you know, if you’re paying for coffee, and it’s $1.50, rounding it up, or if it’s $1.40, rounding it up to $1.50 and then putting that in your pension plan or putting that into a robo-advisor. So that you’re earning money by saving without knowing it, or without feeling it, kind of perspective. So, I think just like the Internet has changed so many ways of what we are doing, and made our lives easier, in many ways. I do think that open finance, layered in with a digital identity can truly help us plan better, execute, have better offerings, save money, and really just be able to plan better for our future.
Oscar: Yeah, sounds definitely a lot to expect for the future what open finance will bring us. So, Michelle, last question for you, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Michelle: Yeah, I think what they should write is that innovation is driven by ideas. And that there’s an opportunity, especially now that the world has gone digital, to listen in to panels, topics that interest you, but you don’t have all the details on, similar to this podcast.
There’s panels happening in Australia on open finance, or Brazil, that you could listen into. You don’t actually have to travel to these conferences. But you can truly grasp the innovation that’s happening in other countries. And then think about how you can create something for your citizens, for your company. To pivot and start moving towards the future of finance, by learning from other countries who are already there.
Oscar: Yeah, definitely, I couldn’t agree more. And that’s really one, learning more about these interesting topics that are going to impact us mostly positively today and in the future is also one reason why we invited you. So, thank you. Thanks a lot for being with us and this was a really fascinating conversation with you, Michelle. If people would like to follow the conversation with you, or know more about what you’re doing, what are the best ways for that?
Michelle: Yeah, definitely to follow me on LinkedIn. Simply find Michelle Beyo, follow FINAVATOR on LinkedIn and Michelle Beyo as well as reaching out to us on our website at finavator.com.
Oscar: OK, excellent. Many ways to do it. So again, Michelle, it was a pleasure talking with you, and all the best.
Michelle: Thank you so much, Oscar. It was a pleasure being here. Have a wonderful day.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Digital Signatures in Sweden with Magnus Kardell, Knowit
Let’s talk about digital identity with Magnus Kardell, Product Owner for SignPort, Knowit.
In episode 90, Oscar is joined by Magnus Kardell, Product Owner for SignPort at Knowit, to explore digital signatures in Sweden – including the main challenges that public and private organisations face when looking for a digital signature solution, how to solve these challenges and what regulations signatures solutions need to comply with in Sweden.
[Transcript below]
“It’s demand for high availability, and demand for high level automation. That means you need to be able to validate the document electronically to the person who has signed it.”
Magnus Kardell is the Product Owner for SignPort, an IP product developed by Knowit enabling high-security e-identification and e-signatures. He is a specialist in identification and signing services, with a focus on IAM, and SSO federations. Magnus started his career in this field in 2013 and has since gained extensive experience in the public sector, catering to clients with high-security standards and needs. With a strong background in the industry, Magnus is dedicated to delivering innovative and secure solutions to his clients through SignPort.
Connect with Magnus on LinkedIn or via email.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to our YouTube to watch the video transcript for this episode.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining us. As the years have been passing, I have noticed actually that, digital signatures are becoming more and more common. At a time when we need to sign some agreements, electronically or Internet services. So, let’s take some time today and hear what is going on, what the trends are, in the European Union, but particularly, in Sweden, where today’s guest is coming from.
So, our guest today is Magnus Kardell. He is the product owner of SignPort, a product developed by Knowit, enabling high security, e-identification and e-signatures. He is a specialist in identification and signing services, with a focus on IAM and SSO Federations. Magnus started his career in this field in 2013 and has since then gained extensive experience in the public sector, catering to clients with high security standards and needs. With a strong background in the industry, Magnus is dedicated to delivering innovative and secure solutions to his clients through SignPort.
Hello, Magnus.
Magnus Kardell: Yes, hello. Hello, Oscar.
Oscar: Welcome. It’s great having you. We are going to talk about signatures. But let’s get started. Let’s talk about digital identity. First of all, we want to hear about our guest, so we want to hear about you. Tell us a bit about your journey to this world of identity.
Magnus: Thank you. Yeah, Magnus Kardell is my name, and I work at Knowit Secure Solutions, as Oscar mentioned, and I’m product owner for SignPort, which is an identification and signing service. I started roughly 10 years ago with IT security and at the time we were having, and working with, identity and access management. Providing single sign-on and federations between different organisations, and soon after that, we were adding also signature services.
In Sweden, there is a technical framework provided by the Swedish agency, DIGG, the agency for digital government. We have always complied with that standard, and that’s where we built our services. It’s mainly targeting the public sector, but it’s also good for the private sector. And I think in 2016, we made the first signatures, doing it this way and according to this standard. So, we were first with that one. And I’ve been a project manager for establishing about 40 customers in Sweden, in different configurations, and they are mainly government agencies and large municipalities.
So that’s basically my journey and where I got my experience in this.
Oscar: Sounds great. So Magnus, what would you say are the main challenges that organisations, we talk about public and private, these organisations face, when they ask you for a digital signature solution?
Magnus: When it comes to public sector, you have to consider many things, maybe more than for a private company. For example, to start with, you need to be able to connect to different eID issuers. So, you can’t only have one.
In Sweden, BankID is the most common, but you need to be able to connect to different, both for identification and also signing. And also, there is a request for dividing into what we call private eID issuers where we use your personal number, which is more private. But that can also be as an employee at an organisation. So, you have that kind of – maybe you don’t want to mix your private entity and your employee entity, so you have to consider that. And also, international, so you can also identify yourself and sign with an eID issuer that is from another country. So that’s one of the things.
The most common eID issuer is BankID, of course, but there is also Freja e-ID, Freja org ID, which is for employees more, and foreign e-ID, that is international. So those are examples, but there are more. So, you need to cope with that, and you need to be able to connect to those.
They are also high security when it comes to signatures. It’s level three, which basically means that you need a hardware secure module, where you do the actual signing. So that’s also a bit higher in security than the general need.
A signed document must be self-supporting over time. So, you can’t rely on our service later on, it has to be self-supporting. And the supplier of the signature service must be replaceable. That’s not good for us, but it’s good that we are, because well, all companies, they are not forever. So, it’s, we should be able to replace as a supplier. So that would be in our system cemeteries that our customers that they, that the document itself is self-sustaining. And you have different things, in some cases, the documents to be signed are really sensitive, or the content is delicate, so you need to be able to sign the document without the document itself leaving the customer’s IT environment. But some requirements also on the signature service.
There are also cases where you need a pure e-service, like a signing portal. But in some other cases, the customer probably has their own platform that they would like to connect to our, how to say – signing engine. So, we have to provide APIs for our customers’ e-services – sometimes you have a simple signing portal, and in other cases, you let the customer’s e-platforms connect to our signing service. So, these are things that they need.
And then, of course, going into the public sector, there can be really high volumes, when citizens in the country are using the service. There’s demand for high availability, and there is also a demand for a high level of automation. That means that the signatures need to be – you need to be able to validate the document electronically to the person who has signed it. If you look into the electronic signature of the PDF and read “signed by the supplier of the service”, that is a no-go, because then you can’t electronically extract which person has actually signed the document.
So, this also puts some specific requirements, and this is about the journey to digitalisation, and we’re not there yet. We may be in the beginning, of course. So far, when we sign a document electronically, like a PDF, that’s good. But often, it’s a human reading it, at the end, at the other end anyway. So, we have replaced the paper, which is good. It’s much smoother. That’s very good. But still, the flow isn’t really digitalised. And if looking at these challenges that our customers have, they need to be able to do this high level of automation, at least have it further on.
And then, of course, there are requests for sustainable operations. For example, excess heat in the operation centre should be fed back into the district heating network. So, this kind of thing, you don’t really think of them, but if looking at society, you need to think about those things to be sustainable. Those requirements I mentioned now, or the challenges there were, these organisations have. Of course, they’re mainly for government authorities or municipalities, but, I mean, it could apply also for private companies. It’s not bad, it’s really good things. So that’s about the challenges.
Oscar: Yeah, I can see quite many different types. As you mentioned, some are purely security, some more like usability, what the user is going to face. What else? And the last one you mentioned, actually, the sustainability side. So yeah, different – and some are, yeah, legal. So yeah, on different fronts there are these types of requirements for signature services. And it’s great when solutions, yeah, fix all these together and give a great product to the users.
So, I would like to hear now, how are you solving some of these challenges? What are the main use cases? Just, if you can illustrate some of those use cases, hot use cases, let’s say?
Magnus: The signature service that we provide, SignPort, is following the, as I mentioned before, DIGG, the agency for digital government in Sweden; they put up a framework for how to solve these issues. But there is also an architecture, or reference architecture, for how to cope with these challenges. So, we follow that. And if looking at our service, it’s split up in four different components, mainly, four different components, and it’s a Signing Portal, a Support Service, a Digital Signing Service, and an Identification Service. So, these are the four different components.
And the Signing Portal is like a web page that is an e-service, a service provider. The only thing you can do is to just create a signing assignment. Just to, for example, take a PDF document, drag and drop, and then you apply the email addresses of the signers, and you send it away, and create the sign message, so that’s how it works. It’s a very simple but useful tool for just having a web interface for the users.
Then we have a Support Service. And the support service is basically calculating the hash of the document to be signed, and then the hash is sent further on to the digital signing service.
The Digital Signing Service is a bit more – has the highest security, it contains these hardware secure modules, etc., that are creating those signings with the highest security.
And then we have the Identification Service, which is actually different identity providers connecting to each e-ID issuer. And by splitting this up, you can facilitate several things, because the signing portal and the support service are – those are the only components that are hit by the document to be signed, and they are done in a way that they can be installed in our customers’ operations. So, by doing it that way, the document to be signed is never leaving our customers’ IT departments. So, they stay at our customer. That is one thing. And by splitting up, so you have an API towards the support service, you also facilitate the possibility that the customer has other e-services that also would like to use an API for signing documents.
Those two parts, the signing portal and support service, are rather easy components that don’t contain any hardware or anything like that. So, it’s easy for the customers to install and operate themselves. Some other customers might not have that requirement. They want the software-as-a-service solution, and we can provide that as well. So, it’s possible to do it that way.
The Digital Signing Service, containing the hardware secure modules and everything around that, that we always operate ourselves, but that part is never hit by the documents to be signed. And then we have the Identification Service, which is basically a SAML 2.0 IdP connecting to different. It can be used as a pure identification service only for logging into it, and e-service, for example, but not in this case, also for signing. So that’s how our service is split up with those four different components, and how we can meet all these requirements that we have from the customer. But it is possible to do it this way.
And for the signing portal, we – it is a rather simple web page, and it has a basic structure, but we can customise it for our customers. So, if a municipality uses that, we can customise it for that municipality, so it states the name and everything. So, the user feels that they are in the same. But when connecting to the support service then the – our customers can fully integrate and have everything that is shown to the users in the e-service that the agency provides. So that’s a little bit how it works and how it’s set up.
Oscar: Excellent. Actually, one topic, I think you mentioned a little bit, maybe to understand even better is the self-supporting signed document. Right? So, you said – tell us a bit more about that, how it works.
Magnus: If taking a PDF, for example, the standard we use is PDF advanced electronic signatures. When I say the agency for digital government, the technical framework is based on eIDAS. So, it’s based on international standards. And when I say self-sustaining, then I mean that it should be able to validate the document to the person who has signed it, using only the document.
It isn’t really through, but you don’t need SignPort in order to validate it. You just need the public key from our signing service. And that’s the only thing you need, then you can validate the signature to the person who has signed the document. And the public key is – it can be downloaded, it can be stored, so that you have it. But it’s public service, so it’s, once it’s out, it is possible to achieve later on. But if you have that, you can validate the document to the person.
And then you can do, for example, if a government, an agency, received a signed document, you can validate it and extract the person, electronically, that has signed the document, provided that you rely on our public key. But then you also include the verification list in the document, so you can see that when it was signed, the identity wasn’t revoked. So, it’s sustainable also over time, together with a signed timestamp as well. So, basically, that makes it self-supporting.
There might be other ways to do this onwards, the standards aren’t really set yet. But this is how we do it, in order to achieve this. Possibilities there are very replaceable, but it’s a good thing, I guess, if looking at.
Oscar: Yes. You have mentioned also that a big part of your requirements come from the public service, and you’re following what needs to be complied with in Sweden. So, let’s focus on that. So, what must a signature service comply with in Sweden?
Magnus: It is for the public sector. In Sweden, the agency for digital government, they have set up a technical framework and a normative specification, and this setup addresses all the requirements that I listed above. So, it’s not a requirement on the public sector in Sweden, but it is the recommendation. And if following it, it will be much easier when, for example, different agencies collaborate and send documents between each other, if the signed documents follow the standard, the same standard. And there is also a requirement to connect to foreign eID, eIDAS.
So, for example, if you – it isn’t that many countries that are connected to foreign eID yet. But, for example, if someone from Germany would like to use e-services in Sweden, it’s possible. Also Denmark and several other countries, and there are more upcoming. So, there is a possibility to use it also within Europe, both for identification and signing.
For the private sector, it isn’t – of course, there are requirements that the service has to be easy to use. I think that’s the main thing. But otherwise, there aren’t that many must-have requirements, as I believe, when it comes to security or sustainability, and so on. Maybe companies would like such things, but it isn’t a real requirement. So, you can use more or less whatever signing service you like. And there are many, and that’s OK. So, what we’ve seen in the private sector is mainly, we have some customers, but they are mainly connected to either health care or law, where you’re closer to the public sector. So that’s what we’ve seen.
Oscar: All right, perfect. Definitely a good overview of how signatures have been applied in Sweden. I would like to ask a final question. So, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agenda today?
Magnus: Yeah. I think if you do not yet have a digital signature service, get one. It’s so much more efficient and sustainable than paper. So, if you don’t have one, get one. And when getting one, think about the future, how is the validity of the signed document proven over time? What happens in collaboration with other parties? And also, what happens when replacing the supplier, what’s next? I think those things you should consider when choosing a signature service.
Oscar: All right, excellent. Excellent, Magnus, thank you for this final recommendation. So please, yeah, let us know if someone would like to follow the conversation with you, or follow the work you’re doing. What are the best ways for that?
Magnus: If you want to reach me, I think it’s easiest on an email address, which is magnus.kardell@knowit.sc, M-A-G-N-U-S dot K-A-R-D-E-L-L @knowit.sc. So, you can reach me there. And I believe we’ll set up a home page for SignPort, there is one, but I think we will update it soon.
Oscar: All right, perfect. Again, thank you, Magnus, for this conversation, and all the best.
Magnus: Yeah, thanks a lot.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Privacy by Design: The Road to ISO with Ann Cavoukian and Katryna Dow
Let’s talk about digital identity with Oscar Santolalla, Ann Cavoukian and Katryna Dow.
In this latest episode within the Identity Story Series, Ann Cavoukian, creator of Privacy by Design and Katryna Dow, CEO at Meeco, join Oscar to explore the road to becoming ISO 31700 for Privacy by Design. They discuss the importance of Privacy by Design and how it can help organisations protect their customers’ personal data and comply with data protection regulations and the impact of Privacy by Design becoming an ISO Standard.
[Transcript below]
“If you don’t have a strong foundation of security from end to end with full lifecycle protection, you’re not going to have any privacy.” ~ Ann Cavoukian
Dr Ann Cavoukian is recognised as one of the world’s leading privacy experts. Dr Cavoukian served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices, thereby achieving the strongest protection possible. In 2010, International Privacy Regulators unanimously passed a Resolution recognising Privacy by Design as an International Standard. Since then, PbD has been translated into 40 languages! In 2018, PbD was included in a sweeping new law in the EU: the General Data Protection Regulation.
Dr Cavoukian is now the Executive Director of the Global Privacy & Security by Design Centre. She is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University, and a Faculty Fellow of the Centre for Law, Science & Innovation at the Sandra Day O’Connor College of Law at Arizona State University.
Listen to Episode 73, where Ann joined the podcast to discuss Privacy by Design, and connect with Ann on LinkedIn.
“One of the really challenging things about privacy and security is if you don’t bake it in at the lower layers, if you don’t build that foundation, it’s really hard to go back and put it into a product or service afterwards.” ~ Katryna Dow
Katryna Dow is the founder and CEO of Meeco; a personal data & distributed ledger platform that enables people to securely exchange data via the API-of-Me with the people and organisations they trust. Katryna has been pioneering personal data rights since 2002, when she envisioned a time when personal sovereignty, identity and contextual privacy would be as important as being connected. Now within the context of GDPR and Open Banking, distributed ledger, cloud, AI and IoT have converged to make Meeco both possible and necessary.
Find out more about Meeco at meeco.me.
For the past three years, Katryna has been named as one of the Top 100 Identity Influencers. She is the co-author of the blockchain identity paper ‘Immutable Me’ and co-author/co-architect of Meeco’s distributed ledger solution and technical White Paper on Zero Knowledge Proofs for Access, Control, Delegation and Consent of Identity and Personal Data. Katryna speaks globally on digital rights, privacy and data innovation.
Listen to Episode 30, where Katryna joined the podcast to discuss Data minimisation, and connect with Katryna on LinkedIn.
Go to our YouTube to watch the video transcript for episode 89.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Today we’re happy to bring you a new episode of our Identity Stories Series. Privacy by Design has just become an ISO standard, which we want to celebrate, so let’s go back in time and hear moments of this journey.
Let’s first hear from Privacy by Design’s creator herself, Dr Ann Cavoukian. She is recognised as one of the world’s leading privacy experts and she served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada.
Oscar: Dr Ann Cavoukian welcome back to Let’s talk about digital identity.
Ann Cavoukian: Thank you so much Oscar. It’s a pleasure.
Oscar: Use a time machine and bring us to the moment in which you started writing Privacy by Design.
Ann: We’ll have to go back to the nineties. So, I was first appointed Privacy Commissioner of Ontario, Canada, and I think ‘97. And when I was appointed commissioner, I joined the office, which consisted of brilliant lawyers, and they took, of course, a legal approach to protecting privacy, applying the law after a privacy harm had arisen.
But you see, I’m not a lawyer. I’m a psychologist. I took a very different view of how we should protect privacy in addition to legal means. I wanted something that would prevent the privacy harms from arising. I wanted to have a model of prevention that was proactive, baked into the code, baked into your operations, so that ideally, we can have fewer privacy infractions and data breaches.
And this is a very different approach to the legal one. So literally at my kitchen table over three nights, I created Privacy by Design, and then I took it in, and I sold it to my lawyers. And it didn’t take long, but it was a different approach. And I said, look, this will complement regulatory compliance, which is after the fact, applying a privacy law, after a privacy harm has arisen.
That’s very, very valuable. But I want ideally to minimise the number of privacy harms that arise. And that’s what Privacy by Design is all about. So, they got that. It was a win-win and they liked it. And away we went. And Privacy by Design has grown dramatically since then. It’s been translated into 40 languages. We’ve had great success with it.
Oscar: How was the whole journey since that time until now, 2023? Has the road to becoming an ISO standard been a bumpy road?
Ann: It’s always a bumpy road, there’s no question. But I had great fortune. I was very lucky in 2010. Privacy by Design was unanimously passed as an international standard by the International Assembly of Privacy Commissioners and Data Protection Authorities in Brussels. So immediately in the privacy community, it grew enormously. And then the new law in the European Union, the General Data Protection Regulation, was introduced, or came into effect, in 2018.
My Privacy by Design was included in the GDPR as well as privacy as the default, which is the second of seven foundational principles of Privacy by Design. This was huge. It being recognised like that was just such a huge development and it took hold globally because everyone around the world wants to do business with Europe and engage in business and trade with the European Union.
So, lots of countries started doing Privacy by Design. And whenever there was a new law that was developed, a privacy law like Brazil last year, they included Privacy by Design in it. So, it really took off. So, when ISO started considering including it as an international standard, that took years in the making. I mean, it just came into effect this year.
But my colleague Michelle Chibba, who’s amazing, I mean, she’s been sitting on committee meetings for the past, I don’t know, three, four or five years with ISO in an effort to make Privacy by Design an ISO standard. But we succeeded and that’s the whole thing. It is now an international standard, ISO 31700. And it’s all over the world.
It’s already becoming embraced by countries who recognise the value of ISO standards. So literally, I’m delighted by this.
Oscar: Fantastic. I can hear your voice of success when you are sharing this journey. And congratulations for that, of course.
Ann: Thank you.
Oscar: If you were wondering what these ‘7 principles’ are, let’s hear now Dr Ann Cavoukian explaining the 7 foundational principles of Privacy by Design, starting with Principle #1: Proactive not Reactive.
Ann: The first one, ‘prevent the harms’. You want to be proactive so that you could prevent the harms from arising. It’s very, very clear.
The second one is privacy as the default setting. And that’s – I talked about that quite a bit. It’s absolutely critical, in fact, it’s considered to be so important. When they enacted the GDPR in the European Union, the General Data Protection Regulation, they included not only my Privacy by Design, but specifically privacy as the default setting as well. So that’s very important.
The third one, embedded in design, is absolutely critical. If it’s not baked into the code, into your operations, it’s going to be overlooked.
The fourth one, you have to have what I always say, full functionality. Get rid of the zero-sum mindset of privacy versus security, or privacy versus data utility. It can’t be either/or, win/lose. It has to be win-win, privacy and data utility. You make a positive sum, and you get multiple positive gains, privacy and security always intertwined.
And the next one, talking about security. While the term privacy subsumes a much broader set of protections than security alone, in this day and age of daily hacking and phishing, if you don’t have a strong foundation of security from end to end, with full lifecycle protection, you’re not going to have any privacy. So, start with a solid foundation of security throughout your entire organisation.
Give individuals access to their own data. I always say to companies and governments, you may have custody and control of someone’s data, but it doesn’t belong to you, it belongs to the data subject. So, give them the right of access that they have, allow them to gain access to personal information you have on them. And companies actually have come back to me, companies that are certified for Privacy by Design, and they say, “We love this. We love this principle. Because once we give customers access to their own data, they come back to us and say – No, no, that’s no longer the case. That was true about me two years ago, here’s what’s going on now.” So, they correct the information. They increase the accuracy of the information we hold. And it increases the quality of the data we have. So, they love it.
And the last principle, keep it user centric. When you keep it focused on the user, all of this flows out. Because it should all be around the individual, when it’s personal information you’re dealing with. Because personal information is about identifiable individuals. So, you have to keep it focused on the user, and what they permit, what they don’t permit, things of that nature. So that’s it. Seven foundational principles by design.
Oscar: Despite all the recognition that Privacy by Design has received for two decades, and the influence it has had in regulations such as the General Data Protection Regulation, GDPR, we saw that the vast majority of Internet products and services still didn’t use the seven foundational principles. An urgent push was necessary. What would help us make waves of such magnitude? Nothing better than a global standard published by the International Organisation for Standardisation, the ISO.
ISO standards are recognised by governments, regulatory bodies, and industry associations around the world, so becoming an ISO standard would increase the adoption of Privacy by Design and it would be recognised globally. It is not easy to become an ISO standard, with thorough review processes including expert opinions, public consultation, and a vote by ISO members.
In 2018, a technical committee called ISO/PC 317 Consumer protection: Privacy by Design for consumer goods and services was created. Four more years, and all the efforts of this group of motivated and brilliant minds from all over the world came to fruition. On February 8th, 2023, the standard was published with the name “ISO 31700-1:2023 Consumer protection — Privacy by Design for consumer goods and services”.
Let’s now hear from another guest, the perspective of a tech entrepreneur who has been incorporating Privacy by Design in their products.
Oscar: We are welcoming back Katryna Dow, who is CEO and founder at Meeco. Hello, Katryna.
Katryna Dow: Hello. It’s nice to be back. Thank you for inviting me.
Oscar: Katryna, how has Privacy by Design influenced you?
Katryna: Well, I’m very privileged. If I think back to when Ann Cavoukian and the Canadian government were at the forefront of bringing the concept of Privacy by Design into the world. I was the recipient of an early Privacy by Design Ambassador Award and I think that was twofold.
One, because after reading about the principles of Privacy by Design, we immediately decided to bake those things into the development of Meeco as a product. So architecturally, to adopt them. And secondly, we were invited, around 2016, to submit a consultation to the Canadian government in support of Privacy by Design, and really in support of why it was important from a technology design perspective and actually how it could make a difference.
We all remember, a lot of this thinking was pre-GDPR. This was kind of at the forefront of the concept of considering for citizens. Initially, Canadians and now all around the world, this idea of taking a principle of privacy and considering it in every aspect of the design of a product or service.
Oscar: Thank you. And in your opinion, how has Privacy by Design influenced digital identity as an industry?
Katryna: So, I think it’s an interesting question about digital identity. Optimistically, I guess what we’ve seen with the advent and the evolution and the maturing of Self-Sovereign identity. At the heart of that are principles around human centred design and control. So, I think there are great parallels with Privacy by Design. However, if we step back and look at the whole digital identity landscape, I’m not sure that it has had a wide enough impact in the design of systems.
Certainly, large tech platforms or even some governments have not really thought about that human centred Privacy by Design, progressive disclosure, anchoring core part. And as a result of that, I think in the digital identity landscape, we have lots of really great systems and solutions, but they’re not always designed from a human centric or Privacy by Design point of view.
And I guess one topical example of that recently was with the acquisition of Twitter by Elon Musk and then opening up Twitter Blue for everyone and not having a proper process in place for verification or identity protection in any way. We all saw that. That was a very short-lived example of what happens if you don’t understand some of the foundation principles of identity privacy, and if you don’t design from that perspective of understanding, you want to in one way protect the individual, but in another way be able to open up that identity for authentication, authorisation or access to trusted parties in a progressive way.
So, I think sometimes that balance, we don’t see enough in the design of digital identity.
Oscar: If you have some final idea you would like to share about Privacy by Design?
Katryna: I think one of the things that we’ve noticed just recently, being involved in a community project, where privacy and security were acknowledged to be important, but not enough to slow down architecture and design. So, the desire was to be able to build something really quickly and get it out into the community.
And one of the really challenging things about privacy and security is if you don’t bake it in at the lower layers, if you don’t build that foundation, it’s really hard to go back and put it into a product or service afterwards. I sometimes think about building a house. You imagine if you, if you didn’t put down a strong foundation and you were building on sand and then you went back later and you wanted to try and reinforce that structure, it’s not impossible, but it’s costly.
It takes time and it creates all sorts of adjacent problems, particularly if you’re building a digital system. So, I think I would encourage people to think it may slow down architecture, it may slow down consensus, it may slow down the beginning of a project, but it means you can go much, much faster once you’re up and running. And it also means that you’ve not created technical debt, policy debt, compliance debt that you will have to circle back and address later on.
So, it’s definitely worth investing that time upfront and building on a strong foundation.
Oscar: I couldn’t agree more. That was an excellent analogy, a very visual analogy that helps us understand the importance of Privacy by Design.
Oscar: The stories that Katryna Dow just shared with us might sound like we’re still in a sombre passage of this journey. But it shouldn’t surprise us. Designing Internet services is only getting more complex: tight deadlines, limited budgets, scarcity of technical experts, all this determines and shapes the outcome. And those new applications are built to help the lives of millions of citizens, students, patients, and people of all ages.
At this crossroads, how can we make sure that this ISO standard builds the required momentum so what we’ll see in the next years is an avalanche of services that really protect our privacy?
Oscar: So now that it has become an ISO standard, what is the impact of having Privacy by Design as an ISO standard?
Ann: I think the impact will be significant because you see we’re struggling right now at a time where surveillance is steadily mounting on a daily basis. We need massive intervention to put the brakes on it. And with Privacy by Design being recognised as an ISO standard, that will draw so much more attention to privacy, embedding it proactively into the design of your operations. Into AI, artificial intelligence. We have to embed privacy into this from the beginning in order for it to take.
And that’s why I’m so excited about the timing of this, because it will attract a lot of attention to privacy, and privacy forms the foundation of our freedom. If you want free and open societies, you have to have freedom. And this will help to preserve freedom. So, ISO standards, marrying with Privacy by Design. The sky’s the limit – privacy and freedom.
And also, privacy and security go hand in hand. While privacy subsumes a much broader set of protections than security alone in this day and age of massive phishing and ransomware attacks, and all this, if you don’t have a strong foundation of security from end to end with full lifecycle protection, you’re not going to have any privacy. So, you have to have privacy and security by design.
Oscar: No doubt. Is there something else you would like to tell or share?
Ann: And what I want to remind people is please don’t be alarmed by the odds. Meaning people say to me, you know, I tweet every morning, I have a large Twitter following and I tweet about the latest stories of the day. And someone invariably will come back to me and say, Lady, give it up. That ship has sailed.
Privacy is dead. And I go back again. Another friggin ship. You don’t give up on privacy. You don’t give up on freedom just because the odds are small. They’re getting bigger. But you look at what is important to preserve. Freedom is the most important thing to me to preserve. I’m Armenian. I come from a background, in 1915, 1.5 million Armenians were killed.
It’s you don’t give up. You know, that’s the whole point. You always come back. You never give up on freedom. And so, I just urge people don’t be alarmed at the odds that it seems to be overwhelming that we can’t do this. Yes, you can. We can do this. We have to do this. We want to preserve freedom for ourselves, for our children, for the future. We must do this. So please stay with me and embed privacy into your operations.
And one last thing. If you do shopping, either online or in real stores physically, if you express an interest in privacy, you will get so much more protection. You can imagine I always ask what they’re going to do with my information. I’m at a store, they’re asking for my postal code or this or that, and I say, “Oh, and how will you be protecting my privacy?” The guy I’m dealing with doesn’t know, but he’ll go get the manager, and the manager will say, “Oh, you care about privacy. Here’s what we can do. Boom, boom, boom.” And immediately the protections go up.
So just express your interest in privacy and see how much more protection it will lead to. It’s a win-win.
Thank you for your time.
Oscar: Privacy is not only an Internet issue, a technology issue, it follows us everywhere we go.
From a kitchen table to an ISO standard, the world just saw how Privacy by Design arrived to this elusive, but crucial destination.
What’s our next milestone on this journey? The road that will come can be long and bumpy but as Dr Ann Cavoukian said, it’s never time to give up.
This was a special story episode of Let’s Talk About Digital Identity. Thank you to our guests Dr Ann Cavoukian and Katryna Dow. The story of this episode was edited by Chloe Hartup with the help of me, Oscar Santolalla.
Online Banking-Based Identity Verification with Adrian Field, OneID – Podcast Episode 88
Let’s talk about digital identity with Adrian Field, Director of Market Development at OneID.
In episode 88, Adrian Field, Director of Market Development at OneID, joins Oscar to explore verifying digital identities with online banking, the importance of online banking-based identity verification alongside its benefits for businesses and individuals. Join them as they delve into the cross-border challenges that arise from individual country verified identities and how LEIs and the UK Trust Framework are supporting verified digital identities.
[Transcript below]
“LEIs have been born out of the financial sector, through regulation. But we do see business use, in all sectors, is useful to be able to enable less fraud within a country, or better and smoother cross-border use cases for companies.”
Adrian Field is Director of Market Development at OneID. He leads OneID’s market development, working with banks, industry groups, Government and regulators to enable the UK market for ID services to grow and succeed.
Adrian is also engaged with the Open Identity Foundation developing global open standards for identity, and global projects to connect identity schemes cross-border.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello, and thanks for joining a new episode of Let’s Talk About Digital Identity. And today we’ll discuss a new perspective on verified digital identities. And for that, we have a special guest who is Adrian Field. He leads OneID’s market development, working with banks, industry groups, governments and regulators to enable the UK market for identity services to grow and succeed. He’s also engaged with the OpenID Foundation developing global open standards for identity and global projects to connect identity schemes cross-border. Hello, Adrian.
Adrian Field: Morning. Hi, thank you for inviting me.
Oscar: It’s a pleasure having you. Thank you. Let’s talk about digital identity but first, I’d like to hear a bit more about yourself. So, tell us, what was your journey into this world of identity?
Adrian: Yeah. So, my background is banking and payments originally, so I spent a long time with one of the card schemes, doing all sorts of things, but learned about the concepts of authentication and authorisation through that process. And then spent a few years at one of the UK’s large banks looking at lots of different innovation topics, but digital identity was one of those. And then I used my authentication knowledge to build on that to investigate more and more about, you know, what is identity? How do you prove that it’s the right person, in a journey, at the right time?
Oscar: And to start this conversation with a common understanding, for those who have not heard of it or are not completely clear. What is the concept of verified digital identity? So, what are we talking about when you use this term and why is it important?
Adrian: I normally explain this by going back to the question of, “what is identity?” without the digital part. And for us at OneID this is your, it’s the legal concept of your personhood. So, you are a person which is either a natural person, which is a human, or a kind of legal person, which is an organisation. And if you’re a person in UK law, that gives you certain rights, so you can own things, I can sign documents, I can own property. I have certain rights that non-persons, i.e., objects and things don’t have those rights. So, you get your legal identity by – as a person you’re entered into a birth register, or if you’re an organisation, you get entered into a company’s register or charities register as a legal organisation. And that’s how you get the identity part. That’s what an identity is.
The digitisation of that is, how do I securely connect that legal entity or the natural person to that legal identity in a digital process. So, I’ve got to have some way of verifying a birth certificate, or a passport, or a document or some other way to connect those two things together. And then I can store some data, which is the digital part. And I can protect that by providing that person with some secure authenticators, so they can reconnect to that digital identity and use it in other contexts. And that’s when it becomes a reusable digital identity and therefore, it’s more useful and also verified.
Oscar: In most of the countries, there are several co-existing identity verification products. There are some based on passports or ID cards, for instance, that’s one category. There are some based on mobile subscriptions. And the one I know you and your company, OneID, are focused on is the identity verification based on online banking. So, why is this category of verified digital identities needed?
Adrian: Yeah, so we looked at the UK market, and we looked at a number of different markets that have digital identity schemes and solutions in place. And specifically for the UK, we didn’t feel the government ID was the right way to go. It was quite hard, because politically, people have looked at ID cards from the government in the past, and they didn’t really want those. Whereas in the UK, we’ve got a very strong financial services market. We’ve got open banking infrastructure, which all of the banks have put a lot of investment into. To meet Payment Services Directive 2 requirements, so some EU legislation. And part of that open banking is all around strong customer authentication. So being able to securely identify that you have the right person in place to prevent payments fraud and things like that.
So, we saw that as a very good technical platform on which to build an identity layer, so an identity scheme on top of that. So essentially, it’s a bank ID scheme. So, you leverage the Know Your Customer process that the bank has put you through, so that they know who you are, we can leverage that and make that available in any online customer journey. And it’s a very easy process, because most people in the UK already have the bank app or the credentials that they need to get through our OneID service. And we can enable that for around 40 million UK adults, for instance, already have what they need to use the service. So, it’s a lot less friction for the customers to understand what a digital identity is, all they need to do is click a button and consent to share some data.
And we do – there’s a lot of kind of documents scanning solutions in the market and we recognise, and we look at that as a kind of bridging technology. I’ve got to scan my documents which we kind of see that as a digitised identity rather than a digital identity. Because I’m digitising paper into a digital format, as a follow-on step from that I can choose to store that digital format somewhere with a provider to create a reusable identity, and then protect that in in some way. So, we see that as a long-term process as well.
And in terms of what the telco sector can bring, there’s a lot of kind of useful signals around telcos in terms of SIM swaps, when was the last date that my SIM was swapped, and where is the phone location-based data, and things like that. We definitely see telcos and banks working together and providing complementary features. Although there are some gaps in the telco market in terms of I could have multiple shared handsets on one account. So, it makes it harder for, to know all the IDs on that account, and pay as you go, for instance. If there’s no KYC on getting the device, then that becomes harder to do identities in that manner.
Oscar: Explain to us a bit with a, let’s say, concrete example. Thinking of the user doing some transactions and doing something online which requires identity verification, in the case of these online banking-based verified digital identities. If you can guide us through a use case to understand how it works.
Adrian: Yeah, sure. So, what our corporate customers who we – relying parties, we use that term. They would implement our service as a, we have a software development kit, an SDK. Essentially that they can embed our button within their app or website, so the consumer, as the service that consumers are trying to get to. They would then click that button, and then select the UK bank that they do their banking with. And once they’ve selected the UK bank, we would route them off to either the bank app that’s on their phone, or an online banking login page for their bank. And they login to that and they see what data that the relying party is requesting, they can consent to share that data. And then we hand off that customer back to the original service or relying party that they’re trying to access.
So, it’s a three click simple process, and the customer is completely in control and has good visibility of what data they’re sharing. And then through that process, we kind of avoid the need to educate the customer on, “This is a digital identity. This is what it is. And this is how you use it.” Because all you really see is I’m sharing my name, address, date of birth, with – I’m trying to get some car finance or trying to buy something online. That’s a lot easier for the consumer to understand in that context.
Oscar: So, so far, it’s already serving different types of relying parties, as you said, or, in practice service provider, or at least the other term just to use that. So, there are many, let’s say type of businesses and also, I guess, government that are already using this type of verified identity.
Adrian: Yes, exactly. So, we’re getting some good traction in e-signing, for instance. So currently, when you sign a document, you typically get an email into inbox, you then click the link and sign the document. But if that email goes astray, or if you, as the contracting provider, want to know that it went to the right person, you can insert a digital identity check in that process. So, we’ve built that and partnered with a number of the e-signature market to be able to have an identity and signature flow, which works really well.
Another use case we’re looking at is Disclosure and Barring Service or DBS Checks in the UK for employment. We can now do that in 100% digital process that doesn’t need documents scanning. So, it’s a much easier flow for the customer to get through.
And final use case is financial services where we’re live in the FCA Regulatory Sandbox working with one of our customers in the asset finance space where we can augment and supply some of the KYC data into their customer due diligence process for money laundering checking.
Oscar: And you have mentioned earlier that one of the reasons why this type of verified digital identity made a lot of sense in the UK is because, the UK has open banking among other parts of the system that are already working, working pretty well. So, if you can tell us a bit more about that online banking, how this approach is using or complementing open banking?
Adrian: Yes, exactly. So, we’re regulated ourselves by the Financial Conduct Authority as the UK FS regulator. We’re an Account Information Service Provider under PSD2, so we have permission to access all of the banks without permissions or contracts from the banks. But you can only get certain limited data under the PSD2 directive. And it’s, you know, eIDAS is the regulation in Europe that covers identity. PSD2 is just about triggering payments and getting bank transaction data so it’s not about identity. So, we partner with the banks to get that additional information. So, we’re using open banking as technical rails to secure the API connectivity. But we have commercial partnerships with the banks to actually get the identity data.
Oscar: And this approach can be replicated in other countries?
Adrian: Yes. So, we’re looking at other countries that have, either open banking, and digital identity frameworks. A lot of countries who will have both of those things and talking to other schemes in terms of how– sharing how people do it elsewhere; what’s worked, what hasn’t worked, and what needs to be put in place, if you haven’t got the relevant frameworks or standards. And how we can connect those things to enable cross-border journeys. So, there’s a lot of activity going on. I think there’s something like 60 countries globally have digital ID systems. They’re not all based on open banking, but open banking, online banking is emerging as a good model on which to base your identity for a number of different reasons.
Oscar: Coming back to the benefits that verified digital identities have, can you tell us what are some of those benefits both for individuals and for businesses?
Adrian: Yes. So, I’ll start with businesses. So firstly, it acts as a key capability within digital transformation. So, understanding who your customers are, and enabling them to access your services in a much quicker way, will lead to increased sales. Basically, you’ll be able to onboard more customers more quickly. They’ll typically spend more with your company, because we find convenience always wins. So, the customers will also use the path of least resistance. If I have one service that is hard to get to and I need to go and find my document and do lots of different steps to get onto that service. Versus one that takes three clicks to get through to the same thing, typically, you’ll find your conversion is better with a simpler service.
We also think this will be a cheaper route. So operationally, the cost if you haven’t got – don’t need people checking documents, then it’s a cheaper provision of service. And also, for the business, we think this will lower fraud because we can keep fraudsters out of the loop because they can’t prove that they are who they are. So typically, impersonation fraud, someone’s pretending to be someone they’re not with a different name. If you then ask them to authenticate themselves with their bank account, they won’t have a bank account in that name so they just can’t get through the process. And this will help things like authorised push payment fraud, and other frauds in the ecosystem.
And then on the individual side. It’s really all about making my life simple. So, make my life easier, and not more complex. If I’m trying to get to a service, when I’m out and about maybe my ID documents are at home, I can onboard to a service easily just with the phone I have when I’m out. It makes my life really simple. We can actually onboard you to a service provider and also do a login afterwards as well. So, there’s no new passwords to remember. I get to see what data I’m sharing so I can control my data. I consent to share exactly what data has been asked for. I can see what data I’ve shared in the past through another consent service that we offer.
And in our model, the data is protected by my bank. So, someone I already have a relationship with, I trust my bank, I trust him with my money, I trust him with my information. And they can help me when it goes wrong as well. So, if something happens and identity is compromised, I can call my bank and say, “Can you help me out? Let’s figure out what went wrong and fix it.”
Oscar: Do you see there could be some cross-border challenges that come from specific country based digital identities?
Adrian: Yeah. So, a lot of this comes from, you know, interoperability in the standards space. So, what – how do I actually connect to these services, connecting together to share data from one scheme or solution to another one? What’s the kind of data format, what does the data mean? And then from a governance perspective, what’s the level of assurance that it has been through, the checking of that identity before that data was issued? And do I trust that that process was followed properly?
So, in the UK, for instance, we have a certification regime set up where I can actually get an independent auditor to verify that I’m safe and doing these things properly. And therefore, you build in different layers of trust in the data that comes out of that ecosystem. And do you have equivalents of those things across different corridors. But essentially, identity, or legal identity always comes from a national authority, so it always will be nation-based. I got my identity from being on a birth register in a country. And then they issued me with a passport, driving license, et cetera, digital identity can be added on to those things.
So, I do see we will have 200 plus countries issue identity, and in what format they do those things. And that’s where some of the work I’m doing with OpenID Foundation and others is in terms of; how do we come up with better, easier-to-use standards that can enable, all of these things, to talk to each other.
Oscar: And how does this type of approach, online banking-based verified identity, fit with eIDAS 2.0, if it fits?
Adrian Field: Yes, there’s a lot of interesting activity going on in Europe with eIDAS 2.0 with the whole kind of shift to digital wallets and people having a wallet or a container that they can then put digital identity credentials into. What are the kinds of standards and infrastructure that enable that to happen? And how do we give people more control and visibility about what data they have, enable them to choose to share that data with third parties, and privacy respecting, data minimisation, all of those good things happen through that. And I think that the kind of eIDAS 2.0 framework has started to drill down through the layers to say how these things are actually going to be implemented, which is really good.
And we’ve got four or five large scale projects with lots of different parties involved, with lots of good capabilities. So, we’re watching that space quite closely in terms of what’s our equivalent approach in the UK to digital wallets between the government, the banking sector, us as a provider, how those things work and interoperate together. To be able to securely provision those credentials into the right wallet.
And I do think some key challenges are going to be around how do you bind the credential to the wallet? How do you bind the wallet to the device, and the person that owns it, to make sure that the credentials that are being presented actually belong to the person that’s in front of you, or in that digital journey?
Oscar: How, first of all, is the UK Trust Framework supporting verified digital identities?
Adrian: I think the UK government is doing really well with the Department of Science, Innovation and Technology. There’s a new department, but they’ve now taken over ownership with the trust framework. The Trust Framework is in a beta version, and we have 36 providers in the UK market that have been certified under a number of different roles within that framework.
So, I think the UK government’s work has certainly catalysed the UK identity market and enabled providers, such as ourselves, to be certified for services within that. And also, they have launched – there are three schemes, there’s a right to rent, right to work and Disclosure and Barring Service schemes that have been launched under that. Where if relying parties are looking to buy services from the market, the framework is recommending that they use certified providers because you’ve got that layer of trust that you don’t have with non-certified services.
So, I think it’s been a very good framework that’s evolved and is enabling the UK market to progress from where it was before. And also, for – we now have a kind of reference point for anyone that’s doing anything in identity in the UK, and point towards the framework and say, “Well, let’s do it this way. We can have that common language between each other. We all know what the inputs and outputs are in terms of a common approach.” So, it has been really good.
Oscar: Yes, and as you said earlier when I asked you about what verified digital identities are, you mentioned very clearly there are verified identities for individuals, which is mostly what we’re talking about in this conversation, but you also mentioned there are also ones for organisations. So, that touches the topic of the Legal Entity Identifiers, LEIs. In your view, how are LEIs supporting verified digital identities?
Adrian: Yes, I think this is – these are essential and the whole, the work through GLEIF and the whole ecosystem of, how do we give unique identifiers to legal organisations globally? That can then be used to create security around who are the business organisations that I’m dealing with, who owns which assets, etc. Who owns – what’s the kind of parent-child relationship, in particular businesses, as well. Absolutely helps understand that kind of transparency and trust of, I know, organisationally, who I’m dealing with, who I’m contracted with.
And then we can add in the individual identities from things like OneID to say, “I know who the individuals are, and I’ve verified the individuals.” I can then start to connect those two things together. So, I’ve got OneID for an individual, I’ve got an LEI that I know it’s this particular company. And I can then join those two things together to say, this individual is acting as a director of that organisation. Or it’s the Chief Financial Officer, and they have access to the bank account information. And then you can then start to secure those channels to say, “I’ve only got certain notified people should have access to my corporate bank accounts.” It then protects the corporate bank accounts from fraudulent use of internal people, or the wrong internal people accessing those accounts.
And also, when you’re paying other companies, you can then start to verify, “Am I paying the right company? Am I dealing with the right person within that company, in terms of individual identities?” So, it becomes very powerful, the combination of both.
Oscar: Yeah, exactly. And I really hope to see this – exactly the use case that you just described I hope to see really in the in the near future. Unless, unless you have already seen them. But yeah…
Adrian: And we’re looking at those kinds of use cases as well to say, you know, how can we actually do better corporate identity, and use the LEIs for all sectors, really. So, LEIs have been born out of the financial sector, through regulation. But we do see business use in all sectors is useful, to be able to enable less fraud within a country, or better and smoother cross-border use cases for companies.
Oscar: Yeah, certainly. A final question, Adrian, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Adrian: I would say, come and talk to us, so my email is adrian@oneid.uk. Come talk to us, come and engage with the services, come and test and learn and try them out. So, we’re live and we have an easy-to-use API that takes a few hours to integrate. We’re also based on open standards, with OpenID Connect. So, it’s very easy to get up and running with a service and start to consume it, to see what kind of data you get from the service, what kind of assurance, and what certification? How does this interoperate in terms of other things in the market? What kind of solutions are you using today? What kind of problems you have, that these solutions can potentially address? But it’s all ready and up and running, so yes, just come talk to us.
Oscar: Again, it was very nice, very interesting discussing with you Adrian and all the best.
Adrian: OK, thanks for having me.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Digital Identities in Local Municipalities with Henk Marsman, SonicBee – Podcast Episode 87
Let’s talk about digital identity with Henk Marsman, Public Speaker, and Principal Consultant at SonicBee.
In episode 87, Oscar is joined by Henk Marsman, specialist and public speaker around ethics of digital identity and Principal Consultant of Identity and Access Management at SonicBee. Henk and Oscar explore why local municipalities may need their own digital identity schemes – including how these local schemes differ from national schemes and how they help people missed by national schemes, alongside some examples of live local identity schemes. They also discuss some disadvantages of local identity schemes and how they could be incorporated into wallet-based identification, like eIDAS 2.0.
[Transcript below]
“Put the human at the centre, what the individual’s needs, what the individuals want to achieve … and that is basically the ethical perspective, or the value perspective on digital identity solutions that we have in the world today.”
Henk Marsman combines deep knowledge on digital identity with an ethical view on the impact on individuals and society of the digitalisation of identity. His research on the ‘ethics of digital identity’ is still ongoing. Henk is involved in initiatives related to national digital identity (including eIDAS 2.0), municipal digital identity and specifically identity for undocumented persons. Next to that he’s supporting organisations in digital identity projects through his work at SonicBee, a Dutch IAM boutique firm. He has worked for 5 years at a top-three Dutch bank (Rabobank) as the global service owner for the Identity and Access Management services, and prior to that was senior manager with Deloitte, leading the Dutch IAM practice.
Connect with Henk on LinkedIn. Find his personal blog at ThroughIdentity and other blogs and articles at SonicBee.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining us on this episode of Let’s Talk About Digital Identity. And something that we have not talked about before is digital identities in local governments. For that very interesting topic, we have a special guest who is Henk Marsman.
He combines deep knowledge on digital identity with an ethical view on the impact of digitalisation of identity, on individuals and society. His research on the ethics of digital identity is still ongoing. Henk is involved in initiatives related to national digital identity, including eIDAS 2.0, municipal digital identity, and specifically for undocumented persons. Next to that, he is supporting organisations through his work at SonicBee, a Dutch IAM boutique firm in digital identity projects. He has worked for five years at a top three Dutch bank, Rabobank, as a global service owner for the Identity and Access Management Services. And prior to that, he was senior manager with Deloitte, leading the Dutch IAM practice.
Hello Henk.
Henk Marsman: Good morning, Oscar. Nice to be here.
Oscar: It’s great having you, Henk.
So, Henk, let’s talk about identity. But very first, I want to hear a bit about yourself and especially your journey to the world of digital identity.
Henk: Yes, that’s a good start Oscar, thank you for that. I’ve had several occasions looking back at how I ended up in this world, because there is no formal training for becoming an Identity and Access Management expert. For me, it started actually when I was doing a half year of exchange study in Finland. Where a professor, in Turku, had a lot of abbreviations on a slide, and we were supposed to pick one and write an essay on it. And I chose the TTP one, which stood for Trusted Third Parties, and that led me into the world of online trust services / public key infrastructure. So, I did my graduation thesis on the same topic, and from then on I was in Cyber Security and PKI basically, and over the years through planning and through accidents, that was henceforth.
I still remember, one time in a consulting firm I was on the bench, there was a project ongoing and there was a free seat at the Sun Identity Manager Boot Camp. Sun was still a company at that time. And I didn’t really want to go, but it was a free seat, so I had to go. And then within half a year I moved over to another company, and it was Deloitte. I accidentally made the remark that I had done this boot camp on Identity Manager, and from that point onwards I was their Identity Manager Champion. Because as we say in Dutch, in the saying, ‘In the land of the blind, a person with one eye is king.’ So, I’ve been in this area for over 20, 25 years, in consulting.
I spent five years at Rabobank, because I also wanted to see the other side of the table, where you actually need to improve year over year, work with teams and the internal politics of an organisation.
And then after five years, I decided to move back into consulting again. So, I’m with SonicBee, a boutique Identity and Access Management shop in the Netherlands. And besides doing the regular IAM consulting at organisations, I also spend some time on research and study on Digital Identity and the ethical aspects of it when you look at the digital identity solutions on a national level, sometimes even at the global level.
Oscar: Yes, super interesting. And yes, we know that from your research you have been, as you said, exploring the national level of digital identities. But also the local government, which is something particular we are very curious to hear more about that.
So first of all, what are local digital and legal identities?
Henk: Yeah, I came across that because, as part of my research, I was intrigued by the gap between, on the one hand, the promise of digital identity – stating that everybody has a trustworthy digital identity, we’ll have inclusion, and we can bank beyond banks, we can perhaps even provide a legal identity to persons, although that’s a completely different topic. And on the other hand, the cases where we saw that digitisation, but also digital identity solutions, sometimes enhance exclusion, and enhance the inequalities that already exist in society.
Because when we look at these types of digital identity solutions, it’s no longer in the corporate domain, with the employers, employees and third parties that need access. This is the domain of citizens and residents and how a state provides services to its population. And through my research, I came across the topic of Legal Identity and Digital Identity. And I got in conversation with a couple of municipalities where people were working, on the one hand, on smart city types of projects to see how municipal services could be digitised. Which is for most governments, but also for lots of the municipalities, a strategic imperative to also enable their services to the residents and the citizens through digital channels. And on the other hand, also looking at how vulnerable groups in the population could also make use of those services, also through the digital channels, so using a digital identity.
And what I’ve seen so far is that, on a national level, there are like, there’s the supranational and the national regulation and the legislation, and there are a lot of national Digital Identity Initiatives. But on the municipal level, you really encounter the community aspect of it. So, where we can say on a national level, if you’re a Dutch citizen and these are your criteria, you can request a digital identity in these and these manners. And then you can file your taxes online, or request a permit for rebuilding a house, or engaging with the government on other topics and aspects.
But at a municipal level, you quite quickly encounter kind of the, what I would say is, the messiness of society. So, we can’t get everything in clear boxes. So, on the municipal level, you will encounter the people that don’t fit into the definitions and the boxes that were created on a national level to, kind of, organise society, or try to organise society by states. So, municipalities kind of struggle on that mid-level, between the local communities and the people that are actually living there, and the national directives and legislations, and they have to combine those two. And for that you see that, in a lot of cases, municipalities and cities rely on national digital identity solutions.
So, for example, the passports of two of my children are expiring. So, I use my national digital identity, in the Netherlands that’s DigiD. I log into my municipality here and I make an appointment to renew their passports. That is one way.
But in the city, there are also people who struggle with those digital means. They sometimes also have an immigration status, which is what they call irregular, or they don’t have the means to do this digitally. And that is where you see that on the city level, there is much more effort and emphasis on also providing a physical interface for those people. Providing the services, to these residents, in the city.
And that’s where you see local governments and municipalities also sometimes struggle with groups of people that cannot easily make use of national-level digital identity solutions. But they still want to enable them, through digital channels, for their services. And that’s where municipalities try to create city cards or municipal discount cards. And especially, in a lot of cases, oriented towards the more vulnerable groups. So, discount cards for groups in a community that live on a certain percentage of the minimum income, or by some other aspect. People who need to put in more effort to get along in, kind of, regular society. And they get discounts through those types of cards.
Oscar: You mentioned, to give a bit of an example. Maybe you can tell me some examples in some cities. But those discount cards, are they physical or digital, or are there both?
Henk: Most of the cases that I’ve been reading up on, they’re physical. Because in those cases also the municipalities make use of the desks in city hall to issue these cards, to identify the people who need them, out of their central administration.
One of the initiatives, actually two initiatives, that I’m now involved with – we’re looking at also a digital version. So, an app on your phone or a wallet on a smartphone, that people could use for the same type of functionality. And I think that, that is one of the areas that will be quite interesting to see what’s happening there. Because there are a lot of wallets, the technology is already there.
For example, in one of the municipalities, we’re now in conversation with a coalition of people who are representing more vulnerable groups, but also regular residents in the city. Which you know, the purpose of a digital ID or an identification card would be to provide a way for people to show their identity, regardless of their immigration status, because all – we’ll touch upon undocumented persons or irregular immigrants later on – because for some of the services, like accessing a library or a museum, perhaps even opening a bank account, you need to be able to show that you are a resident of the municipality, and not necessarily share a lot of other attributes. And this can be done through a card, but also through a wallet.
Of course, then there are other challenges that you need to address as well, because if the solution that is going to help these groups of people is digital, that means that it will be exclusionary to people who cannot get along with those digital means.
So, there was a case in a city where they were looking at an app on a phone to register for food and stay in pensions for homeless people. And it turned out that the phone that was used to make use of that app sometimes was also used as a means for payment, or the phone was lost. And then you see that that was kind of a prerequisite or requirement: to make use of a digital version in those types of solutions, there should also always be a combination of a physical and a digital solution, if the purpose is to provide access to public services for the general population in the city.
And that is also one of the things that struck me in the research: that there are a couple of angles to this topic of digital identity. And some of them are really coming out of the area of providing services, and they are more the service provider-oriented views. Which, sometimes, tend to focus very much on increasing the operating effectiveness, and making the delivery of service more efficient.
And the other aspect that, sometimes, is not completely served by the first perspective is that, if you put the human at the centre, they do this human-centred development and analysis of what is going on, and what is needed. Then you see, all of a sudden, a completely different perspective. Where there is a huge variety in humans, in the population, in communities, especially in municipalities, that cannot always make use of a digital ID. So, these two perspectives are also sometimes in tension with each other, and the research shows that the purpose or the overarching objective for a digital identity solution, to a great extent, determines the success of this and the outcome of this.
So, going quickly back to a country level, where a country deploys a digital identity solution for surveillance purposes. So, they want to make sure that the people in the country are really citizens, not just residents. And it’s really focused on border control, so making sure that we don’t get the wrong people in. And that can be criminals, can be terrorists, but it can also be people who basically have no reason to be in this country. Such a solution will be designed on surveillance and monitoring, and more on exclusion, keeping the wrong people out, than inclusion.
Whereas if you set up a system like that to provide the basic services to all residents in a community, or in a country, such a system will be designed and implemented much more on the basis of inclusion, and will serve a somewhat different purpose.
Oscar: So, this you mention, physical, digital, sometimes both – this discount card or this wallet, that for these people becomes the main document, correct?
Henk: For some people as well, yes. So, if I take my situation, I’m in the luxury position of, at least in the Netherlands now, I have a passport, I have a Social Security Number, which we call Citizen Service Number. And in the Netherlands, the government has made the legal arrangements in such a way that, basically, all the primary or basic services that you can have here, so that’s health care, education, legal support, etc., are connected to the legal right of being permitted in the Netherlands, or being allowed to be here legally. For people who do not have that, for various reasons, that makes it really difficult to get health insurance, to visit the hospital, and get medical assistance, for example.
So, the cracks in the system are where this legal framework cannot cover every situation, and groups of people who are falling into those cracks. So, for example, undocumented persons, who do not have a Dutch passport, sometimes they have a passport from their home country, but they don’t have the residency status in the Netherlands. For these groups of people, a municipal identity or a city ID could be a solution in situations where they are struggling now very, very much. And they struggle, for example, in what I mentioned, that’s accessing healthcare, because in the Netherlands, when you visit the hospital, you need to bring your insurance card. In order to get your insurance card, you need to get that insurance, and to get that insurance, you need to identify and have this Social Security number or a Dutch citizen number. Well, if you don’t have that, then the house of cards comes falling down.
But for these people, in some cases, they are also unable to identify themselves according to the regulatory framework. For example, when they’re on a bike at night, and their light does not work, and the police stop them. And in the Netherlands, you are not obliged to carry ID documentation, but you are obliged to be able to show it when police ask for it. So for these people, that’s a very scary moment, because if they can’t show the proper identity document at that point in time, because their bike light was broken, then they are at risk of being detained under the laws for immigration and other people staying in the Netherlands, for example.
And the last example here is that there is a universal human right described that provides the right to education for minors. So, in this case, in the Netherlands, if a minor does not have this Dutch Citizen ID, the Social Security ID, they are still able to go to school up until they’re 18 years of age. But it still gives a lot of trouble in the administration, and after they are 18, the day they turn 19, they’re struggling with access to higher education.
That is where you see that kind of, the national regulatory framework covers about 95%, maybe 99% of all the cases. But there’s still a lot of people in this country who are not covered by the legal framework. And in the Netherlands, that can go up to 80 or 100,000 people. Of course, because in the case of undocumented persons, they’re not documented. So, we don’t know exactly how many there are, but it’s a significant amount of people. And they also play a significant role in, for example, the great economy.
So, nannies and housecleaning. Now if you – during Corona that became very apparent – if you’re really forced to exclude them from society through these measures, then it has, of course, to a certain extent an economic impact. But you also push people out of the society where their basic human rights are guaranteed. And that is for me personally one of the triggers to say, well, let’s get engaged on this topic. Because I can walk into a hospital with a stomach-ache, and they will see me, and my expectation was that anybody in my country could do that, and it turns out not to be the case. Because of all kinds of regulations and identification, being able to identify yourself, whether it’s with a physical card or digital, is one of the stumbling blocks in that process.
So besides doing well-paid consultancy at large corporations on Identity and Access Management, I, but also my employer SonicBee, really see this as something to engage in for society. To also, where we can, make the growth a little bit better. However ambitious, or how almost over the top nice that seems, that is being part of society for us as well.
Oscar: Yes, absolutely super important, and you have been illustrating very well both of the problems. So why is it needed? Why is there motivation from the local governments? And how is it affecting, is it helping, some people? But some people are still underserved, as you say.
If you can tell us, some examples from some cities, how has it been done?
Henk: Yes, there’s actually quite a lot of examples of cities who are already providing a city ID to their residents. And one of the most striking I found is the one in New Haven in America, the United States of America. That is a community with a large number of immigrants, and in the United States, the whole system of federal law and local law works slightly differently than what I’m used to in the Netherlands, or what we have in Europe.
The problem they have in that community was that these immigrants just had regular job, sometimes making a lot of money, but because they had struggles with identifying themselves, they could not open a bank account. So, they walked around on the street with sometimes a lot of cash that led to robbery and mugging, that led to unsafety in the community. So, the New Haven City Council said we need to address this, because these people need to be able to open a bank account in some way, so we can make the community as a whole safer. So, they issued the Elm City Resident Card, as they called it, and that really was designed to protect those 10 to 15000 undocumented immigrants. And that has been evolving over time.
Something similar is present in New York, where they have the ID New York that was started in 2015. Also, to provide access to city services, especially for vulnerable populations. And the trick they did there is that they did two really good things, in my opinion. Well, in the opinion of most of the analysis reports that I’ve read on it as well. They did it through a coalition, so instead of designing it for people, they designed it with people. So, it was a broad coalition of representatives out of these vulnerable groups. And the other thing is also that it was not restricted to those vulnerable groups. So, it’s a generic city ID that was created there. And it showed also by the uptake, because in one and a half years they had 800,000 users or holders of these cards.
With the vulnerable roots, one of the safeguards there is that it’s only for identification. In 2018 / 2019, there were two challenges to this city ID, or to the ID New York solution. One was the change of administration, and the new administration had a completely different focus on immigrants and immigration and wanted to use or abuse the system to find immigrants and deprive them of some of the rights that they had at that moment. And the other challenge was that financial service providers said it would be a good idea to connect financial services to these identity cards. And that initiative was stopped, because the coalition stood up and said, well, you know, financial service providers have different incentives than a city council providing public services to the residents in the community. And also, those financial services would start gathering data, sharing data, analysing data to, you know, get the best financial offer to this person. But a lot of these people are in vulnerable groups, and providing them really nice discounts but then making them pay the credit rate for the next five years is not in their best interest. So that is not something that we want to do.
So, one of the lessons learned from that New York initiative was also to keep it with identity, do not combine it with other services like financial services. Because then you get different incentives and different players in, kind of, the ecosystem of such a municipal ID. And also, one of the things that New York does is that they destroy all evidence of the initial registration within two years. To also make sure of the privacy of these people that register, and you can register, of course, with a U.S. passport, but you can also register with less, I would say, assured identity documents.
So, all the way up to if you’re homeless, a homeless residence will vouch for you and will provide you with a document stating that you have been staying overnight in their homeless residence for at least 15 days. That will make you eligible to apply for the city ID. And with that city ID again, you can identify yourself, access basic services. And one of the things that really also showed in New York was that besides enabling vulnerable groups to access services, it also gave them a sense of belonging. So, it also did something in that community where identification was a prerequisite for services, and through that connecting with society and being part of society.
And there are quite a few others, there’s also one in Zurich, Switzerland, where they started specifically for people without identity documents. So they call this Sans-Papiers, people without papers, without documents. And there, for example, you saw that they took the space there was between what the regulator on a national level stated, and what their responsibilities as a municipality are, to provide these people with a card for identification. To make it easier for them to participate in society, to get specific discounts, etc.
And again, there’s a coalition working on this ID. Where in New York they also worked closely together with the police department, it was also the case here, and together with the Red Cross and other actors in the city trying to figure it out. What are the stumbling blocks for vulnerable groups in our population? Can we provide them with an identification solution, and can that identification solution also be in the form of a digital identity?
And I think on that aspect, in these situations, I’m not 100% sure to what extent they are already digital. I’ve seen in my conversations here in the Netherlands in a number of municipalities that digital has some benefits in this case, so, an app or a wallet on a smartphone, because a lot of people have a smartphone, but not everybody.
So, on the one hand, again, you have this perspective of let’s get everybody this wallet and they can use it everywhere and the world will be a better world. On the other hand, such a perspective bypasses the fact that a community of people is very diverse. And if you – we actually had it with access to health care, we said, you know, talking to some health care providers, some GPs, saying, what if we create this city ID card in an app and it would allow people, undocumented persons, to identify. And their response, as practitioners in the field working with these people, was ‘That’s a great idea. But for that very small group of people who cannot do that because they’re not digitally literate or they don’t have a smartphone, it will be even more exclusionary to them.’ And that got us thinking and saying, if the objective is to work on the community and include people to a larger extent, then you need to really look at the idea of identification and not focus only on the digital part of digital identification.
Although it’s a fascinating topic, it’s a cool development. With eIDAS 2.0 we’ll see major changes in the next two years, in Europe. But the design principles should be human centric, and I love the quote of one of the NGOs, one of the civic institutes working on it, which says ‘Nothing for us, without us’. Because identification can become really core to travelling through society, and the municipality, and being able to access services or not.
Oscar: Absolutely. It is very clear now; you have explained these specific examples in the United States, Switzerland, and also earlier in the Netherlands. They are definitely filling the gaps. Excellent outcomes. But could we also think whether this type of local government ID also has some issues, some disadvantages? So, by what you see.
Henk: I mean in the sense of the challenges for these local initiatives, I think one of the challenges or potential issues is, of course, that when an administration changes or a national law changes, that means that you could be forced to adjust locally, especially if you provide a digital identity solution for vulnerable groups. Those principles of privacy and data control and data storage are critical, so that can be a challenge there. And that is kind of, I think, also to check that it’s a municipality or the community in the population, but it’s also a highly political environment, of course, in a city council.
And one of the other challenges that we’ve seen here is that the idea is very appealing to provide everybody with methods of identification, regardless of what the national legal framework says. As the national legal framework may tie ID to immigration status. Well, some of the rights people have are not tied to immigration status, but that does leave the question of who will identify a person. So in the case of one of the cities that I’m engaged with now, we’re having that question, saying, well, there are, for example, homeless people or undocumented persons or people who do not have this national ID or citizen ID. So who is going to vouch for their identity, based on what? And will this identity be added to the national identity register?
Because in the Netherlands we have a person’s registration, and we already know that. The last question will be definitely a no, because that would be creating a backdoor in our national identity register. And of course, that would be very interesting for people with malicious intent. So, you would get a lot of fraud attempts there.
The question before that is basically if we can enable people to get access to all services they are entitled to, even when they lack national identity documents, then the challenge that we had of accessing the services actually moves upstream in the process to the question of, okay, so now they connect to social services, but who is actually identifying them? And does that need to be a city, like a city council, or can it be a civic organisation? Or should it be a combination of both? And what are the minimum criteria?
So, within New York there are a number of requirements that you can use to get this ID, but for example, if you take a slightly different focus, but it’s top of mind for me at the moment. If you look at Aadhaar, the biometric national identity solution in India, which has been quite successful, they have a list of over 32, what they call breeder documents. So, registering in the system, you have basically 32 options which range from passport to driver’s licence. And if all else fails there, if there is no document, then you can get two officials from your village or your city, and when they vouch for your identity, you will get registered.
Those types of questions then come up and you’re basically working on, on the one hand, the fabric of society. So what does this notion of identity mean for society, and how can we make sure that it’s, on the one hand, formally properly arranged, but on the other hand flexible enough? Because we are dealing with humans, and once we start excluding them, then we really are sometimes violating basic human rights. Which, from what I’ve also seen in my research, is actually happening in various instances around the world.
So those could still be challenges and of course also expertise around this topic, which is something that a local government would need to build up and sustain over time.
Oscar: Yes indeed, thank you for explaining that. Absolutely, there’s still a lot of work to be done. One more question related to, you mentioned, eIDAS 2.0, especially the wallet that has been on many people’s radars.
How could this type of identity, local government identities, be incorporated into wallet-based identification? So, other existing, let’s say, or already planned ones, like eIDAS 2.0.
Henk: Yeah, I think that question is, I think there are two questions in there. One is, can you use a wallet? And I think there are many wallet types or holder type solutions already available in the market. So, in that sense, in that area, it will be more a question of, you know, which technology, which solution do we select, and is it safe and also privacy safe?
What is happening on a European level with eIDAS 2.0, so the ambition for a European digital identity based on a wallet solution, is that it ties into the national governments, because the national government has the authority over their citizens and their residents. So, eIDAS 2.0 is putting down a legal framework that ensures that there is a legal backing for a national digital identity in a wallet.
So, for example, the Dutch government is now working on – how are we going to get our national identity, so the National Identity Register, enabled for an identity wallet under eIDAS 2.0? They are also working on a wallet solution, so that in two years’ time everybody who is a Dutch registered citizen can download the app, download the wallet, basically store their national identity data in there. Of course, there are some questions around identification and authentication in that process. And then use it in the Netherlands, but also in Germany and in France, because the eIDAS legal framework will provide the legal backing for that cross-border acceptance of those solutions. It can also be used on a city or municipal level, except for those people who are not part of the National Identity Register.
And that’s where it comes back to vulnerable groups in the community, where on a state level or a national level, I have this feeling that it’s easier to stick to general classes, and order, and regulations. Whereas on a municipal level, you really need to work on the translation to society with all the variety and all the people, the individuals and the groups of individuals in there. Even though on paper, on a national level, there are solutions for them, and they should be either out or in, you find that in reality some people are in-between, and on a city level you need to deal with them because they still have basic rights that you need to provide them regardless of whatever status they hold.
And I think for that, the eIDAS 2.0 will – well, my question is whether eIDAS 2.0 will make that a better world or not. Because again, this is a solution that is based on national identity registers. Well, at least the aim is to make it an easy-to-use solution, but it means the majority of people using it will rely on it. That also means the majority of service providers will accept it, and perhaps move in a direction where they prefer that specific type of use.
So, there is the risk of enlarging again the inequalities that you have in society there. And there have been cases already where we’ve seen that these types of solutions, although they start as an option, as a voluntary solution, and you don’t have to join, once you get into an ecosystem and other services are built on it or connected to it, so, kind of, the generativity of these types of solutions kicks in, then it becomes increasingly difficult to opt out. And I think as a commercial service provider, there’s a different perspective, different values at stake than as a public services organisation like a municipality.
Oscar: Indeed. Final question for you, Henk. For all the business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Henk: That’s a good question. I think if I could give one actionable item it is: put on your calendar, for whatever digital identity solution you’re working on, to take 5 minutes or maybe 10 minutes and basically take the perspective of the individual human. Realise that there is a huge variety in individuals. Everybody is unique, so generic solutions will only go so far. And if you put the human at the centre, what the individual needs, what the individual wants to achieve.
And that’s, for example, not only access to a bank account, but it is also independence, autonomy, agency, free will, also living a life that’s worth living, being able to flourish. Just spend a little bit of time on that perspective and then go back to everyday work, but keep that perspective in mind, that especially around identity solutions and also digital identity and digital identification, in the end there is a person on the other side of the line, which is a human, flesh and blood. And that perspective, I feel, needs to be included more in the solutions that we build. And that’s also why I think we should have more conversations on the values that are at stake, the impacts of the solutions that we build. And that is basically the ethical perspective, or the value perspective, on digital identity solutions that we have in the world today.
So I would put that on the calendar, take 5 minutes, picture the human and what they need, what they want, what they are entitled to, what their privileges are, what their duties are, what their virtues are, maybe even. And then continue with the important work that I think most practitioners in this field are doing.
Oscar: Great reminder. Thanks a lot, Henk, for this super insightful conversation. I commend you for all the work you’re doing on this. Please finally, let us know for the ones who would like to follow the conversation with you, what are the best ways?
Henk: Yeah, I’m quite active on LinkedIn, so I post a lot there and I like a lot there on this topic. That also has a link to a personal blog site of mine, which is henkmarsman.wordpress.com. I call it ThroughIdentity, because when I started on my research, I came across a lot of identity solutions and I thought we need to think these things through, right up to the end.
So it became ‘thinking through digital identity’, and that ‘thinking through digital identity’ in brief is now ThroughIdentity. And also, on sonicbee.nl, or just the SonicBee site itself, there are blogs and articles by me and by colleagues that people can follow. And those are the 2 or 3 main channels.
Oscar: Excellent. Thanks a lot, to Henk for this conversation and all the best.
Henk: Yes, thank you, Oscar. Thank you for having me. And all the best also, with the blogs and with Ubisecure.
Do you want to learn the nuts and bolts of how customer identity and access management can help your business? IAM Academy is Ubisecure’s partner training program where you will learn all about commercial and technical aspects of Customer Identity and Access Management. IAM Academy has courses suitable for both business and technical people.
Enrol today at http://www.ubisecure.com/iam-academy/ and join hundreds of professionals who have graduated from IAM Academy and are now working in leading digital transformation projects in their own industries. You can also find more information in the show notes of this episode.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
BONUS: Understanding Hybrid IAM with John Jellema, Ubisecure – Podcast Episode 86
Let’s talk about digital identity with John Jellema, VP of Product Management at Ubisecure.
This is a special, bonus episode on Hybrid IAM, in the lead up to the Gartner Identity and Access Management Summit 2023. Oscar is joined by John Jellema, VP of Product Management at Ubisecure to explore the hot topic of Hybrid IAM including what is meant by hybrid IAM, why and when to consider hybrid IAM, benefits and drawbacks and considerations for orchestration between different clouds.
[Transcript below]
“Where I think identity access management is going, growing, and continuing is around the areas of security.”
For more from John, take a look at his blogs or contact the team. Find more information and resources on our Hybrid IAM page.
Join us at the Gartner Identity and Access Management Summit, on the 6-7th March in London. Find the booth and session details or book a demo with the Ubisecure team.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to our YouTube to watch the video transcript for this episode.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: In the lead up to the Gartner Identity and Access Management Summit 2023 in London, the Let’s Talk About Digital Identity team have released this special episode to discuss Hybrid IAM. It is a trending topic in the identity management industry, and IAM stakeholders are increasingly interested in understanding what Hybrid IAM really means, how it can solve modern ID challenges, and how to evaluate whether Hybrid IAM is a suitable business choice for their current identity projects.
For today’s episode and to help answer those questions, I am joined by John Jellema, Vice President of Product Management at Ubisecure. Hello, John.
John Jellema: Hi Oscar. Thanks for having me on the podcast.
Oscar: Very welcome. So, John, let’s talk about digital identity and as usual we want to hear a bit more about our guest. So please tell us about yourself and your journey to this world of identity.
John: Sure, absolutely. I started in a very old Internet company back in the United States in 1997. Moved over to Amsterdam, where I became a product owner on several security services for Verizon, the global telco. The last of which was operating an anti-DDoS platform, so to ensure availability of circuits all over the globe through some of the largest DDoS attacks. Ran that platform for about 15 years and then I came over here to Ubisecure about five years ago.
I’m intensely interested in the personal access, the capabilities and the dynamic future of identity management. As we move from employee identity management into true global functioning personal identity management. That’s why I’m here at Ubisecure.
Oscar: Excellent. So, John, to get started with talking about Hybrid IAM. What do we mean when we talk about Hybrid IAM?
John: It’s a good question. It’s confusing a lot of times. There’s a lot of material out there if you search for the term hybrid IAM, what different folks are referring to or meaning. In practical terms, it’s using two dissimilar services or two dissimilar location areas to have a service deployed at the same time.
So, a lot of organisations – I mean we’re 20 – 25 years into this thing called ‘the internet’ with user accounts, and there are lots of legacy systems. That’s a term that is widely used for employee identity and access management, or your log on service that you do, or your access when you sign into your laptop or an internal machine.
It’s functionally – a legacy IAM is functionally, a server or a private cloud, at this point in time that a corporation or an organisation runs for themselves and hybrid IAM is linking that legacy service with a cloud-based service. So, something that is on a public cloud like Azure from Microsoft or AWS, Amazon Web Services, where you can get compute functionality from one of the larger providers in a dynamically scalable environment.
So, it’s kind of old school and new school coupled together and that gives you hybrid. That’s the functional area of what hybrid IAM is. Of course, the detail is, why would anyone want to have a hybrid IAM? Why add complexity? Those kinds of pieces. And the answer is, you really have different use cases.
So, your legacy service like I suggested was a B2E, so business to enterprise or business to employee. Where your public cloud-based service, that is the new component in hybrid IAM, is really you’re reaching out to consumers or citizens or business partners. So, you’re doing something that’s kind of different to what your existing business was doing, and you don’t want to have the complication of trying to onboard lots of non-employees into your employee IAM system.
Oscar: Yeah, indeed. Often, I talk with customers and they have those requirements. They might need hybrid. One might think but why don’t you stick to on prem or why don’t you do only cloud, but often both requirements are needed and hybrid IAM is what is needed.
When could you consider choosing hybrid?
John: For myself as a legacy networking individual, I would consider hybrid at any moment in time where I could make a logical demarc. So, I’m trying to make a division in between which systems are running. It’s true, like you suggested, Oscar. You could have two implementations of your legacy stack running on your own prem, and you could say one of those is for internal and one of those is for external.
The driver or the key would kind of be, well does your legacy stack IAM actually do all of – does it serve all of the use cases? Does it do all of the functions that your new users are looking for? So, how do I integrate with a business partner or how do I offer services in a consumer way or a citizen manner?
If you’re a government organisation, you don’t necessarily want to expose all of the details or run the risk of co-mingling user access for everyone. So, putting an easy demarcation point, a demarc point, in between the two services is key, and it will be a use case that kind of drives you to look out towards a public cloud. And it is that merging of the public cloud, that new service somewhere out there in the cloud infrastructure, along with your existing on prem legacy service or private cloud service, that really makes you hybrid.
There’s another aspect that people will, or organisations will oftentimes look at when they’re considering choosing hybrid, and that’s cost control. Your hardware or your legacy stack is expensive to run, operate. It takes your IT team an amount of time to manage and keep it going, to keep it secure, even for your employees. And you say, well, is there a way or a method to actually get all of this service function without having the core obligation. The core liability, the security risk of actually running things on prem.
Starting with B2D or a B2C out in the cloud. So, making an initial hybrid implementation that does a new feature for you, is a good starting point or a stepping off point. Where an organisation that has an existing platform, a legacy platform, can start looking in solving the question of going out to a hybrid and then eventually a full public cloud environment. Without going through the organisational trauma of completely upsetting everything. Or trying to make a dramatic shift of every use case all at once.
So, considering hybrid cloud can be for a couple of different reasons. Cost control, it can be new features, new functionality, and it can be along the general migration path, a growth path that an organisation is doing.
Oscar: Yeah, absolutely and if we go to see the benefits. Because also, mostly when we have an organisation that has to make a decision, do we go for hybrid, do we stay as we are? It’s important to know clearly, what are the benefits of choosing hybrid. So, for you, what are the main benefits of choosing hybrid IAM?
John: For me and as the head of product here at Ubisecure, it’s the same kind of decision we make in our own roadmap. We look at the use cases that customers are bringing forward in RFP’s. That’s reflective of the benefits or the benefit decision making process that we see a lot of companies doing, and that is, really a generational change.
They can be looking to utilise their IT staff, in more effective manner than managing this internal identity access management. There can be challenges with a merger acquisition, so if the company is actually considering expanding or being taken over. How do I actually make sure that my existing business partners, if I’m calling them internal at this moment, utilising my legacy stack of B2E for my partners, how can I do more for those external users?
And the more is, security as a primary driver. One of the big benefits of choosing a hybrid IAM is, like I’ve said, this big demarc between your existing service and the new things that you’re trying to do. Or the better, more improved security that you’re trying for. It’s easier to implement multifactor for external users if you’re on a completely new platform, you can multifactor that user in, and get good control points very easily. And then only with OIDC compliant tokens come back and process the specific pieces of information or specific access to your internal applications that you might want to be giving to your partners.
So really using the public cloud, and that is the hybrid IAM, as an extra security layer or an extra layer of an onion, if you know that classic security model. That’s from my view, one of the largest benefits of choosing a hybrid IAM, you get more functions, different functions, altered functions that you don’t have to attempt to build into your legacy service. So, there’s no existing corporate disruption, while you’re growing your business, and that can be organically as your business grows or in-organically through merger and acquisition.
Oscar: Yeah, exactly. And do you see any drawbacks or downsides, that can be considered in [Hybrid IAM]?
John: You know, any time you add a complication right, and a hybrid IAM is a step function, you’re adding a complication, you’re talking about adding a second system. That can be considered to be a drawback. But if you consider the direction of IT in general, there are fewer and fewer prem based installations. More and more services that your corporation is using, whether that’s ticketing, whether that’s mail services, whether that’s applications for data processing or anything, more applications that we use are going towards the cloud. And there’s good reasons for going towards the cloud, that is public cloud, for all of these kinds of applications.
It’s much easier to ensure security. So, there can be security patches and feature additions that happen on a cloud environment in a much, much faster timeframe compared to what it takes for all of us to, for example, install the latest image, latest security patch on our laptop or make a generational shift of our laptop. When all of the applications we’re using are out in the cloud, again the public cloud, then the world is just about access, and you can access those applications from anywhere you’re qualified to access them from.
So, bring your own device and as long as I can securely identify yourself or myself, then I should be able to use that item or that application. Again, be it email or be it our internal ticketing system, as an example. That’s a clear directional move that the entire world, not just identity and access management, but the entire world is moving. Saying, we no longer desire to have machine rooms in an office cabinet, or in a closet, in every office building, for every company individually.
Those are costly, they have a lot of Capex cost, and it’s much easier to grow, scale, and use what you need in a public cloud offering. Starting with hybrid IAM, you get the benefit of having your existing platform not be disrupted. But you have the complication saying, now there’s this external or this additional application that your IT staff, or your operations team at least, have to pay attention to. You have internal users, Oscar and John log on to Ubisecure, and you have external users, customer A, B or C logs on to our IDaaS platform. And there is extra work while a corporation or organisation is going through this transition from legacy to public cloud. This transition is really hybrid IAM.
Oscar: Yeah, we can see there are many, many benefits a few, of course, drawbacks, especially complexity. If someone who is now considering, maybe already, this person made the decision that yeah, we’re going to do hybrid IAM. So, to try to visualise that – how to start the project, what happens at that moment? How to start the project? So, what are the goals or outcomes that will need to be achieved by the organisation?
John: It’s always hard to know, when starting a hybrid project is a good idea. Or replacing your existing service is a good idea. It’s best for every organisation to consider it, before they have a traumatic event like a security breach. Security breaches would be an obvious consideration or a security audit, which is one step back from a breach. Where your auditor says – hey, you’re not doing a very good job keeping your legacy system up to date. Or when you did this merger and acquisition, or integrated a business partner as B2B, or reached out to consumers or citizens as B2C, you’re starting to take on lots of liability, because you’re building a user database that’s incredibly huge. And GDPR says I should have a right to forget.
So, you have a lot of liability coming in there that you have to manage. Instead of waiting for a traumatic event, again, like a security breach or an audit event where suddenly your company is thrown into, again, a light state of trauma. Where they’re saying, I’m not going to pass my security audit next year, if I don’t resolve this kind of thing now.
We should all be kind of looking and saying, is my existing stack of software doing everything that I want? Does it serve all of the use cases that I want? Would it scale dynamically, if the marketing department said let’s go get a million more customer leads? So, could my platform scale, if we change business focus. Does it actually serve where the corporation is going, and does running internal services – is that a key function to my business?
If it’s not really a key function to your business, it’s a historical thing – you started in a B2E, so an employee or an internal enterprise-wide identity and access management platform. If you have one of those, and you’ve always had one of those because you think you need one of those, now is a good moment to actually look and say, do you really need one of those?
Can you look at Microsoft or Amazon services, here in Europe, which are incredibly secure and incredibly compliant with all of the legislation, and start to utilise hybrid to meet one of the use cases that your current platform isn’t able to do very quickly? And this for me would be the motivation to start a hybrid project.
Is there a use case, is there a group of users that you’re not servicing very well? Is it for diversity, equity and inclusion, right? Your current UI isn’t compliant, or doesn’t look as nice as it should, or isn’t as accessible as it should be? That could be a good moment for considering, how to start a hybrid project.
Can I get a different UI as something that’s available? And again, a merger and acquisition, it’s a good kind of consideration. If you’re merging with a peer company, that same size, you don’t want to get rid of your application, they don’t want to get rid of their B2E application. Well, that sounds like the definition of a hybrid.
You need a centralised point where everybody can agree. So, there will really be obvious use cases. I think for all of our listeners, anybody who’s following this podcast, will understand that there’s a use case, that’s sitting on their desk, that isn’t being met by their current organisation and maybe can’t even be met by their current organisation.
It’s really hard for the current IT, or developer team to actually resolve and that’s going to be the genesis of the start moment of where to consider a hybrid project. Again, you don’t have to do a complete lift and shift, that’s the pure definition of a hybrid project. You can keep your existing platform, that runs, is very stable, services every use case that you currently have. And only use the hybrid public cloud service, for fulfilling those new use cases, or those difficult use cases, the ones that you aren’t currently able to do. That to me would be the starting moment for nearly all of our listeners.
Oscar: Yes, and yeah, it makes sense. And it’s a concept that actually, in this conversation with you, I’m hearing repeatedly so absolutely agree with that. How to use hybrid in order to implement, to deliver, these use cases, which are underserved by either the private cloud or the on prem. And that could be much easily and even more securely, probably more securely, delivered by using a public cloud based CIAM.
Would you also see some possible complications? Just thinking of, again, starting a project like this. Starting a project, project is having some progress – so what could be some possible complications here?
John: Absolutely. I mean there are complications when you’re putting on a second system. You do need to find a public cloud-based identity access management platform, an IDaaS service, that is secure, that is qualified to meet the use cases that you’ve identified. The reason to start the hybrid project in the first place.
So that in and of itself is work, you have to go out and look for vendors. And an RFP for an element like this can be cost to an organisation where you don’t have manpower, or time to actually cover that cost. So, you know, all of the organisations, all of the listeners should look for an IDaaS service that can make quick, easy trials.
They ought to be able to very quickly demonstrate the security additives that they bring to you. They ought to be able to demonstrate the use cases, fulfil the use cases, and it should be easily consumable for you. It shouldn’t be overly complex to try and consider how to add this layer.
There are still disadvantages – you do have extra cost. We are talking a second system that’s actually running, and any time there’s more, more systems, more anything, there’s going to be more cost. Now, if it is in your organisation’s corporate transition to go from your own servers to a public cloud, and most corporations at this point have the gradual transition to cloud somewhere on the roadmap, a hybrid IAM is a good way to start learning how to move the organisation forward. But there needs to be budget for that, there is cost inside those elements.
You will have the integration complexities, so your prem based service or your existing service has to be able to be integrated with a public cloud. Your existing applications need to be compliant to some degree, or you have to have an engine that will actually take your non-standard applications and make them standard.
Whether that’s SAML or whether that’s OIDC, you have to be able to integrate and that’s oftentimes a challenge. Knowing what your applications are, being able to do a site survey of what your applications are versus your new use cases and being able to carry out that integration is complex. That’s the reason ourselves, as a vendor, and others in the space exist. Because it is complex and there are vendors out that can help you with this, with this kind of review or integration capability.
And one of the final pieces it’s got to be latency. So, it’s not a huge factor if you’re operating inside, for example, all inside Europe here. But you need to consider – is your transaction whatever is going on or takes place with that, new user coming on to the hybrid cloud platform, way out there someplace. And then coming through, authenticating themselves with whatever public service they’ve authenticated themselves, and then coming back into your infrastructure – is your application tolerant of that amount of latency?
So, there can be gaps or difficulties, complications, even if everything looks right on paper. Even if the IDaaS service functions well, there can still be difficulties with the application or the latency in between the two clouds, as it were. The public of the IDaaS and the private of your current service, and whether that’s prem or whether that’s your server is running out on an EC2 instance in AWS for example.
Oscar: Yes. It’s definitely good that you mentioned all this, possible scenarios like latency, different potential complications. Some might happen, for instance if the company has, let’s say, office in every continent. But if that’s not the case then it’s not a complication. But there are many scenarios, as you say that has to be taken into account.
When you mentioned earlier about mergers and acquisitions, one thing that came to my mind immediately was, okay, of course. I think if there’s a merger or acquisition, I think almost for sure that a hybrid IAM project is born. It’s almost for sure that. What if one of the, let’s say there are two companies only, what if one company uses one type of cloud, like you say Azure, and the other uses Amazon Web services? They are based in, both are Cloud, they both have their identity and access management. What about this type of orchestration? Coexistence between different clouds.
John: I mean functionally, in the very early days of a merger and acquisition, you’ve got to decide who gets an account on both platforms. Right. Your IT staff are suddenly going to have two accounts, and they’re going to have to manage two accounts, one in Azure and one in AWS. That’s for simple access, administrators are always over – your IT staff are always overburdened with too many systems to run.
As a company you’re going to have to decide, and maybe many companies already have, having gone through the COVID pandemic and everybody’s starting to work remotely. But you’re going to have to decide how to authenticate a human being onto a platform that isn’t on your premises. So, the laptop isn’t plugging on to a LAN, whether that’s wireless or whether that’s cable. They aren’t plugging onto a LAN in your office building, so they’re not behind your firewall, you can’t identify them as easily. And in any good zero trust policy, you shouldn’t necessarily trust anything from out there, in the open Internet.
That’s the kind of merger and acquisition problem you’re running into where you say, I’ve got a thousand-person company on AWS, I’ve got a thousand-person company on Azure. How do I actually pull these two together? A hybrid solution can be, you know, very easy to say – well, I don’t want 100% of the applications from company Azure versus company AWS.
I don’t want to give access to everything yet. We’re only in the early days of merger and acquisition, and oftentimes in an M&A there’s staff reduction. So, you don’t necessarily need two HR departments, you don’t necessarily need all of the sales staff. That’s not always true, you could be growing, but you’re going to go through an alteration of your corporate structure. And you can use a third platform.
So that could be either on azure, or on an AWS, or somewhere else. You could use a third identity and access management platform to say – Oscar, let’s all, you and I can all, you know, identify ourselves on this third platform. And that third platform has equal access back into specific applications found within company on AWS and specific, similar, applications found on company inside Azure.
Again, it’s more complex. It’s not a straightforward kind of way, but that’s one of the easiest ways. Again, introducing a hybrid is one of the easiest ways of saying, I’m not going to immediately merge or try and slam the two corporations together. I’m simply going to set up another platform, that handles the who gets access to what, who is identified as what.
It’s actually not as strange as it sounds. Oftentimes when companies merge, you’ll see company John, company Oscar, and now we have the new company called Oscar John, right. You’ll merge the names of the company; your domains will merge and it’s a very easy transition. Saying we’re going to set up another platform. Again, could be a second one on AWS, could be a second one on Azure.
Doesn’t have to be overly complex. One of the IT departments is going to have more work, both of the IT departments are going to have access control work to do. But it shouldn’t be difficult, it shouldn’t be difficult for any company going through an M&A.
Oscar: Yes, indeed, John, we are going towards the end of this conversation with you about Hybrid IAM and for a closing question. A question that is always targeted to business leader, decision makers. What would you tell us, why should hybrid IAM be on their agendas?
John: It’s a good or a key question. It’s one that we’ve been thinking about here, inside Ubisecure for a couple of years now. Trying to resolve, how to best serve what we think the use cases are. The gradual migration from. I’ve said it a few times in the podcast – but the key point would be, a gradual migration from prem services to more secure cloud services. That ‘cloudisation’ or that migration towards cloud is going to be one of the drivers, and hybrid IAM can be an easy uptake. So, it can be a way you’re – the executive management team as well as the top end of your IT team, can start to get experience with things that aren’t their own, right. How to get onwards, how to move your company forward into a public cloud scenario.
You might already be doing this with using Office 365, and for example, not even realise that what you’re doing is, you’re taking your local Active Directory and you’re using it in a ‘clouded’ environment. Accessing all of the Microsoft applications, or the Google applications if you’re on G Suite. All the Google applications, out there in cloud, you’re not installing them on prem.
A second key driver would be, for me, security. Where I think identity access management is going, growing, and continuing is around the areas of security. We’ve all seen that passwords aren’t secure. You should have a fairly simple, good, memorable password that’s extremely long. For lots of, so for the big three ecosystems, those are all moving towards passwordless for the end user, which is fantastic. It makes it easy for me to log on to my phone or my laptop. Passwordless or FIDO2, whichever ecosystem you happen to be most interested in.
But when you’re talking about business to business, or business to consumer, there’s the extra need of MFA. So, you need to have multi-factor authentication, you need to consider other areas of security, risk-based authentication on top of it. What your security stance is, how to see who is accessing what and block unneeded transactions or unwanted transactions very quickly. And moving towards a hybrid cloud again offers a good demarc, offers a security point. Where you can lay or layer over or add on multi-factor authentication for a user who is not in your system, is not identified in your system.
And probably one of the last pieces but it’s really important, especially for all of our European listeners. Is the European Union’s eIDAS project. The idea that myself as a European resident, will be able to have a digital wallet on my phone where I can conduct a majority of business with just about any organisation, public and private, anywhere on the continent. That means I can identify myself in a very strong manner, very easily, and I can chain or remain in control of all of my personal details. And that in and of itself, that kind of legislation is the clear driver that the digital world is moving.
So, you don’t want to necessarily have all of your consumers, or maybe even all of your employees, identifying themselves off their username and password and the MFA that you have on your local legacy implementation installation. You want to start considering how to move to a hybrid cloud or a full public cloud, hybrid being a good step.
So, it’s on your digital path, it’s going to be more secure, and there’s new technologies or legal requirements that are coming to your organisation. So those are going to be the three key drivers for, I think, any of our listeners.
Oscar: Yeah, definitely. Thanks a lot, John, for enlightening us about hybrid IAM. Tell us, if someone would like to follow this conversation with you, what are the best ways for that?
John: I think if anybody is interested in discussing hybrid IAM, they can reach out to anyone here at Ubisecure. We’re all very conversant on it, we – it is an opinionated field, and we’re happy to have the conversation to work through your use cases. Your specific areas of interest or your question on something that I might have said, and potentially you might disagree with. Reach out to us and we’re all available, you can find us at ubisecure.com or by reaching out to sales, and we’re happy to have the conversation.
Oscar: Perfect. Again, thanks a lot John, and all the best.
John: Thank you very much, Oscar.
Demystifying Digital Identity for Businesses with Petri Heinälä, Fujitsu – Podcast Episode 85
Let’s talk about digital identity with Petri Heinälä, Security Offering Architect at Fujitsu.
In episode 85, Oscar is joined by Petri Heinälä, whose aim is ‘bringing digital identities closer to businesses and real life’. In this episode Oscar and Petri explore the importance of organisations understanding and embracing digital identities and identity solutions, including what needs to be considered when investing in identity solutions, how a lack of understanding can put the project and company at risk, as well as discussing how to get businesspeople more interested in identity.
[Transcript below]
“Because people are part of the business, so are identities.”
Petri Heinälä works in global Fujitsu as Security Offering Architect and his area of specialisation is Digital Identities. His aim is to bring Digital Identities closer to real life and businesses with common sense thinking and talking less technology language. He noticed throughout his long career that the only permanent thing is change and understanding that has helped Petri keep up with the development and changes of life, business and technology.
Connect with Petri on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to our YouTube to watch the video transcript for this episode.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Come and meet the Ubisecure team at the Gartner Identity and Access Management Summit, in London, on the 6th and 7th of March. To find out more, take a look at the Ubisecure events page – https://www.ubisecure.com/events/.
Oscar Santolalla: As our slogan says, the podcast Connecting Identity and Business. We know very well the importance of putting ourselves in business people’s own shoes when we discuss both the challenges and solutions in this identity world. So, today’s discussion is going to deep dive about that. And we have a very special guest who is Petri Heinälä. He’s working in Global Fujitsu as a security offering architect, and his area of specialisation is digital identities.
He’s trying to bring digital identities closer to real life and businesses with common sense thinking and talking less technology language. Petri has noticed in his long career that the only permanent thing is change and understanding that has helped him to keep up with development and changes of life, business and technology. Hello, Petri.
Petri Heinälä: Hello.
Oscar: Great having you here. So, let’s talk about digital identity. Let’s start hearing about yourself – about yourself and what was your journey to this world of digital identity?
Petri: Yes, I’ve been quite a long time in the IT industry, over 25 years in Fujitsu and I have helped multiple other industries with technology solutions during that time. And I started as a software developer and architect and then step by step, moved to service and offering development. And also, during that time moved from the local level to the regional and now global level.
The meaning of security and identities has risen dramatically during that time. And in the early days in my career, when I developed banking ATM software, I learnt that the user experience is everything and there is a strong relation between security and user experience, and users and their digital identities have a central role there. So, step by step, identities had a bigger role in my work and I have learnt more and am trying to share my learnings with others now.
Oscar: Yeah, excellent. So, starting from developer, so a very technical role of course. And now we are going to discuss about business, the business side of this world of identity. So, I imagine a big shift through these years.
Petri: Yes, yes, yes. Very big shift. And when I talk about learning – so, there have been the failures also, more than the successes.
Oscar: Oh, yeah, I’m sure. Definitely. We want to hear more about that. So, when we discuss – why are digital identities important for organisations? In organisations, we normally think of businesses, companies, but it goes beyond that, as you know, sometimes government, can be education. So yeah, what would you say?
Petri: My learning opinion is that digital identities are part of pretty much everything and should not be treated as a separate work of identity. Even the podcast name is the word – Let’s talk about that. But I think they are part of everything. So, people, processes, and data are the elements of almost every business function. But what we have – earlier it was people, process and technology, but nowadays we have to understand that business is more data driven than technology driven.
Technology is a business enabler and underpins people, processes, and data. Digital identities represent people in the digital world and today, when our businesses are more and more digitalised, identities play a very important role. For example, how our customers and partners experience our business. How our employees experience their work. How smooth our customers’ and employees’ engagement processes are, how we onboard them in our business and how we know our business stakeholders and enable access to them and how we ensure that outsiders can’t have access.
So, for example, these kinds of things are included in that. So, I like to keep this message as simple as possible and avoid technology jargon and unnecessary complexity. So, I say that identities – because people are part of the business, so are identities.
Oscar: Yeah, exactly. Identities are everywhere. Yes, and you say there should not be a distinction – this is correct. They are so – well I’ll call it embedded, into any process, any business, anything we do today. If we see from the perspective of organisations, when they need to invest. Because at some point someone will tell them, someone who typically comes from the IT or compliance, a bit more technical side, that yeah – I need to invest in identity solutions.
So yeah, what do organisations need to consider when investing in identity solutions?
Petri: Like everything else, I like that top-down approach. So, in other words holistic approach, is a good starting point. So, we’ll need to ask what our main drivers are if we invest. What we’ll want to fix or improve – is it customer user experience? What is the solution coverage – is it all customers, employees and third parties? Do we want to improve and enhance productivity, or improve security and compliance, or something else?
What is the, our main driver, what we want to do and could be the multiple of these. Then we need to find the balance between those things. For example, sometimes, user experience and security improvements are not going to get there in the same direction. So, that makes things more complicated.
So a holistic approach helps us to avoid investments in point solutions that won’t integrate easily and cause more harm than benefits in the long run. So the main thing I want to raise is that holistic – see the big picture.
Oscar: Exactly, yeah. See the big picture, exactly. When investing in identity comes to the table, think of it in a holistic way, right? Not only trying to solve – trying to believe that it will solve a specific thing in the organisation.
Petri: Yeah. Yeah. Because identities are everything, everywhere. Those integrations are needed before the identity solutions. So, that means that – understanding the big picture and what the business drivers are and so on.
Oscar: Exactly, and now how we make that businesspeople from organisations, get interested in digital identity. So, what is needed to get their interest?
Petri: I like to keep the discussion at a practical level, because the businesspeople are not interested in the technical details. They are interested in how we can help their business to succeed, to be more effective and profitable, to be more resilient and trusted. In the eyes of their customers and perhaps the owners of the organisation. This sounds simple, but it’s not that simple, in fact, in practice.
So, quite often the technology vendors are using huge amounts of money to make their brand and technology known in the markets. That’s very, very understandable. It easily drives a discussion at the technology level and themes like zero trust, identity governance, or privileged access management, etc. So, these themes have multiple acronyms we are using, which are not so familiar to the businesspeople. So, if we talk in technology jargon, we put them outside of their comfort zone, and they lose their interest easily.
So, we need to start the discussion at a very high level, find out what their pain points are in their business. Very often these pain points are identity related and then we can focus on how we can help them. So high level and then drill down through the pain points that are identity related, solutions, how we can help them.
Oscar: Yes, it’s true, is all you say. Most of, so many technology companies that are building the products, and others who are integrating the solutions, are talking about in this jargon. Talking about the acronyms, as you said. The trendy words like zero trust, for instance, or many others that come and go. And it’s kind of like, the battle is there, in that language and the battle is there. But very few people, I think, speak in a business language, right. Okay, what are the business benefits or those innovations, because of course innovations are necessary. But I think few people are speaking in the language that businesspeople would understand.
Petri: Yeah, and I think that the trying to find those pain points, what’s the everyday problem in their business and then figure out, how – with our technology solutions and a consultancy, how we can help them to avoid those problems and to improve their processes and business.
Oscar: Yeah, exactly. So how should we speak identity to businesspeople? You just mentioned starting with a pain point, so that’s how you would start a conversation? Or what else is good for speaking identity to businesspeople?
Petri: Normally I start with a story that way – why identities are important, so they understand the relation, people and identities and that, what digital identities are, what they represent in their business. And then practical things, how you feel that your customers built your business? Do you have escalations or reclamations a lot? Or what kind of feedback you have got from your customers, from your employees? New employees, how they got their – when they started the organisation, how they got their credentials, and was it the easy to log in and start to work in the organisation and so on.
These kinds of practical things and then see how, fixing those possible problems, what is the effect to their business? How much they save money, how much they improve their customer experience and get them more business and better reputation in the market, and so on. This kind of discussion.
Oscar: Yeah, indeed. I think it’s a good approach to, to start good questions, simple questions, as the one you mentioned. You mentioned, what the customer says, for instance, and when they communicate to the customer service department, for instance. That’s already super valuable. And how the newer employees, the newest employees, they find it easy to get onboarded into the organisation, so that already could tell a lot. How things are, in terms of their internal identities in that case.
If you could now share some stories, some concrete examples, personal stories, or you have heard some examples in. For that lack of understanding of digital identity can really put in risk, not only one project in particular, but also, as you mentioned, see in a more holistic way, the whole organisation, the whole business. Could you share some, some examples.
Petri: Yeah, I have a couple. So, one example is that the organisation is doing the investment from a security and compliance perspective only. So, for example, the organisation invests in a privileged access management solution, which the administrators and maintenance people should be using, but the reason to invest was that they had a compliance requirement. So, they need to have that control – who is accessing their systems and infrastructure – and the investment was made only from that perspective. So, they deployed it very quickly, strictly from a security and compliance perspective, and then on paper everything looks good.
But the people who need to use that privileged access system, administrators and maintenance people, were not informed and trained and they couldn’t access the needed assets. They couldn’t maintain easily, because of these delays when they are accessing, or they even lost their access. This caused service breaks and other incidents, which these maintenance people couldn’t fix, and these service breaks then affected directly the business and their customers. So, these kinds of examples have been in – for example, in the financial sector. So still from a security and compliance point of view, everything looks good. But admin people need to find a workaround to do their work and then this very expensive solution was bypassed.
And they continue to do their work as earlier. And then with their unused solution they waste the investment, and they still have the same security and compliance problem. Additionally, they caused business losses, because of the service breaks and so on. So, this is a quite common example of what happens if we do the investment from one perspective, like in this case security and compliance.
Oscar: Yes, that’s definitely a very good example, because yeah, it might feel that is the right way to do it. Right. So, you got the requirements from IT, Security, it comes from compliance. It sounds reasonable, we need to invest in that, good technology. Then make the investment, but yeah, forgot to make this holistic approach of involving everybody, who. Yeah, many more stakeholders who might be, of course not the whole company might be involved, but many more teams or organisations inside the company.
Petri: True, and then a second example is that we invest in a point solution, that cannot be integrated. So, for example, one part of organisation has immediate need to manage subcontractors’ identities and they buy the solution for that part of business. So, they buy the separate solution for that and fix the problem. And little bit later, another part of business solves the same problem with a different solution without talking again to each other. Then the organisation, for example, consolidates their internal services and they released a common service for all business parts. And it could be HR or could be ERP or CRM or whatever. And then these two business parts should use the same service and also the subcontractors and then adapting this both point solutions to the new situation might be difficult or even impossible. Anyway, it causes the delays in operations and extra costs.
So again, communication within the organisation and the holistic approach helps here, to avoid these kinds of situations.
Oscar: Yeah, exactly. That’s another really good example, right, kind of – trying to try to find a quick solution from one part of the organisation. Without thinking at that time when the decision was made that, yeah, the whole organisation should have visibility. So, if someone else in organisation needs the same, well there is already a solution so.
Petri: Yeah. Yeah. And these point solutions quite often store the identity information in the one place and then there will be several places where the identities are. So, then the consolidation of those will be another project. So that would be the costly also to clean up everything.
Oscar: Yeah, absolutely, consolidating is costly, and it’s more time because there’ll be one project to do that, in order to get that done, and in the meantime, there are security aspects, right? Having more isolated data repositories, that is a bigger risk from a security perspective.
Petri: Yeah. Yeah. And also, the privacy issues are there and these kinds of things. Then I have a third example. So, quite often in the organisation they are thinking that, identities are responsibility of only one department of organisation and often that responsibility is given to the IT organisation. And the expectation is that IT solve all identity related issues on behalf of other parts of organisation.
Then IT people do their job from an IT perspective and then it’s also often technology oriented, because IT people are technology oriented. And then to bunch the tender resources, then IT specific, and with those resources we cannot cover all needs that organisations have. So, the solution will be optimised from an IT point of view and for example, issues in employee onboarding won’t be solved without human resources engagement.
So, the learning here is that within the organisation you need to involve all related parts and that responsibility is at a higher level, not in one organisation.
Oscar: Yeah, exactly. Yes. Another good example, a different, really good example, quite simple and I’m sure they happen all the time.
Petri: Yeah. Yeah. That happened quite often. And when people think that technology solves their problem, quite often it makes their problem even bigger than it was in the beginning.
Oscar: Indeed. Because yeah, you will create a new project. New project to be done.
Petri: You need to start from thinking about the people, processes and data, and then technology helps to solve those.
Oscar: Yes, super interesting, having all this perspective from the business owner, businesspeople, as I said, own shoes. So, it’s an excellent reflection we have had. So, I will ask you finally, for all the business leaders who are listening to us now, what is the one actionable idea that they should write on their agendas today?
Petri: Hopefully this is actionable enough, but people do business with people. Your business, your customers are the most important thing. And second come your employees and other people who work for your business. Focusing on their well-being in the digital world will accelerate your business in many ways and create many, many benefits, and simply.
Oscar: Well-being in general, I mean, in the physical world or, as you mentioned, virtual?
Petri: Physical world is handled quite well, I think, that’s the important thing also. But the well-being in the digital world, and that means; how their identities are handled, how they get access and how they are onboarded, these kinds of things. And I call it well-being in the digital world. So, how they experience themselves in the business systems.
Oscar: Yes, exactly. Yeah, I agree. I haven’t heard the term – well-being in the digital world. So yeah, I agree. It’s something that the organisations have to help with their employees and also in their partner, customers, to have that well-being in a digital world. Well thank you very much Petri, for sharing this very important reflection and sharing your stories. Excellent, concrete examples, that we discussed, I’m sure have been very often. Hopefully less often, it’s less and less often nowadays. But yeah, if someone would like to get in touch with you or find you on the net, one of the best ways.
Petri: Yeah, if somebody wants to discuss about this, please contact me, via LinkedIn, is a good way to contact me.
Oscar: Perfect, let’s find Petri Heinälä on LinkedIn. And again, thanks a lot Petri, for this very interesting discussion and all the best.
Petri: Thank you very much to you.
Educate your staff or get hacked. Stories from a Social Engineer with Jenny Radcliffe, The People Hacker – Podcast
Let’s talk about digital identity with Jenny Radcliffe, The People Hacker.
In episode 84, ethical burglar for hire, Jenny Radcliffe, joins Oscar to discuss the importance of educating your staff to help protect your company against social engineering attacks – including the main vulnerabilities that social engineers exploit, how individuals and businesses can protect themselves online and how user authentication technologies can help, as well as how ransomware links to social engineering.
[Transcript below]
“So, two factor or multi-factor, in any form, is always going to be a good thing. It’s better than, like you say, one thing, which can be found out or hacked like a password.”
Jenny Radcliffe is a world-renowned Social Engineer, hired to bypass security systems through a mixture of psychology, con-artistry, cunning and guile. A “burglar” for hire and entertaining educator, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organisations of all sizes in order to help secure money, data and information from malicious attacks.
Jenny has received many industry awards and was most recently inducted into the prestigious InfoSec Hall of Fame in 2022. She has also been named as one of the top 30 female cyber security leaders in 2022 by SC Magazine, one of the top 25 Women in Cyber by IT Security Guru, and as a Top 50 Women of Influence in Cyber in 2019. She was nominated in seven categories for the 2021 Security Serious Awards, including the prestigious “Godmother of Security” award, in 2020 winning the “Most Educational Security Blog” for her show The Human Factor podcast, interviewing industry leaders, bloggers, experts, fellow social engineers and con artists about all elements of security and preventing people from becoming victims of malicious social engineering.
Jenny is a sought-after global keynote speaker at major conferences and corporate events and is a multiple TEDx contributor. A go-to guest expert on the human element of security, scams, cons and hacks, she has appeared on numerous television and radio shows, as well as online media and traditional press outlets, and helps create unique content for international brands and organisations. An experienced podcast host, panel chair and interviewer she hosted the live weekly cyber talkshow “Teiss Talk” for two years and is frequently asked to chair live events for clients both virtually and in-person.
Jenny’s upcoming book “People Hacker – Confessions of a Burglar for Hire” will be released in February 2023, published by Simon and Schuster.
Connect with Jenny on LinkedIn or Twitter.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk about digital identity, particularly for us, myself, working at companies that are building technology products to protect, secure people on the Internet. It’s always surprising when we hear stories, when there are people, they just get tricked by other humans and voila, the result is – the company is hacked.
Today we’ll hear fascinating stories about social engineering, and for that we have, special guest Jenny Radcliffe. She’s a world-renowned social engineer who is hired to bypass security systems through a mixture of psychology, con artistry, cunning and guile. Jenny has received many industry awards and was most recently inducted into the prestigious InfoSec Hall of Fame 2022. She has also been named as one of the top 30 female cybersecurity leaders in 2022 by SC magazine, one of the top 25 women in cyber by I.T. security guru and in the top 50 women of influence in cyber in 2019.
Jenny is a sought-after global keynote speaker at major conferences and corporate events and is a multiple TEDx contributor. Jenny’s upcoming book People Hacker Confessions of a Burglar for Hire will be released in February, this month, published by Simon and Schuster.
Hello, Jenny.
Jenny Radcliffe: Hi, Oscar. How are you?
Oscar: Very good. Happy to talk with you. This going to be super, super interesting.
Jenny: It’s great to be here.
Oscar: Fantastic. So, we would like to start hearing more about yourself and your journey to what you do today.
Jenny: Certainly. So, I’m a social engineer and I specialise in the human side of security, and that means non-technical hacking. So, my two specialisms are psychology of scams and cons and fraud. But also, physical infiltration, so that’s the kind of red team tests that help us to infiltrate buildings and client sites for educational purposes. So, I’m an ethical burglar for hire as opposed to just a burglar for hire. And then we educate for awareness exercises and to harden the security for our clients.
Oscar: Fantastic and I understand that you started very early in your career, correct?
Jenny: Yes, it was something that – we didn’t used to call social engineering, social engineering. You know that term is relatively new and I’m older. But yes, when I was little, I had a group of cousins and family around me who looked after me, but they also enjoyed urban exploration. You know, and that means getting into empty, derelict buildings, looking around, not to take anything or break anything, but just to look around. And you learn very quickly when you do that kind of job – a little bit about alarm systems and locks and things. But also, how people work, so that we had to talk our way in or, you know, instead of breaking something to get in, a lock or whatever, it is easier to talk your way in.
So that’s where I started and pretty quickly it led to some paid work. And then with the dawn of cyber and cyber security, it was actually the cyber community that sort of told me that there was another name for it and that there were more people than me that did it. So, I’m always grateful to the cyber community for doing that because it gave the jobs. Made it legitimate, and it made me realise that there could be a business in that and a career. But I’d done it since I was really small.
Oscar: Yeah, fantastic. Super interesting and yes, you said, I don’t know how – you have said that the social engineering term is relatively new. Yeah, I hear it for the first time around 2005, I believe. So, I don’t know how long it has been for that –
Jenny: It’s nearly 20 years, Oscar. That’s the thing, time flies, but it’s still quite new, you’re right.
Oscar: Yes, yes, yes. So since then, to now, has it changed? What you would say is, what would define social engineering today?
Jenny: I think today, firstly, in the industry, in the security industry, it’s a really well-known term now because we’ve realised that a lot of the security problems that companies face and that we face as individuals come from our own human characteristics and ways of thinking. And so now it’s incorporated into lots of pen tests, but also security awareness training for teams or for staff is so big.
And because social engineering is at the heart of almost everything, you know, so all the cyber – the breaches, the phishing, the phone, scams. A huge proportion of those are down to people being manipulated or making mistakes. So, I think what’s changed in social engineering now, is that it’s a widely known term and that it has shifted the emphasis towards humans.
But of course, humans can only do so much. And so, we need tech as well to do kind of the heavy lifting, to block as much as we can and to stop people being in a position where they have to make a decision as to whether to trust someone or click on a link or open an attachment. So, it’s changed that it’s more widespread but also, it’s now in a nice marriage with technology, which is, which is a good thing.
Oscar: And as you say, your story – you started with, like, playing at entering into houses, abandoned housing, some property. Then it became like a real job entering into properties. Now you have moved from physical, from doing these physical attacks, intrusions, to online attacks, you are now an online hacker, as that’s my understanding. So, how enjoyable has it been for you, this switch?
Jenny: I mean we still do have to do some physical security. I do less of it now because I’m older and I have a team that, that would do that instead, that I put together a lot of the time. But I still do a few of them because there’s nothing so, so good at proving to a client that there are some issues, than showing them how something was done, you know. So, we do what the bad guys would do, up to the point of harm. So, we still do some of it.
But you’re right, a lot of the job now, did move online because so much of what we all do is remote. And so, the persuasion techniques, the influence techniques, the look – you know, the understanding of human psychology, is very important in terms of what happens with phishing emails or with business email compromise, scams, and breaches. So, we do a lot of those kind of, crafting those messages to show how criminals might do that. And then it’s part of education and awareness to say, well, this is how you might be caught, and this is why it works. So that if people understand how it works, they might be able to protect themselves against it. But you’re right, so much more of it now is online than it used to be. But I don’t think the physical side will ever go away completely.
Oscar: And is it still fun doing that?
Jenny: It is fun. You see, that’s the other thing Oscar, I’m always going to tell you I still do it because it’s still fun. It’s more fun than sitting at a computer but it’s scary as well. Whenever I do a talk or an interview like this, you know, I get lots of DMs from people, lots of emails saying I want to do that job. Can you train me? Can I work with you? Because it does sound like fun and a lot of the time it is quite fun. But it is also dangerous and it’s very hard work. So, to do it properly and professionally requires a lot of research online, and a lot of planning. But I think, people sometimes think, you know, we just tailgate and walk in. And we do that sometimes, but mostly it’s a lot of planning.
Oscar: Yeah, a lot of planning, that might not be the funnest part.
Jenny: No, it really isn’t the fun part, but it’s necessary to do the job properly. I think that’s the thing that, I just need to emphasise in the interviews I do, is that it is a professional part of security. It’s just that it sounds and is more fun than the hours we all spend looking at logs and, you know, sitting at the keyboard. But yeah, it’s still a professional part of the business.
Oscar: Yeah, absolutely. You already mentioned email, which seems to be – that’s my impression from hearing so much – that it might be the top way of getting hacked today and you know that better. So, why is email still one of the ways to get hacked? Even though there are so many advanced email protections, so I hear for instance, there is nowadays advanced filtering, artificial intelligence protection. A lot of these things that are being added to the mail systems, email systems. Yeah, but besides that, there’s so much being hacked.
Jenny: First of all, we all receive so many emails every day. So, email is a huge part of our professional and personal lives and that means that we are – it is necessary for all of us to click on links and open attachments and join conversations with people that we’ve never met before, legitimately, as part of business. The technical tools that help with blocking malware and, you know, emails that carry payloads or that will take us to sites that carry payloads, that’s great and it does block a lot of things. But a technical solution has to be looking for something technical to block, the reason emails still get through and are so effective in social engineering attacks, is because that email may not necessarily contain a malicious file, but it might be the opening of a conversation and that’s difficult to detect with technology.
So, if you look at something like business email compromise, which is when, you know, a criminal will infiltrate someone’s email, pretend to be the boss or the finance director or someone we know and ask them usually to transfer money. That will not necessarily have any viruses or malware in that email. But it’s still an attack because they’re asking that person to do something criminal. The problem is, it’s difficult to detect because it’s words, it’s language, it’s persuasion, it’s influence. And, you know, the criminals know that, and they know if they get the tone right, if someone has not been trained properly or if what they say is something that resonates with the target, that there’s a chance of that getting through.
So, I think the technology is, you know, amazing these days to help us with emails and to block some of these malicious files and malicious emails and we need it. We need that tech to do it, so that when we see an email that does get through, we’ve not got 15, or 50, or 500 emails to make decisions on whether or not to follow them up and to engage with the person. We’ve only got a few and it’s only on a small amount of emails that we really need to worry about people making their mind up about.
So, the tech is brilliant because it’s preventing so many things from getting past. But we still need humans to understand what a malicious approach looks like. And that’s where the awareness and everything still comes into it because they still get through despite the technology.
Oscar: Yes indeed. As you said, if that first email just passes, doesn’t have anything malicious at all, it just passes that level of trust – that okay, I trust this email, I continue the conversation.
Jenny: But you know, just to say – so for example there are systems and there is technology in place that, for example, will block keywords as well. So, it might block ‘invoice’. And so, I had a colleague who hadn’t been paid by a client and when they followed that up, it was because his email with ‘invoice – to be paid’ as the title, their sort of filters caught that and stopped that getting through. But that was a legitimate email, and this is the problem, right?
The problem is that, of course, criminals are going to use language that we need to use to carry on with our business. And sometimes we have a sort of a false positive and a genuine email gets stopped. But actually, it’s probably better that that’s the case than have all the bad ones get through, you know.
Oscar: Yeah, certainly. That’s why, as you mentioned, education many times is the key focus of this, helping us. If you move to authentication – thinking of a password. A password can be stolen, you know, there are many ways to steal a password, if the protection is only based on a password. Okay, you steal a password, and you get in. So, it’s hacked.
But nowadays with more advanced technology standards, multi-factor authentication you have here, of course, WebAuthn, FIDO. These more advanced authentication techniques. Are people less vulnerable, what would you say?
Jenny: Yes. I mean, I think technology helps massively, you know, and things like, let’s say, FIDO and WebAuthn. All of those things are an extra layer, and the more layers that a criminal has to get through, the harder their job is and that’s what we want. But I think for me, the sort of physical security keys that are in the marketplace, they have a sort of another positive to them, which is – if you are using one of those things every time, you need to plug that into your machine, every time you touch that, it’s reminding you that security is something we need to be aware of.
So, I love the idea – I think anything is bypassable, you know, because we can always get the person who’s holding the key or using the technology to go around it. They can be persuaded. But in and of themselves, it’s an extra, different type of security that people are using and therefore I’m all for it. I think it’s a great thing to do.
Nothing is bulletproof, but it’s a very good start. And two-factor or multi-factor authentication is one of the things that I urge everyone to talk to teams about, to talk to their families and people outside of the business about. Because although it can be bypassed and got around, it would stop an awful lot of individual attacks and sort of misery. So, two-factor or multi-factor, in any form, is always going to be a good thing. It’s better than, like you say, one thing, which can be found out or hacked – a password.
Oscar: Yeah, exactly. If you see from the perspective of companies like Ubisecure, and many other companies that are building technology products, security products, identity products. What is your best piece of advice for the ones who are building these tools, these cybersecurity tools?
Jenny: My advice would be, you have to make them easy to understand and use, right? It has to be easier for a person, a customer, to use your security product, whatever that is, than to get round it and forget about it. People, if something is difficult and it’s easy to do the wrong thing, they will always do the easy thing.
So, people need to understand how to use them. It needs to be as straightforward as possible. And then we need to tell them the why. You know what this prevents, why it matters and why it’s important. And then we need to trust that they will do it, you know, and check-up occasionally, of course. But that’s the key. The key is – make it easy for them to do the right thing and let them understand why it’s necessary.
Now, let me give you an example of something that’s not always good. If we look at one of the things we tell people in security, it is to use VPNs, right? Because of course, we know in the business, in the industry, that a VPN sort of protects your traffic to the Internet. So, people can’t do man-in-the-middle attacks and things like that. And again, not completely impenetrable, but very good.
But if you ask people – and I just mean normal people on teams, not normal people in the street – if you ask them about what a VPN is, it’s hard for them to explain what it does. But then also when you load those up onto your devices, onto your phone and your laptop, you know, there are often problems, technical problems; VPNs sometimes block websites people want to use. And I’ve had that myself, where I had a VPN on a phone I used, and I couldn’t use the phone because it was so secure that it was stopping me from doing normal things like internet shopping and banking. So, in the end you switch it off and this is the problem: unless people can use that easily, they will eventually just ignore it.
So, my advice to anyone who makes this type of product and provides these services, is the most important thing is the UX, it’s the user experience every time. Because then they will adopt it and eventually hopefully become advocates for your product. But if you make it difficult, they will abandon it.
Oscar: Yeah, that’s the worst that can happen of course. That you have the best possible tool, but people abandon it because, as you said, it’s not simple enough.
Jenny: Right.
Oscar: Besides email, email phishing. I think one word that comes up all the time, when we talk about or hear about hacking breaches, is ransomware. So, what is the link between social engineering and ransomware?
Jenny: So, there are really two, I guess. Ransomware obviously gets onto someone’s system, becomes a problem, through the social engineering methods that we’ve already talked about. So often, these things start with an email, or they start with access escape because someone doesn’t update software. And then, you know, the attackers get onto the network and become, you know, and sort of sleep on the network for a while and spy on you and then a ransomware attack is then initiated.
But I think the real link to social engineering is, the key emotions that are used in ransomware, even if no conversation happens between the criminals and the target. Because what ransomware really depends on, are the things that malicious social engineers use all the time. You know, fear and shame are two of them.
So, you know, we’re on your network, we’ve got your files, we’re going to delete them or release the data. Well, people will – that’s a scary thing for a business. It makes your emotion high, your fear high and also, that fear that, you know, this will affect our brand, we’ve missed something on security, we’ve been sort of lax on security and, you know, that will be a problem. So, it relies on a very human emotion in order to make people want to comply with that.
And then there’s that very clear business decision of, you know, do we pay this, because it’s cheaper and easier to pay it than to go through all the problems that it might cause if we don’t pay it. And in security, we always say, don’t pay, but it’s not always that simple. For a small company, they might be covered by insurance, pay the ransom and be able to get on with their business in a day’s time, which is a tempting thing. So even though we in security know you should never do that, it’s hard for people in reality to make that decision sometimes.
And it also relies on a big psychological tool, which is urgency. So, you know, typically ransomware, you have a time frame in which to pay the ransom. Usually, they add sort of psychological elements, like you will see counters and, you know, messages telling you the time is running out. And all of that kind of stops us making rational decisions because it’s hard to make good decisions when you’re worried and frightened and anxious about the business and, you know, the time is the factor.
So, it’s important for all those reasons, I always say that ransomware is a big part of social engineering – well, social engineering is a big part of ransomware. Inasmuch as however distant and remote the attacker might be, even if there’s no conversation, the attack, by its nature, is a social engineering attack. It’s putting a human being or a group of human beings under pressure to do something that is not in their interest and that makes it pure social engineering.
Oscar: Yeah, very interesting, that viewpoint you talk about. The ransomware, it shows why many people are unfortunately paying and that this type of criminality continues. I’d like to hear how, I guess some time you have been – someone has tried to social engineer you, I guess. If you can tell us if that happens, if you have ever felt that you were close to falling, and how you protect yourself normally if someone wants to attack you this way.
Jenny: I get lots and lots of attempts at social engineering. Obviously, because it would be great to catch me out, as I’m the person that talks about it, probably, or one of the people that talks about it the most. It would be great. So, I get lots of attempts that are very obviously social engineering and particularly the ones that use all my advice or examples I give in keynotes. That’s actually quite strange.
I’ve been caught out a couple of times. One time was, I was at a conference and there was a guy at the conference who I knew, and his wife was pregnant, and she was heavily pregnant. So, you know, he was sort of on standby to go home in case anything happened. And he came to me, and he said, my phone’s died, I got a call from my wife, can I borrow your phone? I need to call straight back. Because I knew both of them. And then he took my phone and took a picture saying I hacked Jenny’s phone, you know. But, you know, he’s dead now. No, I’m joking. So, there was that.
But no, I get quite funny attempts from kids. So, I think children sometimes see me on social media, maybe. I’ve done a few sorts of shows on social media that – I did an interview for LadBible, which is quite a big platform. And someone had chopped up the interview and put it on TikTok and of course all the kids watch TikTok more, I think, than adults, right. And I started to get these emails that were really quite funny. So, it was like – I got some that were just threatening, so it was, but really obviously a kid.
So, it was like, we’re going to get you through social engineering, click on this link, and quite a lot with QR codes that led to the Rickroll, I got those. Which we open on our dirty machine in the office that we can open things on, and they were quite funny. And I knew they would be Rickrolls before I did it, but still. I get things like that, and I also get things that try flattery, you know, so, we’re such big fans, and we took a photograph of you at an event, do you want to see, and there’d be a little link, you know. And I kind of, when I know it’s just people sort of trying to catch me out and it’s not really malicious, it’s sort of a joke because it’s me, I don’t mind that.
And then I think the rest of the time when they are serious attempts by people who are criminals, I hope I catch most of them, but I would never say I caught all of them. None of us ever do. And that’s really the message is always – it doesn’t matter who you are, if it’s the right script at the right time, we will all fall for it. However alert you think you are, we’re all human and there are times when we just – our guard is down. So, people do try all the time; in person I don’t think they try very much, I think probably I would know they were nervous, you know, I’m just thinking of a few times. And they probably know that. But you know, again, you can’t always say it.
Oscar: Yeah, super interesting. Yeah, of course, everybody has to be well protected and as you said, it’s a lot about getting educated, really understanding, how real hackers are acting.
Final question, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agenda today?
Jenny: So, I’m asked this a lot, you know, and there’s lots of advice that we give. We can talk about the red flags of social engineering. You know, I mentioned a couple of them, you know, getting your emotions high, urgency. We could talk about cyber hygiene, we’ve spoken about that, you know, have multi-factor in place, use good tech.
But the key really for me, the thing that I want businesses to do is – you’ve got to know your people better than the bad guys. And what that means is, a really serious attack on a business will look across all of your teams, all of your operations, your network, your architecture, and they will really dig into that to find the best way to get to you.
And if we understand that people are probably the easiest way in, a lot of the time, what we have to be able to recognise is when someone is behaving strangely or has done something wrong – and that means a culture of acceptance and of understanding and of education. So, we need to know those people, that work for all of us, have to feel confident that they can come to you and say, I think I clicked on a link that might be malicious. I think I forwarded money to someone that might not be the finance director or the CEO. I feel that – I’ve been talking to someone on social media and now I’m not sure whether they’re genuine. So, know your people well enough so that they feel they can come to you and not get into trouble for falling for a con by professional con artists.
And if you can put those things in place, we know when someone’s worried, we know when someone is scared or when someone has made a mistake, then we can help prevent it. Because what criminals are relying on, a lot of the time, is isolating their target within a business and making their target too scared to really ask for help and to tell people this might be an issue.
And that’s something that is not easy, because it requires – especially in a huge company, that means line manager level, you know, your level, knowing the people, knowing your team, looking if someone is stressed, helping someone if they’ve got issues outside the workplace, and also knowing if their behaviour is different online and in-person as well, you know, is there a break in the pattern? Are they downloading files, are they being blackmailed into helping someone from the outside?
And to do that is not easy. It requires time and focus and a genuine interest in your people, but it doesn’t necessarily require lots of money. And I think that’s the thing. I would say, do not think you can throw money at the problem, and it be fixed. Get good technical products, good technical services. Make sure that you have the best technology that you can afford to protect your business, but at the same time, work in harmony with your people so that they are the eyes and ears for your organisation and for their security.
Oscar: Yes, I couldn’t agree more. It’s a really very good reflection and thanks a lot, Jenny, for telling us your stories. Educating us a lot about social engineering and getting protected. Please tell us, for people who would like to know more about you on the net, how they can find you.
Jenny: It’s been such a pleasure chatting to you, Oscar. If people want to find out more about me, I’m known as the People Hacker online and that’s Jenny Radcliffe. You can find me mostly on LinkedIn and Twitter and Instagram and my website’s humanfactorsecurity.co.uk and as you say the book’s out in February 2023, and it’s called People Hacker and you should be able to find it at most, at this point, in Europe. So, the EMEA countries; Europe, Middle East and Africa. The distribution’s a little bit weird, but you can definitely get it in the UK and then soon to be the US and further afield. So, if you keep an eye on my posts, you’ll definitely see me shout about that.
Oscar: Excellent. Definitely will read your book. Fantastic.
Jenny: Thank you, Oscar.
Oscar: Again, Jenny. It was a pleasure talking with you and all the best.
Jenny: Thank you, Oscar. Goodbye.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
Open Metaverse and the Importance of Self-Sovereign Identity, with Dr Mark van Rijmenam, The Digital Futures...
Let’s talk about digital identity with Dr Mark van Rijmenam, Founder and Future Tech Strategist at The Digital Futures Institute.
Dr Mark van Rijmenam joins Oscar to discuss the importance of Self-Sovereign Identity in the Open Metaverse – including his definition of metaverse, derived from his interviews with entrepreneurs for his latest book, the motivations for entrepreneurs to be building assets in the metaverse, the role of identity and its importance in the open metaverse.
[Transcript below]
“I think it’s crucial that we own and control our own data, that we control our own digital assets, and that we control our own identity and reputation.”
Dr Mark van Rijmenam is The Digital Speaker. He is a leading strategic futurist who thinks about how emerging technologies change organizations, society and the metaverse. He is the founder of the Digital Futures Institute, with a mission to ensure a thriving digital future for business and society. Van Rijmenam is an international keynote speaker, and 5x author. His latest book is Future Visions, which was written in five days in collaboration with AI.
Find his articles and books at The Digital Speaker.
Connect with Mark on LinkedIn or Twitter.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to our YouTube to watch the video transcript for this episode.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Come and meet the Ubisecure team at the Gartner Identity and Access Management Summit, in London, on the 6th and 7th of March. To find out more, take a look at the Ubisecure events page, www.ubisecure.com/events/.
Oscar Santolalla: Hello and thank you for joining us to this first episode of Let’s Talk About Digital Identity in this New Year, 2023. And we want to start hearing very futuristic things about a future, very futuristic. We have a really amazing guest to start this year. Let me introduce you, Dr Mark van Rijmenam. He is the digital speaker, he is a leading strategic futurist who thinks about how emerging technologies change organisations, society and the metaverse.
He is the founder of the Digital Futures Institute with a mission to ensure a thriving digital future for businesses and society. Van Rijmenam is an international keynote speaker. He is a five-time author, and his latest book is Future Visions, which was written in five days in collaboration with artificial intelligence. I definitely want to hear more about that. Hey, Mark, welcome.
Dr Mark van Rijmenam: Thank you very much Oscar for having me on the show. It’s great to be here.
Oscar: Yes, definitely our pleasure. Well, happy New Year.
Mark: Happy New Year to you, too.
Oscar: Yes, we are still in the beginning of 2023.
Please tell us about yourself and how – what was your journey to this world of identity, metaverse and everything that you are doing today.
Mark: I’m sure it sounds good. Well, obviously you already gave a very nice introduction, but I’ll add some things to it. So, I’ve been a keynote speaker for over a decade. I am a strategic futurist, so it means I really think about emerging technologies, and I try to understand what these technologies, these emerging cutting-edge technologies mean for you and me, for organisations, for society, and how we can benefit from them.
Because these technologies are constantly evolving. So, I’ve been doing this for over a decade. I’ve been speaking all around the world about that. I’ve written, as you said, five books. And I really try to always practise what I preach. And so that means that I – when the pandemic hit, I created myself an avatar, created myself as a hologram to deliver keynotes as such.
I’m currently working on building a digital twin of myself to understand – what are the consequences of creating a digital twin of yourself? A synthetic human, so to say. And how does it influence whatever we do? And I am very much involved in, you know, big data, blockchain, artificial intelligence and the convergence of these technologies, which are all coming together in the metaverse, which was my fourth book, Step into the Metaverse, where a big part of that is also focused on identity. Because I believe that the metaverse will unleash a sort of a Cambrian explosion of identity, and it’s very important how to deal with that.
I’ve also been involved in a start-up, which unfortunately failed, but that’s the start-up life. Focused on identity, focused on fighting misinformation with a reputation-based system. It’s very challenging to do anything in this space because we are very much used to a certain identity system that we have in our society. And shifting that is quite challenging, but I’m sure we’ll get to that during this episode.
So yes, that’s basically what I do. And yeah, indeed, my latest book, Future Visions, written, edited and designed by AI, I’m sure some of you have heard of ChatGPT, which is taking the internet by storm. And the moment it arrived, I thought, I’m going to grasp this opportunity to write a book with it.
So, I literally wrote it in five days, and I didn’t change a word. I didn’t – there were maybe like five or ten words that I changed myself, but the rest is exactly written by AI. And it was an experiment for me to understand what is possible with off-the-shelf technology, and it’s quite surprising how good it is, but also how not good it is. It’s not the Holy Grail. It’s fantastic technology, but there are definitely some caveats. And it was a fantastic experience to do.
Oscar: That, that sounds very interesting. So, you wrote a full book just using the ChatGPT that many people are talking about these days for the last, at least, last two months, I would say – quite a lot about that. And yes, super interesting journey you have had.
One of the last things you said is about the misinformation that – every time I hear that word like, we really have to do more about that – and it’s not easy, right? It’s definitely not easy.
That will come also on the metaverse, which is actually the main thing we’d like to discuss with you. So, skimming through the pages of your last, second book, Step into the Metaverse, How the Immersive Internet Will Unlock a Trillion Dollar Social Economy. So, I read part of your book; it is very interesting, so let’s go into that – to start with a common idea – please, could you give me your definition of metaverse?
Mark: Yes. That’s a very good point to start because the metaverse is a very, very abstract concept which many people have different perspectives of what it actually is. And for the book I did about 100 in-depth interviews with the stakeholders who are building the metaverse. I did about 150 surveys, and interestingly enough, I got like almost 250 different definitions of what the metaverse is, which sort of shows you how difficult of a concept it is.
I sort of derive my own definition from this, and to me, the metaverse is the next iteration of the internet; it’s where the physical and the digital world are converging. And where the physical moves into the digital and the digital moves into the physical. Now, that’s a lot of information there. And so, we can briefly unpack it a little bit.
So, if we start with the first one, you have the physical moving into the digital. Basically, this conversation that we have, you could argue, is part of a very, very early phase of the metaverse because you are physically in Finland. I’m physically in Australia and we are digitally connected through our computers, and we have this conversation. It’s a 2D connection. So yes, our screens are 2D. These are not immersive.
But you could argue this is part of the metaverse. Other parts of the metaverse are, which I think are very, very important, is, for example, digital twins now. Where we create a digital replica of a physical asset that we can interact with in the digital world and we can just monitor it, or we can actually interact with it and then any changes that we make in the digital world, we will have an effect in the physical world. And that’s also part of the metaverse. And often people think that virtual reality is the most important part of the metaverse, but to me it’s only one channel to access the metaverse in an immersive way.
The other part, the other channel so to say, is augmented reality, which basically means that we bring the digital into the physical world. I think that part is going to be much more important and much bigger because it allows us basically to create like infinite layers on top of reality. And this layer can be for entertainment, so you can have a flying purple dragon above the Opera House here in Australia, or you can use it to understand when you’re driving, to have augmented reality showing where there’s a parking space available or whatever you can come up with. And I think that’s also a very, very important part of the metaverse.
I think in the next decade or so we will see that computers will disappear, smartphones will disappear, tablets will disappear. They will all be replaced by headsets at first, augmented reality headsets I think; they will become miniaturised, very sleek glasses that you can wear. And you don’t need a laptop anymore, you don’t need a smartphone anymore because you have it all in front of your eyes.
So, the metaverse is the immersive internet, and this internet will become as pervasive as the air we breathe. And it will mean it will move from making a conscious decision to go on the internet – so, if you want to go on the internet today, you have to grab your phone and start doing something. And it will switch to being “in” the internet. So being fully immersed and being part of the internet. By the internet being as pervasive as the air we breathe or the energy that we use. This internet will be 3D, and that’s much more in line with what we humans are used to because we are 3D humans.
So, we thrive in a 3D environment much more so than a 2D environment. So that’s sort of what’s going to happen. There’s a lot of information, but in short, it’s where the physical and the digital world are converging, creating this immersive 3D internet that we can connect with and can be part of.
Oscar: Yes, you said that for writing this book on the metaverse, you have interviewed at least 100 entrepreneurs who are building their own metaverse versions or some product related to the metaverse. So, I’d like to know from those conversations that you have had – what has been their main motivation, why are they spending their time building those and not something else? So, what are, let’s say, the main motivations you found in common amongst these entrepreneurs?
Mark: Well, I think it’s a very good question. And I think what I noticed is that everyone that I spoke to, understands that the metaverse is the next iteration of the internet. It is the future. Whether we want it or not, whether we believe in it or not, it will define the next ten, 20, 30 years, if not more.
And so, any smart entrepreneur should dive headfirst into that because if you would have done that in the 1990’s, you would have been, you know, had a good chance to be the next Amazon. And that’s what I think is happening here because first we had one, then we had like sort of the mobile app with the launch of the iPhone. We had the social web, with the launch of all the social media platforms and now we move to the immersion web.
So, there’s a ton of work to be done. There’s a ton of money to be made because, you know, several banks and major strategy consultants say that by 2030, the metaverse will drive between 5 and 13 trillion dollars for the global economy.
Personally, I think it’s going to be a lot more, simply by looking at the impact that the internet had already on our society. So, it makes just good business sense to dive into the metaverse to see what you can contribute to this next iteration of the internet.
Besides, firstly, I think that the metaverse is a fascinating environment to work in, because it’s all novel, it’s all magical, it’s all – all the things that can become true in the metaverse. There are no laws of physics in the metaverse, so you’re not – we don’t have any restrictions on what we can build in the metaverse. And I think we can create this magical world, this magical virtual world, with these magical augmented digital experiences that are not possible in the physical world. And I personally find it fascinating.
So, I really enjoy being part of that. And I think over time when – the more we step into the metaverse, because mind you, the metaverse is still a few years out. The more a society steps into the metaverse, the more people will experience this magic as well.
Oscar: So different motivation. It sounds to me – it’s most like, I know there will be this new paradigm so that the technology is coming anyway. It sounds like that, and the entrepreneurs have to be there. Sounds like those are the main motivations.
Mark: Yeah, I want to add one to that because it’s – so my book has been, I’ve meant it as a blueprint for an open metaverse. And an open metaverse is really focused on – how can we create a metaverse that’s there for us, for you and me, consumers. And that’s owned and controlled by us and not necessarily controlled by big tech or a very, very tiny elite who controls whatever we do online, which the current internet is like.
We don’t control our own data; we don’t control our own digital identity. The internet is basically controlled by a handful of very, very powerful, very big technology companies. Now, with the metaverse, with the amount of data that you create in this immersive internet, which will be 100 times more than we do today, if not even more. I think it’s crucial that we own and control our own data, that we control our own digital assets, and that we control our own identity and reputation. Because we don’t want to live in a world where the Zuckerbergs of this world can decide whether or not you have access to this immersive internet. And I think that’s something really, really important.
Of course, we have to build it in the correct way, because you know, with building something decentralised also come a lot of challenges. But that’s what I did for the book and most people that I spoke to, they tried to do that as well. So, for a lot of people that I spoke to, they’re driven by this quest of building an open metaverse that’s there for us. And to change the paradigm from a centralised internet to a decentralised.
Oscar: Yes, that’s something I read in your book, the concept of the Open Metaverse. So, it’s great that many of these entrepreneurs have that in mind. So, something else that you just mentioned is – it’s about, of course, identity. Again, thinking of the companies who are now building the metaverse. How in top of the mind is digital identity? So, it’s a component that they are thinking every day, like yes, this is part of metaverse or something that is neglected? So, what would you say?
Mark: Well, I think that the digital identity is a very, very important part of the metaverse. And it was also confirmed, to the very people that I talk to. Simply because, as I mentioned in the start in the metaverse, we can be whomever we want to be, whether that is, I don’t know, a flying dragon, whether that is a walking piano, whether that’s a talking mushroom, it really doesn’t matter.
You can literally be whoever you want to be. And identity in the metaverse is really, really important, much more important than we think today. And if we ask Generation Z, those born after 95 or Generation Alpha, those born after 2010 to them, and this has been done to them, their digital identity is as or even more important than their physical identity.
Let that sink in a bit because that’s the paradigm shift. Your digital identity being more important than your physical identity, completely shift of mind and mindset. And therefore, we see that in the metaverse, digital fashion is really important because just like in a physical world, you want to dress a certain way to showcase who you are, to display your identity. You also want to do that in the metaverse. So digital fashion is a multibillion industry of for people to do that.
Now, what research also has shown is that the moment people can be whoever they want to be in the metaverse, they start experimenting with their identity. And there’s research that people switch gender just to understand what that means. There’s also research which showed that if you are an introvert person in the physical world and you use an extrovert character in the metaverse or in virtual reality, and you play with that character for a couple of hours. Then you will continue to display those extrovert characteristics in the physical world afterwards. Fascinating I think, how that works the digital, our digital identity can affect our physical identity.
So now, of course I think when we talk about identity in the metaverse, we also have to think about the challenges that come with it. Because if you can be walking a piano for that matter, how do I know that that walking piano is Oscar, you know, how do I know that? How can I be certain that I’m not dealing with this with someone else who has stolen your identity?
So digital identity or in this case I would argue Self-Sovereign Identity is very, very crucial for a metaverse, especially in open metaverse. Less so a closed metaverse, which is controlled by companies because they can do your identity check and they can verify that you are a real person. Your identity can still be hacked and be stolen, but that it’s more easy to control it.
That’s also has problems to it. In an open metaverse self-sovereign identity is really, really important because it allows us to control who has access to our data, for how long, to which data, and have full control over assets and our identity. So, I think if we think that identity is important on the current web, we have to think twice because it will be a lot more important in the metaverse. And for many millions of kids and teenagers that digital identity is already more important than the physical identity.
Oscar: Yes, that thing that you just said for a second time. It’s very, very important to think about because we need to protect those identities. Because the big bunch of the people who are going to be in when metaverse is more ubiquitous, as we call it, in the next 10/ 20 years. Will be using heavily, and we have to protect those, those identities.
Another thing you mentioned is if you have some of these, what example? Like a flying dragon, for instance, Oscar is a Flying Dragon in some metaverse. Right? So, people who are inside a metaverse will see the Flying Dragon, my name, maybe. But how do I enter to this metaverse? So that’s a point that many people don’t think right? I should have been, call it, logged in or authenticated properly in order to enter to that that metaverse.
Mark: Well, that’s a major technical and cultural challenge that you just mentioned, because what we don’t want is that if I go to Fortnite and into Roblox, into Decentraland and into the sandbox and to whatever other virtual world. That I every time I have to recreate my flying dragon, every time I have to create a new account, just like we do in the real world, actually.
So that’s not what we want to happen. Now in order to achieve that, we need interoperability. So, you need to be able to have an identity that you can take to a place just like you take your identity to a pub or a restaurant or club or whatever, in the physical world. So, we need to have that same approach.
But there are some companies working on this. Ready Player Me is a company that’s building an avatar tool so that you can create your avatar once and then you can use that avatar in over a few thousand platforms already. So that’s a start. It’s a centralised company; there’s nothing self-sovereign identity with it, nothing blockchain, nothing decentralised. So, you actually don’t control your identity, but at least it’s the first step that you create one account to do this.
But we already have that in the 2D world, which is called a Facebook login or a Google login, you know. Login with your Google account, login with your Facebook account, which, by the way, I would recommend not to do. Because yes, it is easy, but it also means that your data goes to Facebook, goes to Google, and they have even more access into what you are doing. So please don’t do that. I know it’s easy, but just don’t do it.
And so from that perspective, your identity is really important, and we need to be able to build this interoperability so that you can take your avatar, your identity, that you create – yours, your flying purple dragon that you’ve created – to all these different platforms. And all these different platforms have different graphical requirements, different computational requirements, which makes it really, really challenging to do that.
You know, if you go to platform A, it might be hyper-realistic and your dragon looks really, really hyper-realistic, but then you go to a platform like Minecraft or Roblox, which is very, very blocky, and how do you adapt that? How do you have that one identity work in both worlds? That’s a massive technical challenge, that’s definitely not solved yet, and that does require probably quite a bit of work to achieve. But yes, what we need to have is interoperability, that you can take your avatar, you can take your flying dragon, and you can fly from one world to the other.
Oscar: Yes, exactly. Now you mentioned flying from one world to the other. How open are these companies, like Fortnite, say Disney or whichever is the other, Minecraft, no? Are they open to that interoperability? Do you feel that they’re open to have that? Would they prefer to have it closed?
Mark: Well, most likely they will prefer to have it closed, which I think is a very short-sighted approach. Yes, having a closed network offers you a lot of value. We only have to look at mobile messaging. WhatsApp was sold for $19 billion in 2014 for a reason, because it’s a closed network and you can’t send a WhatsApp message to your Signal or to your Telegram.
In Europe, that’s going to change with the new laws. Investor rule probably not. So, we are very much used to not having this interoperability because for such large companies it offers a lot of value. If we do have that interoperability for society, it brings a lot of value.
We only have to look at email, we are able to send an email from a Gmail account to a Hotmail account. Imagine that would not be possible or imagine that we, we don’t have interoperability for websites that you can only build a website for, I don’t know, Chrome and then you have to build a completely new website for Internet Explorer, and you can’t just switch between. Imagine what that would mean for the world, it would just ruin the internet.
And email is so successful because I can use Gmail, you can use Hotmail and we can communicate. So, I think it’s very short-sighted for these companies – I understand why they think like that, but I think it’s very short-sighted and very selfish almost, to work on value extraction instead of value creation for society.
So, interoperability will add a lot more value to all these platforms. If you really make it easy, and make it nice and easy for people to come and also leave, you will see that if you offer the best product, the best service, then people will still come, and you will still make money. It’s a different approach; it’s a shift from a short-term shareholder approach to a long-term societal stakeholder approach.
And I think as a society, we need to make that shift from short term to long term. And I argue, and I call on every organisation, to make that shift. However, I’m also a realist and I know that that’s not very likely, and that most likely regulation will have to step in to force these people, because they probably will not do it by themselves.
Oscar: Yes. I couldn’t agree more with this point, and I hope they are listening to Mark and everyone else who is.
Mark: I hope so too.
Oscar: You already mentioned self-sovereign identity. Would you say that this is going to be the dominant paradigm in the metaverse?
Mark: Well, I hope so and I think it should be, because it’s a way that we control who has access to our data. And the best example here is, of course, if I go to a pub and I need to show that I’m over 18, currently in the world I have to show my driver’s licence. On my driver’s licence there’s a ton of information that’s not relevant for the question: are you over 18, yes or no? Which is just a very simple question, and a self-sovereign identity would allow us to answer that question, in a way that we can trust, without providing all that information. And I think as a society, I think we should want it.
We should be able to live in a world where we are not controlled by a centralised entity, because generally centralised entities, they corrupt, or they get – if they become too powerful – in terms of countries, democracies change to non-democracies. So, I don’t think that’s the right direction. So, for me, from a humanity perspective, I think a self-sovereign identity is the best approach.
Now obviously there are also a lot of challenges to it, because if you own and control your own digital identity and it works with the private key and public key, and your private key is 128 bits, whatever, or even ideally more, whatever. And you’re going to lose this long string of numbers, because people lose passports and smartphones all the time. How are we going to deal with that?
That question hasn’t been answered yet and people will lose their private key. And if your self-sovereign identity is everything that you do and you lose it, then you are in really, really deep trouble. So, we need to solve that.
It hasn’t been solved and we need to – because it’s almost an oxymoron. You know, am I going to store my private key with a centralised entity? So, then your private key is, you know, your self-sovereign identity is no longer self-sovereign.
And we saw that with the collapse of the various crypto exchanges: if you don’t own your private keys, the money is not really yours. Because it can just disappear. And so, this is self-sovereign identity – very, very important. It hasn’t been cracked yet and there are still quite some technical challenges that we need to resolve here.
Oscar: Yeah, I believe so. It’s super important to solve that problem. Absolutely. We’ve been talking about – you illustrated very nicely all these scenarios, mostly for individuals, I would say. But if we now focus our attention a bit more on businesses, even government, for instance, organisations just in general. So, what are the opportunities or some scenarios you can see for the metaverse, yes, for organisations and businesses?
Mark: Well, as I mentioned earlier, you know, the metaverse will contribute trillions and trillions of dollars to the global economy. So, there is an enormous amount of possibilities.
There are possibilities for consumers, B2C: digital fashion, a multibillion dollar industry; entertainment, immersive sports, watching sports or using augmented reality to bring a TV show into your living room. Well, Disney recently released a sample of that, which looks amazing. Education, you know, if you can learn something in an immersive world, if you can walk around Rome for your history classes and pause whatever is happening to have a discussion with your teacher, that, of course, is a lot more powerful. But also from an enterprise perspective, you know, if I am able to collaborate in a virtual world, in a world that works, in a 3D world, that’s a lot more intuitive and much, much more logical for us humans to operate in.
And that will have a big, big impact. Early last year, in 2022, I was part of a training done by almost a dozen police forces around the world. And they were doing an exercise in the metaverse, in virtual reality, and working with, you know, physical evidence and digital evidence. Everyone was in their own location, in Singapore, in the UAE, Bahrain, Senegal, France and several other countries.
And they were able to solve this scenario, which was a terrorist attack in a hypothetical country. And they all said afterwards that being able to collaborate in a virtual world is really nice and it’s really easy to get along with, and also because there was no hierarchy, because all the avatars looked the same, that helped – the police forces are very hierarchical, of course – and that really helped as well.
So, there are a lot of benefits to this. You also see it, for example, in design companies, car companies – Volvo is doing a lot by using virtual reality or even mixed reality to design cars with remote teams. So, instead of building a clay model in a physical location, you build a digital model with your design team just living or working anywhere in the world.
It doesn’t matter where they are. All these things will have a big impact. And that will also have a big impact on society because, you know, if we think that the pandemic changed working from home, the metaverse will enable working from anywhere, where you can be literally anywhere you want in the world, and eventually, early next decade, you have the feeling as if you are physically present in the office, but you are in a tropical paradise in the Pacific.
And that’s something where we are still far, far away.
Oscar: Yes, that sounds nice. Final question, Mark, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Mark: Educate yourself, because the world is changing so fast at the moment, if you blink your eyes, you’ve missed the train. And we could have seen that; we did that with AI, all the generative AI stuff that is happening at the moment, even for me. And it’s my job to be in, to know what’s going on.
Even for me, it’s sometimes difficult to understand and to follow and to be up to date on what’s going on, because the developments are going so fast. Now, if this is not your core job, which for 99.99% of people it isn’t, it often ends up at the bottom of a very long to-do list.
But you need to understand what’s happening, and ideally, as an organisation, I would also start experimenting with this stuff, small experiments, just to understand what’s happening. And then you can take it from there.
Oscar: Yes. Excellent. And as you say, you do what you preach. So, like your last book, just doing your due diligence, doing this kind of stuff. Yeah, I think I have to do some experiments like that myself.
Mark: Well, 100%, and for me, doing these experiments, they help me to understand, to better understand these technologies. And so, if you want to understand what technology X, Y, Z means for your business, start experimenting with it.
Oscar: Excellent. Well, thanks a lot, Mark. It’s been a really fascinating conversation, going for moments very deep into digital identity, which is something that we are very passionate about. And you gave us really good ideas and updates on what’s going on. But let us know, if someone would like to follow the conversation with you or find out more about what you’re doing, what are the best ways?
Mark: So, I’m pretty visible online, so the easiest way is to go find me on my website, which is thedigitalspeaker.com; you’ll find my books there, my academic papers, my videos, my articles. I have almost a thousand articles about these topics, all available to consume. Feel free to email me, connect with me on LinkedIn, on Twitter. I’m happy to connect with anyone.
Oscar: Fantastic and again, it was a pleasure talking with you, Mark, and all the best.
Mark: Thank you very much for having me, Oscar. It’s been a great conversation.
Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.