The Story So Far

Last week I continued to explore the characteristics of the coming generation of identity. In that post, I looked at On Behalf Of and how it is critical to solve not only for AI-related reasons but also for our own mortality. This week, I round things out with an exploration of Proof and Portability.

Proof and Portability

If OBO speaks to who or what is acting on behalf of some other entity (either carbon- or silicon-based), then at some point that thing has to provide proof of who (or what) they are. This brings us to the third area of the new generation of identity: Proof and Portability.

Let’s consider how one proved who they were in the past. That flow goes something like this:

  1. Create credential
  2. Static KBA as a form of a proof
  3. Associate credential with accounts/insurance policies/sensitive data

Now, to be fair, we have innovated beyond that flow. And we have done so on the back of something that also helps define the current generation of identity. [show timeline, add iphone at 2007.] Although the iPhone isn’t quite 25 years old, given the rate of change and innovation (and for the convenient sake of this talk) I am going to include it as part of the current generation of identity.

For some many reasons the smartphone has had and will continue to have an oversized impact on identity. And with the smartphone came a new kind of proofing flow:

  1. Create credential
  2. Selfie + doc -> proof
  3. Associate credential with accounts/insurance policies/sensitive data

However both the old version and newer version of this general business process have problems. First off, the old flow, the one that relies on static KBA as a form of proofing, is both creepy and annoying AF… not to mention increasingly unreliable given how much ‘private’ data is now in the public domain through data breaches, hence easily exploitable. And as one reaches a certain age, static KBA starts to become just plain offensive. Like I remember what the model year of the car I drove 16 years ago was?!… don’t rub my nose in the fact I cannot remember that! You’ll make me freak out that I am suffering (more) cognitive decline. Not cool.

Second, the more modern flow has led to proofing creep. My good friend Andi Hindle writes about Proofing Creep as, “the unnecessary and inappropriate use of, or requirement for, verified attributes… Normalising the sharing of privileged identity information risks eroding not only user trust, but, eventually, the integrity of the identity verification as a system. Regulators, product vendors, and enterprises all have a role to play in ensuring that we appropriately minimise the use of identity verification. Don’t ask for a credit card, or a passport scan, when all you need is proof that someone is over 21.” We find ourselves often oversharing information in government issued documents because it is now trivial to get high resolution pictures of those documents and correlated selfies.

Lastly, and most importantly, these flows result in non-portable outputs. I have to waste my time going through repeated creepy and annoying processes every time I interact with a business that provides some form of regulated services. Now to be fair, some of this is yet another example of American Exceptionalism… we are exceptionally allergic to official national/singular identity schemes and thus have created additional problems for ourselves.

Proofing and portability is a bigger issue than the previous generation realized. Why? AI. If I have an AI-power agent acting on my behalf to perform regulatory sensitive actions, such as shopping for health insurance, it will eventually need to present proof of (my!) legal identity and likely need to present evidence of its own “identity” as well. Similarly, AI powered digital fakes are already overrunning our help desks and HR teams and this drives the need for more stringent forms of essentially the Voight-Kampff test - proof that you are who (and what) you claim to be. There are three major topics within proof and portability with which the new generation of identity will grapple.

First, wallets. Wallets love you. Or at least the EU really wants you to love wallets. There is extensive work going on in Europe to ensure that at the very least individuals can receive and use state-sponsored verified credentials. Along with the credentials are “trusted” wallets. One can expect that there will be at least one wallet per country. I have a guess that despite the existence of state issued credentials and sponsored wallets, no private sector organization is going to issue credentials into those wallets. In fact, I have a suspicion that private sector organizations, especially brand and user experience conscious ones, will not issue a credential into anything other than their own app with embedded wallet-like functionality.

Second, reusable proof. This time it’s going to work… maybe. The ability to reuse evidence that I (or some fact about me) have been proofed with a sufficient amount of scrutiny has long been cited as a reason for large scale identity schemes. The ability to reuse some form of evidence that I have been proofed by Bank A so that an agent on my behalf can open an account at Bank B would be amazing. What I think is likely to happen is in Europe nationally issued verified credentials will serve this purpose. However, in the States we will likely use mobile driver’s license (plus other evidence.)

Lastly, there are new issues in trust. How do I trust a verifier? This, in some regards, isn’t a new problem - the problem of trusting the party that receives information about your digital identity. Sadly verified credentials have, at times, been presented as a privacy cure-all. They have been infused with the magical thinking that by using them we eliminate the chance of customer data breaches. This is not remotely true. What VCs can do is selective disclosure and that is powerful. Selective disclosure can, as the name implies, allow the individual to determine which data elements within a credential are shared. But, and this is important, once the claims have been presented and verified there is absolutely nothing that the VC can do to prevent the verifier from storing what it learned. It might be just the fact that I am over 18. Or it might be my name and address. But I guarantee that the verifier will store something (if only for performance reasons) and that data is thus available to be breached. How a verifier manages the data disclosed to it is one of the problems of verifier trust and newer identity technologies do not, inherently, change that.

And then there is the issue of wallet choice and trust. If the EU is successful there will be a marketplace full of wallet providers providing wallets. I have to wonder if their position and their sometimes subtle, sometimes overt distaste for big tech, especially big US tech, and the wallets they provide is leading to a bad outcome for individuals. What are good selection criteria for wallets? Will I even bother to make a selection or just use the default wallet provided by the mobile ecosystem I bought into or am most comfortable with?