Voice of the Industry

Envisioning a future where human-centric identity solutions revolutionise our digital landscape

Thursday 18 May 2023 10:02 CET | Editor: Mirela Ciobanu | Voice of the industry

‘The important thing is not to stop questioning. Curiosity has its own reason for existing.’ Albert Einstein


There were two woodcutters who began their day by cutting wood. One of them tirelessly swung his axe, never taking a break, while the other would occasionally step away from his task and then return after some time. Surprisingly, by the end of the day, the woodcutter who had taken breaks had cut more wood than his nonstop counterpart. The diligent woodcutter couldn't help but wonder how this could be possible. Curious, he asked his colleague for an explanation. The response was simple yet profound: every time he took a break, he would sharpen his axe, making it easier to cut through the wood efficiently.

The moral of this story holds true for all aspects of our lives. We must all strive to sharpen our metaphorical axes, enabling us to find better solutions and unleash our creative ideas in both our professional and personal endeavours. It requires us to break free from narrow thinking and embrace an open and alert mindset, actively observing what others are doing and staying attuned to the world around us. (Thank you, Kay Chopard, for sharing the story)


Events like the European Identity and Cloud Conference 2023 (EIC 2023) serve as catalysts for this sharpening and polishing process. They provide a platform for individuals to expand their knowledge on topics such as identity, identity wallets, verifiable credentials, MFA, standards, governance, and the possibilities technology brings. In early May 2023, enthusiastic learners and knowledge-sharers embarked on a journey to sunny Berlin to attend EIC. With 54 partners, over 270 speakers, and more than 1,300 on-site attendees, it was the largest and most vibrant EIC gathering to date.

I must admit, as someone with a background in the humanities (and a touch of finance), the initial immersion into the world of countless acronyms for solutions (IAM, PAM, CIEM, IGA, etc.) and standards (NIST, FIDO, OpenID, etc.) was overwhelming. Still, I soon realised that stepping out of my comfort zone was an essential part of refining my knowledge. It required me to focus more, make connections, and learn beyond my familiar domain. This principle applies to businesses as well if they want to remain relevant to their partners, workforce, and consumers while ensuring profitability. Embracing a certain level of risk, experimenting with the new, learning from mistakes, and seeking wisdom from peers are all crucial steps in the process of evolution and growth.

What is the unknown?

How will digital trust look in the metaverse and the decentralised internet?

The role of digital verification is pivotal in various areas such as decentralised healthcare, finance, the metaverse, and the interaction between digital and non-digital objects in the spatial web, also known as the ‘Internet of Everything’. These decentralised approaches rely on age verification that can protect underage children from online threats. They also incorporate decentralised reputations, which provide a transaction history that establishes trustworthiness. In decentralised healthcare, for instance, verification based on documents and reputation is used, enabling decision-making for individuals over the age of 18 who are incapacitated due to injury. This process leverages documents, reputation, and advanced governance.

The impact of generative AI and how to regulate it?

According to Scott David from the University of Washington, at this stage, generative AI can be seen as a zygote, the very incipient phase of a body’s development. To better comprehend how this technology will unfold, we can examine the influence of Moore's Law (the principle that the speed and capability of computers can be expected to double every two years, because of increases in the number of transistors a microchip can contain) on risk growth. However, individuals can enhance their ability to navigate the realm of generative AI with greater effectiveness and responsibility by incorporating practices such as analysing anomalies, collaborating with accountants to gain financial insights, adopting robust risk management strategies, and fostering a curious mindset towards risk.

Other unknowns mentioned at EIC included what exactly an identity wallet should look like and how to detect and fight deepfakes in the age of AI, among others.

What is the risk?

Adopting a black-and-white attitude towards building identity solutions

Believing in the absolute value of decentralisation/centralisation and user control over their identity and privacy can also pose certain risks. In a 19-minute session, Vittorio Bertocci from Okta delved into the concept of verifiable credentials, shedding light on the true nature of identity, and dispelling several common myths related to it. These myths included the belief that central databases would disappear, that the user would have complete control over their identity, and that privacy would significantly improve.

We deal with both human and non-human threats

The concept of identity has long been a complex and multifaceted one. Identities exist within sociocultural and organisational contexts, as well as in technical realms. In addition to individuals, both organisations and non-human entities possess identities, particularly within technical contexts. Throughout history, identities have faced threats, initially involving the theft of individuals’ physical world credentials like credit cards and passports. However, these threats were relatively limited in scale. The advent of digitalisation has brought about a drastic shift in this landscape. Now, social engineering, phishing emails, and the illicit trade of credentials on the dark web pose significant risks to both individuals and businesses. These threats have further escalated with the increasing number of attacks targeting identity infrastructures, ranging from corporate directories to government eID systems.

During the EIC, various other risk areas were highlighted. These included discussions on insider threats within financial institutions, as presented by Elimity, Silverfort, and Saviynt. The topic of identity wallets also emerged, emphasising the challenges that arise from different interpretations of this concept and the complexities it poses for establishing effective digital identities (the diversification of the digitalisation process of driving licenses across different states in the US, known as mDL, showcased the need to address variations and harmonise approaches). Another significant area of focus involved examining identity and privacy in isolated contexts and exploring strategies for building identity bridges to connect these two domains.

What is the new?

The dimensions of digital sovereignty

Digital sovereignty has emerged as a crucial consideration for individuals, countries, and businesses, enabling them to operate within a trusted and controllable environment. Maarten Stultjens and Benoit Jouffrey from Thales explored three dimensions of digital sovereignty, specifically focusing on identity-related aspects:

  • The sovereignty of the individual - the protection of individuals has led to the implementation of privacy laws like GDPR and the emergence of solutions such as Self-Sovereign Identity (SSI) and identity wallets.

  • Geopolitical sovereignty – it highlights the notion that data concerning citizens should be subject to the laws and governance of the nation or state to which they belong. Compliance with regulations regarding cross-border data transfers has become increasingly vital in this context.

  • Organisational sovereignty - organisations must also navigate the complexities of complying with diverse data sovereignty laws across different countries. This gives rise to inquiries regarding the whereabouts of data, access permissions, and data custodianship.

EU Wallet – eIDAS 2.0: the new European identity framework

The current governance framework of eIDAS, which governs digital identity, is fragmented across different EU countries, leading to variations in regulated markets. Identity provider solutions in sectors like finance and healthcare typically rely on centralised approaches for identity management and consent within highly secure data centre environments, utilising legacy standards such as OIDC and central public key infrastructure. In contrast, eIDAS 2.0 aims to establish a unified identity ecosystem across the EU by introducing new standards, involving new stakeholders, and emphasising the use of mobile devices. While the existing roadmap allows for a transition period of three to five years or more, navigating this transition and implementing the eIDAS 2.0 identity ecosystem poses numerous challenges, requirements, opportunities, and practical considerations that need to be addressed.

What is the lesson?

Protecting critical IT infrastructure with reliable authentication tools

In 2022, Yubico received a request from their authentication partner, Hideez, seeking assistance in safeguarding critical infrastructure in Ukraine. In response, Yubico decided to contribute by donating 20,000 YubiKeys and providing technical support. Over the following weeks, these keys were distributed to numerous government agencies and companies responsible for critical infrastructure. Yubico extended its support further through the Secure it Forward program by donating YubiKeys to assist hundreds of local journalists and humanitarian organisations. These individuals and groups have been dedicatedly sharing crucial information to ensure the safety of their communities. Yubico's contribution aims to empower these professionals with reliable authentication tools, enabling them to continue their work with digital security.

IAM for banks

Banks play a crucial role in combating fraud and money laundering, but they face various challenges in leveraging technology, addressing sanctions screening, and ensuring cybersecurity. One solution that can help address these challenges is IAM (Identity and Access Management). However, implementing IAM effectively requires careful consideration. Swedbank shared some valuable lessons learned from their IAM transformation in the banking sector. Some of these lessons include:

  • Emphasising that IAM is not just an IT upgrade but a business concern, showcasing its value in enabling the business, boosting operational efficiency, and adopting a cloud-first approach.

  • Performing maturity assessments to identify blind spots and mitigate potential pain points.

  • Recognising that legacy issues extend beyond tooling and involve a mindset shift.

  • Avoiding the sunk cost fallacy by discarding ineffective elements and processes.

  • Being mindful of invisible legacy systems and dark data.

  • Prioritising maturity before automation, as automating inefficient processes only leads to automated inefficiency.

  • Creating a well-thought-out plan, acknowledging that unexpected challenges may arise, and being open to seeking assistance when needed.

Is there a solution?

Adopting open software, open technical standards, and open governance (on a good layer of ID fabric)

Adopting open technical standards (e.g. OpenID), open source software (the OpenWallet Foundation), and open governance (the Open Identity Exchange - OIX) enables the democratisation of digital wallet creation and avoids monopoly in this market. According to Daniel Goldscheider, the OpenWallet Foundation has a clear mission: to develop open-source software, built on top of open standards, that ensures the seamless functionality of digital wallets. At the core of this openness lies the concept of the identity fabric, which has emerged from the very essence of identity management. This fabric serves as the foundation, encompassing the APIs that users can leverage and interact with. According to Martin Kuppinger, it is both a strategic and technical component, providing a blueprint that demonstrates its practical implementation.

Build products that embed the concept of identity

Some important points stressed by Women in Identity on the stage of the EIC addressed how to avoid bias in identity systems to ensure fairness and equal opportunities for all users. By incorporating diversity and inclusivity in the design process of products, biases can be mitigated. Integrating digital identity into product development is essential to create inclusive and user-friendly products. Considering identity factors from the early stages prevents exclusion and barriers to access.

Apply a unified IAM approach

To effectively address the challenges of identity management, it is crucial to adopt a unified IAM approach that encompasses both human and non-human identities. As highlighted by Eve Maler from ForgeRock, employees should be treated as individuals, like consumers, and their devices should be considered as part of the equation. Additionally, the scale of consumers’ identities presents an attractive business opportunity. In today's landscape, the most significant threat comes from third parties, emphasising the interconnectedness of people and things. Protecting all identities is essential to combat these risks effectively. Without a unified identity framework, achieving strong security, privacy, and user experience becomes a daunting task.

Conclusion

In conclusion, the opportunity to engage with brilliant minds and pioneers in the field of identity management has been a true knowledge feast. Uncovering the essence of identity from its source has revealed the intricate nature of this field, highlighting the importance of embracing complexity to build robust identity systems.

Stepping out of our comfort zones and embracing new challenges is instrumental in refining our knowledge and broadening our perspectives. This principle of growth and evolution extends not only to individuals like me but also to businesses striving for relevance and profitability. By taking calculated risks, exploring new avenues, learning from mistakes, and seeking wisdom from our peers, we can forge our own path toward success and sustainable growth.

We express our sincere gratitude to KuppingerCole for organising EIC 2023 and inviting us, and we eagerly anticipate the next edition, EIC 2024.

 

About Mirela Ciobanu

Mirela Ciobanu is Lead Editor at The Paypers, specialising in the Banking and Fintech domain. With a keen eye for industry trends, she is constantly on the lookout for the latest developments in digital assets, regtech, payment innovation, and fraud prevention. Mirela is particularly passionate about crypto, blockchain, DeFi, and fincrime investigations, and is a strong advocate for online data privacy and protection. As a skilled writer, Mirela strives to deliver accurate and informative insights to her readers, always in pursuit of the most compelling version of the truth. Connect with Mirela on LinkedIn or reach out via email at mirelac@thepaypers.com.




Keywords: digital wallet, digital identity, FIDO, verifiable credentials, identity verification, cloud, privacy-enhancing technology, cybersecurity
Categories: Fraud & Financial Crime
Countries: World