You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? Good. I see you're recording from a hotel room today. I am, courtesy... this episode is not sponsored by anyone in particular, but I am in a
Marriott Courtyard right now. Well, we know what that experience is like. If you're a business traveler, I think you've been to Courtyards all over the United States or, essentially, all over the world. Every one I've been to is pretty much the same. I think it's the consistency that I appreciate the most about it: you book a Marriott Courtyard, you know what you're going to get. That's right. Yeah. And there's something to be said for that.
That's, I think, part of the reason why McDonald's is so popular, right? You have McDonald's everywhere and they're pretty close to the same experience. But beyond that, I had a funny thought. Do you remember Jack Handey? Yeah, Jack Handey from Saturday Night Live, he did those Deep Thoughts by Jack Handey. So I was thinking about verified identities, and so the deep thought would go: not everybody
loves verified identities. For example, kids with fake IDs do not want those identities verified. It's pretty accurate. I would say nerdy, but accurate. Well, that was, yeah, that was part of the Deep Thoughts by Jack Handey. That was what it was all about. I can't imagine what he would write at this point. I know I should probably say what he would rather. I don't even know if he's still alive or not, but classic for the 90s, I guess.
I just assumed that maybe he's moved on, but I don't know for sure. Now, if only we had a researcher, you know, like a producer that could yell into our ear to look that up. Or, like, an intern, where you say, "Go look up Jack Handey episodes or skits, and are they still alive?" We need an intern, Jeff. We do. It pays negative money. You actually have to pay us, and it's thankless work.
So if that's not an attractive job offer, I don't know what is. Yes. Exactly. So hey, we've got a couple of things coming up. Do you want to kind of run down the list, or do you want me to? I'll kick us off, because you did it last time. We've got a few different things going on. So, well, you've got more going on than I do at this point. You've got, what, next week, actually this week by the time people listen to this. So it'll be September 19th when
this episode goes live. But later in the week, there will be a webinar that Jim is representing us on with 1Kosmos, and that is "They tried to fix passwords, but how do we fix MFA?" You know, super sexy title. I'm sure it'll be very interesting. So if you want to support the show, go support Jim and register for the webinar. I'll have a link in our show notes.
People can check it out. But yeah, looking forward to it. I'll be catching that on the replay because I'll be on a flight back from Las Vegas, theoretically, at that point. We've also got the Authenticate 2022 conference coming up, put on by our friends over at FIDO. That is October 17th to 19th. We're going to be out there, both Jim and I, and looking to do some podcasting. So, Jim has already started trying to fill up our schedule
with the shows to record. So, you know, we'll be looking to do some things there. We're also going to be at Oktane in November in San Francisco. I think it's November 8th to the 10th. It's kind of like a partner/customer conference. But the idea there is, again, we'll have, hopefully, conversations with folks in and around sort of the authentication space, and folks at Oktane and so forth that I
want everything. I know, I think there's one other one, so we don't know the date for it yet. But friend of the show and friend of ours, Tom Lennon from SailPoint, has asked us to present to the Carolinas Identity Roundtable. So that's yet to be scheduled, but it should happen here in, you know, 2022, and just a shout-out to Tom for giving us the opportunity. I think it's going to be a fun time. Yeah, that'll be cool.
I don't know what we're going to talk about or how it's going to work, but we're excited to figure it out. And so maybe something related to identity and access management, I'm guessing. I hope so. That's the only thing. Well, even that, you could barely say we're qualified to speak about, but we do it anyway. We do it anyway. You want to get to our topic for today? Sure. Yeah. And so Jack Handey would be proud of us.
We're going to talk about identity proofing, verified identities, and verifiable credentials. And we had a good little conversation about making sure we got that terminology right. With us, we have Nishant Kaushik, CTO with Uniken and former colleague of ours, back in our Identropy days. And Nishant was with us last on episode number 73, which was December of 2020, right in the peak of the pandemic. So I guess he was not out running around the world at that
point, like the rest of us. He was at home, and maybe, we don't know. Yeah, I guess, you know, we can introduce him and ask him what he's been up to since the last time he was on the show. Hey, Nishant. Hey everyone. Hi guys. I have definitely not been running around anywhere, even now. Like, I think the only work-related or
identity trip I took was when I went to Identiverse earlier this year. Other than that, I've been pretty much homebound in terms of working from home and focusing on the work we're doing at Uniken. Yeah. And what, did that conference wind up becoming like a super spreader? I think a few people left the conference and wound up catching COVID shortly after, but I mean, COVID is pretty much everywhere now. So I don't know if you can
necessarily pinpoint the fact that you were at the conference. Yeah. No, I think it definitely happened, but it pretty much happened at every conference that took place. So, you know, it's just the nature of going back to a world that used to exist before, and we're trying to live that same life, but, you know, that world still hasn't come back yet. So, yeah, RSA was the same way earlier in the year.
I dodged it, but I know a lot of people got sick, and I think I heard to make the Identiverse, Jim. I couldn't make Identiverse. It was just terrible timing for both of us, for different reasons. We were at Gartner a few weeks ago and, knock on wood, so far, so good for me. And I haven't heard of any sort of outbreaks, so maybe the same people who were, or maybe already had the antibodies through the
roof or something by the time they got to Gartner. So maybe that was strategy on Gartner's part: you let everyone else get sick, build up the immunity, and then, you know, at their conference after that. So, Nishant, we're going to talk about identity proofing today, and what we thought would be kind of a good way to start would be to start with the basics of what is identity
proofing. And one thing I wanted to throw out there is, like, I had to think of the process the way it used to be, which was, you know, showing up in person with a passport or, you know, like a driver's license, or walking license as we used to call them. And I was kind of thinking of a client that I worked with, you know, probably eight years ago, that was a university, a large university. In order to get your student ID, you had to show up on
campus. Or if there was a remote campus, or you were full-time remote, you had to go to some kind of licensing station to go and actually go through this verification. That was, you know, in my mind, what identity proofing was. How do you define identity proofing? Well, conceptually, it's pretty much what you laid out, right?
The idea there being that as a business, as a service, you're trying to verify the identity, the real-world identity, of a person, whatever real-world identity in that context means, because it's very context-sensitive, context-dependent. But the idea being that you just want to make sure that when somebody is coming in and saying, "Hey, I'm Jim and I work at, or worked at, Identropy." Actually, let me take a different example.
I'm Jim and I used to work at So if I end, that's something that you care about, well, how do I verify that as a business before I allow you to proceed? And how can I trust that? So as you pointed out, you know, we're used to these processes, proofing processes, being real-world, right, in terms of brick and mortar, as we call it. In my world, we're dealing very much with this in the consumer identity space.
We're dealing with it in the context of how do, you know, people open bank accounts, or people register for, you know, retail accounts, or get access to, you know, airline accounts or health care, whatever.
Everybody cares about the identity of the person on the other side, and they want to figure out, to their required level of assurance, and that's the key part, is this that real person? And you have to figure out how you're going to do that. And the old way of doing it, which was show up in person and show a document to a human being, doesn't work anymore. That's what we're trying to get past.
And so in the identity proofing space, that's literally what's being focused on right now: how do I digitize the process such that I can take the human being, for the most part, out of the equation and allow it to be fully self-service, fully remote, you know, but with the required level of assurance? Yeah. So we talked about, I think we just laid out there pretty
well was the verified identity. So in other words, you've gone through the proofing process; now your identity has been verified. We also hear about... The right way to say it, I think, is verifiable credentials. The wrong way to say it, or what we commonly hear as shorthand, is verified credentials. Yeah. Do you run into, do you experience that as well, hearing people say verified
credentials? Yes, because I think the area of verifiable credentials is still pretty new and unknown to folks outside of the identity community, people who are dealing with this on a day-in, day-out basis. You know, it's really important for a lot of us who work in identity to really, you know, make sure that we acknowledge the bubble we live in. You know, we think of these things and we know what they are and we have huge, humongous debates about them. When you go
out and talk to actual practitioners and business people, they don't really know what it is. They're thinking of their problems, right? So, you know, I like to, you know, in my Twitter bio, I put "solver of problems," right? So the point, from my perspective, has always been: what is the use case? What are you trying to solve?
And what businesses care about is the verified identity part, which is: I need to know you are who you say you are, to the level that I require to have trust in that. And that changes, that's different for different organizations. Because if I'm a, you know, shopping site, a verified identity is simply, yeah, you're somebody who has an email address that I was able to send a link to and verify that you had possession of that email address. And that's sufficient for me to
verify that you are somebody who wants to be a customer with me. I don't care whether you use Joe Schmo as your name. It might matter later, when I get to payments, but for now, if you're just, you know, doing stuff on the site, I don't care. But if you're a bank, then a verified identity
can mean something very, very different, because you're looking at the legal identity, and do I have enough information to know that this is a real person? Do I have enough information to satisfy the know-your-customer regulations that, you know, I have to adhere to? Do I have enough information to be able to identify whether you tried to previously open an account with a different name and, you know, you're somehow trying to create duplicate account fraud and
things like that. So verified identity, from a business perspective, is trying to solve their problem with their very specific point of view, their very specific lens that they're looking at it through. Yeah. And the processes that I've experienced in terms of going through an identity proofing process are very device-specific. So, you know, I'm thinking of a specific example where I went through a self-service process to verify my identity.
And used, like, basically, a video selfie, having me turn my head and things like that, and compared it to my driver's license, which I provided copies of, in terms of a picture. So I'm wondering, is that the typical workflow? And, you know, are different solutions doing it differently, and how device-specific is it? Because I tend to have, you know, higher-end devices than the average person. So where does the average person fall? Yeah. I mean, it's a very, very tricky topic, right?
Because at the end of the day, what you're trying to do is build an approximation for that real-world process, that brick-and-mortar process that we talked about earlier. You're trying to build a digital equivalent for that, and that's because people are working from a frame of reference, and in many cases they're actually constrained by the fact that there are regulatory requirements that were designed for brick-and-mortar times that have not been updated
for digital times. And there are sometimes no better solutions that you have available. The best proof of who you are from a legal entity perspective is your physical document: your driver's license, your passport, etc. And there are no widespread digital equivalents, so people are making do with what they have, and that's forcing them down a path where, you said, the process you described.
Which is, yeah, take a selfie, you know, take a picture of your document, and, you know, oh wait, if you have a passport that has a chip in it, well, that's great. We'll do an NFC read, and we trust that even more because now there's some cryptographic assurance around it and stuff like that.
And that is very much state of the art, simply because alternatives are still being developed and still fairly new, and they're not widespread enough, and they have enough sort of friction in the process to have an adoption problem right now, right? So it's changing. I think this is a space that's very much changing. There are organizations like the Better Identity Coalition, etc., that are working on the regulatory side to try and introduce things that could make
some of the stuff easier. But yeah, it's still pretty much: what do we have available to us that we can make do with? And what's pretty much ubiquitous right now is essentially physical documents and digital phones with cameras. That's basically the starting set you end up with. Yeah. And I think that what I've heard referred to as liveness detection is part of that process, right? We want to make sure that we're not just holding up a picture of ourselves to the
camera. And then I guess there's even that next level of, call it, like, deepfakes, where it's like I can create a video that maybe does the things that you're asking for, so I'm trying to defeat that ahead of time. We're certainly not at the point of having droids or, you know, I've been watching this Captain Picard sequel to the whole Star Trek: The Next Generation, and they call Data and the folks like Data, the bots like Data, they call them
synths. So we're not at that point yet, but yeah, they actually brought up something in that show that got me thinking about the liveness checks, which was that the synths, they could create absolute twins. So there's no difference between synth A and synth B, but human twins actually are different, even if they're identical twins. And if you've known identical twins and you really get to know them, eventually they almost don't even look the same to you anymore, right?
They look like two very different people. But people seeing them for the first time think, oh my gosh, you two look the same. I'm wondering, can liveness detection actually detect the difference between twins? So it's important to understand the distinction between the technical components in the process that we're discussing here, right? So liveness detection in and of itself isn't, quote unquote, an identity piece. What it is, is a security piece.
What liveness detection is trying to do is ensure that the person who's presenting the document is the real person associated with that document. So at the end of the day, when you're doing an identity presentation of a proofing process, what you're doing is you're providing a document and saying, here's my document that gives you all the data that you can verify with whatever process you have for verifying that. And in that document, there is a picture of me, essentially, right?
Like, and you then want to say, "And by the way, here's a selfie of me," and make sure that it's the two people, because what you're basically trying to do there is essentially validate that the person presenting the document is the person on the document, right? So that's what you're trying to do. But in order to ensure the integrity of that, you have to make sure the person who's taking the selfie is the real
person and is not, as you said, a fake, because they held up a photograph, they put on a mask, they played a video, or something like that. So what liveness detection is trying to do is determine that this selfie that was taken is taken of a real person, where anything that would be used to fake that can be caught. So it's a security control around the selfie taking that you're then doing the match on. And that, you know, liveness detection is the
core. I've said this a bunch of times in various talks, because people talk about, oh, my biometric, if my biometric's stolen, it's like my password got stolen, and things like that, and it's not, right? The power of a biometric as an authentication factor specifically, but in all of these cases where we're using it in this context, as the proofing factor, doesn't lie in its secrecy, because biometrics for the most part are not secret.
See, the proof lies in, actually, the liveness detection of it. That's the real thing that makes sure that you have assurance around the integrity of the process that you're taking the user through. So that's why it's a really critical component that you really need to pay attention to. So, the satellite just detection, that would tell you the difference between identical twins.
It's something else about that. King process is that an issue within the industry that we're struggling with, with identical twins? It doesn't come up a lot. So I would say it's not really, I mean, it's a nice, interesting example that always gets used when having a conversation about how good is this process. But in reality, identical twins performing fraud isn't really an attack vector that any business is worried about, right? It's not really high.
In the few cases where it might be high, like, for example, if you're trying to commit some kind of, you know, account takeover fraud, in the context of, you know, I want to take over your bank account and, you know, siblings are falling out, when you have a high-risk transaction like that, you don't rely on just that. At that point you bring in additional things to validate it, right? So you will do additional
checks in addition to this. You always risk-adjust what you're doing. So from that perspective, identical twins fraud, or, you know, attack vector, is an interesting, you know, theoretical concept, but in practicality nobody really ever has to deal with it. What are bigger issues and bigger challenges right now that we see across the board is account takeover fraud, where, because you have identity documents themselves that are easy to spoof and fake,
I can present myself as a fictitious person. So it's more akin to the synthetic identity problem, or me stealing somebody's identity, not because I look like them, but because I took their document and put my likeness on the document. So it's Jim's document, but it's my picture on it. So how do you catch that? So verifying the document data, verifying the proof of the identity that you're actually using, that's really where the real
challenges are. Because, quite frankly, for an industry where we are so obsessed with and work on standards, and, you know, the xkcd article, there's 14 standards and it's not working, so let's figure out how to combine it together, now we have 15, right? In identity proofing, the document space is wide open. Like, there are no real cohesive standards, so when you're trying to do this, you have to deal with each place, each jurisdiction, each geographic region, completely
different. So, in our product, where, you know, we're building the site every platform, which does the whole end-to-end security around the identity, right, from proofing, onboarding, authentication, strong authentication, account recovery, all of that, we're trying to put it all together into one cohesive, seamless flow.
That's what our platform does. And when we're dealing with onboarding and this kind of identity proofing, we're dealing with, you've got countries where they have fully digitized documents. Like, if you go to Singapore, you have Singpass, you have, you know, identity wallets issued by the government that can give you verifiable credentials in some sense, and so on.
And you have the US, where we have passports that have chips in them, but we have, you know, state driver's licenses where every state has a completely different format and structure. And then you have, you know, we're dealing a lot in areas like Africa and South America, where you have the gamut. You have really sophisticated chip-based documents, but you also have, in the same area, same jurisdiction, same population,
people whose only identification is a piece of paper, like literally a piece of A4 paper that has been folded up because it's got stuff written on it and stuff. And you're, as a business, trying to cover the entire population, which means you have to deal with this vast range. That's really the challenge. And I think that's where things like verifiable credentials, etc., really are the answers that people are looking for. Whether we get there is a whole different issue.
Because there's, you know, like I said, other challenges in place. But if you get to the point where you have that, that can really solve a lot of these problems. Because right now, people are dealing with just goofy stuff, right? You know, this is not something we should be dealing with, but we unfortunately have to deal with it because we're living in the real world, right?
Yeah. I never really even thought of that fraud use case where you just change the picture on the driver's license and then take a picture of that. Now, I'm comparing my live self to a fake version of the license. If you're able to take that license and somehow verify that it hasn't been modified.
So, give me an example. Of all the 50 states, do they have some API that you go in here and you can download something that is like a low-res version of the license, that you can somehow do a comparison to make sure that it's the same license? I mean, how do you make that work? That would be nice, right? But no. And again, the challenge that we have is, it sounds like a nice idea till you start getting into the intricacies of it. Just look at the way you described it.
"Oh, is there an API I can download? You know, I can connect to that API and can download Jim's license and Jim's picture." Wait, what about privacy? What about Jim's privacy? Who has access to that API? What are they doing with that data? So there's all these concerns, and I want to say, answer your concerns but their envelope and concerns that you have to account for in this kind of thing, where you have to worry about privacy, right? About who has access to the data, what are they using it
for, who's authorized to use it. You know, should the bartender have the ability to pick up a phone and look you up and get an address, just take a picture of you, take a selfie of you at the bar as you're ordering the drink, and immediately get a download from the DMV saying, yeah, this is Jim and this is his date of birth or whatever? You don't want that, right? Because that has huge potential ramifications.
But having those kinds of identity services is actually pretty important when designed correctly and you do it correctly, because, like I said, that is what will help us get past the current logjam we find ourselves in, where one of the challenges you often find is, it's kind of what you pointed out, right: what is the technology that is available? But the technology default now has become smartphone-based.
So what you're immediately excluding from that realm is people who don't have access to smartphones, who are under the tech poverty line, people who don't have, you know, valid identity documents, which is not as easy to have as you would think. Like, people lose identity documents all the
time. This is particularly problematic for folks who are, you know, displaced, whether it's immigrants or local people who are displaced, who have lost everything, and they don't have anything anymore. But they need that identity. They need their identity, to prove that identity, so they can go get welfare benefits. How do you solve the problem?
These are really tricky, really complicated challenges. Trying to do all of that and talk about all of that, we could be talking for hours, and I'm not gonna get into that, but you kind of get a sense of what the scope and the, you know, scale of this challenge is as you go that way. For example, one of the things we're working on with one of our partners, we're dealing with a banking product that is targeted for financial inclusion.
So it's a banking platform that is used for providing services to communities that have traditionally been unbanked. And so they end up having very, very unique challenges that we kind of have to figure out, that forced us to really rethink some of the ways in which we do stuff from an identity perspective. Then improve enforcement. I feel like everything you've been talking about is, these are hard problems to solve. Does the industry
draw a line at some point to say, here are the things that we can solve and these are the variables that we can count on, versus trying to design a system that works for literally every single person in every single country and every single region, blah blah blah, right, even planet, right? You know, how does that work? Like, is there a line that basically says, okay, well, you need to be, you know, this tall to ride, basically? Yeah, for the identity space. Absolutely.
And I think people draw the line all the time. The challenge, I think, right now, that we're facing in the industry, which was a key part of the keynote I gave at Identiverse, is we've all been drawing that line kind of arbitrarily, and
there are no guidelines. There is no, you know, overarching ethical sort of body or organization or anybody that is saying, well, no, wait, that line is drawn way too high, or, on the technical side, wait, that line is drawn way too low and you're just never going to get there. So now you're just spending a bunch of money and time and effort trying to build something that will never reach its objective goal. I mean, you guys have been doing
IAM projects forever, right? You know what it's like, right? You define scope, but you have to figure out a way to make the scope practical and actually deliverable, because scope creep happens all the time. And the challenge with this is that when you draw the line too high, then you have exclusion problems. And that's obviously not a good thing, especially with the role we play, right?
If, you know, we say, yeah, you're going to need the latest iPhone or the latest Android, great, technically it works great. But all of a sudden you've now built something that, to a huge section of the population, you say, yeah, we don't care about you. Plus, it makes you wonder if we get down to a point where, because of the hardware assisted being fragmented amongst, let's call it, three major players, right?
Microsoft, Google, and Apple, between Windows, the Apple series of OSes, and then you've got Android from Google on the mobile device side of things. You know, it's taken a while, even for those three heavyweights, who are also browser manufacturers, to come to agreement on even a standard like WebAuthn, and the FIDO
Alliance getting involved with that and really making progress, but that took time. I wonder if we get to the point where, you know, it becomes, oh yeah, you can be verified, but it's like the blue chat, green chat, where it only works on iPhone, or it only works on Android, or Windows Hello only works on Windows, right?
Those sorts of things. Are we destined to basically repeat, you know, history and have this fragmentation, or do you think that there's hope that we can maybe solve for this ahead of time through more neutral bodies or through third parties that are sort of acting as the bridge across devices? Yeah, so I think I would love to say that this is a linear progression towards an
objective and goal, right? Yeah, we see the advances, we see the advances with the mobile platform manufacturers, we see how they're cooperating, and things like that, and we're working towards something, and we're going to get there if you keep going down this path. I don't have any faith that that will actually happen. What I do think is actually going to happen is, there's 50 different types of ways
people are trying to solve this, and they're all, you know, trying to solve sort of in adjacencies, but with some unique differences, or whatever. But at the end of the day, there are two things: one thing that has to happen, and one thing that I think will happen. One thing that has to happen is this will require investment from actors that are not incentivized by profit and not incentivized by business is that exercise. It was so. So we've seen. So if you think about it from
that perspective, right? There's a reason why what Singapore did has worked really well, because they looked at it and said, we are not... we're looking at it as something that gives benefit to citizens, right? And so there's a regulatory, there's a government requirement or government mandate that came in saying, this is helpful, this will unlock a bunch of other things, so it's worth it for us to make the investment. We've seen this happen in Canada.
If you've talked to Joni Brennan, who heads DIACC, she's much better than me at explaining this and how she's been able to wrangle the cats and get things working through a public-private partnership and getting people on board with the idea. But, to your point, it takes a lot of time, but without that kind of driver, it's not going to happen. So that's the key piece, right? So we see in the US, for example, the Better Identity Coalition is trying to push for
digital identity bills, is trying to push for government to become an attribute provider and issuer of a silo credentials and things like that, that will have downstream benefits. In our organization, we see in Africa, for example, a bunch of governments are heavily investing in digital identity initiatives because they see that this is a way of really unlocking the potential of their citizenry. So that's the thing that has to happen for us to, in any way,
shape form, get somewhere. The flip side of that is the thing that makes it will likely happen. Is this going to be something that comes out of nowhere? That we don't predict that the comment down would Killer app or something like that. Something will happen that we can't really see but that will unlock it sort of a methodology or a modality or something. We're always gonna be like, hey,
let's jump on that. And that will be the thing that unlocks everybody else's ability to say, oh, I can use that, I can use that, I can use that, and that's going to happen. I've been seeing that to a certain extent with how, when Apple and Android started working with the secure enclave and biometrics on the device, and how all of a sudden that has unlocked a lot of potential around how authentication, MFA happens and things like that.
Those things will, I think show up and create they will be unexpected sources of advancement, but that when they show up will be like, well, that was totally logical. But we can't see it right now. I'm sure something like that will happen. Yeah, makes me wonder what that killer app will be because I feel like this is not a technology problem per se. It is a mindset problem because I think of anything that The pandemic has taught us is half
the population. Will, you know, do do will make the societal choice and others may not for various reasons, whatever it may be right. What is the killer app that brings everybody to the table. I just, you know, I just moved and had to go in. I spent the day getting driver's license and license plates and things like that, and that was a pain in the butt. Like, this is all stuff. I should be able to do online. You don't make it easy. Things like that and maybe that's it.
Maybe it's, you know, easy access to government services to pay your taxes. Get your IDs change your names, right? All the things that you kind of take for granted. They're like what do you mean this is, this is your 2022. What do you mean? I can't do it online. What do you mean? I have to make an appointment for 3 months out. Not saying that this didn't happen to me then show up and then wait another two hours after my appointment to actually
get in for my scheduled. Like this is it seems, you know, weird to me that we still haven't sort of solve this identity at a macro level of making it easier for the population and it feel like it's not necessarily a technology thing. At this point, we have the tools
I'm wondering what is that? Killer app that will pull everyone to the table and say, oh yes, we are willing to either invest in this, in some way, whether it's investment financially or investment in, you know, the The Privacy components, that might go into either managing that or giving up some level of privacy to be able to take advantage of things like that. It makes me wonder you know when will that happen? I don't know if we have an
answer but it gives no thinking. I most definitely do not have an answer because honestly it is one of those things where you catch me on the wrong day and I'll be like, listen, I've been dealing with this for the last three months. I know exactly what's going on. This is never going to happen. I know the people involved, this is never going to happen.
They will kill this. But then there's other days where I'm like, oh, I see people who want to and they're willing to make the investment, and you're right, it's not a technology problem. Honestly, you know, and we talk about this in IAM all the time. Like, it's not about technology, it's about process and it's about people. It's actually more than that, right? This is, this is not just about
not even just about process and people. It's about legacy debt or tech debt and the fact that, yeah, we have the technology, but shifting what you have today to the new technology is just way too complicated. Because nobody figures out how to do a migration correctly.
That's not something people invest in. It's political, it's highly sensitive and personal. Like, that's one of the things that, you know, both frustrates but also attracts me to this identity thing that we work in, which is it's not a pure tech problem, right? It's not just throw a bunch of cryptography at it or, you know, just build a service and it's fine. I can just, I just need to figure out how to do high availability or something like
that. And configure my network nodes, this is about people and people by definition become nebulous and problematic to figure out because you can't do it one way for across everybody. We were is unique and so you end up with this really challenging in many times philosophical issue. But usually like I said, it's political its Financial, you know, it's just problematic that
way. Yeah, the experience that I went through recently was I was going for a mortgage and had to go and get some transcripts from the IRS, so I was forced to go through the ID.me process. It seemed like the ultimate example of a friction user experience, right? We're all shooting for this frictionless user experience. There's a ton of friction to get that verified identity now effort. And if it wasn't that I needed those transcripts so badly, I would have abandoned the
process, right. But there's enough value there that I was willing to go through. So to kind of go back to the killer app, to me, what I was thinking was, now that I've gone through this, now the IRS has my identity verified. Boy, it would be great if I could use that verified identity elsewhere for other government services or, you know, be even better if I could somehow stick it in a wallet on my phone and use it to authenticate for high, you know, high-risk transactions and never
have to go through this again, or not have to go through this again for a long time. So to me, it was the killer app being that I go through it one time because I have to, but then I get to leverage it for much more. What are your thoughts on that? So, it is precisely what a bunch of organizations thought would happen, right?
Which is, we just need that one place where there is enough of an incentive for people to go through a very heavy friction process to bootstrap their sort of verified identity system, and now you can take that verified identity and use it everywhere else, right? That's the nirvana, right, if you will. And then that falls, that doesn't fall apart on technical reason. It falls apart. Found like I said, Let It Go
policy controls. Like, who else has access to it wherever I'm using it somewhere else, with why using somewhere else. What if I don't want those, I don't like, we saw with the backlash that happened to ID.me, a huge part of it because this is a private entity. Yes, it's for IRS, but it's a private entity. They now have a huge stranglehold on something that's very valuable and they can do things like, I can look across services, I can see what all
you're doing. These are political issues that prevent stuff like this, and that's the reason why folks have been trying to do verifiable credentials and do something where it sort of disintermediates the whole process. So you can set up a service where you build it, they will verify your identity, but then they can issue your credentials.
And then you can take those credentials with you and use them without having the authority knowing that you're using it. And the service provider has a way of using your verifiable credential to, it's verifiable because they're getting the credential. They're getting the attestations that are in that credential and
saying, well, I can verify this. But I don't have to actually go back to somebody, or I have a way of doing it without requiring the dots getting connected. The dots getting connected piece is a huge blocker in a whole bunch of identity initiatives that show up, and that's the flip side of it right there. I used the Singapore example a couple of times.
The flip side of the Singapore example is also an example of the kind of idea that would never work here because it is highly centralized and all the dots are connected and somebody has complete visibility on your whole life. And you know, that would never work here. That's the reason why we don't have a single federal identity, federal national ID and all that sort of stuff. So, like I said, it's not that the picture. It's like you said, Jeff I? This is not that, it's a
technology issue. The technology to do many different things exist. It's about, can you do it in a way that satisfies the needs of the various constituents, including the citizen, including the human being? That is part of this process. It sounds to me, like what you're proposing is sort of like this this set of different attributes and their kind of chain together. And then, you know, maybe they're like different shapes, may be just like blocks or something like that.
And then, you know, you somehow leverage. This thing I do, I'll call it blockchain. Now, that'll be better term. Okay, I got to drop off that. I got to be part of this great job. Let's shift gears a little bit. Want to make sure we respect Nishant's time. A few weeks ago, actually probably a couple months ago at this point, we asked a bunch of identity folks out there what the difference was between digital identity and identity and access management.
And we had a show and I think we played like five or six different responses that we got. Everyone answered it differently. And what I want to do now is I'm going to ask you, Nishant, the same question here. But before I want to get that our friend Alec fry fry identity for those who are in the know, also responded to it a little bit late, but I promised we would get it in.
So I'm going to play it now. It's about three or four minutes, sort of his explanation of what he thinks the difference is between digital identity, and he has some good analogies in there and then what we'll do is we'll just kind of talk about it real quick. So let me play that now, good day, gents for identity here. I'm so excited to say that I have the, the answer, I have the solution to the major.
You know, of IAM versus digital identity. At first, when I recorded something, it was a lot like what you guys said late in the conversation in session 151, where if you ask what your practice does, earlier you used to say that you do IAM, and recently you would say you do digital identity. And the reason why I think that during the responses from different people where digital identity fits kept flipping from being the umbrella layer above IAM and then later on being
the lower component underneath IAM, I think the major reason for that is because if I ask you, what does the word football mean? You might tell me it means a sport of two teams of people running around on a field trying to score goals against each other, or you might tell me it's a little leather ball that's used in that sport on the field, and I think digital identity is exactly that. So, earlier on, identity and access management in the early days meant, as someone pointed
out, user account management. So it means giving users access to systems, basically getting their identity, validating it with a password or now with MFA or passwordless even, and then allowing them access to certain systems. IAM kind of became the umbrella term for things that also included IGA. So technically IAM is the access and the authentication, and IGA is governance of the user, the user profiles and everything else. But arguably, IAM was kind of used as an umbrella term above
that anyway. So the interesting thing is, as you said as well, that with CIAM now, IAM's sometimes got an invisible W for workforce in front of it. So again, there's not really a new umbrella term to sit over workforce IAM and CIAM. Then, as we said, there's also IGA and other areas. And then, as pointed out by Sarah as well, ID proofing, so whole verification of physical to a user's online digital representation.
Now interestingly, as well, as I think Jim said, that when you log into a certain environment, whether it's Apple or an online store that you deal with, they have a digital identity representation of you. Similarly, as you said, in the Internet of Things, devices each have its own digital identity. So I think the challenge here, getting the terminology sort of sorted out or agreed upon.
I think, as you said, the real challenge is the context in which the person you're talking to is referring to this whole space, where the umbrella, which arguably, for now, let's say, doesn't have a proper title, includes IAM and CIAM and workforce IAM and IGA, and authentication of, you know, identity proofing and assurance and all those other factors, including things like The sea and other areas
that fit in that space as well. And even risk and fraud detection, everything that fits in what's needed to manage user access. And, you know, identifying the correct person making sure the right access to the right systems at the right, time in the right context and everything that we've sort of come to phrase a lot around this whole space. But I think the biggest challenge is that in the last, however, many years now that we're looking at that record that is stored in systems.
Of a user and their habits, and their system access. That's a digital identity, and for lack of a better umbrella term, I think IAM and, sort of more recently, digital identity is being used as the umbrella term as well because we don't have a great umbrella term for it. So, there you go. I think, at the end of the day, football is the whole answer to the question of what's the difference between IAM and digital identity. Hope that was helpful. Thanks, bye.
Alright, so that was from Alec Friday. I think you here. Brings up a few different points. For what I'm hearing is, he agrees with sort of my assessment? Is that context matters who you're talking to, how you're using it, the words, I guess and that it can kind of morph around anything in there. Kind of jog, may be a difference of opinion or maybe you want to add on to that in a second.
So I hate this question, just because it's what's good, where you will never have a good, you will never get a good answer because everybody comes That it slightly differently and I'm sure you've seen that with all the responses you got from everybody else. But and I can just hear Steve Wilson yelling at me. No, the we should just ban the word identity, identity doesn't exist.
Everything is about data. Everything is about, you know, got it. What it is, that's rather than some trying to figure out something, but at the end of the day, I think, So I understand all of these perspectives because at the end of the day there is no right answer. It's more about what is it that we're trying to solve? Like I can't like I said, I come at everything from a use case problem and and also an architecture background. So I think about about everything like architect and
architect. And to me, IAM is simple in terms of a definition and can get very complicated very quickly, but it's simple, it's about the tools, the technologies, the methodologies, the processes around managing identities. The word management is right in there, right? It's about managing identities. What is an identity? That's what digital the word, digital item in somebody's as
well as a digital identity. Well, you're managing the digital identity, but what is the digital identity is so nebulous and so directly tied to who's using it. Not who has it, it's not about the individual, but who's using it and what that sort of consuming entity, the business, the service, whatever it needs. It defines what it considers an identity, and when it defines what it considers an identity, you then pick what are the IAM
components, tools, technology, etc. that you need in order to satisfy that requirement. So for example, you know, it's interesting because obviously I come from an identity management background where I was doing what is called enterprise identity, which is workforce identity, etc., etc. But I do not consider IAM to be the silent W, right? For me, IAM is encompassing because I very much deal with
IAM even in the consumer space, because consumer space requires IAM methodologies, whether it's onboarding, proofing, which is essentially what in the enterprise and anywhere we would have called account registration. User registration is the equivalent thing, but they're doing it from a different place. Different requirements, different needs. Do you need IGA in consumer identity? Not necessarily, but you do need proofing.
You do need you. A lot of nice people don't think about authorization. The vast majority of consumer IAM deployments don't care about authorization, because every user is a customer and they're all kind of the same, but then you go to another scenarios. Oh well, the end user logged in and I want them to have certain OAuth scopes based on who they are. Certain rules that allow them to do what they can do. Allow them to access certain features that I pray for them.
So now you've got authorization in the space, so digital identity. So digital identity itself is nebulous and very much defined by who's using it, and because it is defined by who's using it, that dictates what that consuming entity, service, etcetera will call IAM. But at the end of the day, IAM, just on the IDPro body of knowledge, there are lots of definitions there. I don't necessarily agree with all of them, but at least with stuff like IAM, etc.
It tries to get to that point, which is IAM is a much, much simpler definition because it's mostly focusing on the tools and technologies and processes, and digital identity is in the eye of the beholder. So that's nebulous and that and they're connected. There are talking about the connected so you can't in you can't separate the two. So it's not about umbrella or anything. I've introduced a new dimension, right, there are talking to each
other and related, right? Well you bring up, you know, the different definitions even like within ID Pro right, which is made up of a whole bunch of identity people. And I think there's value in that because it's offering different perspectives. And yeah, I don't think will
ever come. I don't know if we'll come to an agreement on the definition itself, but I I think at least understanding the different viewpoints and the context that people might be approaching it from is helpful in the design, the thinking, you know, of both the architecture business processes, cetera things like that. That was I think one of the things I took away at our original episode, we did on this was a damn Michael. He was the only one of the folks that we had kind of played.
He's from Texas A&M and he's in the business. Meaning he's not a identity vendor, he's not an identity consultant, he's running identity, For a very large organization. So his viewpoint on what is difference in the two was completely different than everyone else, not that it wasn't more or less valid.
It was just a different Viewpoint and you're basically looking at the problem and looking at the space and all the answers are probably right to some degree based on the context of looking at it. Yeah, and I'm sure you've encountered this like there's a bunch of stuff that we do and identity that we get pulled into. That from a business, the business doesn't even consider it or think about it as identity. They're like, why are you guys here?
Like this is not anything that you think this is my, you know, KYC project is my fraud. This is a fraud system. Why is the identity folks are like? Well, because we're feeding you the data that is helping you drive your fraud and risk decisions. And so you need to tell us what you care about, so that we can build that into the identity system, etc., etc. So, most of the time, the businesses don't even think of this as identity. For them, it's their core business.
Well, identity's at the center. Jim, what do you, what do you think about what Alec said? That's it. I think this is, his definition is as good as any that I've heard, because I think it's kind of a nebulous answer. But here's what I'm going to bring new to the conversation. So I had this thought recently, which is that, you know, when we went from calling it IAM to some people are now calling it digital identity.
We don't know if that's going to catch on, and everybody's just going to call this space digital identity, and not identity and access management and a year. But or in five years or or any time down the road but it brought me back to the term, IGA the term IGA didn't exist, whatever. It was 10 15 years ago, it was called identity management, right? Then something happened to those
platforms. That someone said these are not like the old identity management platforms out there doing governance right there, a full circle picture of the identity lifecycle. And now we're going to call it identity governance and administration. I think it was identity Administration and governance and first, but that kind of the same thing, right? So actually something change to go from one, you know, identity management, which was, you know, Oracle.
CA, Sun, and then SailPoint and Aveksa came out and like created this new space, and all those other tools that went on to acquire governance solutions bolted them onto their traditional identity management system and said, you know, hey, we've got IGA too, and everything kind of fell into the bucket, but the ones that were truly IGA systems are the ones that survived and kind of made it, our hooks that hook So much I know because I was there you wrote Thor but you know then it
got bought by what Oracle, right? Yeah. And then but that's the thing, right? It's like we had a identity management platform which was focused on provisioning and to meet the business requirements. We built-in capabilities for Access certification, a recertification, right? And it was just part of our identity management solution,
right? And we had it, and then Waveset had it, and then we all got four in And so Sun had it, and then Oracle had it. And then you had the newer folks sort of show up saying, well, we're going to focus on that one feature, but saying, you can't raise money and you can sell a product saying what you're selling is a feature, so they built it better.
But was essentially a super if you think about it, is supercharged version of what, all of these products had where we were sending it. As a feature, they cameras are It's it's own thing and the term identity governance was born out of Marketing. Is my cynical take. That's exactly what I was going to say. It was a masterful marketing. It look it was a masterful marketing move. I wish I had thought of it. But you know at the end of the day why did that happen besides
the money part of it? Is because of the fact going back to this definitions are nebulous and we all keep not working, we don't work of a single lexicon. We don't have a single unified terminology that we all agreed on. So it gives you the opportunity to come in and say I'm going to create a new thing.
So yeah, we're talking about verifying identities and somebody else will come in and say well yeah, that thing is verified that it is his this new thing and it's going to be called something else and people will be like, oh that's its own thing. When it's not, it may just be the same thing in different color clothing, but, you know, you you get enough mindshare and all of a sudden, it becomes a self-fulfilling prophecy seeing this.
And again, I'm not in any way shape, or form trying to denigrate that, it's just the reality of the space. We live in, which is as things evolve people look for ways to stand out and differentiate. It's just the nature of being in product, and business and analysts.
worlds, right? Analysts want to also come up with new say that we look we understood and this is a new thing that is emerging because you need that you need to pay attention to. So there's these, there's forces at work that happen in this context that aren't really driven by, again, like I said, not everything is linear, things just happen. Sometimes you can only get these hot takes on the Identity at the Center podcast. Exactly, it's all marketing for sure.
That, you know, someone there are taste makers that are in the space, right? The big analyst firms, and they come up with these things to call similar products, and it's whether it's IGA or privileged access management or identity threat detection and response or zero trust, the concepts that make those things up are not new. It's just a repackaged, maybe it's better refined message, maybe it is a collection of additional tools.
That maybe weren't quite a long as they were maybe two or three years ago, but a lot of stuff does, I feel like it does come down to marketing, and yeah, it's, you know, it's how do you get that in front of the potential buyer? Well, you got to have something that's snazzy, new. You can't go off and, to your point, Nishant, say well, we have a whole bunch of features, right? I think that's, I think that's sort of Windows thinking in the early 90s versus Apple and telling a message and telling a
story. You wanted an iPhone. You didn't need an iPhone, and I think that was part of the message, and I think that's where we saw some of those up-and-comers kind of hit at the right time and say okay, well, we've got this kind of legacy to. He myth this web thing seems interesting. Maybe there's something there.
I don't know, right. And you know, they rode that wave and you know they've been very successful with it, and there will be another thing that comes along that maybe is another killer app in the identity space, kind of circle back for four. But I think that's, you know, it's like it's almost like a, you know, WebAuthn. No one's going to really know what WebAuthn is. What they're going to know is, oh, passkeys.
I heard that from Apple, Windows, Google, and sort of having this marketing term associated with a very technical term that the FIDO Alliance came up with to kind of call it. This multi thing which makes a lot of sense to identity nerds like us. You know, no one else is going to know what though, they're gonna know what has passkeys, and that's, and I think that's good to some
degree. But when we have this nebulous language, We have, you know, loose interpretations of what, some of these things mean, that's where we get into trouble. And that's, that's generally, writing could get concerned, I see things, you know, everything is zero trust. Now, you know, there's a zero trust IGA, what does that even mean, right? Like, it's just your writing marketing at that point because you're hoping for, I don't know. SEO.
Search engine optimization, more hits in your website. I don't know what it is, but it's a component of it, but to say that you are the zero trust solution doesn't make any sense in that context. Listen, there's a lot of money that gets raised, a lot of sales that get made, there's a lot of, you know, sales that get closed, doors that get opened, when you have the right buzzwords. It's just the reality of the world. I'm not going to get better about that. It's true.
Like like we do with perception. We deal with. We're dealing with humanity and people, as you said they want stories and thus, it sounds a lot better to spend money on something. When somebody's telling you, it's a product not a feature and then you're willing to spend that kind of money on it. He's already a real things and, you know, it unlocks things as well, right? I thought, I think there's a lot of things that would never have
advanced. If they had stayed in the feature space, they needed to come out of that, right? So we can agree to disagree on specific examples. But in general, I try not to be a stickler for terminology or things like that, except when it causes breakdown in communication, which happens fairly often in our space as well. But I tried not to be a stickler for communication for terminology because I try to say, okay, what is it? You really want. Tell me exactly. See what you're looking for.
Tell me your use case, explain to me what you're trying to figure out, and let's figure out what you need for that. Yeah, I need help with IAM. Okay, what part of IAM? All right, let's say we've gone a little bit long, but I want to end with something on a lighter note. Something stupid, your Ledger than that better than that, for sure. All right, here's what I've come up with for this week, and Nishant, I'll start with you and then go to Jim. Nishant,
If you could replace all the grass in the With something else. What would you replace it with? No more grass. You can replace it with any other type of surface that you would like hypoallergenic grass. That doesn't require water tank. So I want like AstroTurf basically something like no but it should ask Jeff is not grass that come on but you know if you don't have hypoallergenic dogs, right? So it's like why can't you bring create a great grass? That's hypoallergenic.
I don't know. It feels like it's something that should be able to be done and never has any hot. Never gets weeds. Just all looking. Now, you're making it a certified. Oh no, no, it needs. It should, it should grow. It should be allowed to go wild, you know. So it's funny, right? Astroturfing you don't we talk about because some talked about football and I keep thinking about this like natural is good because I don't want to lose the
natural. I don't, you know, this is a describe your topic for a whole other discussion about metaverse and stuff like that. But I don't want to lose the connection and with reality and the real world and Right. So you know it's it's I hate I don't I don't like when grass causes me to, you know, have allergy reactions to it and everything but I'd like the fact that there is natural grass all over the place. That is something that has existed for a long time. It was probably a better Jim.
What would you replace grass with? So have you ever heard of kudzu? It sounds familiar. Refresh my memory. So you're in North Carolina now so the idea with Kudzu was that it was this plant that could be grown and takes very little resources and it just goes crazy and it could be harvested and turned into fuel. So anyway the problem was it became an invasive species and went absolutely Bonkers and like it's not a good idea.
So, I think that the whole question You know, we could come up with an answer and say, you know, I'd rather have this plan that might cause other Downstream problems. So, I'm just putting that out there. I definitely wouldn't use Kudzu as a replacement for grass. What I was going to say is candy, you know, this is, this is like we, we really can't do. This isn't like a question based in reality. Why should my answer be based in
reality? God, I took like so, what candy You know, I meant like the mood for something like very sugary and so I'm thinking smart, he's just like Laura Smarties, that would grow and you can just pick them off and eat them whenever you want. Okay? So that's so then, at some point in Jim's World, someone will have to go out and buy. I got to go get some nor Smarties boots, it's very deep with smart, he's outside. Gotta get the smarties shovel right, stuff like that.
It's just like you. Fling on somebody, they open their mouth and just try and catch. Catch them in their mouth. Yeah, exactly. Why not a side of insulin for everybody as well? The go on with that. Yeah, we're live again. In this in this fantasy world where we're basically. It's Candy Land living in Candy Land and no one needs known as diabetic and Kendall and I like it, that sounds like, that
sounds like a very happy world. I'm going to go high fantasy and just not even thinking of very, very I didn't think a very very through, or thoroughly Solar panels being able to capture that much energy and have it be able to turn back into something back into the grid. I think would be super cool, I think would be very hot, a lot of services, and we would be walking on glass quite a bit or maybe, you know, thin layers of plastic or whatever. Maybe but yeah.
And in my world, we don't pay for energy. It just, it just happens. Yeah, you know in like it in colleges, usually they have signs like "Stay off the grass," right? Like, stay on the sidewalk. If you put solar panels there, you wouldn't have to put the signs up anymore. You save so much money in signs. Well, they'd be blocking, uh, you know, the energy production be like, stay off the solar panel.
Yeah. Well, in my college dorm we had a sign that said, "Keep off the grass," because we thought it was funny that, you know, grass is also like the 70s era term for something else. Yeah, I yes, we know what you're referring to. We'll call him Jim "Get Off My Lawn" McDonald at this point. There you go. All right, let's go ahead.
We've successfully gotten super, super dumb with it here in the last couple minutes, but this shot really appreciate your time and joining us for this week so far. It seems like the Courtyard Marriott Wi-Fi gods have held with us. So hopefully this turns out to be a good recording. I'm sure it was conversation was excellent. Anything you want to wrap up with Michelle before we let you go?
And no, I think it was an interesting conversation, that kind of reflects the vastness, broadness and nebulousness of what we do. So I think I will sort of end with saying, hey everybody, go sign up for IDPro. Good one, I like that one. But come on, I deep remember, bring these conversations into the Slack channel. We need more of these. The Slack channel was definitely worth the money. All three of us are IDPro members, the Slack channel, I am, I'm more of a worker there.
But I can go there and post something with a couple times I have. And I get like an answer back in like 30 minutes. It's crazy. So totally worth it just for that. Yeah, Jim, how about yourself? Final thoughts for this week? I can't top with new Chandra said, but you know, definitely open to networking. Please connect with me on LinkedIn, connect to all of us on LinkedIn. And yeah, I hope to have a chance to, you know, connect with so many people as possible.
It really helped when we were at the Gartner conference because with the show and kind of all the new connections that we've made, I got to kind of meet so many folks in person, it was really great. I really feel like we're kind of building community with the podcast. Yeah, it is very cool, very happy with being able to even do like that show that we did with, you know, listeners that we hadn't met before.
I was like, hey, let's you know, let's sit down and just talk identity and we turn it into I think I can our episode and we had a good old time doing it. So yeah, that's, that's the kind of stuff that we're into and definitely will have links to all of our LinkedIns the shots, Jim's, myself and show notes have a link to Yuna Kim's. You can check out what in shots been working on as well as don't forget to support Jim with his webinar later this week and hopefully we'll see people that
sonicate maybe at Oktane and we're on the web, idacpodcast.com, we're at Twitter idacpodcast and we're enough with all that. That promotion. Will it ever let everyone go and call it for this week? Thanks everyone for listening and we'll talk with you all in the next one. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
