Time to understand identity

Andrew Smith

Founding CTO, RTGS & ClearBank

Identity has long been a hot topic, but more recently it has become red hot. There are so many discussions and debates, even large sections of events such as Sibos, devoted to identity and, more importantly, digital identity. However, the discussion more often than not takes a limiting view of digital identity. We end up 'boxed' into a specific implementation or use case, or debating what a digital identity really is. This makes it hard to see how best to move forward with digital identity, though we can all agree it's needed (whatever it is).

A singular vision

Identity discussions require a singular vision of what you believe identity to be: a common model of identity. What we have to remember is that just because we have the term 'digital', this doesn't mean it has to be confined to what we currently do digitally, nor that we cannot leverage the real world. In the physical world, the model of identity has been solved for many hundreds, if not thousands, of years, simply because in the real world we don't limit identity to being just one thing.

Identity is not one thing

All too often, especially in finance, we have a perception of what an identity is, what KYC is and therefore what data makes up identity and what data we need to hold. This then leads to discussions of "we must standardise the data we need from a digital identity to share across industry". I say this is wrong. Another common issue is that we then hear statements along the lines of "I want to be able to use my Apple login to access my bank", or "I want to use my bank login to access a service". We say these things because we also assume that these providers "know" me sufficiently to let me into another platform. Again, I say this is wrong.

If you are a software engineer, or a CISO, CIO, COO or even CEO within any organisation, you must start to think of identity as a 'domain'. By this I mean your identity is made up of lots of identities. If I were to ask you to open your wallet right now, you will have various forms of identification, each one valid. You may have a credit card, a debit card, a gym membership, your favourite coffee loyalty card, a store discount card, your driving license, all in your wallet. All are a form of identification, but together they form your identity, your identity domain if you will.

In finance we only accept certain forms of identity, typically a passport, driving license and then some proof of address. That's not to say a gym membership isn't a valid form, because it is, to the gym that issued it, but not, say, for opening a bank account. We accept these forms of identity not because they hold more information than another form of identity, or because they follow a specific standard, but because we have 'trust' in the issuer of that identity.

TRUST is therefore at the heart of all identity discussions, but we shouldn't now get confused and think we can only trust one provider, or one type of provider, of identity information. We need to be able to choose who we want to trust in given situations or use cases, and maybe at an industry scale. Note the word maybe.

The identity protocol

If we have a trust framework in place, where the companies that need to verify an identity rely upon a given number of trusted issuers of true digital identities, then the identity data is totally unimportant. There need not be any standard around that. Rather what becomes important is the protocol, the way in which a company requests identification and how it is presented.

This isn’t something that the finance sector needs to solve, not just because its use case reaches far beyond the boundaries of finance, but also because it is solved. The W3C has already published its standard for verifiable credentials and it is these credentials that can hold the identity data we need. The protocol for requesting them is also in place, as is the global infrastructure.

The Self-Sovereign Identity model

To my mind, this is the only viable identity model that we have and should have. Any identity-based discussion cannot take place without this concept. The basic premise here is that the identity owner, owns their identity. Simple as that.

As a company that wishes to verify an identity, you don't need to go back to a central provider to check that identity, because there isn't one. The identity is a domain: it is made up of lots of issued credentials (just like your wallet is today) from various issuers. To perform the verification process, the identity owner provides 'proof' of who they are, which is made up of information taken from a digitally issued credential (think digitally issued identity credential) or from various credentials. As the organisation requesting the proof, you specify which credentials you are happy to accept; these will be credentials issued by companies and/or governments that you trust.

The Self-Sovereign Identity model provides that protocol, not only for issuing credentials but also for how they are requested and presented. The actual structure of the content does not matter, so there doesn't need to be a 'standard' for what data is held. Rather, those that wish to verify an identity simply request proof only from credentials they trust.
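The verifier-side logic described above, as an added sketch that is not from the article or from any Sovrin or W3C implementation: a bank and a gym each keep their own list of trusted issuers, accept claims of any shape, and check the issuer's signature without contacting the issuer. The `did:example:` identifiers, the flat credential layout, the use of Ed25519 and the locally pinned key map are all assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Deterministic JSON (sorted keys) so issuer and verifier sign/check the same bytes.
const canonical = (v) =>
  Array.isArray(v) ? '[' + v.map(canonical).join(',') + ']'
  : v && typeof v === 'object'
    ? '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}'
    : JSON.stringify(v);

// An issuer holds a private key and signs whatever claims it chooses to issue.
function makeIssuer(id) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const issue = (claims) => {
    const body = { issuer: id, claims };
    const sig = nodeCrypto.sign(null, Buffer.from(canonical(body)), privateKey);
    return { ...body, proof: sig.toString('base64') };
  };
  return { id, publicKey, issue };
}

// The verifier's policy is only a map of issuer id -> public key it trusts.
// It never inspects the claim schema and never contacts the issuer.
function verifyCredential(cred, trusted) {
  const key = trusted.get(cred.issuer);
  if (!key) return { ok: false, reason: 'untrusted issuer' };
  const { proof, ...body } = cred;
  if (typeof proof !== 'string') return { ok: false, reason: 'missing proof' };
  const ok = nodeCrypto.verify(null, Buffer.from(canonical(body)), key, Buffer.from(proof, 'base64'));
  return ok ? { ok: true, claims: cred.claims } : { ok: false, reason: 'bad signature' };
}

// Constructed sample data: two issuers, two verifiers with different trust lists.
function demo() {
  const passportOffice = makeIssuer('did:example:passport-office');
  const gym = makeIssuer('did:example:gym');
  const bankTrusts = new Map([[passportOffice.id, passportOffice.publicKey]]);
  const gymTrusts = new Map([[gym.id, gym.publicKey]]);
  const passport = passportOffice.issue({ name: 'Alice Example', nationality: 'GB' });
  const membership = gym.issue({ member: 'Alice Example', tier: 'gold' });
  const altered = { ...passport, claims: { ...passport.claims, name: 'Someone Else' } };
  const lookalike = makeIssuer(passportOffice.id).issue({ name: 'Alice Example' });
  return {
    bankPassport: verifyCredential(passport, bankTrusts),
    bankGymCard: verifyCredential(membership, bankTrusts),
    gymGymCard: verifyCredential(membership, gymTrusts),
    bankAltered: verifyCredential(altered, bankTrusts),
    bankLookalike: verifyCredential(lookalike, bankTrusts),
  };
}

console.log(demo());
```

The gym card is valid to the gym and rejected by the bank purely on issuer trust, while the altered and lookalike credentials fail because trust is pinned to the issuer's key rather than to its name.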

Now I could go into great detail about how the Self-Sovereign Identity model works, but that can be a follow-up article. For now I will point out that this model provides maximum flexibility in terms of its use cases and that the global infrastructure required to make this model work is already up and running. The world's largest decentralised digital identity network is Sovrin, which is operated by the Sovrin Foundation and the companies that act as stewards of the network itself.

Move from trust to knowing

The challenge for financial services is starting to trust digitally issued credentials, that is, deciding which issuers we trust. This is no different to the situation regulated businesses have today: which credentials do we trust (passport, driving license, utility bill etc.)? It is a simple case of which digital issuers we trust.

This may be a simple case, but in a highly regulated industry, trust is often seen as a luxury. However, there are companies out there that are working to bring Self-Sovereign Identity to highly regulated industries, companies like ID Crypt Global. As a steward (a trust anchor, as well as an operator) of the world’s largest decentralised digital identity network Sovrin, ID Crypt Global issues self-sovereign digital identities that can be trusted by regulated institutions.

By following the self-sovereign identity model, ID Crypt Global moves institutions away from trust models towards a model of 'knowing'. This is because the verification process is cryptographically proven. This facet alone shows that self-sovereign digital identity can alter the way in which financial institutions look at customer risk, while at the same time dramatically improving customer experiences. This is just the tip of the iceberg: the potential use cases and opportunities provided to the financial services sector by companies like ID Crypt Global are vast, all because they embrace the model that is self-sovereign identity.

A broad subject, but identity is about focus

Hopefully from reading this article you see the importance and breadth of identity. It’s very easy to try and boil the ocean, to look for consensus on approaches, look to what we have, what we know, even to look to standards to help bring clarity. However, by focusing on a simple protocol, a common standard for sharing information and maths to prove verification, we see an identity model emerge.

Self-Sovereign Identity is rightfully seen as the holy grail of identity: it enables greater user experiences, ensures greater levels of security, reduces complexities for those that need to verify an identity, while all the time ensuring identity data is owned and controlled by the identity holder. But, unlike the holy grail, it's here, it's already being used and companies are now making it viable for businesses that operate within highly regulated industries, industries such as ours.