
Let's Talk About Digital Identity
Podcast by Ubisecure
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
All episodes
10 episodes
LET’S TALK ABOUT DIGITAL IDENTITY WITH CRAIG RAMSAY, SENIOR SOLUTIONS ARCHITECT AT OMADA.

What is Identity Governance and Why is it important? Craig Ramsay, Senior Solutions Architect at Omada joins Oscar to explore all things Identity Governance including – the role of Identity Governance in compliance with regulations and standards, how it affects security and risk management for organisations, alongside some real-world examples of Identity Governance in use. [Transcript below]

> “We’re still trying to shake off the thing that – security is a barrier to efficiency. There’s an old adage that ‘efficiency is insecure, but security is inefficient’. But I don’t think that’s true anymore.”

Craig Ramsay [https://www.ubisecure.com/wp-content/uploads/2024/01/craig-ramsey-photo-linkedin.jpg]

Craig Ramsay, Senior Solution Architect at Omada, from Edinburgh, Scotland. I have worked at Omada for 3 years and have previously worked at RSA Security and different financial services organisations in the UK within their Identity functions. Outside of work my main interests are hiking and travelling. Connect with Craig on LinkedIn [https://www.linkedin.com/in/craigramsay86/].

We’ll be continuing this conversation on LinkedIn using #LTADI [https://twitter.com/hashtag/LTADI?src=hashtag_click] – join us @ubisecure [https://twitter.com/ubisecure]! Go to @Ubisecure on YouTube [https://www.youtube.com/@Ubisecure] to watch the video transcript for episode 102 [https://youtu.be/YIwH2MMnaa0].

PODCAST TRANSCRIPT

Oscar Santolalla: This week I am joined by Craig Ramsay from Omada, here to discuss the importance of identity governance and how it is helping to solve problems in real-world. Stay tuned to find out more. Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar.

Oscar: Hello, for today’s episode about Identity Governance and Administration, mostly known as IGA, we have invited a super interesting guest who is Craig Ramsay.
He is a Senior Solution Architect at Omada. He’s from Edinburgh, Scotland. He has worked for Omada for three years and has previously worked at RSA Security and different financial services organisations in the United Kingdom within their identity functions. Outside of work, Craig’s main interests are hiking and travelling. Hello, Craig. Craig Ramsay: Hey, Oscar. How are you doing? Oscar: Very good. Nice talking with you. Craig: Thank you, you too. Oscar: So, let’s talk about digital identity. As usual, we want to hear more about our guests. Please tell us about yourself and your journey to this world of identity. Craig: Sure. So, I mean, thank you for the introduction. And I guess, in terms of my journey into identity, it was a little bit by fluke rather than by design. I studied Computer Science and when I graduated, I joined an operational IT graduate scheme. They had recently started a new IAM project, because I think back in 2008, identity and access management, identity governance wasn’t as mature as it is now. It was still kind of seen as an operational IT project rather than an information security principle. So, the drivers there were more about the efficiency, automated provisioning and stuff. But yeah, they were looking for a graduate on that project. That was me. And apart from a few years where I decided to try what it was like being a policeman, I have worked in identity ever since either for, as you said, financial services organisations doing the work at the coalface or for vendors, either in project delivery or, and you know pre-sales in my solution architect role. Oscar: Excellent. So, let’s go first with the basics. We have not talked about IGA yet in this podcast, have not focused on that. So, tell us, what is that? What is Identity Governance and Administration, IGA? What is important? Craig: Sure. 
So, I mean, identity governance, when you focus on it, at its core, it’s a solution that will ensure the right individuals have the right access for the right reasons at the right time in your organisation. So, it’s protecting the authorisations or the resource assignments within your organisation. And that’s often policy-driven to ensure that all of, and I think the important distinction here when we talk about IGA, that’s traditionally your internal identities, maybe your third parties and contractors. And then in terms of the overall importance of identity governance, as I said, it’s evolved over the years from being primarily driving and focusing, looking at the provisioning element of things. But as governance has become more and more important, as we start to take a more holistic view at identity, when you look at the adjacent technologies; privileged access management, cloud infrastructure and tailored management, user endpoint, behaviour analytics, identity governance is now really being seen as the kind of control plane across that identity fabric. So, I think it is becoming crucial. And there’s a lot of visibility on the importance of identity now, right up to C-level and maybe wasn’t 10 years ago. Oscar: You mentioned this concept about identity fabric. Could you also explain a bit more about that in this context? Craig: Yeah, sure. So, I mean, identity fabric is a term that’s been coined in the last maybe few years by a lot of industry analysts out there. It’s maybe a new phrase, but I think the concept isn’t necessarily that new. So, I think we also hear people calling it an enriched security ecosystem. So, it’s where you look at these solutions in the PAM space, UEBA, your SIEM solutions, etc. Those traditionally have worked in perhaps a bit more of a siloed manner. And the integrations have been maybe limited and not as seamless. 
Whereas now, I think this concept of that enriched security ecosystem, that fabric is that these things should be joined up and they should be – the convergence of intelligence and data between those solutions, I think is becoming more and more important so that you can take a holistic approach to reducing your identity-related risk. Oscar: It is very important, as you said, because there will be anyway, other solutions working together with IGA. Yeah, absolutely. What are the main problems, just – I’m sure there are many, but what are the top main problems that IGA solves? Craig: Yeah, so from a business problem or business challenge perspective, I think the main thing that we always focus on when we’re helping people build their IGA business case, is that we focus on security, compliance and efficiency. So, it’s looking to increase the efficiency and productivity of your end users and their experience, all whilst ensuring that you’ve got increased compliance, increased security and reduced risk. So, when we look at that, some of those common challenges and problems within that would be reducing the attack surface in the organisation. So, removing unneeded access, adhering to the principle of least privilege, making sure that your identities only have the access they should. I mean, combining those two things is going to reduce the likelihood and the impact of a potential breach in the organisation. It provides you with a unified view of access across the organisation, which a lot of people often haven’t had previously. So, understanding who has what access. And then there’s the automation around identity lifecycle management. So that’s reducing the time taken to provision your joiners, your movers, your leavers. You’re putting governance and auditing around all of these processes too. So, when people are requesting access, you’re ensuring they’re getting it for the right reasons with the appropriate approval. 
And you’re cutting down on things like rogue IT administration and stuff like that. So that’s high level, there is more obviously, but I think those are the high-level ones that we see frequently when we’re speaking to prospects out there in the market. Oscar: It’s a security compliance, and efficiency. Yeah, we’d like to talk about this. But before actually it will be interesting to – so people can understand the broader concept, how we try to imagine in their minds. If you can see in a real-world example, how work for a typical corporation that uses IGA. So, tell us what are these main processes that you say, mostly employees, right? What are these main processes? Let’s say a new employee goes from beginning until the end. Craig: Yes. I mean, if we’re going to talk – the phrase we kind of, is from hire to retire. So, when I try and explain this to my friends, maybe aren’t so technically minded when they ask what I do, I sort of give them an example. I say, OK, you join an organisation, and you are working in their HR department. So, from day one, you should have access to be able to log into the network, an email account, access to various file shares to do with HR to enable you to be productive from day one. So, the IGA solution will help you identify the policies to automate that process, to make sure that you are productive and also make sure that you’ve only got access to what you should. So, if you’re joining HR, you shouldn’t be getting access to any file shares to do with finance, R and D, anything like that. And then as you move around the organisation or your needs change, you should be able to request access that goes through the appropriate channels. It should be reviewed regularly to make sure that it is still appropriate as you go through your life cycle as an identity in the organisation. If you are promoted or changed departments, that should change automatically in line with those policies too. 
And if you either leave the organisation, be it permanently or temporary for maternity leave, garden leave, that kind of thing, your IGA solution should then disable or provision that access in a timely manner too, to make sure you’re reducing risk. So, I mean, those are kind of some of the high-level things that it’s that right access for the right people at the right time for the right reasons is kind of trying to, in a nutshell. Oscar: Indeed, that was in a nutshell, very, very easy to understand. Thank you for that. Some of these at least main problems and how these are being solved. But IGA, let’s start with security as you put security first, how IGA is helping with security? Craig: So, in terms of how it contributes to, you know, maybe security and risk management, I think, it’s providing stronger access control. So, it’s starting to limit access to your sensitive and privileged information. So, when you start to look at either personal identifiable information, financially sensitive information, or privileged access, so this is when you start to look at integrations with adjacent technologies in the PAM space, you’re ensuring that the access control is limiting that access. Reducing risk. I already talked about the fact that that principle of least privilege means that if there is a breach in the organisation, the identity of the account that’s breached should have only the access needed to do the job that it can, and it shouldn’t have any elevated permissions permanently. The ability to traverse the network or to have a much more impact on that breach should be reduced. You’re also reducing the likelihood by integrating with identity providers to perform strong authentication. And those unneeded accounts or unwanted accounts or unused accounts have been removed over time as well. So that should be helping you reduce the risk and then improve your security posture. 
In combination with that as well, if you look at some of the real-time monitoring and identity incidents or detection and prevention you’re starting to see integration with abnormal access patterns, maybe you know impossible logons, for example, we integrate with the Azure identity risk subscription so that’s looking at – user logged on from Edinburgh one minute and they’re trying to log on from Beijing the next. That’s impossible, so that may be an indication of compromise. And then your IGA solution could lock down that account. So, there’s many ways you could do that and it’s obviously a maturity journey, you need to crawl before you can walk before you can run. But it’s a maturity journey you go on to take a holistic view in reducing your identity related risk. Oscar: Yeah, indeed. From basic essential functionalities of security to much more advanced like some of the ones you described. The second one is, of course, we’re interested about compliance is very common that someone comes, start to ask someone from Omada, or from another company even Ubisecure, we also do identity access management and one of the key drivers for them is compliance especially in some industries, it’s more important that. So, tell us about compliance. Craig: Yeah. So, I mean, when you go out there in the market and you’re speaking to organisations like more and more and more we are speaking to organisations that operate on a global basis. So, you’ve got country or region-specific things like GDPR, SOX, HIPAA, PCI DSS etc. that are external regulatory compliance frameworks that you must comply with. And you know we keep a track on with things like Schrems II as well. We’re always keeping an eye on that to ensure that the solution we provide is compliant with those things. But then we’re also helping our customers comply with how they are storing, processing and managing the data in relation to those things.
So, if you look at what I often say is that an identity governance solution is a technical translation of your business processes. I think you always have to look at making sure your people process and technology are working in harmony with each other. Technology alone will not resolve your problems. So, I think as part of a wider identity information security strategy you should ensure that your internal policies and standards are created in such a way that it will help you comply with those external regulations if they apply to you. But you should always look, I think it’s a healthy thing for any organisation across any vertical to have these well-defined policies and standards and ensure that they can comply with those. And as I said that’s where identity governance comes in, because it helps you comply with those things by defining policies that can detect when you’re non-compliant, you’ve got that audit trail. So, it offers – you’ve got transparent auditing for your internal and external users to prove compliance. You will go through regular recertification, attestation, reviews, whatever you want to call it. But that also ensures that you’re demonstrating regular compliance. And then we already talked about risk management as well, but compliance and risk often do overlap each other. So, you’re identifying and mitigating compliance risks through the definition and enforcement of these policies as well. Oscar: Indeed. So, there is some reports that can be directly created, right, from the IGA system. And that can be directly taken by the compliance officer or whoever requires it, right? Craig: Yeah. Oscar: The other you mentioned there was the operational efficiency, right? So, as you mentioned, it’s one of the three main problems. Let’s – I’d like to hear more about that as well, how IGA helps. Craig: Yeah. And I think that’s one of the things that I think separates IGA and the information security market sometimes. 
That it’s not always focusing on risk reduction and things that are maybe potentially seen as negative. So, you talk about fear and certainty and doubt within the sales process, etc. When you’re doing that, it can often be quite a hard sell because it’s hard to quantify the risk. We can’t help with that. There are formulas out there of calculating the impact of a risk based on, you know, and the likelihood, the cost of the actual breach, etc. But to bring it back to what you actually asked about from an efficiency perspective, if you look at – if organisations are still heavily manual in their provisioning and their processes, there’s a huge cost to that from areas like your service desk, your operational IT administrators. And often it leads you to the potential for human error as well. So, if you start to automate those things, you see a reduction in numbers of calls to the desk, a number of manually created events and things that are being done. And you can put a pound, euro, dollar sign against that clearly from an efficiency and a cost reduction perspective. From an end user perspective as well, I mean, it’s always, I think there’s – we’re still trying to shake off the thing that security is a barrier to efficiency. There’s an old adage that I keep using for it regularly that ‘efficiency is insecure, but security is inefficient’. And I don’t think that’s true anymore. I think if you correctly apply your policies in a way that apply the appropriate level of risk, your users – to them, it should be seamless pretty much all the time. They shouldn’t see these processes as an action. They should see it as; they request the access they need, it gets granted to them in a timely manner. When they move around the organisation, a lot of that should happen automatically. Overall, you should see an increase in productivity. 
Your line managers aren’t getting frustrated when people join the organisation and they’re having to submit 10 different requests to get them functioning from day one. So, it’s overall operational efficiency and cost reduction. But the productivity. And end user experience of it as a result of a well-delivered IGA program, I think is clear to see as well. Oscar: Yeah, cost reduction is clear and is a great reason to buy a product like IGA. Absolutely. Well, if you quantify that to a buyer, it’s like, wow, you can convince him or her very easily. Yeah. At Ubisecure, we are working with CIAM, and I experienced directly that sometimes requests come from potential customers, and they are looking for identity and access management. And when we review closely, we see that sometimes what they need is IGA or what they need is both IGA and customer identity and access management. So, and in those cases, the customer will need to deal with these two types of system, right? The IGA and CIAM. So, what is your perspective from your experience working integrating these two types of tools? What are the main things that a buyer bought from business and technical perspective should know at least? Craig: Yeah, so, I mean, funnily enough, I have worked on a couple of opportunities where Omada and Ubisecure have been working together on those kinds of joint proposals where people are looking for IGA and CIAM. And I think it’s interesting because you can make a very strong case about where the overlap is, but you can also equally make a very strong case about why they should be separate because of the nature of the requirements. From a CIAM perspective, you’re looking for that seamless, really quick response for all your consumers. And then you should be able to deal with high demand periods when you’re very, very busy, when your consumers are consuming your services. 
And from an IGA perspective, you’re very much looking at the internal and the control and the level of these privileges that we’re talking about. And there are similarities in the capabilities in terms of, you know, being able to provision in a timely manner, deprovision in a timely manner, ensuring that it’s the level of appropriateness. So, if you look at it from an integration perspective, a unified management of the identities, I think, could be important whilst treating them differently. I think your end user experience again should be important. So, you’re balancing security and efficiency for your internal and external customers. And then you should be able to have that from a scalability perspective by seeing those things integrate well with each other as well. I think what is important when you’re speaking to people, understanding their requirements is crucial. So, when they’re talking about, you know, B2B or B2C capabilities and requirements, it’s OK, well, how do you manage your B2B and B2C use cases? Because I think if you take software or technical organisation where their consumers consume their services in a far, far different way to maybe a retail bank or a supermarket. The requirements for end users from that perspective, they’re opening up a loyalty card in a store and you’re processing their personal data in that manner is very, very different to maybe a software company where people are having accounts created and consuming those services. So, as you can probably tell, not an absolute expert in the CIAM space, but I think whenever those opportunities arise, I think the first important question is why? To understand what it is exactly they’re trying to achieve. And then you map the use cases to the functionality in each of the appropriate solutions to make sure that it’s well matched. There will be overlap in some cases. But as I said, there’s a strong case for when there’s similarities and when they should be managed separately. 
But ultimately, it’s part of that wider identity fabric we mentioned earlier that it’s kind of all identity in the end, I guess. Oscar: Yeah. Indeed. As you say, you put it very clear, the importance of really knowing very well the requirements because in a conversation, they might tell you we need this one, two, three, five things and can be also in a written Excel file or whatever. But then you have to go deeply to understand what they meant by saying this B2B or anything, right? So, yeah. Indeed. Thank you for sharing that. Looking now at the present and future, let’s say, because IGA, as many other types of products have been evolving, are evolving all the time because there are different needs. So what customers are asking today when they are clear that they need an IGA software? What they’re asking today and what are these new problems that need to be solved, are being solved now and need to be solved if they are not solved today? Craig: Yeah. So, it’s a very timely question. To be fair, we recently released a State of IGA for 2024 report [https://omadaidentity.com/resources/analyst-reports/state-of-iga/] at Omada and we did a webinar discussing the findings of it and it did exactly that it looked at how seriously people were taking identity. And then as you said what are they looking for currently and what are they looking ahead at as well. So, and we just talked about the why and the use cases, so I think, number one that we still see is that the solution they’re looking at adapts and meets to their changing business needs. So, the requirements they have now and the requirements they think they’ll see in the future, it’s the core capabilities must adapt and must comply with that. We’re seeing an increased importance being put on the ability for the solution to integrate as part of that security ecosystem we talked about. So being able to play nicely with the adjacent technologies across the identity fabric. 
And then from a connectivity perspective, I mean I talked earlier about a unified view of access across the board, the nature of organisations has changed massively in terms of on-premises systems to a lot more cloud services being consumed. So the ability to extend and integrate with a growing list of different target systems is important for them. Looking ahead, we do see AI and Machine Learning coming up again and again. And I think when we see that it’s important to take those as separate things. So, from ML perspective, you know, if you look at kind of the role mining capabilities that have been there for some time, recommendations during reviews, recommendations for decisions or decision support for approvals, that stuff has been around for a little while. From an AI perspective, I mean there’s a huge buzz around what’s happening in AI. Just now Google just released their Gemini Chatbot to rival Chat GPT and that the generative AI stuff and the practical uses of that are going to start to be seen. So, you know integrating generative AI, we have stuff where it’s looking at… you can ask questions about the documentation. So, like what is this object in Omada and like what’s the difference and it’s starting to respond to that so we’re in the process of testing and releasing that. And then looking further down the line, it’ll be generative AI within the solution. So, user logs in and it says, “What are you trying to do today?” “I need the same access as my colleague Allison.” And it’ll say, “OK she’s got this, this and this. Maybe this is what you need to request.” Or it’s becoming more mature and more complex or sophisticated in what it can do. So, I think ultimately what people are looking for is ensuring that the solution they have can do what they need to do today and can do it well, it’s scalable, it’s easy to upgrade, it’s easy to maintain. They’re reducing the complexity of management of it so they’re simplifying it from that perspective. 
But looking ahead they’re needing that generic connectivity that can allow them to connect to any of the systems they have now and ones they want in the future. And then being able to take advantage of the advances in the AI and ML space to improve end user experience and also the maintenance and administration of the system itself for their administrative users. Oscar: So, you believe that machine learning and the other what we call artificial intelligence is going to be used. It’s to be solving those problems that today customers are bringing up. Craig: I think it’ll augment, and I think – because that’s the thing people get worried about AI replacing us and whatnot. And maybe somebody using AI more efficiently than you might replace what you’re doing but AI itself can’t and I think any algorithm that – it does do in the output of it still needs human validation particularly in a field like IGA where OK it’s taken a huge amount of data, provided this output and most that might look OK. There’s probably some human context in terms of exactly what that business does that’s needed to say, “Yes I’m still OK with that.” Because ultimately the human’s going to have to be accountable for the decision that’s made. I don’t think and I don’t think we’re going to see algorithms being fined or sent to jail for data breaches you know, I mean. Oscar: Yeah, a human will go to jail anyway. Hopefully not. Hopefully that doesn’t happen. Craig: No, hopefully not that’s what we’re trying to prevent. You’re right, we’re trying to prevent that but yes. Oscar: Exactly, exactly. Yeah, yeah definitely. Also, one thing you mentioned, it comes back to what we discussed earlier these identity fabrics. Yeah, the way to coexist all this all these tools, IGA, PAM, CIAM all together that’s also, as you say, it’s something that is becoming more important because the environments are getting more complexes. Final question for you, Craig. 
For all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today? Craig: So not to spoil the magic of the podcast but we’re recording this just before Christmas towards the end of the year and I don’t know when it’s going to be released but that’s always a time for reflection and looking at where you’re at and where you want to be going. And I think for any business leader right now, I think conducting an identity maturity assessment is something that you can do actionably right now. So, look at where you’re at from an identity maturity perspective and identify gaps that you need to start filling, or priorities looking ahead and aligning that with your business goals, your business risks to ensure that your information security strategy, your policies and standards support your overall business objectives. And then from that, building a plan of continuous improvement, some milestones as well. And I think any well-delivered IGA project should be doing that. It shouldn’t be looking to boil the ocean or deliver everything at once at big bang. It should be continuous improvement and continuous demonstration of value. So, I appreciate that might be – that’s not something cutting edge or brand new or innovative, but I think it is really something actionably you can do now to take a step back, assess exactly where you’re at and then build that plan and start to try an action that. Do that at the end of the year, at the start of the year. There’s never a bad time to take a step back and reflect and put that plan in place. But I think that’s definitely something actionable that they could put on their agenda right now to do from today. Oscar: I couldn’t agree more an assessment, absolutely. It’s something needed. Yeah, it takes time. And it’s very actionable, as you said. Yeah, thank you very much, Craig, for having this very interesting conversation about IGA and other topics, related topics. 
So, let us know for people who would like to continue this conversation with you, or follow you, or find out more about what you do, what are the best ways for that? Craig: Yeah, absolutely. So, you can find me on LinkedIn, Craig, I think my username is Craig86. Obviously, I work at Omada Identity, but that’s, again, if you search for Omada, you’ll find us there. I mentioned our State of IGA 2024 report [https://omadaidentity.com/resources/analyst-reports/state-of-iga/], you can download that free from omadaidentity.com. And there’s also an on-demand webinar where myself and Rod Simmons, our VP of Product Strategy, discuss that report in-depth. But yeah, please do feel free to reach out and connect. If you want to chat about all things identity or just want to know a bit more about Omada or myself. But yeah, it’s been a pleasure talking to you, Oscar, as well. Thank you. Oscar: My pleasure as well. Well, all the best. Happy New Year. Now, this coming the new year, 2024, I wish you all the best for you, Craig, Omada, and everybody who is doing all this great job in the identity space. Thank you. All the best. Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

LET’S TALK ABOUT DIGITAL IDENTITY WITH JESSE KURTTO, DPO AND DATA SCIENTIST AT UBISECURE.

Is now the right time to invest into Identity and Access Management (IAM)? Join us for episode 101, as Oscar is exploring why now is the right time to invest into IAM with Jesse Kurtto, DPO and Data Scientist at Ubisecure – as they delve into the current economic situation and some of the key factors of investing into identity management. [Transcript below]

> “Digitalisation is ongoing, it’s accelerating, it’s unstoppable.”

Jesse Kurtto [https://www.ubisecure.com/wp-content/uploads/2023/12/Jesse1-e1702464324187.jpg]

Known as the guy who shortened the world and lived to tell the tale, Jesse’s career is gradually arching from the Wild West world of finance to his current position as the DPO and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he’s no stranger in exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is putting the hiking boots and RPGs aside for a moment in order to write to his beloved snail mail friends across the world.

We’ll be continuing this conversation on Twitter using #LTADI [https://twitter.com/hashtag/LTADI?src=hashtag_click] – join us @ubisecure [https://twitter.com/ubisecure]! Go to @Ubisecure on YouTube [https://www.youtube.com/@Ubisecure] to watch the video transcript for episode 101 [https://youtu.be/lmm4aIkQCcE].

PODCAST TRANSCRIPT

Oscar: Is this the right time to invest in Identity and Access Management? This week Jesse Kurtto from Ubisecure has joined us to answer this question and discuss the current economic situation. Stay tuned to find out more. Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar: Today’s guest is Jesse Kurtto.
Jesse’s career has gradually arched from the Wild West world of finance, to his current position as a Data Protection Officer and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he is no stranger to exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is writing to his beloved snail mail friends across the world. Welcome Jesse. Jesse: Thank you for the invite, Oscar. Nice to be here. Oscar: Great having you, Jesse, definitely. We’re going to have a super interesting conversation about the market in Digital Identity and Identity and Access Management. First of all, we always want to hear more about our guests. So please tell us a bit about yourself and your journey to the world of digital identity. Jesse: All right. So, like many or even most of us in the digital identity field, I actually never really actively sought to be a specialist, IAM specialist, on purpose. And my personal background is actually nothing technology even, but in finance and investing more specifically. So, a chance encounter and I liked the people who interviewed me and decided to stay for a while, and that while has been over seven years now. And I’m still learning something new every day, checking out how we really the world of digital identity like and frankly haven’t ever regretted the decision. No two days have really been the same and the field continues to evolve and develop quite a bit every year. Oscar: Yeah, excellent and definitely hearing at Ubisecure, we definitely appreciate having this – well call it, like a blend of knowledge – the financial market, not lesser than what you bring with the security and digital identity knowledge, very practical knowledge you also had. So, it’s always super interesting having those conversations with you. 
And for the first time here on the podcast, we are going to have that, a bit more financial touch on that – What is coming, especially in this well this year, and I think also the years to come. The previous year and the year to come I think, we are already end of 2023 in which – well the financial situation is not good we’re going to talk about. But of course, no matter how the economy is, the companies organisation has to protect their services, have to upgrade the services, maintain them, so they have to invest some money in that. So, from the perspective of companies who today need to upgrade their digital capabilities, what would you say is the piece of the current macroeconomic situation that they should know well? So that was at least what they should know well, from what is happening now? Jesse: Well, first of all, we all know the macroeconomic situation hasn’t really been dancing on the roses over the past few years. But first, we had a massive shock with the COVID pandemic starting from spring 2020. Then we got massive economic stimulus to recover from that slump. And right after we were starting to climb up, then the war in Ukraine saw that all kinds of new problems everywhere around the world seemed to emerge just within three or four months. The energy uncertainty in Europe and the economy went down the drain, and macroeconomic in quite a difficult situation here in Europe. But we would actually want to have some kind of stimulus in order to recover. But at the same time, we are suffering from quite persistently high inflation, which makes any kind of stimulus package basically equal to pouring more gasoline to the flames. So, the European bank is really between a rock and a hard place here. And I can only look over the Atlantic to the States and be very jealous how they are able to both fight inflation and with high interest rates, five and a half percent this talking and meanwhile still have a blisteringly red-hot labour market all but there. 
So, my first point would be that not all markets are equal. And the second important point is that now is actually a really great time to invest in any digital capabilities, including digital identities. Because now, we are in the middle of a small recession in Europe and investing in recession has historically been the very best time to invest in growth. And if we think for a while, it actually makes perfect sense. After all, the alternative is to invest in the middle of a growth season when everybody else wants to invest in growth as well. Pushing prices even higher and reducing the availability of experts to help with these transformation projects. But now it’s still for a while kind of a buyer’s market. So best time to invest in future growth is now. Oscar: So, time to invest is now. Jesse: Yes. Oscar: Okay. So, let’s go into what – because there are many things that the company can invest now and many things that many companies might need. But if you were one of the – chief executive, like CISO, or someone who is top decision makers in companies and there has to be some budget for digital identity. Thinking of – first of all broadly. Broadly but in digital identity, what would be the most important products that today would be the top priority for buying now? Jesse: Today I would say that the absolute top priority would be – to establish really low friction user journeys from the very beginning account registration to the actual purchase, including solid online self-service. And now this low friction user journey is no way exclusive with security or compliance, but it is actually reaping the benefits of digitalisation. Digitalisation is ongoing, it’s accelerating, it’s unstoppable. So, the question is for every organisation – should they try to fight this change to the last or embrace it and be among the first to actually reap its benefits. 
It’s actually interesting because my background in finance, the many finance sector operators were among the first to embrace digital identities, but they kind of stopped it halfway there; “Okay, we can build self-service portals for our users, but for many, many procedures we still require hand signed paper documents being sent via physical mail.” And this is really only reaping a very small part of the benefits of digitalisation. So, there is plenty to go. Oscar: Yeah. Interesting what you say in finance services. That’s correct. For reasons of security had to be always in the latest of technology for security. But some of the process has been, as you say, very old fashioned like the old school, many paper fax I think still use or cheques. So, these kind of. Jesse: Oh yes, those ones too. Oscar: Still alive. Jesse: Yes. And it truly hurts the user experience a lot. It even causes direct missed opportunities. Let’s say new bond is coming to a market and you wish to buy a piece of it and participate. But if it takes three or four days just to do all the paperwork, then the opportunity has simply passed. Oscar: And indeed, the price changed completely. Okay, so you say that the top is to – the user journey has to be digitalised. So, what is the category of products that address that? Jesse: Would say a real CIAM system would be the one to go here, and not try to build the user journey from, let’s say 4 to 6-point solutions and then somehow glue them together. I think the best solution would be an IAM solution that’s designed for a whole user journey from the scratch and not something homemade or batched together. Because when business grows, as it will eventually grow, no recession will last forever. And to user numbers pick up and suddenly there’s a nightmare of issues of having 4 to 6 different vendors and trying to keep their products up and running with ever increasing user numbers. And that again, is doing digitalisation the wrong way, if I may say. Oscar: Yeah. 
CIAM being – so how, well the evolution of the more broadly speaking, Identity and Access Management. Maybe you can give us an overview of that evolution of the Identity and Access Management, what – how we started and what we have today. Jesse: Yeah, that’s a very interesting topic. Through the IAM are from big enterprise internal needs at once to employee numbers just grow to a certain level, they can’t be managed with excel sheets or pen and paper before that. But these kind of internal IAM solutions scale and fit really badly for end customer facing journeys. Internal users can always be taught how to use some kind of system, even if it’s not immediately logical or it feels unwieldy. But for the customers, it’s not realistic to expect that they would spend tens of minutes or even hours to learn how to use some kind of system to log in. And no, they would simply instead put down their laptops, pick up the phone and call your customer service. So, it will actually just cost you more money to have this kind of system. And now, in the past ten years, there have been massive uptake of different CIAM systems. And lately, let’s say after the pandemic, it’s interesting to see that now the full circle is coming back towards internal users with remote working. Remote working, different kind of partnerships, there are more kind of internal and kind of external users than ever, and trying to keep these as fully separate groups is very challenging. Oscar: Yes. So, what about the investment of a company in Identity and Access Management? So what does that imply if the company does not have even, let’s say, a first personal CIAM or open source, something that they started, if they if the company really doesn’t, which actually to me surprise me that, you discover companies don’t have it, don’t have it, almost anything like identity access management and they are looking for some solutions or they are or they know that they need it. Maybe the decision has not come. 
So why would you say is important for the buyers to know about the product, the Identity and Access Management product? Jesse: That’s an interesting detail what you said that there’s still about 20-25% of companies in Europe that do not have any kind of Identity and Access Management system in place. So, one could argue that every IAM’s companies’ worst competitor is doing nothing. But to the question at hand, I’d say scalability is one very important thing, and compliance. If one doesn’t have any kind of identity management system in place, then it’s extremely hard to tell where and by who are the user identities actually stored. And of course, that is a massive no in the eyes of the GDPR and this kind of adventures just don’t usually end up well. So first job would be to map out how many identities there are in the first place, how it has evolved over the recent quarters and where they are located, how many systems actually are connected, including partners, including systems like let’s say payroll providers, insurance providers, and usually the number is quite surprising. It can often be more than ten individual systems. And now managing all these identities from a single centralised place is frankly a godsend compared to trying to manage this and plus sprawling network identity some here, some there. And of course, it also brings centralised identity management, also brings massive security benefits. For example, if you wish to revoke the access for, let’s say some external consultants that have already finished their projects, you only have one place to do it or you can even automate it. But if the identities are in ten systems, 15 systems, then it’s really easy to forget just one. And who knows, maybe five, ten years later, one of those passwords will get breached and now the attacker gets to your system for free. Oscar: Yeah, what is normally called silos, identity silos. 
Having so many data repositories and it’s -through the years it’s easy to forget at least couple of those are forgotten but they are still there somewhere in there in some machine, in some server. So, the data is there. Jesse: Yes. And of course, I’ve heard many times the counterargument that it’s not wise to put all eggs in one basket, but when it comes to information security, we as the defenders must secure every single system that we use. But the attacker only needs to find one weak system to exploit. Oscar: Yeah, yeah, exactly. They can just find the forgotten one, the one that nobody remembers that. So, what the company – the buyers should ask for a technology vendor? So, for a CIAM vendor? So, what are the most important things that’s should be – has to be asked to the vendors? Jesse: I would ask them to demonstrate the self-service capabilities first. What exactly the users can and cannot accept less without external help? Meaning customer service assistance. Because that sets quite stringent limits on the benefits of digitalisation. And of course, all the usual user journeys should be handled by the system automatically. So, I would guess that any IAM project touches deeply. So, I would first describe the challenges we are facing. And then I’d ask vendor to explain, just in plain English, that – how does the solution work and how does it actually solve the challenge that we just presented? And after all, one should never invest in anything that one doesn’t understand. Another point I would like to address early in any IAM project is to what is actually included in the price and what isn’t. In order to actually accurately measure the TCO and how it would evolve as internal and external user base grows. And for example, there are many vendors out that charge ten to even hundred times for internal users compared to external users, and that’s not usually put on a large print on the front page. 
And finally, I would discuss any coming changes in legislation because I would be very interested to know whether any changes will be covered under the current proposal or will it occur additional project and additional costs in the future. Change is, after all, inevitable. Oscar: Yeah, I think that’s very important. We know in – in the European Union it’s coming the digital wallet that’s going to come in. Well, how many years do you predict at this moment? Jesse: I’m optimistic and say late ‘24 launch for some countries. ‘25 mass adoption and hopefully organisational identities soon after. Oscar: Yeah, and that’s something that I think very few people would argue that that will be – that will not have some considerable success because there’s a lot of time invested in people preparing all these new standards in this part of the evolution. What we have been seeing before with Self Sovereign Identity (SSI), the wallet itself is something that is already becoming very popular in the commercial side. So that will come in. Similarly, in other geographies, there will be similar initiatives, there will be new regulations. So that, through all this, the vendor has to offer that, has to tell whether we offer or not. So that’s definitely a good, good aspect you mentioned. Jesse: Yes. And the commission has made clear goals here to avoid repeating the mistakes of the eIDAS 1.0, that was supposed to bring cross-border digital identities to Europe. Well, we all know that it was a commercial failure, but they have really learned from that, and I have great hopes for the EUDI. Both for personal identities and for organisational identities, and especially for the latter one. I believe that the market is currently suffering from a kind of chicken and egg problem here, that everybody’s waiting for cross-border organisational identities and not building services because they aren’t here yet. So, we might see the floodgates open in the late 2020s. Oscar: Yeah. 
I also believe that as a lot will change in more or less like the, as you say in the next 12-24 months is going to change a lot, in a good way I believe. So definitely exciting to be at this moment. We’ve been talking a lot about Identity and Access Management, other aspects, other type of technology that are also in the minds of the executives who are going to upgrade their technologies. We hear a lot about passwords in the last year. Well, ‘cryptocurrencies’ is getting a bit more quiet. Today we hear a lot about artificial intelligence. Would you recognise some technology that is actually underrated, that not many people are talking about? But these business buyers should be aware, because the impact will be even bigger than those buzzwords. So, what would you say? Jesse: I would say that the coming EUDI and its principle of Self-Sovereign Identities is something that might cause quite big ripples in the identity landscape. The very basic idea that it’s the end user themselves who collect attributes and control to whom and when they release those attributes. That that is very different from the usual data repository centric view that – okay, we have this database, and we control everything here. Everything is set in stone. But when the end users actually decide which attributes to release and which not. Then one can’t take for granted that, “Okay, we always have every single field in our database field. Every user record looks similar in a structural level.” That is no longer true and that might cause some changes. As for technology, I have great hopes for machine learning and especially how it can help accomplish not zero trust, no. But zero friction user journeys. And I don’t mean a strong AI that is still decades into future, if ever. But simple things like; is the user using a different device to log in or the same device as before? And so on. 
For example, I was recently having a quick holiday in the US, and I was frankly quite shocked when I logged into some financial services – using a completely different device that I had never used, on completely opposite time of the day. I was even physically located on a different continent. And no MFA prompts, nothing. Just inputting my password, I was in. And that’s a lot of missed risk management there, for both parties. For me as an end user and for the financial service provider. And I believe this is something that will change sooner or later. And of course, I would like, as an end user, for this to work for the opposite way as well. That if I’m logging in using the same device, about the same time of the day, from same city that I’ve done it for hundreds and hundreds of times – then perhaps I could be spared the MFA fatigue and just get in with my password managers embraced password. Oscar: The technology doesn’t bother you when you are in the habitual way of interacting with, let’s say, the banks. Jesse: Yeah, exactly. It should take always the context of the transaction into account. And frankly, what I would like to see many companies to do is; do a more thorough risk analysis at what they are actually trying to defend against. I can give a real-world example. About a month ago, I drove to a gas station, put my car to charge, decided that I’ll have a coffee there. Opened the app and saw, hey, there’s an offer for a coffee and a doughnut €1 off. Great. Okay, it seems that first, I needed to update the app to actually buy. Okay, well, I’ll do it. Then they wanted to add the credit card directly to the app, alright. Got an MFA from that. Then when I actually wanted to make the purchase, I got yet another prompt and confirmation, this time from my bank. That – ‘Hey, in order to buy this €3.50 product, would you please update our app again, and use it as an MFA to confirm this purchase’. For the third time. 
And by that time, I already got notification that, ‘hey, your car has charged’, and my coffee was cold by then and left it there. So that was the opposite of Zero Friction. That was more of a zero trust like game. But the security solution that’s very fitting for, let’s say, authorising nuclear missile launch, is very different than the security that’s needed to confirm a €3 coffee purchase at the gas station. And as discussed earlier, I believe this problem stems – that solution was built from very small parts and every individual vendor only looked after their own interest, only want to save their back in case of any kind of misuse. But nobody took a step backwards to actually see; What we are trying to defend against here? What is the attack vector here? That okay, somebody misuses this app and clones this coupon and gets two coffees and doughnuts for a €3 each. Okay, so how much is an attacker willing to put time and money into such attack? I guess nobody stopped to think about it. And as a result, the whole user journey was just failure. Oscar: Yeah, complete failure indeed. Very good way to bring back the very first thing you said, User Journey. Yeah, that’s a specific example how things can happen. Sounds like a marvellous opportunity, not to get a deal nice and then becomes complete failure. Jesse, one final question I would like to ask you is – for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today? Jesse: I would dream that every executive would dedicate one day, one whole day to actually be an end user for a day and go through their company’s entire flow. All the way from account registration to actually purchasing to product or service that they’re selling. And if there’s time trying out things like forgotten password resets. 
And then the next day repeating the same procedure for the top competitor and even more importantly, their newest competitor, because that is where the threat of digitalisation is coming. Oscar: Going to be very revealing. Jesse: Yes, and it’s important to go through the entire journey. If one, simply takes it piecemeal. And of course, every piece may look perfectly fine. Okay, this works like this. It has confirmations like this. Great. Next piece. Next piece, Next piece. All right. Everything looks fine. But then actually going through the process, one gets hit by four or five different confirmations, forced updates, all kinds of non-user-friendly things, and that won’t fly. Oscar: Yeah, definitely a very good experiment, actionable idea. Absolutely. Well, thank you very much, Jesse for telling us all this about the – how the companies and why companies should invest in the digital identity and why today. Let us know why people would like to get in touch with you or follow you or learn more about what we are doing. What are the best ways for that? Jesse: All right. Thank you. First, I would ask everybody to check out ubisecure.com [http://www.ubisecure.com/], and see how we are approaching these problems on the market. And if needed, I would be very happy to have a chat, over a virtual or real coffee, and I can be contacted at jesse.kurtto@ubisecure.com [jesse.kurtto@ubisecure.com] at anytime. Oscar: Excellent. Again, thanks a lot for joining us, Jesse, and all the best. Jesse: Thank you, Oscar. Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

LET’S TALK ABOUT DIGITAL IDENTITY WITH HEATHER FLANAGAN, PRINCIPAL AT SPHERICAL COW CONSULTING AND DAVID BIRCH, PRINCIPAL AT 15 MB, AUTHOR, ADVISOR AND COMMENTATOR ON DIGITAL FINANCIAL SERVICES. This is the 100th episode of Let’s Talk about Digital Identity – in this special episode two of our most popular guests, Heather Flanagan and David Birch, rejoined the podcast to explore what is exciting them in passwordless, identity wallets and digital money. [Transcript below] > “Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means.” Heather Flanagan [https://www.ubisecure.com/wp-content/uploads/2022/08/Heather-Flanagan-scaled-e1701087584323.jpg]Heather Flanagan, Principal at Spherical Cow Consulting and choreographer for Identity Flash Mob, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work. Listen Episode 74 [https://www.ubisecure.com/podcast/making-identity-easy-heather-flanagan/], where Heather discusses Making Identity Easy for Everyone or connect with Heather on LinkedIn [https://www.linkedin.com/in/hlflanagan/]. > “The thing that’s broken in digital money at the moment, is identity, not the payment bit.” David Birch [https://www.ubisecure.com/wp-content/uploads/2022/09/David-Birch-Headshot-3.png]David G.W Birch is an author, advisor and commentator on digital financial services. 
Principal at 15Mb, his advisory company, he is Global Ambassador for the secure electronic transactions consultancy, Consult Hyperion, Fintech Ambassador for Digital Jersey and Non-Executive Chair at Digiseq Ltd. He is an internationally-recognised thought leader in digital identity and digital money. Ranked one of the top 100 fintech influencers for 2021, previously named one of the global top 15 favourite sources of business information by Wired magazine and one of the top ten most influential voices in banking by Financial Brand, he created one of the top 25 “must read” financial IT blogs and was found by PR Daily to be one of the top ten Twitter accounts followed by innovators (along with Bill Gates and Richard Branson). His latest book “The Currency Cold War—Cash and Cryptography, Hash Rates and Hegemony” (published in May 2020) “paints a fascinating and stimulating picture of the future of the world of digital payments and its possible impact on the wider global and economic orders” – Philip Middleton, OMFIF Digital Monetary Institute. His previous book “Before Babylon, Beyond Bitcoin: From money we understand to money that understands us” was published in June 2017 with a foreword by Andrew Haldane, Chief Economist at the Bank of England. The LSE Review of Books said the book should be “widely read by graduate students of finance, financial law and related topics as well as policy makers involved in financial regulation”. The London Review of Books called his earlier book “Identity is the New Money” fresh, original, wide-ranging and “the best book on general issues around new forms of money”. More information is available at dgwbirch.com [https://dgwbirch.com/] and you can follow him @dgwbirch on X [https://twitter.com/dgwbirch]. Listen to Episode 75 [https://www.ubisecure.com/podcast/digital-currencies-david-birch/] with David discussing Digital Currencies or connect with David on LinkedIn [https://www.linkedin.com/in/dgwbirch/]. 
We’ll be continuing this conversation on X using #LTADI [https://twitter.com/hashtag/LTADI?src=hashtag_click]– join us @ubisecure [https://twitter.com/ubisecure]! Go to @Ubisecure on YouTube [https://www.youtube.com/@Ubisecure] to watch the video transcript for episode 100 [https://www.youtube.com/@Ubisecure]. PODCAST TRANSCRIPT Oscar Santolalla: This is episode number 100 of Let’s Talk About Digital Identity. And for this special occasion, we have invited back Heather Flanagan, and David Birch. Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla. We have invited back to the show two of our most popular guests. So, these two guests, let me introduce them is Heather Flanagan. She is Principal at Spherical Cow Consulting and Acting Executive Director for IDPro. Hello, Heather. Heather Flanagan: Hello, Oscar. Oscar: Nice having you back. And our second guest is David Birch. David Birch is an author, advisor and commentator on digital financial services. He is Principal at 15 Mb, his advisory company. Hello, David. David Birch: Hi. Thanks for having me. Oscar: It’s a real pleasure having you both for this special episode, a bit different style, so being out of our usual script. But yeah, hearing a little bit more about yourselves. So, I’d like to hear something in particular, because we want to hear something – a moment in your lives. So, what I want to hear – think of one specific moment in your career in which you told yourself, “Yes, this is why I love working in the identity industry.” Which moment would it be? Who wants to start? David: Well, and it’s a bit self-centred, but probably when my publisher agreed to publish my first book. I thought I had some interesting ideas about identity – I mean you always think that your ideas are – but when you get that kind of validation that your ideas actually are interesting to other people. That really did change my career. 
Yeah, otherwise, I probably would have just carried on being a pretty average consultant and carried on in payments and banking. So yeah, it’s – but I put it all down to my publisher. Oscar: Which one was this book? Tell us which book was this. David: Identity is the New Money. It was Diane Coyle, the Economist, who encouraged me to publish it. So yeah. Oscar: Fantastic. Heather? Heather: I don’t have anything. I’ve been actually thinking about this question for a while, and it’s really hard to point to any one thing, because there were no lightning from the sky moments. It’s just, it’s always been such a foundational aspect of everything that I’ve ever done since I started in tech in the mid ‘90s. Where the first question was always – when you’re taking over something from a bulletin board system to an email server, “Who can access this? What permissions do they need to have? How do you set up accounts for them?” That was where everything always started. So, no one moment, it’s all of the moments. Oscar: Well, that’s great that there are several exciting moments. I’m sure for all of us, it’s been like that. Several moments in which we feel that this is exciting to be in this industry. But thank you for sharing that with us. Being already towards the end of this year 2023 – so there are some keywords which were buzzing in the last years. But some of these buzzwords today are more reality, we have access to those. What do you think, what you feel about these technologies or techniques. And let’s get started with passwordless. So, if I ask Heather, what excites you today about passwordless? Heather: I’m really excited about the fact that the technology itself is solid, the standards themselves are really, really well-done. But as excited as I am, I am concerned. 
Like at all the new modern technologies, I look at them and go, “Wow, that’s really cool.” and little anxiety making because for passwordless, what I observe is when you actually get out of the tech field and talk to my mother, she doesn’t trust it because it’s too easy. And so, I do wonder about as bad as passwords are, the friction that they add, it’s something that people can wrap their heads around. Whereas they don’t understand the magic that’s happening behind the scenes that makes passkeys better. And if they don’t trust it, they won’t use it. And if they don’t use it, we lose out on all the benefits. So, one of the things I’ve been trying to think about for you know, the future is OK passkeys are amazing, but how can we make them less magic scary? David: I’m a bit frustrated with it really, because I’m extremely lazy. And so, you know, like eBay, for example, uses passkeys, the whole thing works perfectly. So as soon as I go to a site, as in fact I just did 10 minutes ago to look at something and it’s log back in. I’m like, “What I have an account? I didn’t even know I had the account.” And then I had to remember the password. And of course, I didn’t get it. So, I had to click on, I forgot my password, and then I got the password reset. And then I put in the new password. And it said, “You can’t have a new password that’s the same as the old password.” And we just go around in this loop. And it drives me crazy. I’m like, “Why can’t you just all implement this?” Despite the fears of your mom, which I mean I can’t discount those because they’re real. The sooner we make people stop using passwords, the better. I was reading a fantastic story in the Insider this morning. Did you see this story about the Zelle fraud on Insider? It’s typical kind of thing, you know, guys getting some work done by a contractor. The hackers get into the contractor’s email account, they send him a thing to send money to a different account, which is the hackers’ account. 
And they make off with all of the money. And so, they go and talk to the contractor and said to him, “You know, did you know that your email has been compromised, you should change your email password.” And the guy, it says in the article, “We may as well have been speaking Romanian.” The guy had absolutely no idea what they were talking about. Because he’s a normal person. He doesn’t care about all of this stuff. You don’t say to people, “Oh, here’s a car, would you like a seat belt with it? Or would you like a piece of string that you could attach in, you know, particularly opt in place.” You know, as a society, it comes to a point where you say, “I’m sorry, not wearing seatbelts, there’s just too many people dying. So, cars have to have seatbelts. And you have to put the damn things on. End of story.” And I sort of feel we’re getting to that point. Fraud and scam, it’s just so completely out of control. And this thing about whether you know, you need to put people in charge of their own data and so on. I just don’t believe that for a moment. I just don’t. Most people don’t have the persistent competence that – including me, by the way, I’m not casting the first stone, I’m one of those people that lacks the persistent competence to make this happen. There are reservations but passkeys are a billion times better than passwords, and we should make people use them. I’m sorry, you got to stop pandering to populism. Heather: No two ways about it – Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means. And when they click this button, why would they click this as opposed to clicking something else that might be a phishing site that they wouldn’t recognise. So, it’s an ongoing education. 
David: Then you sort of think of contactless as the, you know, in the early days of contactless people, “Oh, it’s too scary.” And in some parts of the world, it appears to be witchcraft, that you can pay for things by not touching it with your card and this, people are going to come and steal all the cards. And there are going to be people of Eastern European origin on the subway system, putting their hands inside your clothes to read your cards and all this. Remember all of this stuff that was going on? And now, you walk into a store, anywhere in the world. I’m not talking America, I’m talking about developed countries, of course. You walk into a store anywhere in the world, and there’s that little contactless symbol and you pay, and you go, and no one thinks anything about it anymore. It’s a bit different in America. In America, you have to look for the till and where’s the sign? And then you have to press some buttons. And then sometimes you have to sign something as well. It’s baffling. I don’t understand any of it. Heather: Oh, the day you understand what happens in the United States will be a marvellous day. Because nobody understands what happens. David: No, it’s mysterious. But the point is, generally speaking, you know, we came up with this symbol, and everybody knows, you tap your card there, and it works. And guess what? All of your money isn’t stolen by Eastern European fraudsters. So, they’re not all Eastern European, obviously, other fraudsters are available. Because the corollary is going to be basically, people like us will start using passkeys, and so all the fraud will transfer onto people like your mom. That seems a little unfair to me. Oscar: Yeah, seeing that you are excited indeed with passwordless. But of course, there are some concerns and some things to improve. Absolutely. Interesting what Heather said that, yeah, some people have been using password for so long, but that anything else feels like how do you say the… David: An improvement? 
Real security? System-wide integrity? I don’t know, what’s the word you’re searching for there? I don’t know. Oscar: How you say the… Heather: Magic. Oscar: Magic. Yeah, magic. David: So, I’m excited as Heather is, I’m probably just a bit more militant on how quickly we should be pushing it out. Oscar: Yeah, we’ll see what comes in the next year as how it really rolls out. But the next one is about identity wallets. So, what excites you today about identity wallets? Heather: Oh, I have a list on that one. I’m particularly excited over how – as much as I worry about people not understanding the magic, they do understand the concept of flipping through a wallet to get to the right card, the right credential, the right thing they need and then using it and giving them that level of control is a vast improvement, I think over some of the other technology has been going on today. I’m watching what’s happening in Europe quite closely because I think that – how the governments are handling digital wallets and digital identity is a very interesting model. I will be curious to see how other countries do it. How they do it well, how they do it poorly. And if there’s some way we can actually – I’d love to standardise ‘what’s a wallet’, you know. That’s one of my little pet peeves, there is no standard for a wallet. There’s standard for credentials, but there’s not a standard for ‘what is a wallet’. David: I mean, it’s interesting to see what the Open Wallet initiative and various other people are doing in this space. I agree with Heather. I think as much as the technology is important, and certainly, in technological terms, the wallet is the sort of crucial pivot between the kind of online and offline world. It’s very central to the next phase of evolution of commerce. A lot of it has to do with – in fact, we won’t even call our wallets now identity wallets, we just call them wallets. But if you actually open up my wallet, I mean, I won’t do it over there. 
If you open up my wallet, it has no money in it. Everything is in my wallet, it has to do with identity, driver’s licenses and loyalty cards. And my wallet is already an identity wallet, we just don’t call it that. So, extending that wallet across sort of virtual and real world seems to me, pretty straightforward. But of course, that does rather interestingly open up what I think will be quite a vicious battle about who’s actually going to control those wallets. Because certainly, Heather mentioned kind of the European approach. They’re very, very unhappy with the idea of big tech controlling those wallets. We’re very unhappy with the big tech or big government controlling the wallets. People like me will prefer that it was regulated institutions – banks primarily, that control those wallets. Other people think banks should be absolutely the last people to have any sort of control over those wallets. So really, I’m not smart enough to figure out like the n-dimensional gameplay as to how this is going to work out. But it’s pretty serious. It’s pretty serious. Heather: Yeah, people understand the concept of a wallet. But what we’re talking about in today’s world is that, you know, “how many wallets are you going to have to carry?” Because there may be one that’s issued by big tech, perhaps via your browser or via your mobile device. But then, you know, as governments are saying, “No, we’re going to issue something that’s completely separate and have its own app,” and what is that going to look like? And then how are people supposed to be able to find the credential they need across 2, 3, 5 different wallets? David: No, I agree with you completely on that, Heather. But I think there’s another level of complexity there as well, which is – because is the wallet going to be like if you imagine there’s some kind of standard wallet, is that wallet the app? Or is that wallet, essentially the underlying SDK the apps plug into? 
So, my British Airways app and my Barclays Bank app, they’re all actually the same wallet underneath. They’re all plugging into the same wallet. But is it going to be like that? Is there going to be like a travel industry wallet? Or is British Airways going to have its own wallet? That’s really hard to know. I would think, and this comes from kind of what I think is a reasonably rational calculus. The credentials that are going to be in those wallets are the embodiment of individual reputations. My British Airways credential is the embodiment of my relationship with British Airways, that I want to take and show to other people. It’s not obvious to me that British Airways would benefit from owning the wallet, because they’d have to maintain it and upgrade it and whatever. They’re having enough trouble just with their own website to do that. On the other hand, I can see why they’d be nervous about just handing the whole thing over to Apple and Google, because then they’ll end up paying a tax, which I’m pretty sure they don’t want to do. So, I don’t know how that’s going to work out. But I listen to a lot of smart people about this. It’s a very fascinating topic to me. Heather: I talked to Don Thibeau and Juliana Cafik and a couple others about “what was the Open Wallet Foundation trying to do?” And they’re trying to work towards interoperability in code and maybe a standard will come out of that someday when they see what works and what doesn’t work. But at the moment, they are not standardising wallets. They’re just… David: No, that’s true. There’s… Heather: They’re just putting together a platform to try and make it work together. David: But as you pointed out earlier on, some of the components are standardised. We have VCs, we have MDL. We’ve got MDL 7 and 9 coming in a few months, a year or something. So I mean, there is some pretty useful standardisation going on anyway. Heather: Yeah, more in the credential format space. David: Yeah, yeah. Yeah, absolutely. 
That might give us enough interoperability to get started. Oscar: We’ll see. Indeed, it sounds like it’s… David: I’m a naturally simple and optimistic person. Heather’s looking at all the nuances here. And that’s why she’s so, that’s why my superficial, cheery approach to this – it’s not washing with her I can see it from her face. Oscar: You seem to be both excited about identity wallets, I think. David: Yeah, I think wallets are really interesting topic for the coming year. Heather: Huge potential. Oscar: You, David, mentioned that as far as I understood, you don’t carry cash anymore, that was my understanding how you have your wallet, your real wallet without cash. David: No, actually, I mean I don’t carry my real wallet, it’s in the drawer over there. So, I had an interesting conversation with somebody last week about premium cards. That’s how interesting my life is, Heather. I just, I benchmark, I had an interesting discussion with someone else last week about premium cards. This is a tragic trajectory of my life. But I have this fancy new American Express Platinum Card, which is made out of some sort of metal. I don’t know if it’s actually platinum, but it’s sort of metal. And it’s really fancy and heavy and solid and whatever. And I couldn’t even tell you where it is. It’s in the house somewhere. I haven’t the slightest idea. Oscar: Don’t activate it. David: No, no, because as soon as I got it, it’s on my phone. I only ever use it on my phone. I don’t know where the actual card is, I have no interest in that. I’m going into London in a minute, I have a ring. So, the ring I use for getting on the subway and bus because I don’t always want to take my phone out. But if I’m paying in a restaurant so I got to use my phone. I think the days of physical wallets, I mean, lots of people keep saying, well, there’s going to be a backlash at some point, and people are going to want to use cash, sort of the way they want to use vinyl records, I suppose. 
But I think that will just be like a few hipsters. I don’t think it’ll be the rest of us. Heather: I don’t trust having network access consistently enough to go without some kind of physical something. Do I use my wallet on my watch and my phone more often than not? Well, when I’m in Europe, yes. When I’m in the US, maybe. I don’t count on it. I don’t think I can count on it yet. So, there’s always the physical components that I think I have to have. David: Yeah, I mean, I would say that’s an interesting argument in favour of using offline verifiable credentials. And it’s also a crucial argument in favour as to why Central Bank Digital Currency should operate offline. So, I mean, I agree with you about that. As to the state of things at the moment, well, if the transit gates fail and can’t go online, they have to fail open, it’s a public safety issue. You can’t fail transit gate shut. So, they have to, they should have – I can always get home, you know, but it’s never happened. But when push comes to shove, I’ll get home, so I’m fine. Oscar: Yes, and that related to my last question, but just to hear what you liked the most. So, what excites you about this digital money that we were already starting to discuss? David: I’d say there’s probably three things. I mean, Heather’s going to disagree with me on every single one of them, which is why it makes for an interesting conversation. But I’d say there’s probably three things. So, the first thing is digital money, well, certainly digital currency is the subject of irrational delusional comment by conspiracy theorists, which makes for entertainment. So, I get emails, “oh, you know, Central Bank Digital Currency is the mark of the devil. And we know this because Bill Gates implanted microchips in us through the vaccine, and the microchips are going to steal the digital currency from unvaccinated people and send it through the 5g towers to Satan.” Or somebody, I can’t remember exactly, I don’t remember. 
But you get emails like this, which add to the gaiety of the nation. So, the first thing is, there are parts of America where non-existent digital currency is already being banned. So, this is all getting a bit, sort of witch trial-y, so that’s quite entertaining. The second thing is, and I wasn’t joking about that offline point, which is any scale digital currency in any developed country, even where you have networks and infrastructure has to work offline. It’s the crucial design requirement of it. If you’re going to have a cash substitute, it has to work offline. And that, for me, poses very interesting technological problems, all of which I think, have already been solved. But nonetheless, it’s really intellectually interesting, so I sort of like that. And the third thing is, I think a lot of people look at digital currency as ‘the thing’. Like, you know, we need digital currency. And that’s it. I mean, what we need is a platform for innovation and development. Digital currency in itself is sort of not that interesting. As we’ve just established, I can already buy milk in the supermarket without using physical cash. So that’s not, but this idea of permissionless innovation that you could bring into our space from the cryp– because digital it doesn’t involve any credit risk, you see. So, you could imagine a situation where as long as you’ve got an approved chip in your iPhone, or something, they’re certified as being capable of storing digital dollars or something like that, then you can use the API to do whatever you like, there’s no credit risk involved. So, allowing people to experiment with interesting new things – micro payments, and escrow and blah, blah, blah. On top of it is really where it’s at. And that’s why, you know, I get it a bit when people say, “Well, what are the sort of key uses?” Well, I don’t know, I’m too old. Give it to some kids in a garage and let them come up with something. Heather: OK. 
So, for one thing, I really want to see your emails about this because they sound hilarious. I admit, I’m absolutely a digital currency sceptic. For one thing, as David has said, right, you don’t generally need to carry cash now anyway, so what is it getting you? And everything I understand about it is like, “Well, yes, but then you’ll be able to transfer money quickly without the bank getting in the way.” And I’m like, “Hmm, you say the bank getting in the way and verifying the transaction is a bad thing.” “Oh, but it’s expensive.” And I’m like, “Well, that’s a different problem, not just because the banks are charging a lot.” So that’s like a completely different problem to solve that it’s not a technology problem at all. So yeah, I’m definitely not convinced. Having the permission to innovate and work with this kind of currency, to me in a way, that’s like saying, “Yup, let’s turn this into a barter system, except you’re bartering these digital currency components.” “OK. Go for it, go to town.” That’s just people agreeing with each other. And it’s a completely different system in the same way that a barter system is completely different with my cash system. David: That’s a really interesting point. And I don’t mean that in any sort of patronising sense, I really mean that because you’re right, of course. And what that means is, if this stuff worked, then downstream you could imagine an environment where if you and I engage in some sort of transaction, right, I’m going to pay you to write something or you’re going to pay me to come and speak or something like that. My, you know, supercomputer at the end of a wire, it can be a through my mobile phone, my giant killer robot artificially intelligent wallet will negotiate with your super intelligent giant killer robot Terminator wallet to exchange baskets of tokens to an agreed – The idea that you would need money as an intermediary when you have that kind of barter that works. 
I think that’s really, that’s as a very interesting point. So, if our super computers could agree on these baskets of assets to exchange, which sounds weird when it’s people talking about it, but it’s a few nanoseconds for super computers. Why would you turn those assets into dollars or something in the first place? Why wouldn’t you just swap the assets around? So, I actually rather agree with that point. But I think that’s much further downstream. I think, in the short term, you see the demand for dollar stable coins in particular, as an indication to me that a lot of people around the world and in America, for that matter, want to hold digital dollars. They would find digital dollars useful to do things with that you can’t do with regular dollars, and I sort of agree. So, I can see sort of both things. But to me, the short term and the long term are quite different there. Because I probably do drink my Kool Aid, and I’d probably do think that that’s kind of a stupid expression actually it’s, don’t drink that Kool Aid because everybody that drank the Kool Aid died, didn’t they? Or am I getting the stories mixed up? Heather: I wasn’t going to say it. David: Yeah, no, I think they did. OK, that’s a bad example. But the point is, I think in the long run, you might well be right. I think in the short term, digital currencies, I think would add to the net welfare. I mean, I can imagine, you and I agreeing to something, and the money just goes from my digital wallet to your digital wallet. It never goes anywhere near the banking system. It just goes over Bluetooth or whatever but yes. It is exciting. That’s true. Oscar: Heather, what’s not so exciting to digital money? Heather: We’ll see. Oscar: We’ll see. We’ll see. Anything else that it’s for you is exciting? David: What’s not working digital money, you know, these answers are intertwined, because the thing that’s broken in digital money at the moment, is identity, not the payment bit. 
Like the reason why you’ve got Zelle frauds and authorised push payment frauds and these massive crypto scams going on all the time. It’s because nobody knows who anybody is. It’s not because the payments don’t work properly. It’s because identity doesn’t work properly. If the identity, you know, I’m going to sound like a broken record on this one for the teenagers there. I’m going to sound like a vinyl implement that used to go around whether it has a scratch in it. So, this sort of needle would prompt up, down and come back to this, I have to talk them through this metaphor. But I’m going to sound like a broken record on this. Because if you fix the identity problem, payments are easy. If you know the reputation of all of the counterparties in a transaction, then pricing the risk in that transaction is easy. And that’s kind of what we should be aiming for. The next phase of evolution is really about identity. It happens that I think, and I can’t prove this with any kind of actual analysis, this is just my sort of crackpot theory about this. But actually, if central banks do drive forward with digital currency, digital currency doesn’t work unless you have digital identity. You can’t give people wallets unless you know who those people are. You can’t maintain limits on personal holdings unless you know who’s got the wallets. There must be an identity system for the currency system to work. So it could be that Central Bank Digital Currency actually turns out to be a vector for people like Heather to actually get something done about wallets and digital identity. So, there’s an interesting interrelationship there. Heather: They are certainly tied together. There’s no two questions about that. Oscar: Anything else that you think that is exciting today in the identity world that we have not covered? David: Well, there’s two things I’m excited about today. I can tell you what I was doing before I came on this call. 
So, one is – I’m very excited about only because I’m not a normal person. I’m very excited about ultra-wideband technology. So, all iPhones for a while, you know some of the top end Samsungs you know Apple AirTags, things like this, they all have this thing in them called UWB, Ultra-Wideband which a lot of people kind of overlook a little bit because we focus everything on Bluetooth and Wi-Fi. But when Bluetooth and Wi-Fi came out there were actually three wireless standards. There was Bluetooth, UWB and Wi-Fi. And UWB never really got used because the Wi-Fi chips got cheaper much quicker, and everybody just started building Wi-Fi into things. And meanwhile Bluetooth ranges went up. But ultra-wideband, which is short range, medium speed that uses this pulsed radio. Because of the way it works, it can only tell where things are, this is how AirTags work. But it can also tell whether you’re moving towards something or away from it. So, this idea of having a phone that knows you’re walking up to the point-of-sale terminal or knows you’re walking up to a door. And the way that Apple are part of this digital car keys alliance, which I’m very interested in with Google, and I think BMW and people like that. So, this idea that you have one technology like this, which locates you, you’re walking towards the POS terminal, and then it flips to Bluetooth to execute an actually secure transaction with real cryptography, and real keys. I’m really interested in that at the moment for a variety of different ways. So that’s the first thing. And the second thing is, and I think we have touched on this before, we think of identity as being about people. But actually, everything needs identity. And when everything has an identity, working out how to get both privacy and security in that environment is really rather complicated. It’s very intellectually challenging. And that’s what I’m spending the rest of my time on with another startup at the moment. 
So yeah, there’s no end of things to be excited about in this space, honestly. And frankly, figuring out how people can log into their bank account without password is the least interesting of the things that’s going on at the moment. Heather: Probably the most interesting thing that I’m trying to stay on top of right now is watching the standards development space, because that is like one of my favourite things to do. Because I might also be a little bit of a strange person. So, standards development space, seeing how ISO, the IETF, the W3C, as well as some of the smaller standards organisations like the OpenID Foundation, the Decentralised Identity Foundation, Trust Over IP, how they’re all circling closer and closer to each other and sometimes hitting each other, bouncing off. You know, it’s becoming a really dense space to try and follow and understand what’s happening with W3C verifiable credentials? How do those relate to the ISO MDOC standards, and what’s happening with the IETF’s OAuth and CBOR and you know, all of these different standards groups are all starting to get closer and closer at nibbling down this problem. And they’re never going to succeed because they’re reaching the point where it’s not a technical problem anymore. It’s a societal problem. And the regulators are starting to move ahead of them and saying, “No, this is what, you know, we need to happen. And it’s not about technology, as much as it is sometimes about the society and the cultural requirements.” So, seeing these organisations tighten up, it’s pretty cool. David: I was just going to ask you, because I’ve sort of lost the thread on this a little bit, because unless you follow it with minute detail every day, you don’t. I wonder if the whole kind of MDOC thing doesn’t have its own momentum. So, in other words, in a lot of circumstances, you can see why people are going to go to MDOC and MDL part 5, even for something that’s not a driving license, just because. 
It reminds me a little bit, and here’s another one of the teenagers, it reminds me of X.500. Because having spent part of my young life, she doesn’t even know what X.500 is, how he’s been part of my – X.400 was the ISO messaging standard that existed before the internet and that no longer exists. And X.500 was the directory standard for that. And that no longer exists. And X.509 was the standard for exchanging public keys in that directory. And X.509 version 3 is how everything works on the internet. So, the whole of X.400 has disappeared, the whole of X.500 disappeared. And I just wonder if MDL isn’t going to be in the same place, like people are going to end up using MDL just because it exists. It may not be the optimum for a lot of the appli– but it doesn’t matter. The format exists. Wallets can understand it. Apple and Google Wallets can understand it. The MDOC stuff will carry on standardising, and I think maybe a lot of stuff will just get sucked into that. Heather: What’s getting complicated about it – is the MDL standards. They are in their own way the X.509 to the modern world. They’re specifying a credential. This is a discrete concrete, and this is what this is supposed to be used for. It is your driver’s license. It is your identifier. Verifiable credentials using W3 capital V, capital C verifiable credentials. That’s not what they are really, those are much more generic thing that’s actually more an authentication thing. So, the fact that they’re hitting each other in the ways that they are is very interesting and a little disturbing. And the fact that the browser vendors are debating within themselves, which one they’re going to support when ultimately, they serve different purposes, I worry that we’re going to be driven towards… David: No, no, I… your analysis is spot on. I agree with you completely Heather. 
I’m just saying that in practice, what seems to be happening is like people like me would say, “Well, actually…” you know, use the canonical example going into the bar, you know, people like me would say, “Well, you should be presenting an ISO W3C verifiable credential that says that you’re over 18 or over 21. So, I’m going…” But that doesn’t exist. The standard for the credential exists, but the contents, whereas on MDL, OK, that’s not really what it was meant for. But actually, demanding to see your MDL driver’s license, I can do because the standard exists. And I, you know, so I agree with your analysis. I’m just saying I wonder if actually, well, Trust Over IP and all these other things are kind of circling around, bumping into each other. MDOC is just steadily progressing, you know. Heather: Told you Oscar, I told you, you’re going to have all sorts of fun things to talk about. David: He’s going to get very bored on our – just our island, Heather. Like after the plane crashes, we’re going to be fine. He’s going to be, I don’t know what he’s going to do all day, making those little token at men or something. Oscar: Yeah, fantastic. Hearing all this from you. You’re definitely super passionate about – many of these things that you’re talking about, frustrated about some of them, but yes, super excited about most of them. So, thank you very much for joining us in very special episode for us. So, thank you very much. And please tell us how people can learn more about you, Heather? Heather: Oh, easiest thing is – go to LinkedIn and find me there. I check it every day. It’s one of my major social media accounts. David: Yeah, I mean, I spend more time on LinkedIn now since Twitter kind of went all weird. So, I mean, I’m on LinkedIn too. But it also you can just look up www.dgwbirch.com. Oscar: Excellent. Well, thank you very much. So, let’s see how exciting comes the next coming months, years and yeah, how all the things we were discussing today will roll out. 
So, again, thanks a lot and all the best. Heather: Great. Bye. David: Bye guys. Talk soon. Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

LET’S TALK ABOUT DIGITAL IDENTITY WITH GAUTAM HAZARI, MOBILE IDENTITY GURU, TECHNOLOGY ENTHUSIAST, AI EXPERT AND FUTURIST & IS THE CTO OF SEKURA.ID. Join this episode of Let’s Talk About Digital Identity where Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id joins Oscar to discuss the missing identity layer of the internet. Gautam shares details about what the missing identity layer is, more about mobile networks as well as discussing Gautam’s TEDx talk. [Transcript below] > “Internet did not have that identity layer. So what did we do? We created a trust-less model.” Gautam Hazari is a mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id, the global leader in mobile identity services. He led the implementation of the mobile identity initiative – Mobile Connect – for around 60 mobile operators across 30 countries. Gautam had also been an advisor to start-ups in digital identity, healthcare, Internet of Things and Fraud and Security management. He is a thought leader for digital identity, advocating solving the identity crisis in the digital world and speaking on making the digital world a safer place. If you ask Gautam, “What is the best password?” you’ll always get the same answer: “The best password is no password”. Connect with Gautam on LinkedIn [https://www.linkedin.com/in/gautam-hazari/]. We’ll be continuing this conversation on Twitter using #LTADI [https://twitter.com/hashtag/LTADI?src=hashtag_click]– join us @ubisecure [https://twitter.com/ubisecure]! Go to @Ubisecure on YouTube [https://www.youtube.com/@Ubisecure] to watch the video transcript for episode 99 [https://youtu.be/2UIT7nZXclI]. 
PODCAST TRANSCRIPT Oscar Santolalla: On this episode of Let’s Talk About Digital Identity we are joined by Gautam Hazari, from Sekura.ID as we discuss what is the missing Identity layer of the Internet. Stay tuned to find out more. Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla. Oscar: Hello and thank you for joining us, a new episode of Let’s Talk About Digital Identity. Today’s guest is Gautam Hazari. He is a mobile identity guru, a technology enthusiast, artificial intelligence expert and futurist. And he is the CTO of Sekura.id, the global leader in mobile identity services. Gautam led the implementation of the mobile identity initiative Mobile Connect for around 60 mobile operators across 30 countries. He has also been an advisor to startups in Digital Identity, healthcare, the Internet of Things and fraud and security management. Hello, Gautam. Gautam Hazari: Hi, Oscar. How are you? Oscar: Very good, happy to have you here in the show. Gautam: My pleasure. Thanks. Oscar: It’s going to be super interesting. Now, we are focusing on mobile – mobile initiatives, like the one you are working with, can help us to solve the identity problems we usually discuss in this show. First of all, I would like to hear a bit more about yourself. So, if you can tell us your journey to this world of digital identity. Gautam: Sure. Thanks, Oscar. I have been in the identity space for quite some time now. And it started in the telecom world and that’s why I talk about mobile identity a lot. So I spent many years of my life in the telecom, so I worked with the Vodafone group for nearly 14, 15 years. What I realised is that there is one thing that the mobile operators have done quite efficiently is solving what I call the identity crisis of the internet. I started to talk about it quite passionately in different forms. And in 2013, end of 2013, GSMA approached me. 
GSMA as you know is the GSM Association which is the trade organisation for the mobile operators. So the GSMA board was discussing that there were some assets within the mobile operators which can actually help in solving the identity crisis in the internet. Then they approached me that, “Hey, you were talking about this identity thing for quite some time, do you want to come and join?” And that’s when I joined GSMA to do the initiative for mobile operators to solve the identity crisis of the internet. Then I led the technology for what was known and still known as Mobile Connect Initiative. I was the Chief Architect for Mobile Connect. And then me and my team created the reference architecture, the specification. And then of course, that’s not enough, so I went around the world, worked with the mobile operators to implement it as well. You know, at that time, there were around 62 mobile operators around the world who implemented it. And they did very passionately and this is where I met some of the founders, Mark and Keiron, in GSMA, working with the same team. And then I’m taking that journey forward in a much more accelerated and commercial way in Sekura.id. Oscar: Yeah, excellent. Well, definitely a lot of your journey is in identity already and mostly in mobile, as you said. Before we start going to what you are doing in Sekura.id and we definitely want to hear more about that. I know that you have a special experience which is you have even a TEDx talk. So if you can tell us a bit of that experience. Gautam: Yeah. Thanks, Oscar. It has been a fascinating experience actually, while preparing for the TEDx talk and also after that. So I was invited to do this TEDx talk to share my vision and dream of a world without passwords. I have been talking about these things passionately and that’s kind of my personal journey has been as well. So, I had a lot of learning, you have to compact all that you want to talk within 18 minutes and that’s very interesting, right? 
If you have a free floating, I mean I’m really, really passionate about this identity thing, I can keep talking for days. But if you need to give your message within 18 minutes that’s quite interesting. So I learned how to deliver the message in that concise way. And after delivering that, and once the TED organisation published the video in their YouTube. Interestingly, they didn’t actually remove any part of that, generally they do some editing but they didn’t do that for me. I’m really thankful to TED on that. So it happened end of last year. It’s been just one year completed and it has been viewed more than 157,000 times. And I have been receiving some very, very interesting messages from all around the world. From identity enthusiasts to security specialist, and also, from general public as well, saying that awareness is important. And we are having some inertia, right? We have been using passwords since, you know, 1961 actually, even before the internet was invented in 1989. But we don’t actually think that we are actually using it, and the complication that it brings too. I have been fortunate enough to hear lots of personal stories as well. These viewers, they have been sharing their personal stories related to passwords, and discussing what is the solution that can actually solve this. Yeah, so it has been a fascinating experience and I’m really, really thankful for all the viewers who have been watching it and also most importantly, interacting with it and sharing their stories. Oscar: Yeah, excellent. Yeah, I also watched and as you said, the way you explained also definitely appeals to the general audience which is of course what mostly TEDx is about, reaching wider audiences. So it’s definitely a good job you have done there. 
And I am happy to hear also that there have been a lot of conversation because that’s also important that people not only hear the stories or the ideas but also get involved in, spreading those problems, sharing their own pains, et cetera. Gautam: Thanks, Oscar. Oscar: I also know that you have written, of course, you write blogs, particularly, I read that you talk about the missing identity layer of the internet, missing identity layer of the internet. Could you tell us what is that? Gautam: Yeah, absolutely, Oscar. I mean it’s extremely important that we acknowledge and realise that. Let me go back to when the internet was invented, right? Let’s face it, the internet was never designed to identify the human users. It was designed to identify the computers, right? That’s why there are IP addresses. Fortunately, or unfortunately, we humans don’t have IP addresses. So, in the initial days of the internet, if you remember, all we used to do in the internet was browsing, right? We used to browse AOL, we used to browse Yahoo, different stories within Yahoo. So, it did not matter if for me, Gautam, is browsing AOL or Yahoo, or it’s Oscar browsing, or there’s fraudster who is browsing, right? Because all we did was browsing the internet. Yes, the returning user needed to be identified, not as Oscar or Gautam but whoever was browsing, right? So that’s why cookies were invented just to provide a continuity of the experience, right? But then we started to do interesting things on the internet. We started to do commerce on the internet. We started to look for things on eBay and started to pay for those things. We started to do banking on the internet. We started to interact in the social media in the internet. And then it did matter whether it’s me, Gautam, doing that commerce transaction, whether it’s me, Gautam, who is doing that banking transaction or it’s you, Oscar, or it’s the fraudster. 
Or, in the current days, if it is that AI chatbot who is doing that transaction, right? Internet was not designed to do that. Internet did not have that identity layer. So what did we do? We created a trustless model. So, if I want to pay for some things that I found on eBay, or if I want to do a banking transaction, my bank will say, “Hey, you cannot do that, because I don’t trust you. First, I’m challenging you to prove that you are Gautam.” That’s what we created, because the internet didn’t have that identity layer. So how did that challenge happen? And they initially did this, this challenge happened in the form of user ID and password, right? And again, we all aware of all the complications related to password from convenience to security, right? Then we said, “Hey, passwords are not enough. Let’s add other things.” So, we started to talk about MFA, Multi-factor authentication, we added SMS OTP, right? And again, OTP, the last P is about password, right? Just changing the acronym doesn’t change the problem. But then again, they said, “OK, maybe that’s not enough. Let’s add the biometrics on top.” But again conceptually what we are doing is, we are creating a trustless model where these services are challenging me and the human user to identify myself, right? And whenever the human user is involving in providing a response to the challenge, for example in form of I need to type back the password, or I need to provide back the OTP, however I give, whether by typing back the OTP or some auto read happens. Or even if I do this, let’s say, biometrics in the form of facial recognition and so on, I, as a user, is the weakest link in the chain. I do something wrong, which is perfectly fine because me, as a user, is not a security architect. As a normal user, I am not aware of all those security complications that can go away, right? And that’s where all the problems that you have seen and again, why? Because the internet was not designed to identify this human user. 
Internet never have the identity layer. It still doesn’t have. But we almost ignored the fact that almost at a similar time, there was a parallel internet that was getting created. So, as you know, I’m actually using the world wide web as synonym to internet, so when I say internet, it’s actually the world wide web, right? So, 1989, this web, world wide web or internet as we call it was invented. In 1991, there was a parallel internet that was created. And we never call it the internet, we call it the mobile network, right? The first SIM-based GSM mobile network was used in 1991. And that parallel internet worked completely differently. So, as we discussed, in the traditional internet, if I want to do any interaction, where I, as a human user, needs to be identified, I’ll be challenged, right? My bank will challenge me, my social media will challenge me, my e-commerce provider will challenge me, even my grocery store, online store will challenge me, right? But this parallel internet, which we call mobile network, worked completely differently, still works differently. If I need to make a phone call, receive a phone call, send an SMS, receive an SMS, it doesn’t challenge me. My mobile network doesn’t say that “Hey, I don’t trust you. First, you prove that you are Gautam, then only you can make a phone call.” It doesn’t work that way. It just knows that it’s me, who is Gautam. So how did they do that? They actually created this identity layer. They actually created a mechanism which identifies this human user from day one, since 1991. But we know this. How did they do that? They did that using this small gadget that we always carry in our mobile phone, this is the SIM. We almost forget that I, in the SIM, stands for identity. It’s Subscriber Identity Module. SIM was created to solve this identity problem in that parallel internet, which we call the mobile network, right? So, isn’t that a solution? 
We were just ignoring it and also, just unfortunately, these mobile operators knowingly or unknowingly, kept this with themselves, right? What we are doing at Sekura.id, I’ll just mention here, that we are bringing in that identity layer from this parallel internet which we call the mobile network into this traditional internet so that we actually solve the fundamental problem rather than keep creating technologies on top like password, like SMS OTPs, like biometrics. And that is what will solve the problem from its root and bringing in an identity layer from this parallel internet to the traditional internet. Oscar: Thank you for the explanation, of the lacking, missing identity layer of the internet. And then you put a parallel, I haven’t thought of it in that way, the parallel of the mobile network which always had this identifier of the subscriber. As you say, even in the term it’s subscribe, the SIM card. So, I understand that Sekura.id solution is primarily based on the SIM card. Tell us a bit more how it works and if you can give also how it works, Sekura.id besides being based on the SIM card. Gautam: Sure. So, GSMA doing this Mobile Connect, the conceptual idea was very similar, right? It’s to utilise the assets from the mobile operators, not just the SIM card. SIM card is a cryptographic engine. But there’s a lot of data available with the mobile operators which can help to identify the human user without challenging them. And also, protect them without putting a hurdle for the user, like what user ID, password, OTPs or biometrics are. They are hurdles, right? They are actually saying, “Hey, you cannot access the service until you pass that hurdle.” This is where Mobile Connect started and this is the journey that we are continuing in Sekura.id as well. So, in Sekura.id, what we do is, as I say, the SIM is a cryptographic engine. 
And now, in the digital world, there is realisation that all the different, let’s say, identification and authentication methods where the user is actively involved, which means the user is challenged to prove who they are, or authenticate themselves, that is a limitation. A limitation in the form of that you know, if let’s say the user has got an OTP they have received, these fraudsters will always call this user and say, “Hey, I’m calling from your bank, or I’m calling from the government, you have received an OTP, can you hand it over, right?” If the user is not involved, right, these fraudsters can call the user but they have nothing to handover. So in that case, we solved this problem of all the fraudulent activities that’s going on. So now, there is a realisation in the digital world as I was seeing that we need to avoid involving the user. So we need to do passive authentication. And how do we do that? Cryptographic authentication is one way to do. So, Apple last year in WWDC announced these passkeys which is basically based on the FIDO, the Fast Identity Online mechanism, where this is reliance on cryptography and cryptographic key on the device. And then that’s how we identify the user, right? But exactly same mechanism is what happens in the SIM. And it is happening for the last 30 years. There is a cryptographic key which sits in the SIM which the user is not even aware of. And that’s an important thing. The user is not aware. As soon as the user is aware, or the user is involved in that awareness, OK, all these problems will happen because these fraudsters will approach the user and try to do some funny things, right? And that’s another aspect that we say that here, this cryptography is humanised. If the user is not involved, it just happens behind the scene. In that case, this technology is humanised. Invisibility is more humanised. Steve Jobs used to say that technology should either be beautiful or it should be invisible. 
So here, this technology is invisible so that makes it much more humanised, right? So, at Sekura, we’re utilising this cryptography in the SIM to seamlessly, invisibly authenticate this user. At the same time, there are a lot of what we call signals associated with the SIM which can help protect the user, at the same time, identify the user. For example, one of the largest fraud happening in the digital space right now is SIM swap fraud, right? If we can identify that hey, is there a recent SIM swap happen? By recent, I mean in the last few hours, for example, to one day. If there is a SIM swap happen, in that case, that’s a red flag, that might mean that the user who is in the transaction process, who is interacting with the digital service may not be the genuine user, it could be a fraudster who have got access to the phone number of the user and using their own SIM. That’s one data signal that’s there in the mobile, with the mobile operator, that doesn’t need to involve the user to ask if something has happened or not. Similarly, setting up a call redirect, right? The fraudsters can actually setup a call redirect for my number calling up the operator, doing some mechanism, some process there where they can say, “Hey, I have lost my phone, or I left my phone at my home and I’m expecting an urgent call from my family who is in the hospital. Can you please redirect all the calls to my number to this?” If I can convince the operator, in that case what will happen is, all calls, SMSs will be redirected or forwarded to me as a fraudster, right? So, if we can actually identify, is their call forward active for this number? That data itself can protect the user, again, without involving the user. So, we have identified 66 such potential data signals which can invisibly protect the user and their identity. And that’s what we do at Sekura, working primarily with the mobile operators. 
Oscar: I like the idea of this invisibility because from the beginning you started that the human side is going to make security fail, right? But if the human doesn’t have to be involved, yeah, I’m sure, there will be less hacking. So that is definitely the concept, it’s very interesting. Gautam: And just to add there, Oscar, you know, of course, there is this identity protection, there is this authentication without involving the user. That element is there. At the same time, it is allowing these good guys to access the service, right? So, as I was giving that example, it’s me, right? I’m not the fraudster. It’s me who wants to pay a particular merchant online, right? And I’m assuming I’m the good guy, right? And I want to pay. In that case, there shouldn’t be a barrier for me, right? And it’s good for the business because the business will get me to pay them. That’s what they want, right? So, in that case, it’s important that the good guys should sail through, right? For them, there is no barrier. If we make it invisible for the user, in that case, these good guys can actually access, you know, without any trouble. At the same time, because it’s invisible, we can actually protect this user behind the scene as well. What does that mean is – it’s not just helping out with the identity verification, security and authentication, it’s also getting better business. Because if we put barrier to the good customers, good users, in that case, there are dropouts happen. We have been told by our clients all around the world that on an average globally 20% of the users dropout due to all these, let’s say, challenges. They say, “Hey, I’m not going to use it.” SMS OTP is needed to do our transaction or to pay and OTP doesn’t get delivered or it is delayed, the user say, “Hey, I’m not going to pay now, right?” So that will direct 20% on an average globally, dropouts happen. Here, if you make it invisible, you don’t have any dropouts, right? Because there are no barriers. 
There is no door which is closed that needs to be opened. So, in that case, the businesses get 20% more conversion, so that’s more business, more revenue. So that element is also there, if you make it invisible using the mobile operator’s asset like the SIM and all the data. That needs to be considered as well alongside security. Oscar: And what if, myself as a normal user, I want to try Sekura.id, how can I use it already? There might be some services which is already available? Gautam: Yeah, absolutely, Oscar. So one element here is you know as you can understand, this is B2B service, right? So the businesses are using us. Businesses are protecting that. All our services are, you know, they go through one single API, right? So, it’s not the user who is accessing our services directly. As I was giving the example, I, as a user, accessing my banking service, right? And my banking service is using the Sekura.id services through the API, right? So that’s how I, as a user, as a consumer use it. Not directly through Sekura, through my services. And then again, I may not be even aware that that service is getting used, right? Because this service, as I said, for the human user it’s invisible. So majority of our clients right now are mostly from the financial services, so the major banks in the UK, they are using our one or more of the services like Barclays is using our services, Virgin Money is using our services. In the US as well, Morgan Stanley, they are using our services, Flora Bank, they are using our services. But again, just to reiterate, it’s not a B2C service, right? So it’s not that me, as a consumer, is using the Sekura.id services. It’s my business who is using the service to help me as a user getting protected. And at the same time, no barrier has been put by the businesses to access it. And we are actually expanding globally. As I mentioned to you earlier, I was in India, I came back yesterday, we are actually launching in there. 
We have some very, very exciting discussions happened across the use cases there, not just in the financial sector, beyond as well. And then we will be announcing those pretty soon. Oscar: OK, as soon as they are launched, it will be interesting to know what are these use cases. So, very interesting initiative that you have in Sekura.id. So what happens for instance if – because this depends on people having good mobile networks and good phones, so what happens if that’s not available in some regions in the world? Gautam: That’s a very important question you ask, right? And there are two elements you said, one is good mobile phone. One of the thing that we really passionately believe in Sekura is inclusiveness. And that’s very important for us. We have a mission statement for identity for all and everything. So no one should be excluded from identity protection, right? And this is why we tackle it from multiple angles. So for example, we have platform that we have created from ground up based on all our learning from the GSMA and also my learning from Vodafone. That platform can integrate with any mobile operator in the world, right? Because all mobile operators are different. There are 700 plus mobile operators there. Right now, we are connected to around 75 mobile operators globally and we want to connect to all. Why? Because we don’t want any operators to be excluded because if we exclude that, their consumers or their users will be excluded. So, one example is in India, one of the phone smallest operator is BSNL, right? It’s government-owned operator. They are quite small. They don’t have platform. And they were actually not included in this identity space. So what we have done is we have provided our platform to them so that, that platform can actually connect to that mobile operator and then it can actually expose their services, right? So that we don’t want to exclude their users. At the same time, it is important, as you rightly asked. 
What happens if I don’t have a good phone? So, this is where the principle that we use in all our services has got two major aspects. One, I already talked about – not involving the user because if you don’t involve the user, we increase the security, because user is the weakest link, right? And rightly so. And the second thing is not depending on the mobile device, because that’s extremely critical. Because let’s say, if the user can afford an iPhone 15 right? Of course, that’s extremely secure. The key chain there where the keys are stored is a hardware, right? That’s an HSM. So, it will be extremely secure. But what about the user in let’s say Southeast Asia or in Sub-Saharan Africa where it’s a sub $10 phone? That may not have that much security. So, it’s unfair on the user because they cannot pay for that advanced phone, they are getting excluded from security and identity verification. At the same time, it is unfair on the businesses, they cannot rely on a security because the user cannot afford that high end phone. That’s why that’s the principle we use. We don’t rely on the mobile device. What do we rely on? The SIM. The exact same SIM is in the iPhone 15 or any of the high-end devices or in the low-end, not so expensive phone and provides the exact same security, right? The cryptographic security that I talked about doesn’t differentiate whether it’s a very high-end, expensive phone or not so expensive, much simpler phone. So that’s an important element here, right? So, our services don’t rely on the device. It doesn’t matter what device the user is using. Secondly, all the data elements that I talked about is in the mobile network. This is completely independent of what device it is. So that way as well, all those data elements that I talked about, all those 66 potential data elements are independent of the device. So, that’s how we use the service and then make it inclusive end to end, for any user, right? 
The other thing you asked about is what if there is no mobile network? It doesn’t really matter. So, the way to look into this thing is, we are relying on the mobile network. But the user doesn’t have to use the mobile device even at that moment of time for majority of the services. For the authentication services, the mobile device need to be in the network. But again, if the mobile device is not in the mobile network, it is connected to Wi-Fi or any other networks, in that case, we have fall back mechanism because we cannot really, rely on the mobile network because the device is connected to Wi-Fi, still we have a fallback mechanism. And in some regions, like in US, we have worked with one of the large mobile operator there. Where we have worked with them to utilise the SIM, even if the device is connected to Wi-Fi. Because even if the mobile device is not connected to the mobile network, still there is a SIM there, right? If you can reach out to the SIM, we protect the device anyway. And the other thing I was talking about, all these 66 potential data signals, they are available at the mobile operator’s secure CRMs, CVM and all the OSS, BSS system, right? So they don’t need the user to be using the mobile device at that moment of time. For example, if there is a SIM swap that has happened in the last few hours, the mobile operators databases, they already are aware of that even if there is no network. So, all our services other than the authentication service which we call SAFr Auth, all our services are data-related or signal-related services where these businesses, let’s say, this is a bank or an e-commerce provider or even a social media provider, their server makes the API call to our platform to get this data signal. So the mobile device is not involved, mobile network is not also involved there. Because again, we want that inclusivity for every user to be involved in there. Oscar: OK. Well, definitely very novel way of addressing these problems. 
So I’d like to ask you one final question, Gautam, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today? Gautam: Thanks a lot Oscar for asking that. The most important thing to add into their agenda is an acknowledgement that the internet doesn’t have that identity layer. Because that’s a fundamental problem. Because if we start to add technologies on top to fill the gap, that will not solve the problem. And we have seen over the years, right? We have seen user ID password, they didn’t solve that, SMS OTP or any form of OTP, they didn’t solve that. Then we added all sorts of other OTPs, right? TOTPs, authenticated apps, we even used those RSA tokens that we used to carry on. Then we evolved into biometrics. And by the way, biometrics, I’m sure your audience is aware of this, after Generative AI, every form of biometrics is challenged. And then actually, you know, interestingly, LexisNexis, which is one of the largest fraud management provider on app based in US, their CEO of the government affairs came to the press. This person gave an interview to Fox News in June, saying that we are so much relying on these biometrics and after Generative AI revolution, there is a financial impact in the industry and then that impact is around 1 Trillion USD because every form of biometric is challenged through this Generative AI. Not just through deep fake, through all sorts of mechanism. I mean you can actually search the internet on those kind of fraudulent activities happening on almost a weekly basis. So, let’s acknowledge that there is a fundamental issue with the internet and that’s no one’s fault because internet was not designed for that. If you acknowledge that, then we can solve the fundamental problem, right? And that can be done through the already existing identity layer which is existing in the mobile operators. Let’s work through that and solve the problem forever. 
So, basically, what I am saying is, let’s bring in that identity layer from that parallel internet which we call mobile internet into the traditional internet. And let’s solve that problem at the root. And that’s what we are doing in Sekura.id. And that’s what we would invite all the leaders in the digital space to look into and solve the problem. Oscar: Thank you very much, Gautam, for this very insightful conversation. And let us know if people would like to find more about you on the net, what are the best ways for that? Gautam: Thanks a lot, Oscar. Thanks for inviting me. I am on LinkedIn. Please connect to me. It’s Gautam Hazari, G-A-U-T-A-M H-A-Z-A-R-I. If you Google me, you will find me there as well. And also, please visit Sekura.id, S-E-K-U-R-A.ID. You will find insightful solutions there and also we post lots of insightful stories, articles, blogs and what the future is looking like. Recently, one of my article is published in Forbes, I’m calling it Internet of Thoughts, where the future is coming and where, if you don’t solve this identity crisis in the internet it may create more issues. So, please reach out. Please look into Sekura.id and let’s solve this identity crisis together. Oscar: Yeah, of course. Again, thank you very much Gautam for this conversation, and all the best. Gautam: Thank you very much Oscar for having me. Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

LET’S TALK ABOUT DIGITAL IDENTITY WITH RUSS COHN, THE (GO-TO-MARKET) FOR IDVERSE. In episode 98, Russ Cohn the Go-To-Marketing for IDVerse joins Oscar to explore Generative AI within Identity Verification – including what is generative AI and deepfakes, why deepfakes are a threat for consumers and businesses, and some of the biggest pain points in the identity industry and how generative AI can support this. [Transcript below] > “It’s very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices.” Russ Cohn is the (Go-To-Market) for IDVerse, which provides online identity verification technology for businesses in the digital economy. Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA & US markets within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions. His strong tech knowledge is coupled with deep operational and commercial experience building teams within SaaS, advertising and marketing technology-driven revenue models. Russ was previously a key early member of the Google UK leadership team who grew the team from 25 to 3,000 people and the revenue from £10m to £1billion during his tenure. He brings deep experience supporting international technology companies and has a passion for marketing development, startup growth and technology solutions. IDVerse empowers true identity globally. Our Zero Bias AI™ tested technology pioneered the use of generative AI to train deep neural network systems to protect against discrimination. Our fully-automated solution verifies users in seconds with just their face and smartphone—in over 220 countries and territories with any official ID document. Connect with Russ on LinkedIn [https://www.linkedin.com/in/russ-cohn-447165/]. 
We’ll be continuing this conversation on Twitter using #LTADI [https://twitter.com/hashtag/LTADI?src=hashtag_click]– join us @ubisecure [https://twitter.com/ubisecure]! Go to @Ubisecure on YouTube [https://www.youtube.com/@Ubisecure] to watch the video transcript for episode 98 [https://youtu.be/CCs77CZT-L8]. PODCAST TRANSCRIPT What is generative AI? This week Russ Cohn, from IDVerse has joined us to discuss generative AI and deepfakes and the threat this imposes on businesses and consumers for their digital identities. Stay tuned to find out more. Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla. Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Artificial Intelligence, in particular, Generative Artificial Intelligence is a topic that has been, I believe on most of our radars in the last 12 months, particularly. And there are amazing things going on. But also, we know that the bad guys are also using those tools. And one of those is related to deepfakes that are being used to cheat the identity verification system having existing until now. So, to see how we are going to solve those problems in identity verification, these newer problems, we have a special guest today who is Russ Cohn. He is the go-to market for IDVerse, a company which provides online identification technology for businesses in the digital economy. Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA, and US markets, within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions. His strong tech knowledge is coupled with deep operational and commercial experience building things with SaaS, advertising and marketing technology driven revenue models. Hello, Russ. Russ Cohn: Hello, Oscar. How are you? Oscar: Very good. Happy to have you here. 
Russ: Thank you. Very glad to be here.
Oscar: Fantastic. It’s great to have you here. And we’ll talk about the deepfakes and how the newest practices in identity verification are solving these problems. So, let’s start, let’s talk about digital identity, Russ. So first of all, I would like to hear a bit more about yourself, your story. Tell us about yourself and your journey to the world of identity.
Russ: Absolutely. I am fairly new to identity. I’ve only really started in the industry probably just over three years ago. I was the first international employee of OCR Labs, which is we recently rebranded to IDVerse, but I joined about three years ago. We’ve since then built the international team to over half the company, and we continue to grow in EMEA and the US. As a background, I’m a marketer, a commercial leader, investor. I’ve spent probably over 20 years in technology-driven companies of all sizes. And I was lucky enough to join Google very early on, and there were 20 people in the UK, and 600 people around the world. And I grew up with them a little bit, and I left there with 65,000 people. So, I’ve got a fairly good experience at scanning companies and have invested and advised companies since then. I’m now, as I said at IDVerse. And I’m focused on the go-to market. So, helping them globally, to take our products and execute them in the best possible areas and help our customers with the most cutting-edge technology to drive identity verification, make it effortless. Obviously, through the use of our sophisticated technologies and techniques, including Generative AI. I’m excited about the opportunity for identity verification, as the need for verified trusted identities has grown exponentially, globally, really, since the pandemic. And with digital growing at such a phenomenal rate as well, we’re now living in a mobile-first world, and we need the right kind of identity verification to support that growth.
Oscar: Indeed. So, let’s go to some basics.
For someone who has heard about that term, Generative AI and still is not so clear what it is, particularly. Could you tell us what is that? What is Generative AI?
Russ: Yeah, sure, I think, you know, everybody is talking about ChatGPT and Bard and it’s brought these techniques, the AI techniques to the public, and we can’t get enough of them. But everyone is using ChatGPT and Bard, etc to learn more, do their jobs better, find new facts. It’s pretty addictive and very, very useful but still at the fairly early stage. So Generative AI, short for Generative Artificial Intelligence refers to a class of artificial intelligence systems and techniques that focus on generating new content or data rather than simply recognising patterns or making decisions based on existing data. Now these systems are designed to create original content that resembles human created data such as images, music, texts, videos, and more. I use Spotify extensively. I’m sure most people do. And I’ve got an AI system on there now a couple months ago that’s going through my music catalogue in my background and choosing the right music based on my tastes. Generative AI models are generally trained on large datasets, and they learn to understand the underlying patterns and structures within the data. So once trained, they can produce new examples that are similar to the data they were exposed to during their training. These models are capable of generating content that didn’t exist in the original dataset, making them a very powerful tool for creative tasks in content creation. Now at IDVerse, we’ve been doing Generative AI for a long time, probably since the start, seven or eight years ago. And we use a technique, a very familiar technique called Generative Adversarial Networks or GANs, I’m sure a lot of your audience will be familiar with. Now GANs, just to go back to basics, consists of two neural networks, a generator and a discriminator.
These are trained together in a competitive manner. The generator creates the synthetic data, and the discriminative task is to differentiate between the real and the generated data. So, the competition between the two networks leads to the generation of increasingly realistic content, which we see everywhere in videos, photos, documents, et cetera. Now, we’ve trained millions of synthetic and real documents and millions and millions of synthetic faces using these techniques. For us, just to be clear, we only use ethically sourced or fair source data for face biometric, particularly in the training. This refers to the facial recognition datasets collected and used in a manner that upholds strict ethical standards and respects individual’s privacy, consent and fairness. Such data is obtained transparently with informed consent, minimal intrusion and efforts to mitigate bias. So, these measures ensure the responsible and equitable use of biometric technology. In the context of facial identity verification, training data refers to the specialised datasets of facial images used to train the machine learning algorithm, or deep neural networks that are responsible for recognising and verifying individual’s identities based on their facial features. So that’s quite a mouthful. Hopefully, that gives you some context. But this is how we look at Generative AI in identity verification.
Oscar: Yeah, thank you for that introduction. Of course, in one of the products of this type of Generative AI, in related tools are deepfakes that we are seeing more often, sometimes we saw that only for, like, say celebrities or famous people. But now, they can be used to attack me or to attack you, actually anybody right? So, tell us how the use of deepfakes is a threat, a real threat for both consumers and businesses?
Russ: Yeah, absolutely.
I think they are a massive threat as the rise of Gen AI, and you touched on it, fraudsters use the same if not better techniques than we do, or many companies do. And they are very, very good at surging ahead of these technologies and finding ways to create very realistic synthetic identities to both impersonate real people, as well as to create brand new identities of people who actually don’t even exist in real life. And so, while that’s exciting as we talk about Web3 and avatars and these opportunities and possibilities, I think both consumers and businesses will continue to fall victim to many of the risks out there, unless measures are taken to prevent this. Now, I just want to highlight a couple of examples of these like disinformation and fake news, right? So, creating videos of public figures, you can grab off Facebook or YouTube, and replicate those and make them do things that they never did. That can be exploited to spread false information. This can incite conflicts and it can really manipulate public opinion. For us, we see and obviously, we’re very close to and care a lot about frauds and scams, so businesses and consumers of course, can – in the UK particularly we have a huge fraud problem. And we see a lot of deepfake base scams that can impersonate company executives, trusted individuals, they can deceive employees or the customers who can make them reveal sensitive information for financial transactions. We’ve seen some of that just recently with MGM in the US in this recent breach. We don’t know it exactly, but we do know, I think somebody, an employee was actually targeted. This can cause you know I think like reputation damage of people, you know, politicians, businesses and people, fake videos and audio can be created. To endorse a product or not support it and that can create problems. And of course, the things we care about a lot of, identity theft, right? And deepfakes can be used to impersonate individuals leading to identity theft. 
This may result in unauthorised access to personal data or systems. And of course, manipulation in financial markets, personal bank accounts, breaches of banks. So, this can cause big issues like privacy concerns, security threats and erosion of trust, through the wide use of this, and internal security problems for businesses, and privacy for people when they violated, and their identities are stolen. So, it’s very, very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices.
Oscar: Yeah, indeed, you already explained some cases in which these criminals are already targeting the identification system that has been existing in the last years. If we focus on these services that are today and have been protecting us or helping us in identifying people in the last years. So, what are these – the biggest pain points or the weaknesses that they are being attacked by these criminals?
Russ: Yeah, look, I mean, there’s a lot of weakness in existing systems, which can come across in the fact that vendors don’t disclose, for example, that they don’t use their own technology, and they can’t always deliver on their promises. So, I think a lack of global document coverage, old style techniques like templating exclusion, like racial bias, gender and age in these poorly designed systems can cause huge problems. And systems that don’t have the ability to understand where these attacks are coming from with these synthetic IDs. We create all of our own tech in-house. So, we don’t use external vendors to drive our fully automated solutions. So, we feel pretty confident. But they are, as you mentioned, these legacy systems that we’ve relied on, that aren’t necessarily up to speed. We’ve seen, from a pain point of view, is badly trained human spotters in remote locations, for example.
So, some people in the industry and vendors use those, this can cause slow response times, and they can’t keep up with the standards and the technology that’s being used to identify fraudulent documents. And also, the biometrics of people that are not real. So, it’s very difficult for them to keep up. And then, we’ve seen an issue around a lot of bias or differentials in the natural bias that’s in previous ID systems designed by, traditionally older white male engineers. And that’s a problem because these biases are built into these systems. And the humans who are evaluating physical documents, depending on where and how and what can inflict their own biases on age, gender, and race as well. Now, this can slow down experiences for customers, as they take a lot longer. And of course, they aren’t as accurate, you know, humans can’t scale. And so, technology can do a lot of that heavy lifting, and can solve a lot of that. And you can still have humans for critical tasks, but it’s important that you use technology to identify these gaps. In fact, we ran a study a few months ago with an external testing company called BixeLabs of 1500 subjects, male, female and transgender, across eight regions in the world for our facial biometrics. And we came back with zero bias on either race or gender on the facial biometrics. So, it’s pretty important that businesses start to use, and people start to get comfortable with one of the strongest, probably the strongest biometric there is for lots of actions that we do take in our everyday lives, whether it’s on a personal or work basis. And I think that the other things that are challenging for us in the identity space is we see a lot of unethically sourced based biometrics, right? And that can refer to the acquisition usage or distribution of these, that can violate privacy, I mentioned earlier consent or ethics. And these practices really can result in privacy infringements, discrimination, social harm and legal issues. 
And some examples of that are data scraping and profiling, lack of informed consent, data breaches, of course, we’ve seen that recently and frequently, deepfakes as we talked about and manipulation of people, government surveillance, employment discrimination. These are big issues. And I think the lack of unified government standards around these things is also difficult. And it’s important that people use the latest technologies like computer vision and Generative AI to start, to be able to scale and address some of these issues and keep users and businesses safe going forward. But those are definitely some of the issues that we’ve seen accumulate over the last few years.
Oscar: Yeah, yeah, I can see there are quite a few. And how these more recent generation of identity verification system that are working together with Generative AI. So, if you can tell us a bit of the how, how they are different to the previous products, and how they are tackling these problems?
Russ: Yeah, as I expressed in some of the technologies that we use, I mean, training data for Gen AI, for example, if you think of it, if I can frame it in like nutritional labels like food, right? So, you’re feeding a machine, essentially. And so that training data should come with some sort of nutritional label, and to know what the macro nutrients will affect performance. So, you know, it’s important that when using Gen AI, you understand that the nutritional makeup of their training data, supply chain transparency, where do you get their data from, for example. But it’s important, these techniques are able to detect the proliferation of these fake documents. I think digital identity is becoming more and more, of course, prolific and governments are starting to bring onboard connectivity into these digital identity databases that are able to verify customers in a much more robust way than potentially documents were.
So, I think we’ll see that constant trend of digitisation of technology, mobile-first, wallets, and of course, documentation that will become digital will make life a little bit easier. But, in order to protect themselves, consumers and businesses really need to think about what they can do to stop and be vigilant, right? So, I think consumers need to educate themselves. They need to use things like password protection and protect their devices and be aware of things like phishing tactics in social media and email. So, we can do as much as we can for businesses, but I think businesses need to invest in these systems because they are stronger, the security measures are stronger, and will help protect them and their customers ultimately. I think the differences that we see, we believe facial biometrics is a very, very strong and has been proven externally through, you know, NIST iBeta certification, for example, we have a 99.998 certification of liveness biometrics, I mentioned the inclusion and lack of racial bias. If you want to capture and work with people of all races, all genders, all colours across the world, it’s important to use systems that are inclusive, otherwise, you’ll end up discriminating and losing customers. So, it is important to make these investments into these systems to help protect your business and help protect the consumers behind that. But ultimately, consumers have to also be educated themselves. They have to think about what they’re doing and be aware of things that are out of the ordinary or suspicious, unsolicited requests, for example. And then lastly, I think, you know, government needs to engage in some sort of public dialogue as well to help consumers about understanding what they’re doing in these initiatives. And government needs to work with business as well to inform the public about things like biometric technology, ethical implications, and why they should be using these. 
But ultimately, there should be some ethical guidelines and review boards to be able to support the usage of this new technology that’s coming at us at such a pace. It’s really strong, really powerful and really useful. But there have to be some guardrails around that, and I think it’s going to take a collective effort from consumers, businesses and government to get us there.
Oscar: You mentioned, for instance, a liveness detection that is one of the ways that this identity verification tools are checking that the person is a real person moving in front of the camera. In terms of the end user, so when the end user is in front of this identity verification system that are based on Generative AI, so let’s say user experience is similar, is so how transparent or is different?
Russ: Yeah, I think, look, with facial recognition, for example, and the techniques we use in identifying people when they’re going through the process of verifying themselves or for account access or re-authentication, no personal data is stored. So, the use of those biometrics is the ability to give people a robust way to prove themselves and their proof of life, if you will, when doing a particular action. And I think what’s been missing in the past is people have accepted a document which could or could not belong to that person to be the valid form of identity. The reason why identity documents around the world had been the standard is there was always a picture of your face on that document. So, you had a passport or driver’s license, you could see it was you in a sense. So, with liveness, people are protected the same way as using phones to open up access to your phone and to those systems. But these systems are tested and there is no personal data. People should feel very comfortable that the data that they’re using to generate that action is protected and their own in terms of doing that.
We’re just using technology to be able to verify that that person is live and present, and is not a deepfake, was not a synthetic ID. Because what we see a lot is these presentation attacks when people are using video footage that are grabbed from external sources, for example, to try and fake systems or try and trick systems that they are actually live and present. But we are able to detect these digital footprints and be able to detect using multiple sources of multiple techniques on the mobile phone that we build software for that that person is live and present and is presenting the document that they say they are in order to verify themselves.
Oscar: Thank you, for explaining better how it worked for users. So, it’s simple for users. It’s not more complicated.
Russ: Simple and seamless and quick as well. It’s not more complicated. It’s less complicated, in fact, right? So, when you presented with it – there has to be a trust of course in the environment that you’re doing, and then providing your face to do that. But ultimately, it’s safer and quicker, and ultimately more secure than any sort of biometric that they might have used previously.
Oscar: Yeah, it’s true. You mentioned also faster sometimes I think, being in front of these systems and yeah you are, waiting a little bit in front of the camera, right until it processes.
Russ: Yeah, look, it depends on the speed and the connectivity in the region you’re in, and it might be the phone and your mobile network, for example. But we account for all of that in the software that we design in helping people to process that. So, we shoot like a live stream video, and we take the best shots out of about 100, 120 frames that we shoot out of that video. It’s a very quick two or three second capture, and we’re able to compare the best quality face to the document that’s presented in this process.
Now, we can account for age, facial degradation, loss of hair, glasses, et cetera because we are looking at the underlying structure of someone’s face when doing that. So, we’re 3D mapping essentially that person’s face, and are able to then tell against the original document that’s presented if that person is the same person. And that you can’t do, it’s very hard to do with humans, for example. And that’s why technology can do a lot of this lifting very, very quickly. We can do it in seconds and verify the person against very old very age documents or changes to their facial structures. And so, we’re very excited about how these techniques can verify people to the grade that I mentioned before.
Oscar: Yeah, indeed, it sounds like there’s a lot of innovation hearing what you’re talking, you are describing. So, what we say looking at the future, so what is the future of Generative AI in identity verification?
Russ: We were excited about Gen AI’s ability to create these huge datasets of synthetic personas, because it’s going to help prevent fraudsters trying to use this synthetically created people and documents that they create to trick and penetrate low grade systems. And the more people we can support, the more businesses we can get our technology into, the more we can stop this the synthetic IDs and penetration attacks that are happening. And we’ve seen the velocity of these increase as we see better and better tools and faster processing time to be able to do this. So, the ability to cover the identities of the world’s population through technology and creating inclusivity for all ethnicities, all genders, means that people can be granted access regardless of where they live, what device they’re using, what colour they are, what gender they are. So, we’re very excited about how Gen AI can train and help people. And again, this is all ethically sourced data, right? So, we didn’t go and grab it elsewhere.
It’s very hard to get in front of tens of millions of faces of variations of age and, again, colour, ethnicity, gender, et cetera. So, Gen AI really helps us to do that, I think detection tools. So, developing and using advanced technology like Gen AI to detect this deepfake content can be crucial to mitigate the potential harmful effects that might come from that. Authentication mechanisms. So, implementing strong authentication, like facial can help, again, verify the identity of individuals and reduce that risk of impersonation. So, trust has to be ensured that it’s in place there. And of course, eliminating frauds and scams, so businesses and consumers fall victim to deepfake base scams and others every day. For instance, a scammer can impersonate a company executive, as I said, and deceive employees into revealing sensitive information or maybe making financial transactions. So, we want to stop fraud at the door. We want to stop fraud internally, externally. And we want to help protect businesses and their customers, whether their business or consumers from the rising threat of what’s coming on synthetic identities and the scale of using Generative AI at the fraudster level.
Oscar: Sounds good. Final question, for all business leaders that are listening to us right now, what is the one actionable idea that they should write on their agendas today?
Russ: Yeah, look, there are a lot to choose from. I think the one action from my opinion, maybe is – you’ve got to think like we’re living in a mobile-first world, right? And Gen AI solutions, as we’ve talked about are surging. So, the action I would take is take the time to speak to your fellow executives and to the teams and to the people inside your business and understand how identity is currently viewed in your approach to your people, your processes, your security, your products and your customers. Where I sit and where we sit, is we are seeing the velocity increase of identity usage across the world.
Governments are enforcing and implementing more and more identity standards in order to control obviously, governmental services. And so, it’s important that people think about identity for their own businesses. It’s going to become critical to protect them and their customers. They need to think about everything from employee onboarding, how well you know your employee and your customers. And of course, ultimately, what we’re all achieving, or trying to achieve in digital is improving user experiences, anything from onboarding to account management, to customer services interaction. So, it’s everything that your customer, your employee might touch within your business, potentially has something to do with identity. And the better you know the people in your business and your customers, I think, the better positioned you’re going to be to be able to not only stop these threats but take advantage of beating your competition by staying ahead and knowing your customer much better.
Oscar: All right, thank you very much, Russ, for all this very interesting conversation about how Generative AI is going to help us for the identity verification now and in the future. So, for the ones listening to us who would like to know more about you or get in touch with you, what are the best ways for that?
Russ: Yes, thank you again, for the time letting me talk about something we, you know, and I’m very passionate about and obviously we’re very passionate about fraud and particularly technology. If they want to get a hold of me, I’m on LinkedIn, you know, Russ Cohn, C-O-H-N. IDVerse.com has a repository of amazing content and information and thought leadership around a lot of these areas, so please take your time to look across the site. And if you want to get in touch with us, there’s lots of ways to do that on the site. So, look forward to seeing and speaking with anybody who’s interested in learning more about IDVerse and about – chatting about fraud and identity.
Oscar: Perfect.
Again, thank you very much, Russ. And all the best.
Russ: Thank you, Oscar. Appreciate the time.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
