DIN's First podcast episode - When is 3rd gen identity coming

Transcript

[00:01] Snorre: Welcome to DIN's first episode in your up and coming identity podcast. Today we will be peeking forward in time of what identity concepts are coming, and we will be talking to our main sponsor, Signicat. So why don't you introduce yourself if you want.

[00:37] Jon: Yeah, I can. So, as you say, I work as a tribe lead and product manager at Signicat. Signicat is a Norway-based but European company, working in essentially all aspects of the identity space. My main responsibility in the company is for signing and trust services, but I also do a fair amount of work on identity, more general identity topics. So, yeah, that's it. Let's go.

[01:13] Snorre: Thank you for that. I just got curious immediately. You said signing and trust services. What do you entitle around signing and trust services? What does that mean for a normal person?

[01:26] Jon: Yeah, signing means when you need to electronically sign something as a proof of agreeing to something. I mean, you always sign in a process, so it depends on the task, how you need to do it and what you do. But where signatures are used in the paper world, you will have an electronic signature in the digital world, essentially one way or another. Trust services, those are services surrounding signing, mainly like issuing of a certificate for signing, digital identity certificates, time stamping, validation of signatures, and preservation of signed documents and signatures. So we do a lot of that as well. So you can sign a document, you can securely store it away, and you can then pick it up years later and you can validate it and say, yeah, this signature was valid at the time of signing, so this is proof of what happened.

[02:40] Snorre: That's interesting because I just wonder if you have a signed document today, where is it stored or how can I take this document and give it to someone else so they can verify that that is signed?

[02:57] Jon: Yeah, you get the signed document. That's usually a signature embedded in the document, right? Or represent it in a way. So can you view it in the document? These days, if you sign a PDF document, for example, which is the most common case, so you can store that away yourself. The company offering with which you sign, I mean, usually you sign the document with some company, like agreeing a loan with a bank, for example. You sign the loan agreement and the bank will store it away. We also got services, so you can store it with us if you prefer, or if our customers prefer to do that. And those are documents that can be sent around to also other parties.

[03:55] Snorre: Well, that's kind of a good segue for our main topic here. Our name is Digital Identity Nordics. So if you can just briefly try to explain to me what your view of digital identity today is, and we can just talk a little bit about that, and then we can kind of tie it together with the signing afterwards, just to kind of get that holistic view of it.

[04:21] Jon: Yeah. Digital identity today, if you look globally, if you look at the European perspective, it's a very, very immature area still. And it's a bit strange really, because it's something that it's realized that if you want to digitize societies, you need a really good digital identity system. But still, it hasn't happened in so many countries. If you look at Nordics like Norway, of course, this is another business. We got digital identity, proofs of digital identity, electronic eIDs deployed large scale in society, like in Norway, everyone has a bank ID and everyone uses that bank ID weekly or so. Same in the other northern countries and a few other countries. But if you look around in many countries, this is not the case at all. You have at best different username password solutions to access different services and such. So this is changing, touching upon stuff later on in this talk. So you could say that what we have in the Nordics is kind of the first, maybe the second generation of digital identity. First generation is where you have username passwords, different logons for each service you use, and the second generation is where you can use the same service everywhere, but it is exactly the same. So each service provider you interact with will get the same information and the same thing. And then the third generation then will be more targeted, with targeted identity. So you will not use the same identity information and the same identity, and the same information will not be released to each and every service provider you use, but it will be targeted to the purpose.

[06:37] Snorre: Yeah, I would say that today could we also call the second generation Federated in a sense? Or would you say that it's quite centralized in terms of it information lives at bank ID, but it's been able to federate quite well into a lot of different services.

[06:58] Jon: Absolutely. So Federated is a good word, actually. But this depends again where you are. If you look at the Finnish identity infrastructure, there are like 14 different issuers of your ID. If you look at Norway, well, formally there are six issuers, but it's all bank ID. If you look at society and you've got, of course, other actors like Buypass and Commfides that have a foothold in other sectors, but in the society, individual for individuals, it's a monopoly situation of equity. There is some thought on the pros and cons of that, of course.

[07:45] Snorre: Would you say that the Nordics are kind of quite leading edge on this identity perspective or I heard a lot about Estonia, but I still feel that in Norway we take a lot of digital identity for granted and it's not like that anywhere else.

[08:04] Jon: Yeah, I think Estonia is on par with the Nordic countries and we have some runners-up like Belgium, the Netherlands and the other Baltic countries, but in general the Nordics and Estonia would be the leading countries.

[08:25] Snorre: It's interesting because living in a country as Norway, you just become so used to it and then it becomes expected for us. So when you suddenly talk to people from other countries, you really don't understand how bad it really can be. So you get a little bit blindsided living in a country where you have a very good digital identity infrastructure, I would say.

[08:55] Jon: Yeah, absolutely.

[09:02] Snorre: Now, we heard a little bit about the Norwegian state and European state of identity. We learned about Federated identity and where we currently stand. We're going to transition over to a little bit more of the unique identifications and the story about that, as well as touching further upon the third generation of identity wallets and so on. So please stay put and get ready for some juicy information. So why don't you tell me a little bit about unique identifiers in there? It's core of identity.

[09:42] Jon: How are people uniquely identified in society? Again, for good and bad, we have the national identity numbers, so we are all uniquely identified, which is not the case in many other European countries where you don't have that unique number that would identify you.

[10:02] Snorre: Could you say that having our current birth of our birth number is kind of legacy because we have so much ways of creating yourself a unique identifier that doesn't have to be complicated system around your date of birth, these extra five numbers with depending if you're a girl or a boy and all these kind of things. Like my opinion is that we are carrying along a legacy thing where we could just have given someone a simple unique identifier which doesn't have to have a lot of information inside of it.

[10:42] Jon: Absolutely. And I think this is something that we see changing now. The attitude to that is changing. You could say maybe with a third generation digital identities, this is going to change because most service providers don't need to know your real identity and everything about you. They just need to know that, yes, this is the same person. This is the same person that emerged, that appeared last time and that's it. And you don't need your national identity number, you maybe don't need your full name or anything like that to access such services. You just need to know that it's a real identity here, it's a real identity behind this request and it is the same identity that accessed my service three days ago. And no access is again to follow up. Right? Yeah, so much more privacy aware and what you can call targeted identity where you release only the information needed for a service provider. Yeah, it's moving in that direction.

[12:02] Snorre: So this is going to also segues to my next theme, I would say, if you are able to tell me a simple use case of how we're going to live with the third generation, which in five years, yeah, it's going.

[12:18] Jon: To take a lot longer. And it leads into what are the counter forces to doing it like this? And of course you got service providers that want to ask for much more than they need. They need to ask for everything, right? And that's usually because they need to profile, use and your marketing information or they sell the information back to Google and likes to make them able to advertise to you. There are forces against this, narrowing down what you share and how that information is going to be used, that will also slow down the process. And of course the big actors are also thinking about their own identity systems and building them. So we see a start of maybe something that's going to be kind of a battle of digital identities going on. But what we would like to see is that I have a situation where I access a service, some service, it will be different. Like if you're entering as a new customer of the bank, they will need your whole personal information, your whole official identity, because they need to report to the government and they need to check you for anti-money laundering and stuff like that. But if I enter an online store then buy something, what do they need? Essentially nothing except I am a real person and I'm going to pay for it. And then maybe also they need some assurance that if I do something wrong and something needs to be reprosecuted one way or another, then they can go back and find out who I really am in those cases. But you don't need to share your name or anything. You need to share exactly the information that is needed and maybe that is some payment information and the address to which the goods are to be delivered. If it's physical goods, that's it. And I think we're heading in that direction that there's more, call it consciousness, on what we need to provide. In this case, not filling in the form with all my personal information in order to buy something online.

[14:56] Snorre: Since we've now spoken about both federated identity or digital wallet identity, if you could choose, not call it digital wallet identity, but more the third generation where you both control it a little bit more and you get to choose what data you send out. What would be your choice as a person and one that's really interested in identity?

[15:25] Jon: I look forward to using, call it Digital Wallet. I mean, that's going to be the buzzword. Although Wallet is just a tool that I have as a user, but I would strongly prefer having something I can control much better. It gets maybe a bit more complex to the user, but still it's assuming the user has an awareness of identity and what to do with personal information, it's a much better tool. Bank ID is super easy, doesn't require any much thinking how to use it. You just use it the same way all over and yeah, it's okay, but I would prefer a better functionality where I'm more in control of the information.

[16:26] Snorre: Yeah, I do agree. One thing I do see, the good thing about or I see in the digital wallet ecosystem because in Europe where you're currently locked with stuff coming, but other countries in Asia and the US. Having phones that has this biometric capability on it also provides a way to be able to more trustworthy trust that the person behind the phone is the right person. Or you can move a lot of the control, like actually give it to the person that does the thumbprint or the Face ID, because you can build quite efficient infrastructure that relies on that acceptance. On the other side you do that bank ID today of course, that you have to when I get the approval of authentication, I just give my print. That's probably also why we have gone away from or going away from bank ID on mobile because the penetration of biometrics on the phone is high enough to kind of turn it off. But now that we have this biometric on a wallet, it's quite powerful to at least give much more trust and safekeeping for the user. Do you have any insights to that or thoughts on that?

[18:00] Jon: For bank ID, I think it's partly also that biometrics can be said to be in some ways, if you have good biometric services, it's more user friendly and may even be more secure than using a PIN code. And then regarding the Bank ID mobile, there's also technology development because current Bank ID mobile doesn't work with the eSIMs, the virtual SIMs that are not based on the SIM card, physical SIM card. And also if they can get away from having agreements with each and every telco operator and all that, I think that will simplify business for them. So there are many reasons for them to go towards that base solution. But in general, yes, it's a good move anyway because it's a better solution.

[18:50] Snorre: Absolutely.

[18:51] Jon: But you mentioned the EU wallet, of course, which we haven't talked about so far and that's an interesting move. So in essence you will by law states that each and every member state must issue an identity wallet and privacy preserving one, as we discussed before, that will be available for free to all citizens in Europe or all European countries. And that's a quite bold move and there's a lot to it, pros and cons and whatever not. And it might be a success, it might not be a success, it might be a success in some countries and not in others, we don't know. But what has happened is really that it's taken the lid off the can for wallet based and say self sovereign identity. Maybe some of us feared that self sovereign identity and that way of thinking was a great way of thinking, but it never will leave the lab and no, it will definitely because as you indicated, regardless I think of whether or not the European identity wallet becomes a success. This is now happening because so many other actors are doing the same or similar things. Even governments, commercial actors and the existing actors in the identity industry. Everyone is moving in this direction and that means we are really going into this third generation identity systems. Now it's upcoming. So within a couple of years we'll see really a lot happening here.

[20:55] Snorre: Absolutely. And I'm glad you mentioned it. The only thing I held back on was just because the only con I see is that for example, you're in Norway we wait and wait for the EU to give us some pointers. This is one of the main reasons didn't exist is because I want the ecosystem to be able to flourish without necessarily waiting as we see happening in the US and also happening in Germany and Netherlands. Because when I travel around on these identity conferences I see a lot of these countries there because they again, they don't have that well identity service and they need to jump on find a really good thing without having to drag themselves through building too much second generation identity before they can jump on the third one. But I do think that you are very correct in saying that this train has already started to leave the station and it's going to be very difficult to stop potentially. We just don't know in what way or shape it's going to evolve because we have seen you try a very centralized idea delivery before. So I hope they are able to kind of I think they've done a good job now in terms of saying this is examples and every country has to deliver it and then the country is up to trying to figure out how. But now still they're waiting for certain guidelines. It's at least my impression and everyone is feeling a little bit on the waiting post to figure out what are we actually going to do.

[22:52] Jon: Yeah, of course that's a risk that countries or other actors just wait and see what happens at EU level. And to be honest, not that much will happen within the next two years that we as ordinary users will see in the market. It will be the needed legislation to go through. And then they need to develop specifications, they need to develop projects of developing a wallet reference implementation that can be used when you want to deploy into a country. But this will be way into 2024 before we have anything deployed and it's discussed. The regulation can be approved. Quarter 3 2023 was the last date I heard at best. And from there on countries will have been discussed. Will they have the mandate to issue a wallet within twelve months or 24 months? So we're talking and 2024, maybe into 2025 before we really have much regarding the European digital identity wallet. So what happens in the meantime, exactly? Well, Norway, Nordic countries, we use our existing digital identities, the second generation ones, for a few more years, that's fine. But in other countries, maybe nothing will happen. But I think really, when actors in the identity industry are able to take a deep breath and look further into it, I think they will realize that there will be a market beside the European identity wallet. I don't think the European identity wallet will not be the single, the one and only digital identity in Europe. There will be lots of other stuff around, and that space can be filled by other actors. So I think that will be realized also.

[25:02] Snorre: Yeah, I think so, too. I see the wallet thing. It's complicated, but not too complicated to build. But one thing that Norway can do well is to set a couple of security principles to get yourself, call it certified wallet so we can at least have a list of wallets we can trust from a government level, and then the market can just try to move the needle themselves. I would hope that if anyone from the government, Norway, did listen to this, we could potentially have a collaboration of an open source version here in Norway, where we also focus a lot on interoperability. Because I think that's one of the biggest problems we might see if we kind of start diverging a little bit from the EU framework. But if the standards are well written and we focus on the interoperability, then I think this third generation of identity can really blossom.

[26:14] Jon: Yeah, I agree. And interoperability is really core to this because it's not like any single identity solution should have a monopoly and be the only one. It should be different alternatives that can work together. That's really core to all this work.

[26:35] Snorre: Absolutely. So we're getting close to an end. Really great conversation. I don't want to stop, but I also want to make sure that we don't talk to you for too long. I'd rather have a follow up conversation, maybe next year sometime to going to see if anything has moved from our earlier conversation. But is there anything you want to depart this conversation with? Any last words you want to kind of make sure that everyone hears?

[27:04] Jon: Yeah, I think we talk now. We take a European perspective, and we're looking into also mentioning nations and governments in this case. But of course, the other players there are the big techs again. So you already have an Apple wallet, of course, on your phone. If you have an Apple phone, you have similar solutions from all these actors. And of course, identity is going to be a big business area. And of course, also business model of many of these tech giants is to collect as much information they can about you. And sell it for commercial purposes, mention Google collecting as much as they can and taking really possession of the advertising market through profiling and you got all that stuff as a conclusion. You don't want these guys to take control of the identity market. And we see also, EU doesn't want these guys to take control over the identity market. And there are regulations to limit this. But it's not like this is a technology that is national or European or whatnot. There are big players out there also.

[28:37] Snorre: Absolutely. And thank you for sharing that. I do also see multiple security companies stepping into this world, such as Avast, and buying up SSI companies because they see there's a shift, much probably because of the legislation. So with lots of legislation being pushed from the EU level, companies starting to play ball with this third generation identity, this is really an interesting space to follow in the coming years. This information you can get through us, Digital Identity Nordics. Thank you, Jon, for signing up for the conversation and being DIN's main sponsor. It's been a great conversation about digital identity and where we will be headed in the future, and thank you to you, the listener, for listening to Digital Identity Nordics' first podcast episode. This is a milestone. Please give us any feedback you might have, which can easily be done at DIN foundation. Until next time, be aware you don't own your own identity.