jsetsaas jonolnessignicat

www.signicat.com

The Trusted DigitalIdentity Company

What is the future of eID?Jon Ølnes

ID-porten Workshop, Oslo, 10.09.2019

V 1.1

jsetsaas jonolnessignicat

Please note that this presentation is for information purposes only, and that

Signicat has no obligation to pursue any course of business outlined in this

presentation or to develop or release any functionality mentioned in this

presentation.

The future strategy and possible future developments by Signicat are subject to

change and may be changed by Signicat at any time for any reason without

notice.

This document is provided without a warranty of any kind, either express or

implied, including but not limited to, the implied warranties of merchantability,

fitness for a particular purpose, or non-infringement. Signicat assumes no

responsibility for errors or omissions in this document.

Disclaimer

jsetsaas jonolnessignicat

Established2007

#Customers> 600

Revenue 240 MNOK

Prognosis 2019

#EmployeesCa. 150

SLAUp to 99.9%

Y2Y growth40%

Presence2006 - Norway 2008 - Sweden2011 - Denmark2013 - Finland2015 - The Netherlands2015 - Portugal2016 - UK2018 – Germany2019 – Belgium

Certifications

Signicat at a glance

#Transactions180M/year

In 2018

QTSP (eIDAS)For timestamping

jsetsaas jonolnessignicat

Peter Steiner - 1993

“On the Internet, nobody knows you’re a dog”

jsetsaas jonolnessignicat

Dave Birch - 2018

“On the Internet, no-one knowsyou’re a Russian bot that’s hacked a fridge

and is pretending to be a dog”

jsetsaas jonolnessignicat

Dave Birch - 2018

“On the Internet, no-one knows you’re a Russian-hacked fridge pretending to be a

Swedish bot pretending to be a Fox News dog”

jsetsaas jonolnessignicat

Steve Wilson

We hardly ever need to know "who people are" online (or in real life for that matter); we just

need to know certain specifics about them

John Erik Setsaas

… but it must be possible to reveal the identity in case they violate T&C or perform illegal actions

jsetsaas jonolnessignicat

What is digital identity?

jsetsaas jonolnessignicat

Your identity – everything about you

Identity may be the way you

perceive yourself

But in this context how you

are perceived by others and

perceived «by society»

Digital

Photos

etc.

Paper

In the minds

of others,

oral

Lies & rumours

Truths

What you publish about yourself

What others publish about you

Public registers

Health information

Identification• name

• age

• address

• national ID number

• much more...

Newsfeeds and social media

Your digital double – digital identity

And much more...

Personas–different aspects of your double

The tax-payer

The traveller

The banker

The patient

The shopper

The professional

The dater

... and

many more

jsetsaas jonolnessignicat

What is electronic proof of identity – eID?

eID, digital way of proving your identity

Digital counterpart to a

physical identity method

Trust that the person is who they claim to be

jsetsaas jonolnessignicat

The link between you and a persona

The tax-

payer

The passport

and ID card

The bank

customerThe online

service customer

Public eID, issued

or accepted by

government

Biometrics

Or service

specific eID Social

media

jsetsaas jonolnessignicat

Reusable, national eID

Potential downsides

• Monopoly, closed business models

• No cross-border solution

• Privacy, tracking of use

• No targeted eID – same information to all

Service providers

One eID to integrate

Society

Well-known, reliable eID

Consumers

One eID for most purposes

The Nordics is in the lead

jsetsaas jonolnessignicat

Identity proofing for eID

Registry lookup

People Org

Existing eID

Physical meetingOptical scanningand selfie

Proof of address

Possession ofphone

Virtual meeting

Chip in documentand biometrics

Possession ofe-mail

My eID

Combine as needed

jsetsaas jonolnessignicat

eID for all

Leave no-one behind

jsetsaas jonolnessignicat

Nationally

Not everybody has a bank account

Or even a national ID number

Government responsibility to ensure

everybody is included?

jsetsaas jonolnessignicat

Globally – eID for all

About 1 billion people do not have an official proof of identity

May not obtain banking services, health care, education, voting....

Sierra Leone: Biometrics and

blockchain mean just a

thumbprint can open a bank

account

Kenya: Building refugee

IDs with blockchain

UNICEF urges methodical and

wholistic approach in Africa’s race

for digital identity

African Union to Consider Good

Digital Identity Principles at Summit

India: World’s largest

biometric ID system

jsetsaas jonolnessignicat

Authentication

How to show that you are you

jsetsaas jonolnessignicat

- Username and password

- Main challenge: the user⁃ …forgets

⁃ …writes them down

⁃ …uses the same password for different sites

⁃ …shares password

⁃ …uses “common” passwords

Knowledge based authentication

Does not work well

jsetsaas jonolnessignicat

What about biometrics?

- Can be made very secure

- Easy for user, nothing to remember

- Requires a trusted environment

⁃ Fresh measurement from a trusted sensor

⁃ Never assume biometric info to be secret

⁃ Must protect against copy and replay attacks

jsetsaas jonolnessignicat

Biometrics on mobile devices

A dozen different mechanisms

Physiological biometrics

Behavioral biometrics

Are mobile devices trusted environments?

jsetsaas jonolnessignicat

What we really need

- A personal device bound to you as an individual

⁃ That can do crypto processing (which humans cannot)

⁃ That represents you

⁃ That does not put extra stress on the user

jsetsaas jonolnessignicat

Crypto and binding to identity information

Different personas

Targeted identity

jsetsaas jonolnessignicat

The device “knows” that it’s in your possession

John VikingNot John Viking

jsetsaas jonolnessignicat

Example Apple Pay with watch

No need for PIN

jsetsaas jonolnessignicat

Vision for the future of authentication

We are all creatures of habit

jsetsaas jonolnessignicat

Trust score Profile

Trust score

MachineLearning

Fraud

patterns

jsetsaas jonolnessignicat

Authenticate

Transact

Yes

No

Trust score

Risk OK?

Transaction

value

Determine risk

jsetsaas jonolnessignicat

Self managed identities

SSISelf-Sovereign Identity

I am in control of my identity data

I decide what to share with whom

Concept

Data is in my owndata store

I’m the only one with the access-key

SSISelf-Sovereign Identity?

We forget

We lose things

We do not take backups

We are careless

1/3 of all bitcoins (43 BUSD) are lost,

by “trained professionals”

Are people reliable?

jsetsaas jonolnessignicat

People do not even understand passwords

⁃ forgets

⁃ writes them down

⁃ uses the same password for different sites

⁃ shares password

⁃ uses “common” passwords

We cannot give them even more responsibility

People want somebody to call

when they have a problem

jsetsaas jonolnessignicat

-What?

⁃ Manages my digital identity on my behalf

⁃ … while I am in control

-Why?

⁃ Liability

⁃ Somebody to call when I have a problem

⁃ Risk monitoring

⁃ Ensure SLA

Identity custodian – user perspective

- I can choose which to use

- I can move when I want

- I can be my own

⁃ However, I would have to call

myself if I have problems

jsetsaas jonolnessignicat

- Business model

⁃ Trust service

⁃ Banks are under pressure

⁃ User interaction

⁃ People pay for insurance

⁃ Service providers will pay for

validated information

Identity custodian – Business perspective

-Who do you trust (Nordics)?

signic.at/btob3

Signicat research: The battle to On-Board III

Source:

jsetsaas jonolnessignicat

Summary

jsetsaas jonolnessignicat

Vision for the future

- Biometrics & personal devices⁃ Non-intrusive authentication

- Combination of “national” eIDs and targeted eIDs

- Identity custodian⁃ Covering my back (recovery, revocation and next of kin)

- I decide what to share with whom (personas)

jsetsaas jonolnessignicat

www.signicat.com

John Erik Setsaas

VP of identity and innovation

john.erik.setsaas@signicat.com

jsetsaas

Jon Ølnes

Product Manager Nordics

jon.olnes@signicat.com

jonolnes