We have evolved to three identity models. A colleague of mine in a complex IT project, along time ago, stated “We have three options, one of them must be right”. Fortunately he was right – I hope the same holds for Identity.

The Problem

Let’s just remind ourselves that Identity is a problem due to poor solutions and a lack of solutions:

1. Accessing online services is a painful Multi-Factor Authentication (MFA) hell.

2. Account opening requires the use of complex and time-consuming Identity Verification solutions (i.e. Anti-Money Laundering, Countering the Financing of Terrorism solutions).

3. Simple legal approval processes (e.g. approve a bank signatory for a charitable trust) face the same requirements.

4. Fraudulent scams exist as there are limited ways to authenticate an organization.

5. A lack of age assurance causes social harm (social media, alcohol sales, adult content, and gambling).

And Reusable Digital Identity (RDI) could solve them all. While we have Digital Identity (all those servers with all that data on you), we struggle to re-use it and often we fall back on physical documents. So what are we doing about it?

Three National RDI Models

As the great Identity evolution rolls on, there are three promoted national RDI models:

1. Networked Identity

2. Decentralized Identity

3. Credential Identity

Networked Identity

In this model, identity data is held in central registries and is made available through networks.

Networked Identity is operational to varying degrees for 50% of the planet’s population. The major players are in Asia with Aadhaar in India and the Chinese solution. Other high-profile solutions exist in Scandinavia and Estonia.

This model has emerged in countries with strong personal national identity number structures because Networked Identity is just easier if everyone has a number. But, that does not mean Networked Identity is impossible in countries without personal national identity numbers (my approach, General Identity Protocol, solves that problem).

Note that governments all over the world provide access to government services through a networked model, but they do not necessarily extend this to be an RDI which is more a quantum leap over simply offering your own services online.

Networked Identity, by volume the most successful model, is evolving incrementally. India is a useful example – Aadhaar, an amazing accomplishment that registered a population including biometric data, is beginning to develop services based on the established data.

A common and completely erroneous criticism of Networked Identity is the ‘conspiracy theory’ that Networked Identity must result in population surveillance and some sort of dystopian society in which all personal freedoms are lost. Yes, China controls its population, data breaches occur, and social media giants misuse information. But India is a wonderful example of a country that effectively guards against such abuses, governments rarely, if ever, lose their population’s data, and data misuse has been minimized through privacy laws.

Central registries are a core component of tax systems that finance countries, welfare systems that provide pensions, education systems that record qualifications, and health systems that monitor people’s well-being over time. These are necessary and useful tools for a functioning society that wishes to avoid anarchy. Lambasting them as the cause of all societal problems is just silly.

Networked Identity is established and working – the questions are how far can it go functionally and will it extend to other jurisdictions?

Decentralized Identity

Decentralized Identity is both an ideological movement and a technology model. Ideologically, Decentralized Identity means putting power into the hands of the individual rather than relying on the state or commercial entities. This is the Self-Sovereign Identity (SSI) approach in which every individual, presumably, is their own sovereign. While the name itself begs the question ‘who wants to be the sovereign in a land of a single individual?’, the movement has attracted support for 20 years at least. The Internet Identity Workshop formed in 2005 is a leading player, as is W3C, and the Sovrin Foundation.

The movement had a lot of impetus at the time when blockchain solutions were emerging, and utilizes cryptography to support the decentralized model. Initially DIDs, or Decentralized IDs, were the answer but were overtaken somewhat by Credential Identity (see below).

Now Decentralized Identity seems to be having a sort of revival. The State of Utah has legislated State-Endorsed Digital Identity described in this overview from 17 October 2025:

“This reflects the founding idea of the United States, that all just powers of government derive from the consent of the governed. SEDI recognizes it is the role of the state to act as a trusted endorser, verifying an individual’s asserted identity and then issuing an endorsed credential mathematically bound to a digital identifier that the individual alone controls.”

That is, government powers derive from the consent of the people, so the state should cryptographically sign an individual’s identity data. The leap from the basis of government to a technical solution is quite something, but is not uncommon in Decentralized Identity.

Whether SEDI is truly decentralized will become apparent in the future, but it certainly looks like quite a different approach from Credential Identity considered below.

Credential Identity

I call this movement Credential Identity for brevity as it could be more correctly called Verifiable Credentials / Digital Wallet Identity. The major movement is the EU that embarked on its EU Digital Identity Wallet (EUDIW) project in 2021 with large scale pilots rolling out from 2023 onwards. Now this approach is being followed in many countries, including New Zealand where I live.

Credential Identity focuses on, well, Credentials. Credentials are both verified and verifiable. That is, some reliable party signs cryptographically and other parties can then verify the signature.

Even though on hugely different scales, the EU and New Zealand are following similar paths of building the infrastructure to issue credentials and store them in a smartphone wallet in the hope that, in the future, parties will develop solutions to utilize these stored credentials.

The challenge for Credential Identity are manifold (see my previous newsletter Seven Challenges for Credential Identity). One of these challenges is how to authenticate a person. I have asked leading proponents of Credential Identity this question, and they either recognize the issue or suggest that it is all being designed. As I have previously written, there is a distinct possibility that authentication will not make it into the solution which will devolve in Distributed Digital Documents (DDD). And DDD is not RDI (I promise).

Summary

So there it is, after twenty years a big problem and three options!

Personally, as per my previous newsletter, Identity Starts with People, I think that people want utility, people trust governments, and that therefore we should deliver identity through Networked Identity. It seems the only pragmatic solution given that we have centralized personal digital identity data which we can re-use.

Instead we pursue a immensely complex and probably unimplementable Credential Identity or an ideological-based Decentralized Identity that is simply a theoretical pipe dream.

But the tech world wants to play, so the story will go on!

regards

Alan

Identity starts with people. People are what it is all about. People’s views, wants, and expectations should be the starting point for Identity.

Too often, people are deliberately misrepresented by ideologically and commercially-driven technology interests for their own gain. This needs to stop.

Here are my four people propositions based upon:

• my understanding of the current identity world and

• my reasoning for the conclusions I make.

I invite you to invoke your own understanding and reasoning as you read these propositions.

People Trust Government and Organizations

So much of Identity development is influenced by the bizarre notion that people do not trust governments and organizations. Of course, people do not always like or agree with these bodies, but the big question is how people perceive of their trustworthiness. And they TRUST them!

I base my proposition on our current reality. Today, people trust governments to keep track of citizens. Today, people trust banks with their identities and their money. Today, people trust organizations with personal information. Today, people empower organizations to act on their behalf financially.

Today, that is what people do. We do not see street marches protesting against government managed identity. We do see most people engaging with identity services provided by governments and organizations.

We do not live in a world of distrust of governments and organizations. People have trusted these bodies for a long time and there is no indication that this is about to change, no matter how many misleading and inflammatory surveys are done.

Don’t believe me? Ask yourself.

People Expect Governments and Organizations to Maintain Our Identities

Yes, that’s right. People do not want to be responsible for maintaining their own Personal Identity Information (PII) – they EXPECT governments and organizations to do that for them!

This PII is held centrally in large IT systems and locally as physical documents issued to individuals (passports, drivers licenses, university degrees etc). For an individual, being responsible for the security of these physical documents is neither a rewarding nor edifying experience. The perceived value of the documents means that storing them and carrying them involves some risk we would be better off without.

So, the idea that we now go to the next step and ask the public to manage the original copies of their PII, the source of truth, is ludicrous.

We know that is what governments and organizations are there for! That is what they are good at. Ok, I feel the ‘but the data breaches’ brigade reaching for the reply key, but such breaches are extremely rare for governments, are not as prevalent as reported for organizations, often involve information that was publicly available, and the situation is improving as one should expect.

We know PII is important and we expect others to maintain it on our behalf. Is that your experience?

People Want Utility

That’s right, UTILITY is what people want – functionality that is easy to use and achieves its purpose. For example, the ‘identity hell’ called Multi-Factor Authentication (MFA) wears people down. It is frustrating. People want a better way. The lack of age assurance is problematic. People do not like what is happening to young people because we lack online age checking. People are scared of being defrauded of their life savings – they want a solution that authenticates those claiming to represent organizations.

These are all examples of utility and are what I want, and I expect that others do as well. It seems relatively straightforward, but the accepted view of what people want is skewed by biased surveys. Asking an individual if the security of their identity information is important will elicit a positive answer. Ask them if they want to be in control, and they will answer yes. Asking people about the integrity of big business is likely to evoke negative responses. But this doesn’t mean that people want self-sovereignty. That extrapolation is just dumb (who would really like to be the monarch of a realm of one person?)

In the end, we just want it to work! Do you?

People Will Expect Perfection From Identity Solutions

It needs to work PERFECTLY, that is 100%. As the world moves to forms of Digital Identity re-use, will 99% be ok?

Payments and Identity are two very similar processes and the public judges them in a similar manner. How would you feel if payments were correct 99% of the time and 1% of the time you were charged the wrong amount?

For Identity, think about age assurance. Imagine if your 13-year-old beat the age check for buying alcohol only 5% of the time. It is only about one weekend every six months. Happy with that?

How about on-line fraud? What if only 0.1% of people looking to invest are fraudulently robbed of their life savings annually? It is probably only 0.1% of the population trying to invest, so in NZ this is only 0.1% of 5,000 or only 5 people per year! Is that acceptable?

Would you accept 99%?

Summary

Identity is about people, and it should be driven by people:

1. people trust governments and organizations with their identity

2. people expect governments and organizations to manage their identity

3. people want utility

4. people expect solutions to be 100%

There are no technology imperatives in any of these propositions - technology flows from what people want from Identity.

What do you think?

Addendum - Fallacies

To highlight these propositions, here are some fallacies:

1. people don’t trust organizations so we must develop other solutions

2. governments are untrustworthy so we must remake the Identity world

3. people want full responsibility over their identity data

4. small steps in Identity will be fine, just make it a little bit better

Are these just some shame justifications to the right-handside in the graphic immediately above?

What do you think??

The Bottom Line

Identity development should be based on people and on our current Identity context.

Do you agree?

Regards

Alan

Whoa – where did that idea come from?

Identity discussions revolve around competing designs, especially Centralization vs Decentralization. But it is Centralized and will aways be so!

Yikes – is this Identity’s The Truman Show moment?

Dang.

Read on.

Identity is Centralized – now and forever

Yes, you betcha it is.

By centralized, I mean that an individual’s Personal Identity Information (PII) is held in central databases by central government departments, local government, corporations, companies, societies, and other organizations. The Identity source of truth is the PII in central databases – we are given physical copies of that PII to use in the form of passports, birth certificates, drivers’ licences and the like.

And I clearly do NOT mean that there is one big brother database. Don’t throw that one at me.

I mean the customer databases that we have today, now, currently everywhere.

This is fairly mundane so far, nothing controversial here, but wait for it…

Identity will remain centralized – no radical change

Really and truly. No kidding here, serious stuff. Why? Because:

• People trust organizations with their PII (don’t get off your horse yet - I’ll cover this sacred cow in my next newsletter).

• Organizations need PII to operate.

• People expect organizations to use their PII effectively to provide services.

• And the big secret here is that organizations do that job quite well.

• People expect organizations to respect their privacy and abide by privacy laws and, as we all know, they mostly try to and mostly do.

• Protecting PII is getting better, and organisations holding high-level assurance PII data are very good at it (e.g. central

Sure, we have short-term operational problems (i.e. 10 years of increasing friction over 50 years of Digital Identity) but the fundamental design of Centralized Identity is working, it’s been here for a long time, and it’s not going to change.

I don’t care how much the anti-establishment ideologues tell me that the mythical centrists are fundamentally flawed bad people, I don’t believe the techno boffins have a wonderful solution that will make decades of worldwide infrastructure irrelevant, I don’t think that the blockchain will revolutionize Identity, hackathons will not be drivers of long-term Identity development, and ideology will not triumph over the currently installed Identity base and economics.

We have Centralized Identity and we will continue to use it as a basic building block of our society. Decentralized Identity will not replace Centralized Identity

The question is how to extend and utilise current infrastructure to provide effective Centralized Identity re-use.

So the question is centralized digital identity reuse

And this means, of course, how to get a piece of PII from one centralized data source to another (i.e. Identity Provider to Relying Party).

Do you know what I mean? The question is NOT how to build a new Identity system! The question is how to build a structures that allow current Identity databases to be reused by sharing data.

And we know that is not easy as we are still relying on physical documents. I’ve written a lot on this, but now I frame the question differently as ‘finding the best way to enable the re-use of Centralized Digital Identity’.

See the difference? This is not a question of building something completely standalone and new. It is how to extend what we have.

And there is an easy way and there is a hard way

1. Networked Identity – extend current networking technologies to cater for the complexities of Identity and base this on lessons from operating solutions in Estonia and Scandinavia.

2. Decentralized Identity – create billions of PII copies housed in apps on countless varieties of personal digital devices, that are fully secure, supported by multiple asynchronous processes and evolving crypto-based technologies, with additional techniques to ensure credentials are up-to-date, and with subsystems to verify organizations etc.

Think about the size and complexity.

How much should you need to build to move some PII from here to there!

Alan

An Admission

I originally wrote this newsletter about what I termed, at the time, Decentralized Identity. Developments since September 2025 show we have three different architectural models and this newsletter better pertains Credential Identity hence the revision. See my later newsletter for an in-depth discussion of the three models.

Credential Identity

Credential Identity is what the EU is promoting through the EU Digital Identity Wallet project. Others will call this the Verifiable Credentials / Digital Wallet Identity model or similar.

For brevity and as the central component of the model is the Verifiable Credential, I call this movement Credential Identity.

Challenge 1: A Verified Identity

Centralized systems sit on national infrastructures, good quality identity profiles, and long-standing processes. Credential Identity has no verified people so they must be imported. You could run Identity Verification (e.g. KYC/AML), but the question remains: was it good enough? Or, you could import profiles from a centralized system. And will wallets all behave differently.

For Credential Identity to flourish, it will need to determine where identities originate from and will need to enforce common standards across all wallet providers.

Challenge 2: A Secure Platform

Identity wallets will be targets. A smartphone is a personal digital device. It is not like a government server with firewalls and teams of security experts to protect it. A smartphone in the hands of the bad guys is all alone and vulnerable.

People I have talked to, who are working closely on the issue in Europe, do not rule out a hardware solution: 5,000,000 hardware devices for New Zealand, please! Obviously this is unlikely, but Credential needs to describe how a secure platform can be implemented (we are waiting!).

Challenge 3: Ability to Authenticate

Let’s assume that we have the person embedded safely in a smartphone. We need to authenticate them before letting them receive and distribute their credentials. Centralization is not a model solution here either—primarily because it’s not easy.

But authentication is still inherently challenging and Credential Identity needs to converge on a consistent and secure authentication approach. Surely we cannot put up with Multi-Factor Authentication hell?

Challenge 4: Ability to Load Credentials

Just a bit of data transfer? Not quite. Whenever Personally Identifiable Information (PII) is augmented, there should be a check that the new PII is for the same identity. That is what we expect centralized systems to do, and clearly Credential Identity will need a method for doing so.

Given that the credential is likely to be a verifiable credential, which field(s) will be used to match against the identity stored on the smartphone? This may have been settled in some designs, but we have yet to see a complete design; hence I keep asking these questions.

Note also that if there is one credential that identifies a person, will that become a default national identifier?

Challenge 5: Distributing Credentials to Relying Parties

Who are they, these relying parties? For Credential Identity, those other relying parties may appear as an app on a smartphone—how can the app, and thus the organization, be authenticated? Currently we lack the ability to verify organizations and so Credential Identity will need to be the first to solve the problem. Credential Identity aims to avoid ‘big brother’ solutions, so a central register should be out of scope? So how will they do it? And then, of course, a method is required to exchange credentials but that should be something can be resolved with the use of good standards.

Challenge 6: Keeping it Up-To-Date

The best use case to think about is drivers’ licenses. If we put a copy in a Digital Wallet, how do we know it is up-to-date? If a license is revoked, clearly this must be reflected when the credential is shared. I remember the bad old days in banking with ‘hot card files’ and similar technologies. It was purgatory!

Of course, there is always the possibility of online checks but if a many-to-many network is to be envisaged, there will be issues of contention etc. When suddenly everyone relies on everyone, there is significant risk that we all look rather embarrassed. Maybe implement a switched network, but isn’t that what Credential Identity wants to avoid?

Challenge 7: Recovery

Smartphones are lost regularly - a recovery process is essential. The more credentials that Decentralized supports, the harder recovery will become. Think of rebuilding a wallet with credentials from 5-10 sources! Perhaps we could have a central recovery service, but again isn’t that exactly what Credential Identity aims to avoid?

Summary

Credential Identity aims to replicate or replace centralized identity.

But Credential Identity is a complex solution with many moving parts. This complexity and numeracy creates many challenges.

To commit to Credential Identity, we need to see a plan to solve the seven challenges above (and probably a few more as well). Such a plan must include functional design, systems topography, systems architecture, and development feasibility.

Without a plan, we risk everything.

Regards

Alan

With New Zealand’s premier identity conference, 2025 Digital Trust Hui Taumata, happening within 2 weeks, I thought it would be useful to report the plummet of Decentralized Identity down to Distributed Digital Documents. To put this plummet into perspective, I have written a report card for Identity for the last 50 years. Identity only gets a C-, and my analysis that follows describes this major contraction reusable Identity to digital documents.

Lifetime Achievements: C-

In the last 50 years Identity achievements are:

1. Paper-based identity records have been replaced with centralized digital identity databases.

2. Physical identity documents are created from these databases for in-person identity.

3. On-line identity started on the Internet with username/password and evolved to Multi-Factor Authentication (MFA).

4. Federated Identity emerged a) to support integrated online government services, b) in the corporate arena as the Identity and Access Management (IAM) industry, and c) as a method of leveraging the large identity databases maintained by social media and big tech

5. Identity Verification, based on physical identity documents, was developed by the Know Your Customer (KYC) industry, a response to Anti-Money Laundering / Countering the Financing of Terrorism legislation (AML/CFT).

What has not been achieved is:

1. Secure in-person Identity (e.g. a secure Covid passport)

2. Secure and easy to use on-line Identity

3. On-telephone Identity

4. Low-cost solutions

5. Age Assurance to protect youth from social media, adult content, gambling, and alcohol sales

6. On-line authentication to protect individual from fraudulent financial scams.

Identity development has been haphazard in the last 50 years – it has lacked an overall design and any consolidated direction. We still use physical documents. On-line Identity is a mess. The social harm due to a lack of Age Assurance is not imaginary – it is happening right now, and solutions are limited. Simply put, we lack the reusable digital identity that everyone desires (except the incumbent KYC industry which would be marginalized if there was reusable digital identity).

The outliers to all this are the national Identity solutions of Scandinavia and Estonia. With the advantage of compulsory personal numbers, these countries have developed common second factors of authentication (2FA) solutions and the sharing of basic government data. While not reusable identity, these solutions are highly effective and meet many of the identity needs of their societies.

But overall, Identity’s grade is C- at best. So, what is Identity doing to solve it?

Current Activities

Simplifying in the extreme, I see the major courses being pursued now as Decentralization, Distributed Digital Documents (DDD), Probabilistic Models, and Legislation.

Decentralization

I have written many newsletters on the challenges for Decentralization: securing data on personal digital devices, establishing initial verified identities on these same devices, exchanging credentials in multiple environments, recovery processes for lost devices etc. These many challenges are probably why, 20 years after the Internet Identity workshop started promoting Decentralization, there is no implementation of decentralized reusable Identity. We have had a series of technologies including DIDs, Digital Wallets, and Verifiable Credentials but no decentralized ecosystem design. We have technologies, but no functional solution. Decentralization has not delivered reusable Digital Identity.

Distributed Digital Documents (DDD)

What is coming to fruition is Distributed Digital Documents, this being Verifiable Credentials stored in Digital Wallets. Essentially this replicates physical identity documents in physical wallets but with better verifiability of the documents. MATTR’s recent announcement, that it had been selected to provide a credential SDK for the New Zealand’s government’s app, highlights the utility of this solution: “It marks a major step toward Kiwis being able to carry trusted digital versions of their credentials (like driver’s licences) in their own digital wallets”.

But note that there is no mention of reusable Digital Identity. Because Decentralization is so complex we have descended to a lesser deliverable – DDD (maybe we can call this triple D). And note that the descent is huge, from an ecosystem to a digital copy, hence the use of the word ‘plummet’.

Probabilistic Models

Due to both the need for Age Assurance and the weaknesses in current Identity solutions, Age Estimation and Age Inference have emerged. Both are based on probability – that people who look and move like this are normally a certain age and people who have a certain digital footprint are normally a certain age. But, of course, they have inherent error rates, and you do not know when an error occurs. While these techniques may have applicability for statistical analysis of behaviour, they are unlikely to be the answer for high assurance Identity.

Legislation

We have legislation that:

1. proscribes KYC processes creating Identity Verification

2. establishes national trust frameworks but without any tangible results

3. establishes customer data rights but without any delivery to date

4. proscribes an EU Digital Identity Wallet that has given rise to a pilot industry

5. regulates age assurance resulting in rushed low-quality solutions (e.g. UK) or the shutting down of services (e.g. adult entertainment in some US states).

Legislation is clearly important to a society, but it has yet to deliver a Digital Identity ecosystem and is unlikely to do so. Why not? Because it is there to regulate what society produces, not to dictate what society produces.

The Plummet

50 years of below-average performance has left us with physical identity documents, on-line federated identity, and an incumbent KYC industry. We have no reuseable Digital Identity ecosystem.

In the last 10 years, Identity has disappeared down a series of ideological and technology rabbit holes. Decentralization, driven by an ideological distrust of central control and fuelled by a cryptographic industry, has failed to deliver and has plummeted to Distributed Digital Documents.

Side bets, probabilistic identity and legislating solutions into existence, have not and will not work.

After 50 years, we can now put a digital version of an Identity Document onto a smartphone. That’s right— what we digitized 50 years ago can now be put on a smartphone. Gee whiz.

The dream of a Digital Identity ecosystem is yet to be realized.

Alan Mayo

Age Assurance is the big Digital Identity issue right now. The Australian Government has legislated that Age Assurance for social media must be in place by December 2025 and are running an Age Assurance Technology Trial. In New Zealand a members bill may also legislate Age Assurance. The French President Macron is demanding social media controls for those under 16, and the US Supreme Court has supported state age-based restrictions on access to pornography in Free Speech Coalition, Inc. v. Paxton. By any measure, Age Assurance is the hot topic in Identity.

So we have demand – do we have a solution?

Hardly. We have underestimated the national importance of this opportunity and we lack understanding of the challenging context? Because of this we do not ask the correct questions. In this newsletter I describe why Age Assurance

1. is a strategic national issue,

2. has an extremely challenging context, and

3. must answer some extremely difficult questions.

A Strategic National Issue

A national digital infrastructure is as important as national physical infrastructures.

We spend more of our lives in the digital world than we spend driving our cars.

Digital Identity is central to a national digital infrastructure (the above diagram does not aim for completeness, but it shows Digital Identity as being the missing piece of the puzzle). Other digital infrastructure decisions, such as the nature of digital communications and the design of the Internet, have been made by technology companies, but decisions about Digital Identity are likely to be made by nations. And Age Assurance, a subset of Digital Identity, is the first major Identity decision for many countries.

Such Age Assurance decisions will either:

• set a future direction for Digital Identity and digital infrastructure,

• if narrowly focused, delay any progress on a broader Digital Identity solution, or

• create chaos if unsuccessful

And it is decision time right now!

The Challenging Context

The context is hugely challenging:

Significant public issue. Identity processes are frustrating for people and costly for organizations. But these problems have been tolerated for a long time. Now the major problem is a lack of online identity services that results in social harm and fraud. Social harm results from a lack of online age assurance for social media, alcohol sales, and adult entertainment, and fraud results from a lack of online organisational authentication services for investment schemes. These are not just frustrations. This is a crisis.

Size! While this might seem like stating the obvious, size is important. Take the Australian Age Assurance example – there is an expectation that this solution will enable around 25 million people to continue to use social media while keeping the under 16s safe. Note that means that the 25 million need to prove they are over 16. That is a lot of users, a lot of education, and a lot of infrastructure. These are not trivial decisions – the scope is all of society.

No obvious solution. Identity is not simply an issue of applying a technique we know to new subject matter. Rather, Identity is a problem we are still struggling with. At its very basis is an individual proving to an organization who they are. Most other IT challenges involve collection and manipulation of data. Identity it is different – Identity is an inherently difficult problem.

High Performance Bar. As I previously described in my newsletter Why Identity Systems Might Collapse, Age Assurance failures will not be tolerated. Even if a death is statistically negligible, if the solution that allowed it is perceived to be functionally negligent, then all hell will break loose and the discredited solution will be turned off. I agree – solutions cannot have error margins that allow for and expect collateral damage. That does not mean that age assurance solutions must be perfect, but it does mean that solutions must be designed for optimal performance.

Immature Technology Environment. How mature are Identity technologies? As per IT’s general modus operandum, we are regularly bombarded with tales of brilliance and breakthroughs. Notwithstanding all this good news Identity is, by any count, an immature technology environment that lacks any common language and lacks any agreed approaches. For example, the Australian Age Assurance Technology Trial names possible technologies of Age Estimation, Age Interference, and Age Verification whereas New Zealand’s avowed path is Decentralized Identity. What a strange dichotomy. The EU is hoping that its Digital Identity Wallets pilots will converge on a common solution but it looks more like a fishing trip than a technical strategy. Apologists will find ways to justify the lack of a common language and suggest that current developments try to solve the same problem, but where is the compelling design? Identity, currently, is more noise than substance.

Evolving standards! Why does a majority of the tech world now think that standards breed solutions? For discrete problems, such as USB standards, an industry can jointly design a solution. For complex problems, commercial players develop solutions and the industry later converges onto standards (e.g. payments). But for a large systemic problem like Identity, committee approaches are fraught. Trying to arrive at a design through standard development is simply nuts. For example, the travesty of mDLs (mobile Drivers Licenses) that do not include an authentication method! Standard-based approaches simply make Identity development so much harder. Standards do not breed solutions!

Profitable incumbents. The Identity Verification industry (Know Your Customer / Anti-Money Launder / Countering the Financing of Terrorism) are established and profitable. Cash cow? They have no need to change. They are comfortable with their cashflows – a reusable identity solution, one which would solve the Age Assurance problem, is not desired. Identity incumbents will resist change.

Big Tech is hovering. One cannot ignore big tech, as the major players have huge identity databases (mostly unverified) and control the technology base of Identity. To date, their initiatives have been restricted to leveraging their databases for low assurance identity (federated identity) and extending the reach of device-based identity for authentication (passkeys). While it is difficult to see how big tech can provide an optimal solution for high-assurance application-level Identity, they will no doubt try to extend the influence of their user databases and device/OS control. This is a question of sovereignty, and clearly every nation should be aiming to keep control over its citizens’ identity information. National control of identity is at stake.

So there is a large, societal crisis requiring a high-performance solution. There is no obvious solution and an immature industry that is either entrenched in current methods or bumbling around in standards while Big Tech waits for an opportunity to take control over critical national digital identity infrastructures.

The context is challenging!

Decision Questions

When making a strategic decision, keeping all these contextual issues top of mind is not practical, so I refine the context down to some practical questions that can focus minds and that are sufficiently representative of the context. So this is a restatement of the context in questions:

Is a national Identity infrastructure possible, and if so, is it desirable?

Currently the assumption, which I think is correct, is yes. But the question should be explicitly considered to ensure that nations do not simply unknowingly fall into a national infrastructure scenario that cannot then be exited.

Can an Identity solution be rapidly implemented for a country?

Age Assurance cannot evolve like Payments has over 50 years – we have a crisis and we need a revolution. And revolutions must happen quickly to be successful. No matter what political pressures exist to start a project, taking 5 years to implement a national solution to a current crisis is not acceptable.

Will the solution last?

2 years, 5 years, 10 years, or more? Considering the opportunity cost and development cost, surely 10 years is a minimum. Countries do not go through such major changes very often, so it needs to stick.

Will the solution be both useable and secure?

The current Identity scenarios are zero-sum trade-offs. That is, if you want security, then you take a less useable process. And if you want a highly useable process solution, you accept lower security. Age Assurance will require highly useable processes and high security. Solutions now need to provide both aspects.

Will the solution be publicly acceptable?

And still there will be a question of public acceptability. The question needs to be asked: ‘will the public accept this?’ And if the answer is no, then do not proceed!

How will the industry be organized?

Possibilities are 1) technology focused (e.g. Passkeys), 2) a central controlling membership body as there are for credit card schemes, and 3) every variant in between? This is a non-trivial question and needs to be answered up-front. It may be that a magic technology solves everything, but I do not remember this ever happening. So we will probably need some form of organizing.

How will the Government be involved and will it actively manage the solution?

Unfortunately, in many common-law countries, Identity development has started with the Government creating an Identity regulatory framework based upon the assertions that 1) a regulatory framework will lead to solutions, and 2) a regulatory framework can be devised that efficiently covers all possible solutions. Both assertions are obviously wrong. However, if the question is asked once a solution has been designed, the role of Government can be defined.

Is the solution a long-term strategic Identity solution or a short-term tactical Age Assurance solution?

This question is placed last in the list but should be a standing question throughout any design and development process, allowing the flexibility to both aim for a long-term solution and to revert to a short-term solution to meet the current Age Assurance Crisis.

Decision Makers – Here are your questions to ask

I started this newsletter by stating that we lack awareness of the national importance of Identity and the Age Assurance opportunity, and that we lack awareness of the current context.

Let’s hope that we can get past lame positivity and move on to pragmatism and critical thought. Let’s hope that decision makers include these questions:

1. Is a national Identity infrastructure possible, and if so, is it desirable?

2. Can an Identity solution be rapidly implemented for a country?

3. Will the solution last?

4. Will the solution be both useable and secure?

5. Will the solution be publicly acceptable?

6. How will the industry be organized?

7. How will the Government be involved and will it actively manage the solution?

8. Is the solution a long-term strategic Identity solution or a short-term tactical Age Assurance solution?

All the best

Alan

“Too big to fail” is something we all know, but will identity ecosystems be “too big to succeed?”

Some may succeed, but every aspiring identity ecosystem faces two brutal realities:

1. A single security failure can mean extinction

2. They will be relentlessly targeted by technologists, hackers, and the media

Extinction

Any transactional ecosystem has a value proposition based on the performance level it provides to consumers (e.g. service level, response time, security, cost). If an ecosystem has a high value proposition, expectations will be sky high. A single security failure will likely bring the whole edifice crashing down.

Think currency! Currency has real value and is expected to be 100% secure. What happens when a currency can be easily counterfeited – mayhem. If it is generally easy to print your own money, no one will use the real stuff. It has to be foolproof. If counterfeiting became endemic, the only viable approach would be to reissue the currency. That is why countries stay ahead of the game and don’t wait for the problems to occur.

Age assurance using a driver’s license does not have the same high value proposition. It is accepted that it is not 100% Yes, some fakes are made and some people abuse various systems using them. But the costs of the negative outcomes is not so high. So we tolerate them and the ecosystem remains operating.

Identity ecosystems occupy a unique space — not quite life-or-death like medical infrastructure, but close. They are foundational to trust, access, and legitimacy in digital interactions. If there is any question about an identity ecosystem’s trustworthiness, the fallout will be cataclysmic.

The best identity example I know of is Estonia, the poster child of good identity. But in August, 2017 a vulnerability was found in the smartcards that were central to the Estonia identity solution and it was effectively shut down. Fortunately, the cards themselves didn’t need to be reissued — but all certificates did. Queues formed at police stations as citizens rushed to complete the process.

Estonia made a pragmatic choice to halt operations because it really had no choice. Once the vulnerability was known, there was every chance it would be exploited so they had to act.

For an identity ecosystem , one security failure can mean extinction.

Identity is an enticing domain for tech innovators — but it’s no easy game. The cost of getting it wrong is immense.

A Target

There are many people out there who may be quite keen to target a national identity ecosystem.

For threat actors, the kudos gained would be extreme. These shady people gain satisfaction and notoriety through the amount of damage they can inflict – taking down a national identity ecosystem would be the ultimate hack.

Closely associated with threat actors are state-sponsored groups. The geopolitical and economic disruption from disabling a nation’s identity infrastructure would be immense. They will try!

At the same time, ethical hackers, researchers, and concerned citizens will test the system too — often with good intentions, hoping to catch vulnerabilities before real damage occurs.

And then there’s the media and social media — both serious and hysterical. In today’s world, everyone has a say.

I experienced this when I led the launch of Fastnet banking in the 1990s. Bruce Shepherd was a well-known internet guru at the time and he raised some security concerns with the executive at the ASB predicting that phishing attacks would destroy our service within weeks of launch. He had a point, of course, albeit somewhat exaggerated. Rather than battle Bruce, I hired him to do a monthly security report. I received one report. We never heard from him again!

That was a different era. Now the scale and diversity of attackers is far greater. An identity ecosystem will be a target.

Too Big to Succeed

For identity ecosystems there is no room for error and everyone is watching. Being overly ambitious will likely lead to fragile solutions. This must be avoided – entrepreneurs, regulators, developers, and implementors of identity ecosystems must take their responsibilities seriously.

To design identity systems that won’t collapse under their own weight, we need to start not with abstract ideals, but with our current technology landscape — legacy infrastructure, the internet, consumer digital devices, and institutional IT assets. That’s where we’ll begin next time.

All the best

Alan

There is a lot at stake for the European Union (EU) Digital Identity Wallet (EUDIW) initiative. It is the biggest identity initiative on the planet.

While it has great aspirations, I think it is doomed from the start, as it fails to consider the small issue of implementation on the ¾ billion current EU smartphones.

The Initiative

The EUDIW, created through legislation, will be the central technology for EU Digital Identity! This is the big play for the 2020s.

The EUDIW is driven by EU eIDAS regulation. eIDAS, or “electronic identification and trust services”, regulates electronic transactions. The initial 2014 regulation known as eIDAS 1.0 was revised to become eIDAS 2.0 in May 2024.

EIDAS 2.0 essentially legislates the EUDIW into existence and the EUDIW is central to EU Digital Identity.

This is no ordinary wallet: it is the fundamental technology for Identity for decades to come.

The Pilots

To support this, the EU is financing four pilots to the tune of 40-50 million euro. The pilots consider different use cases:

Two things stand out:

a focus on user functionality – the structure is clearly the use of identity as opposed to the underlying practicality of implementing identity.

a cast of thousands – 100s of large organizations, both governmental and commercial, and literally thousands of people involved. This is no ‘skunk works’ driving to a rapid solution; this is an EU megaproject.

Making the EUDIW Secure

Now, just to be clear, the EUDIW is the central technology that holds all Personal Identity Information (PII). The EUDIW is a decentralized approach in which the wallet holder goes from EU country to EU country freely sharing their PII as they see fit.

So the EUDIW needs to be secure.

The small issue of making the EUDIW secure is described in the Architecture and Reference Framework 1.4. Section 4.3 Architecture Types states that:

“…at least four different types of architecture for the EUDI Wallet Solution can be identified, each leveraging a different type of Wallet Secure Cryptographic Device (WSCD):

1. Remote Wallet Secure Cryptographic Device (Remote WSCD): In this architecture, the Wallet Secure Cryptographic Device is situated remotely, separate from the user's device, for example - implemented by the Wallet Provider using an HSM.

2. Local External Wallet Secure Cryptographic Device (Local External WSCD): If a device lacks sufficiently secure hardware, such as a secure element, external hardware components like smartcards may be necessary to enhance security. This architecture involves an external Wallet Secure Cryptographic Device that is connected to, or interacts with, the User's device, to provide cryptographic functions, for example - a hardware token or smart card.

3. Local Wallet Secure Cryptographic Device (Local WSCD): This architecture refers to a scenario where the Wallet Secure Cryptographic Device is integrated directly within the User's device. This includes solutions like eSIM/eUICC and eSE. In these scenarios, the WSCA (e.g., a Java Card applet) might be deployed by the Wallet Provider. Other examples are based on native solutions, such as StrongBox (Google) and SecureEnclave (Apple), in which access to the WSCD is facilitated via the operating system of the User device.

4. Hybrid architecture: This architecture combines two or more of the previous three approaches.”

The Implementation Problem

Now here is the problem – if the EUDIW is going to be useful, it needs to work for people and those people in the EU have roughly ¾ billion smartphones. Remember, we cannot leave anyone out. So how will these solutions fit the current ¾ billion smartphones:

1. Do the security centrally – well, it might work but why bother? If the whole solution revolves around central security infrastructure why not use a central infrastructure for the whole solution? Why would anyone come up with such a complex solution when a simpler solution is available?

2. External device – you must be joking. We will get a device that can integrate with ¾ billion smartphones. Plug and play for 750,000,000 different brands, models, OS versions etc! Not this decade and unlikely to be in the next either!

3. Use the security of the smartphone. I’ve seen that tried and failed when simply using one brand of smartphone. Trying to get uniformity of smartphone OSes is the stuff of science fiction and trying to retrofit 750,000,000 smartphones not possible.

4. Any two of three – even harder!

The EUDIW Project will fail to reach its goals

The EUDIW project is playing in the fun end of Digital Identity, imagining all the neat and wonderful use cases that can please everyone. Fancy that – some bureaucrats coming up with some good PR!

The actual challenging aspect is making it work for a large installed base of smartphones and that is inherently difficult. The implementation challenge is not being faced and the EU has, as yet, no answer.

And, I maintain, it has no answer because there is no answer! It is inherently problematic to secure PII on personal digital devices.

The partial rescue options

If the EUDIW fails to deliver in full, I see two possibilities:

1. the EU gives it all to Apple and Google

2. the EU simply declares EUDIW a success based on lesser functionality

Now Apple and Google already own a lot of us, so they would no doubt be keen to own all of us. Passing Digital Identity to them would simply formalize the relationship by passing over the keys. No need for governments to worry about the future of identity! Of course, this would be calamitous and must be avoided. If Self-sovereignty was the goal, we do not want to fall back to no sovereignty at all.

The second option is more likely. A lesser EUDIW functionality will be a signed document on a smartphone. For example a mobile drivers license (mDL). Such technology has benefits as the license can be certified as being authentic but it is also limited, just like physical document, as it does not identify and authenticate the person. It is simply a copy of a credential.

But a document on a smartphone is not a Digital Identity solution!

This will be interesting viewing!

All the best for New Year

Regards

Alan

Digital Identity 2024: a lot of talk, more regulation, EU pilots starting up, Passkey expansion, but little progress towards actually coming up with an answer to the big question:

“how do we implement a national identity infrastructure?”

But there is hope - recent pronouncements in three different countries suggest that this broad question is coming into focus. The evidence is somewhat circumstantial but I invite you to make up your own mind about Australian Age Assurance, Aotearoa New Zealand Age Assurance, and a US pivot to Identity Authorization Networks.

And I invite you to think about the future…

Australian Age Assurance

Isn’t it great when politicians legislate something into existence - it removes all that messiness of Business Cases and Net Present Value analyses. And that is what the Albanese Government has done by decreeing that Age Assurance must be live by December 2025 and initiating an Age Assurance Trial that is due to report back by June 2025.

Now Age Assurance is an identity problem at heart - the challenge is to authenticate a person and check that their age (a credential) is within range. This is the goal of this trial which will consider three technology options:

1. Age Verification: like Identity Verification, images are taken of identity documents and combined with live video of the person to confirm the individual is of a certain age (as recorded in their identity document such as a drivers license)

2. Age Estimation: utilizes sensory information (face, movement, voice) to estimate the age of a person

3. Age Inference: highly general big data approach of using broad sources of information to infer age

It’s good to see progress, but:

• Clearly Age Verification has useability challenges - there are a lot of moving parts and it takes time.

• Clearly Age Estimation and Age Inference have accuracy challenges - they have the words ‘estimation’ and ‘inference’ in their titles for a reason.

• Are these the only alternatives? Why has the trial limited its solution scope? See below for two more options.

Aotearoa New Zealand Decentralization

Over the ditch in Aotearoa New Zealand, the Department of Internal Affairs has established the Trust Framework Authority (TFA) to regulate the Digital Identity Services Trust Framework that supports the accreditation of Digital Identity service providers.

The TFA recently added some resources including a use case for age assurance! This use case is a decentralized solution which is unsurprising as the TFA states in Key concepts and principles that: “Personal information will not be held in a centralised database … The rules and regulations for the trust framework support a decentralised approach to the holding and sharing of information”.

Great, but one can only ask:

• Why has Australia not recognized the one technology option that New Zealand has adopted as the chosen solution for Age Assurance?

• Why is New Zealand so confident that this solution will work when there are no functioning solutions yet implemented?

Leading Research Agency in USA finds IANs

I have been a great fan of liminal.co — for many years they have covered the big strategic issues of Digital Identity, and they are now recognizing Identity Authorization Networks (IANs) as the next emerging trend.

In their report, they compare IANs to BankID in Scandinavia and as the name suggests, find that networked organizations is a central aspect of such solutions. IANs will provide a “scalable, cost-efficient, and user-friendly solution that securely links real-world identities to online actions.” Heady stuff but:

• why do neither Australia or New Zealand recognize IANs?

Identity 2.0, Identity 2.5, and Identity 3

All these initiatives fit into the framework of identity evolution that I described some time ago:

So, three fundamentally different approaches, two of them by governments of neighbouring countries.

My Questions to You

The first obvious question is “how can all these three initiatives be so widely different in a world of instant access to information and expertise?” This is a most bizarre situation and while I know the apologists that will say this is normal and good and all that type of excuse-mongering, the bottom line is that we all (especially governments) should be better at defining the options for Digital Identity.

My second question is “if we do not have a full view of all the options, how can we make good strategic choices?” These are important issues and we should ask why we are not better informed. Someone ought to insist on some better strategic thinking before we leap into decision mode (maybe it is already too late?).

My third question is “Which way José?” I expect the answer must be Identity 2.5 Networked simply because it is the only cost effect, secure, and useable approach. I just hope we have rational decision making processes.

Best wishes for the holiday season,

Regards

Alan

There is an interesting ‘decentralized identity conversation’ starting here on Substack and if you are just catching up - here’s where we are:

1. Phil Windley wrote Decentralized Identity Comes of Age

2. I responded with Yeah, yeah, yeah, yeah, yeah, nah, in which I asked:

   Is there someone who can distil all that amazing work into a decentralization design we can all understand?

3. And Phil obligingly answered in his post What Is Decentralized Identity?

I learnt a lot about decentralization through this last post, but I still had one of those nagging doubts about the efficacy of the solution. As I reflected on Phil’s post I recognized that the “will it work?” question needs to cover more than design.  Specifically we need:

design (a given requirement for any new solution) - a topography of people and technology, including interactions and information.

security (fundamental to the identity challenge) - how confidential data is secured, and why the solution is secure.

implementation (difficult for any solution that aims to become a standard) - how the solution can be implemented for large user populations.

So here is my take on the challenges for decentralization in these important areas.

Design

In Phil’s response, the decentralized design still includes Decentralized Identifiers (DIDs), but two additional elements, digital wallets and verifiable credentials, have been identified as ‘needed’.

These additions show that decentralized identity is an evolving discipline and so there is much to ask, including two fundamental design challenges:

The First Design Challenge - doing the hard bit first!

I’ll use my model of the identity process to illustrate this:

This model shows that identification and authentication, i.e. saying who you are and proving that you are who you say you are, precede utilizing credentials for some purpose.  No identity solution can be complete without both these components.

Phil’s explanation shows a digital wallet and describes how autonomous software components could potentially interact and exchange credentials securely.  But we still do not know how access to the wallet is controlled.  If this is not ‘the’ big identity issue of how the actual person is identified and authenticated, then what is?

Yes, the credential use is there, but surely an identity solution needs to be more than that?  If access to the digital wallet is predicated on the security of the smartphone, doesn’t that make the solution simply a distributed credential solution, which raises the obvious question of “why bother?”

The Second Design Challenge - a macro hybrid solution?

At the macro level, Phil’s design shows a decentralized identity utilizing other identity solutions to load their own structures with credentials.  If this is the case, the macro view of multiple complementary identity solutions should be made explicit and the design rationale for such a hybrid solution justified. 

A hybrid solution may ‘work’ but is that what we really need or want?

Security

This is clearly fundamental to an identity solution.  Decentralization based on a digital wallet with autonomic identifiers (local storage, if I have read it correctly) requires both an app and local data to be secured.  How is this achieved?  Does it rely on the security provided by the relevant smartphone operating system, does it utilize the hardware cryptographic capabilities of the smartphone, or is there some other bespoke approach to security?

This is important, and remember that much of decentralization is predicated on the lack of trust for major corporations that leak identity data all too often.  Surely decentralization should not be just another leaky solution?

Is there a relatively simple explanation of how security is achieved by decentralization?

Implementation

If you want to try something really hard, try implementing a complex software solution on every smartphone in a country.  That is, within reason, support every model sold in the last decade and still being used.  That is every operating system version and every variant of crypto support hardware. 

For an app that is simply a front for cloud-based data, implementation over multiple smartphone variants is relatively simple as the app is simply a presentation layer.  For a decentralized digital wallet, the challenge of implementing complex infrastructure for a population is extreme.

How will decentralization achieve this?

Summary

The current status of the decentralization model appears to remain somewhat conceptual rather than contextual.  That is, the concept is a good idea and easy to buy into, but the contextual challenge of making it work is being left to the developers!

This status is confirmed by the lack of working prototypes. And if decentralization were more fully developed, we should expect to see such prototypes and we don’t!

So, for me, “Will it work?” remains an open question, and yeah, yeah, yeah, yeah, yeah, nah is still a distinct possibility.

As you have read this newsletter, and perhaps others, it would be great to get your thoughts. Please comment, below, or write your own post and link back - whatever works for you. 

Until the next time ...

Regards

Alan

True Story.

A good friend of mine, Denis, put me onto a UK stock that was going to fund his retirement.  So, in I went, boots and all.  It was a bit up and down, but we believed.  We believed.  It started to slide.  Concerned, I left Denis a message saying “what’s up” and Denis, confidently, left me a message saying “I have total confidence in …”.   Phew.  A week later I rang again, and Denis began with “I sold the lot…”. 

Will decentralized identity go the same way?

In his recent post,  'Decentralized Identity Comes of Age’ , Phil Windley wrote that he feels that decentralization has reached its tipping point.  Phil was at the European Identity Conference and observed that ‘decentralized identity' is moving out of the ‘geek' space into ‘mainstream' space. 

That is intriguing!

I do agree with Phil’s assertion that decentralization will be a wonderful solution that transforms so many of today’s problematic identity processes. Not only that, but that view is shared by many people, as Phil showed - decentralization is the nirvana for identity.

Which brings me to the practical. As decentralization reaches its fulfillment, it only seems reasonable to ask “will it work?”

My challenge to the decentralization community is for them (someone) to explain how it works in relatively simple and reasonable terms.  I say relative because identity is not simple, so we should not expect simple solutions.  But … we should expect to see a design that can be understood by the informed, which probably means you and me.  We should not be expected to look at a whole bunch of code and then determine how it works.  Also, we need to see a design that is more than a list of desirable outcomes.  We need to see a tangible design.

The Internet Identity Workshop is in its 20th year and has produced so much and shaped so much more. Could I ask for them in the name of ’Steve' for just ‘one more thing’?

Is there someone who can distil all that amazing work into a decentralization design we can all understand?

Or is this like my UK stock journey – yeah, yeah, yeah, yeah, yeah, yeah, nah?

I promise you that the nah moment leaves one feeling a bit empty…

Regards

Alan

p.s. ‘Yeah, nah’ is a common expression in New Zealand Aotearoa. When used in conversation it often has lots of yeahs before the nah. In the end, It always means no.

Verifiable Credentials (VCs) will be forgotten and Verified Transactions (VTs) will be the norm.  How’s that for stirring the pot!  In this newsletter I’ll briefly discuss the technology basis for both, why Verifiable Credentials have limited use and are dangerous, and why Verified Transactions have many uses and will become the norm.

Technology Basis

It is all about public key cryptography (also called public/private key cryptography and asymmetric cryptography).  You use it every time you use a browser - it is the basis for SSL secure communications between Internet browsers and servers.  It works and it is proven.

Besides enabling secure communications, public key cryptography also supports the digital ‘signing’ of documents.  That is, such documents can be signed digitally and can then be digitally verified.  This tech has been around for a long time, it works, and it can be used to sign both VCs and VTs.

Verified Credentials

Let’s first look at VCs.  These are slated to be the next big thing for Identity, but I maintain that VCs are limited to data sharing, and I maintain that VCs are dangerous when stolen or lost because they have real value.

Data sharing only – not a full Identity solution

The major limitation is that VCs are not a full Identity solution!  Do you remember this:

VCs could clearly be part of the right-hand side.  That is, they could act as a standardised way for sharing data with the added benefit that the receiver could trust the validity of the credential.  This would have more applicability for decentralised solutions where trust needs to be established for every transaction, whereas networked solutions, with connected ‘already trusted’ parties, does not have the same need (i.e. if it is a trusted source the data should also be trusted).

But a VC does not do authentication.  Think about a person holding a university degree in front of you.  The name identifies them and the wax seal gives confidence that this is a valid degree.  But is the person holding the degree the person named on the degree?  There is no way to know.  The hard bit of identity, authentication, is not covered at all.  VCs are the same as a physical university degree – they are not an authentication solution.

Now, some clever person will likely respond suggesting that the credentials within the VC can be used to authenticate the holder of the credential.  But putting your secret password or your biometrics into some document you share with all and sundry is clearly not a good idea.  Keep the secrets as secrets.

So, VCs are only part of Identity and they are not the hard part of Identity!  The hard part is, of course, authenticating yourself to someone who doesn’t know you, and VCs do nothing for that problem.

The cost of stolen credentials

Currently a fuss is made when credentials are stolen or inadvertently made public, but the fallout will be minor compared to that in a world of VCs.

We know that there are data breaches and I take such breaches seriously.  But often the stolen data is commonly available!  Does anybody remember the telephone box with name, address, and telephone number?  Much of the data stolen is exactly this data.  And so, the reason data breaches do not condemn all those affected to lives of purgatory is because the data is probably available anyway.

In a world of VCs all that changes.  VCs will be lost and stolen due to leaky organizations and leaky digital wallets.  This will not be an issue in a perfect world where authentication is done properly and identified person strongly verified against the identity in the VC. 

But one can see the situations developing where nefarious individuals will attempt to use stolen VCs either through associating them with a similar name or by aggregating them to suggest a certain individual.  And if the technology becomes ubiquitous people will test the boundaries. 

The fundamental problem is that, because it is verifiable, the VC is valuable but it can be copied infinite times.  It’s a bit like making millions of perfect copies of the physical university degree I mentioned above.  Each one is ‘real’.  What can then be trusted?

Are VCs fools gold?

We do not yet know, but VCs have more challenges than simply being implemented.  By their very nature they can only be part of an Identity solution, but they are not an essential part, and when implemented they may create more problems that they solve. 

Verified Transactions

Recent discussions in the Anti-Money Laundering / Countering the Financing of Terrorism / Know Your Customer / Customer Due Diligence (AML / CFT / KYC / CDD) world has highlighted to me that we live In a world of compliance, and how important cost effective compliance is now and will be in the future.

Part of that compliance is an audit function, and organizations I have discussed this with confirm that when audited they often fall back on physical records.  In 2024!  And, of course, many of the AML processes they execute are performed by third parties.

So why not record the organization requiring the AML process, the person who is the subject of the AML process, and the result, and sign it?  That would seem to be a practical and useful application of public key cryptography.

Weighing it up

VCs are probably essential for the decentralized Identity movement.  We have Decentralized identifiers (DIDs), Digital Wallets, and now VCs that presumably will work in unison. 

But for any other Identity solution, VCs will not solve the basic Identity challenge of authentication, while adding another layer of complexity and possibly creating other long-term issues.

VTs could solve a current problem.

If you believe in the decentralized model you need to believe in VCs.  If you believe in a networked model, you don’t need VCs and VTs are a real opportunity.

What do you think?

Regards

Alan

Intro

Passkeys, announced by Apple, Google, Microsoft, and the FIDO Alliance in May 2022, are a replacement for passwords.  In this newsletter I will:

• show where passkeys fit

• describe why we need passkeys

• present a passkey primer because how they actually work is quite important

• list some key problems with passkeys

• suggest that passkeys are far from a complete solution and not THE answer.

Where do passkeys fit?

Passkeys replace passwords.  They are a unique cryptographic key for each website or app that a person signs onto.  Like passwords, passkeys are a form of authentication.  Remember this diagram (from my newsletter 2):

So, passkeys are not a full identity solution, but they perform a fundamental function within Identity, this being authentication.

And passkeys fit in a niche - they are not the saviour for all identity scenarios:

Passkeys work on-line for established relationships (2-party transactions).  That is, they work when you are signing on to an existing account you opened sometime before, for example a bank account.  They do not have any relevance for in-person or on-telephone situations, and they do not have any relevance when establishing relationships (3-party transactions) such as Know Your Customer, when you are opening an account.  For a full explanation of this framework, see my newsletter 3 and my newsletter 4.

So passkeys are limited in function (authentication) and in scope (on-line accounts already opened).

Why do we need passkeys?

Secure on-line access is a real problem now, so passkeys are very relevant, even if they do not solve every problem we have.  The culprit is a particular type of phishing — on-line username and password phishing.  That is, you are tricked onto a site and give away your username and password.  This is a problem and it is why so many sites now have moved to multi-factor authentication (MFA).  But even with MFA, phishing is still possible, even if it is less prevalent.

The Fast ID Online Alliance (FIDO) has a solution they call 2FA for second factor authentication.  FIDO 2FA is provided by a hardware device called a FIDO security key that often looks like a USB flash drive.  These devices use public key cryptography to provide very high levels of security.  But they are costly and they are painful to replace, and so they have not taken off.

We need something better, so FIDO, Google, Apple, and Microsoft invented passkeys that go beyond FIDO 2FA.

A passkey primer

So how do they do it?  I’ll discuss both the functionality, and how that functionality is implemented.

Passkey Functionality

The three principal processes involving passkeys are:

1. setting up a passkey

2. signing on using a passkey

3. administering of passkeys

1. Setting up

You start by signing off the old way. Then, somewhere in the app or website, you select an option to set up a passkey. You are asked if you want to save a passkey for the site:

You confirm saving the passkey by entering your Windows Hello PIN (this is your PC PIN - the one you might use when you boot your PC) and Windows confirms the passkey is saved.

2. Signing on

This is part of a signon page presented by a Chrome browser running on a Windows 11 PC. You don’t enter anything, you simply click in the signon username box.

The first thing to notice is that passkeys work a bit like a password manager!  You click in the signon username box and the browser gives you passkey options (if they have been setup), in the same way as a password manager gives you username / password options.  There is nothing to remember!

So you activate a signon field in the website, confirm the use of the passkey, and you are in.  Well almost – there is a second step:

In this scenario, the passkey is secured by Windows Hello which validates the use of the passkey, in this case through the entry of a PIN (there are alternative ways: face and fingerprint).

And note that a passkey functions very much like a password manager with MFA, in that both require an initial selection followed by a second factor of authentication.

An advantage of passkeys is that the two steps are local to one device, in this case a PC. There is no need for a separate smartphone to confirm the signon.

3. Passkey administration

On a Windows 11 PC there are three places for passkey administration:

1. the application itself

2. the Google Password manager

3. Windows 11 settings

The applications I have seen list the passkeys and allow them to be deleted.  The Google password manager simply defaults through to Windows 11 Settings below: 

Passkeys are embedded in the Operating System (OS)

In these examples, the passkey is saved within Windows 11, the Microsoft OS and the passkey is tied to a device.  Yes, that is important!

So, while passkeys function in a similar manner to password managers for the user (i.e. they make the process somewhat automated), the implementation is totally different (i.e. cloud for password manager, local OS for passkeys).  This has implications as described below.

And the problems

My analysis of passkeys above, and my reading, suggest that passkeys are user friendly and totally secure against phishing.  That is, you cannot phish a passkey.  Great - one big tick there. So what’s the problem?

Passkeys don’t stop phishing attacks!

Hold on, didn’t I just say they cannot be phished?  Well, passkeys work in the sense that they are unphishable.  But phishing sites can still phish for usernames and passwords.   Passkeys do not stop bad people sending fake emails in order to steer users into fake websites that then steal usernames and passwords.

So what can they do with a stolen username / password?

Well,  use them!  Yes, the bad people can simply go to any PC not set up with a passkey for that website, and they will be prompted for username / password, and then perhaps some form of MFA.  And, as we know, they can then break me!

The benefits of internet openness are eroded

Remember that the internet and browsers give us openness and access from any point.   If the problem above is solved by making passkeys obligatory (which is very difficult because you need to signon to set up a passkey), then you will be tied to specific devices for those services.  So, if the service is a bank, you will not be able to check your balance from work or a friend’s PC – you will have to use your own devices with passkeys already setup.

Passkeys are dangerous if you share devices!

Whoa, surely passkeys don’t make things dangerous!  Well, we are not sure yet, but they do open up some theoretical holes.  For example, say a company has a loan PC and everyone knows the Microsoft Hello PIN.  If a person saves a passkey on that PC, against the advice of the service provider, then it is seemingly useable by anyone who uses that PC. 

Put another way, the Microsoft user becomes the actual user.  If you know the PC’s PIN you have access to all passkeys and Microsoft provides a list of them all for you (see passkey administration above).  That is a bit interesting to say the least.

Giving control to Google, Microsoft, and Apple

Like so many things in IT, the politics of control are rarely broached.  The FIDO Alliance has many members including the big five IT companies and many of the major identity companies.  FIDO has been promoting 2FA FIDO security keys since 2013.

Passkeys looks like a second attempt to solve the phishing problem, but are based upon using hardware in PCs and smartphones.  This has appeal in finding a hardware-based solution without requiring a new piece of hardware.

But, and this is a very big but, while conceptually elegant, practically this puts the OS providers, Google, Microsoft, and Apple, smack in between users and their service providers.  Your access to services is through your OS identity and your OS identity is controlled by your OS provider.  I wonder if they will start charging for this service one day? Maybe this is why they are cooperating at the moment?

Note that even though Apple’s passkey implementation will be different, they too will be in a controlling position.

Passkeys are not the answer

Passkeys are not a bed of roses!  And passkeys are not the answer to Identity.

No doubt they are developing and will develop further, but in this early stage:

• passkeys only do authentication for on-line 2-party transactions

• passkeys are an un-phishable authentication method that does not stop phishing

• passkeys may limit the openness of the Internet

• passkeys create a problem with shared devices

• passkeys, if successful, put Google, Microsoft, and Apple even more in control than they are now

One has to ask, “Is this the best we can do?”  Passkeys look like a half-baked concept designed by a committee.  Passkeys look like an attempt to rectify a previous failure, and are more like a bed of thorns than a bed of roses.

For Identity, 2023 is the year of Identity Digital Wallets, Verified Credentials, and Passkeys.  These are all hot topics, important, and worthy of at least a newsletter each.  In this newsletter I’ll consider Identity Digital Wallets – what they are and the inherent challenges in implementing them for Identity.

But why the title “The Peculiar Case of Identity Digital Wallets”?  Well, because while they are a great idea, the very people promoting them have highlighted some massive implementation issues.  That sounds peculiar to me!

Digital Wallet Functions

Before I delve into Identity Digital Wallets (IDWs), I’ll consider Digital Wallets (DWs).  DW is a general term that applies to many types of app.  So categorizing them is not easy, but in this first attempt I’ll focus on the  functions that DWs support.

The most obvious function is Card Support.  Just like a wallet, the DW stores cards which can be then made digitally available.  The Google Wallet and Apple Pay are the most well-known examples:

Note the card types supported are more than just payment cards.  As per the Google example above, a Covid card, a transit card, and a membership card are all be supported.

Solutions that purely focus on storing identity cards in a wallet are EIDs.  The abbreviation EID (sometimes written eID) originally described identity cards which had a chip and hence were electronic.  Now, in Identity, EID is used to describe the storing of such identity cards in a smartphone wallet.  Current examples of EIDs are the initiatives in the USA to store drivers’ licenses using Apple Pay. 

I include within EIDs Identity Hubs such as Yoti, which have since 2014 utilised their own DW to build a user base and become an Identity Hub.  But while they have gone beyond storing cards to storing other documents such as passports, they still function in a limited fashion.  So, while they may claim to be full identity solutions (and IDWs as per my definition below), they are simply creating a digital version of physical IDs, thereby eliminating the need to carry all those plastic cards and documents.

One of the earliest and most successful wallet functions is the purse.  Strange to think that a purse fits into a wallet, but some wallets do have pockets for coins, so I guess the analogy holds ok.  Alipay and WeChat started as payments enablers by holding cash on the customers behalf. 

And then we have the add-ons!  I struggle to find a better word than this, but the challenge is that once you have a ‘killer function’ to bring in the punters, such as a purse, you can then ‘add-on’ all sorts of functions.  Look at the main Alipay screen below:

My expertise in Chinese script is very limited, but clearly there is a bit more functionality and interactivity going on than occurs in my physical wallet.  There seem to be many financial and transport services that go beyond storing and presenting a simple card to actually executing transactions within the DW.

New Zealand has its own DW.  Dosh is an example that provides a purse and supports its own payment card.  It is a relatively easy-to-use app that supports person to person payments and other general payment functions.  But it is not yet ubiquitous – there is more to a DW than being good technology!

And, now, we have Identity.  The Identity solutions proposed are a lot more than a card stored in an app – they are full ecosystems.  I describe the approaches and what is happening in the next section.

So, in summary, DWs have many functions which I categorize as:

• card support

• EID

• purse

• add-ons

• identity

They are relatively easy to build but need scale to be successful.  The Chinese DWs, Alipay and WeChat, with user bases in the billions, show what success can be like.  But, of course, reaching such lofty heights is not so easy!

Identity Digital Wallets (IDWs)

The concept of an Identity Digital Wallet (IDW) as a full Identity ecosystem has now emerged in the European Union (EU).  This goes way beyond the concept of an EID DW.  I’ll discuss the both initiative’s aims and the published issues with the security.

EU eIDAS 2.0

Initially, in 2014, the EU eIDAS (Electronic Identification, Authentication and Trust Services Regulation) focused on identification and authentication.  Now, in its latest version, eIDAS 2.0 creates a regulatory framework for cross-border digital identity.  A key part of this is the European Digital Identity Wallet, but in line with my  terminology I’ll call this an IDW.  The EU’s IDW aims to provide all the functions of Identity (the model below is from my newsletter 2):

As the EU states on their website:

"The EU Digital Identity Wallet will provide a secure and convenient way for European citizens and business to share identity data needed for accessing digital services such as checking in at the airport, renting a car, opening a bank account, or when logging in to their accounts on large online platforms.  With a click of a button on their phone they will be able to securely share information stored in digital versions of their driving licence, professional or educational credentials, and medical prescriptions."

Clearly the EU IDW aims to support 2-party and 3-party identity transactions in multiple environments of in-person and on-line, for multiple types of transactions, and in multiple countries.  This is a hugely ambitious project!

Being the EU, this initiative requires a pilot.  The EU, being the EU, has four pilots being run by four huge consortia with a cast of thousands.  I suppose the rationale is that one of the consortia must be successful, but it is hard not to be a little sceptical about their chances (check out the long lists of participants and the pilots are schedule to be running in 2025).

The little issue of security

So there are large expectations for this IDW and much activity.  But the EU’s own documentation highlights a security issue that is both conceptually and practically impossible to resolve!

In the EU’s design document, “The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework, The European Digital Identity Wallet Architecture and Reference Framework, January 2023 Version 1.0.0.”, pages 28-29, it states:

“Where an EUDI Wallet Solution has an application running on a mobile device, there may be a need for additional trusted components which are not part of that application but are nevertheless part of the EUDI Wallet.  Such a need may arise for reasons:

• Security: e.g., if a particular device does not have sufficiently secure hardware like a secure element, external hardware components like smartcards may be needed”

In other words, the EU IDW will be secured through hardware and this may be an external device.  How are we going to make that work?  Does anyone in the EU understand the impossibility of the EU population all having homogeneous smartphone security hardware?  It is problematic getting two smartphones from the same manufacturer to operate the same but, if we want a ubiquitous IDW solution for all citizens, we will need all smartphones in use, from different manufacturers with multiple models and versions, to somehow operate the same way!

We tried this strategy in New Zealand in a SEMBLE, an initiative to create a payments card DW.  The complexity of using the security hardware in current smartphones from just one manufacturer was highly problematic and the project failed  (https://www.stuff.co.nz/business/82147557/developers-of-semble-mobile-wallet-app-refocusing).  Think of doing this for all smartphone manufacturers and all common smartphone models still being used!

Well, one EU body recognizes the problem.  The European Union Agency for Cybersecurity (ENISA) is the “Union’s agency dedicated to achieving a high common level of cybersecurity across Europe”.  In their report “Digital Identity Standards, Analysis of standardisation requirements in support of cybersecurity policy, July 2023” they consider standards in the light of eIDAS 2.0 and come up with several recommendations, including (my bolding):

“In the context of the EU Digital Identity Wallet, EU policymakers should make use of the new Digital Markets Act to provide direct access from the Mobile Application to the security anchor provided by EU CC certified secure elements available on smartphones. This direct assessment will help create a Trusted Mobile EU Digital Identity. This recommendation should be complemented by a new standardisation request to the European Standardisation Organisations, to develop a unique API from the mobile application to the security anchor provided by the secure element certified by the EU cybersecurity certification scheme. This is crucial for the provision of full interoperability by various smartphone manufacturers.”

So, ENISA recommends that we need a common security API for ALL smartphones.  This recognizes the need for a common way of accessing some standard security technology.  But that does not solve the problem.  There is no magic wand to turn a technology base of thousands of different devices into a standards-based environment.

Summary

So I have described Digital Wallets (DWs) and Identity Digital Wallets (IDWs).

The wallets that concern Identity are EID DWs and IDWs.  EID DWs, such as a drivers license stored in a wallet, have utility but limited functionality.  IDWs, if successful, will be the most significant Identity ecosystems on the planet even surpassing passports.

But while EU IDW project has a huge amount of participation it seems most peculiar in that it has already identified major challenges without having any inkling of how to solve the security challenge in practice.

Maybe, just maybe, the reason we do not yet have a fully functioning IDW is because it is almost impossible to make it a reality.  Maybe, just maybe, trying to legislate an IDW into existence is more about keeping the good news story going rather than being a well thought out strategy.  Maybe, just maybe, we need to think this through a bit more.

All the best,

Alan

Hi trendsetters,

This newsletter

• updates some key market segment terminology and

• suggests a Gartner report to read.

Identity Verification and Big Tech Identity

The main terminology that I want to change is the market segment that I previously called KYC (Know Your Customer).  This market segment uses a number of techniques, such as identity proofing and biometric matching, to verify the identity of a person to a new third party such as a lawyer, accountant, or real estate agent.  It has huge volume worldwide and is probably one of the few market segments making any money!

But, as Gartner’s insightful 2023 report rightly points out:

• KYC is an ongoing process that is greater than a single identity verification transaction as institutions need to monitor the status of identities over time,

• The need to verify identity is more than just KYC and this need is increasing as organizations want to be sure who their customer really is.

Besides these useful observations, Gartner also changed their naming of the segment from ‘Identity Proofing and Affirmation’ to – wait for it – ‘Identity Verification’.  I love it – it actually states what the process does.   And so I have updated my Newsletter 6 – Market Segments’ diagram accordingly:

You will note that I have also:

1. Changed ‘Social Media Identity’ to ‘Big Tech Identity’.  Why?  Well, the federated identity options that Meta, Google, and Apple previously provided to support social media level security are being supplanted by the passkey initiative that aims to deliver better security and ease of use.  How this plays out will be a subject of a future newsletter, but the with Microsoft, Apple, and Google leading this passkey initiative, Big Tech may well play a major part in the future of Identity.

2. Reordered the segments on the left (in the blue shading) to allow me to highlight the segments where we find the most commercial activity not dominated by Big Tech, and I have provided a list of the major international companies in this space:

Identity and Access Management

• Okta

• Thoma Bravo’s Ping, ForgeRock, and SailPoint

Identity Verification

• Jumio (USA)

• Mitek (USA)

• LexisNexis Risk Solutions (USA)

• Trulioo (Canada)

• Onfido (UK)

• GB Group (UK)

• IDnow (Germany)

• IDEMIA (France)

• Sumsub (Cyprus)

Identity Hubs

• ID.me (USA)

• Yoti (UK)

• Digi.me (UK)

I also want to highlight that Identity Hubs have taken the seemingly obvious step of remembering an identity that they have verified and reusing it.  Hence, they could be considered to be Identity Verification companies, but my reading is that they have changed their strategies and no longer focus on providing Identity Verification services. 

2023 Gartner Report

I do recommend the Gartner paper which is available through many companies that are named in the report, including Jumio.  It is a lot easier to read than the 2022 report that has a huge amount of detail and a veritable cure for insomnia if you choose to go there.

The report suggest that the Identity Verification market will decrease as Digital Wallet solutions come online!  That bucks the trend of every other report that I have read that suggests continuous growth.  Maybe, just maybe, some realism is creeping in!

All the best and watch out for my upcoming Digital Wallet newsletter.

Regards

Alan

The New Zealand Department of Internal Affairs recently stated that it is contributing to a “Future State New Zealand Identity Ecosystem” (my bolding, DIA discussion paper, June 2023).

The establishment of a national identity ecosystem is an important subject.  What is an identity ecosystem?  I ask what should we be aiming for as a society? And is it one or multiple identity ecosystems? 

What is an Identity Ecosystem?

Defining the term ‘ecosystem’ is a useful starting point.  Wikipedia states:

An ecosystem (or ecological system) consists of all the organisms and the physical environment with which they interact.  These biotic and abiotic components are linked together through nutrient cycles and energy flows. Energy enters the system through photosynthesis and is incorporated into plant tissue. By feeding on plants and on one another, animals play an important role in the movement of matter and energy through the system.

Wikipedia describes a ‘biological ecosystem’ that has evolved to a steady state.  Such a biological ecosystem has systemic features of many co-existing parts that, in a sense, cooperate.  An ‘identity ecosystem’ will share this systemic feature - it too will have many cooperating parts.

But an identity ecosystem is designed by humans.  This additional dimension is obviously important – it determines everything!  Such as whether the thing works, how efficient it is, how secure it is, and how much it costs!

So, we must avoid being too romantic about identity ecosystems - they are not natural, they are not easy, and there is no preordained ‘order of things’ to define how they should work.

Identity Ecosystems Attributes

So, there are different types of ecosystems.  To understand these differences, I categorize identity ecosystems using three attributes:

1. the operational environments that are supported

2. the type of transactions that are supported (2-party and/or 3-party)

3. the level of security

1-2 have been described in previous newsletters.

The third, the level of security, is determined by what identity-based transactions are being supported.  If the transaction is high value or high risk, like obtaining a passport, a high level of security should be expected.  If the transaction is low value or low risk, such as accessing social media, a lower level of security may be appropriate.

Together, these three attributes define the scope of an identity ecosystem.  There are two classifications:

• a broad-scope identity ecosystem that supports multiple variations of environment, transaction type, and security level

• a narrow-scope identity ecosystem that supports limited environments, transaction types, and levels of security.

Loosely and Tightly Coupled Ecosystems

An additional aspect that is important for ecosystems is how the ecosystem functions.  To describe this, I will focus on how tightly the entities within the ecosystem are coupled together.

One extreme features loosely coupled ecosystems with lots of independent entities that can randomly interact with each other.  They do not have hard and fast connections.  Biological ecosystems are clearly loosely coupled with a huge variety of entities and multitudinous interactions.  These many-to-many relationships somehow work, primarily because millennia of evolution have produced a steady state system.

At the other extreme, tightly coupled ecosystems have a structure, and the entities interact according to patterns that some might characterize as rules.  Such ecosystems are much more likely to be made by humans.

Current and Future Identity Ecosystems

I use the three attributes and degree of coupling described above to analyze a series of current and developing identity ecosystems.

Government Identity Documents

I start where we all started – birth certificates, driver’s licenses etc.   They are useful in many environments and transaction types, so they have broad scope, but they have limited security.  They are loosely coupled ecosystems.

International Passports

Passports are clearly the biggest identity solution on the planet.  They are highly effective in border locations where hardware is installed, although they can be used elsewhere for general identity in a moderately coupled manner.

National Identity Solutions

The most sophisticated and well-known national Identity solutions are in the Scandinavian countries and Estonia.  BankID operates in Sweden and Norway.  It evolved from a smart-card based solution to being predominantly based on smartphones providing 2nd Factor Authentication.  It focuses on on-line use and can be used with both government services and commercial services in a tight configuration. 

National Hybrid Identity Card / Biometrics Solutions

These are an emerging type of solution similar to National Identity Solutions.  For example, the Philippines is introducing a chip-based identity card and collecting iris and fingerprint biometrics at the same time.  If well implemented, this will give all sorts of options in the future and shows how countries with minimal Identity infrastructure may be able to take a major leap to a sophisticated technology approach.  They are likely to be tightly coupled.

Social Media Identity

Federated Identity is quite important for many of the four billion social media users!  Based around protocols, such as OAuth, OpenID, and OpenID Connect, this is an on-line 2-party solution, with a large unverified user base, that operates tightly.  It is difficult to measure the security, but the absence of any major reports of disaster suggests that the technologies themselves are secure.

Big Tech Passkeys

I’ll cover this in a future newsletter, but the tech giants Google, Microsoft, and Apple along with FIDO, on 20 May 2023, announced the technology of passkeys as the new identity solution.  Passkeys could be seen as an evolution of FIDO 2nd Factor Authentication, but it is much more than that.  Centralized management of passkeys to remove the reliance on passwords (and hence minimize the risk of phishing attacks) has a lot of positives and a few negatives (do we trust them?).  Passkeys, if and when it achieves some sustainable volume, will have an on-line, 2-party focus in a tight configuration.

Identity Ecosystem Summary

The ecosystems analysed above are:

There are some trends in this analysis:

• we do not have any identity ecosystems that are both broad-scope and highly secure - government identity documents is the only identity ecosystem that covers all environments and transaction types (i.e. is broad) and it is not secure.  I know of no other broad-scope identity ecosystems.

• current secure identity ecosystems are tightly coupled - this borders on stating the obvious, but governmental, commercial and big tech development build on the technology stacks we currently have, and utilize real-time communication and strongly-typed messaging.  That is, Identity providers utilize current technologies to tightly couple entities and to thereby gain security.

Conclusion / Observations

I will to conclude with these points:

1. the ecosystem approach is useful - the discussion in this newsletter is worthwhile.  We need to have a way of discussing identity at a national level, and the concept of ecosystems allows this discussion to take place.  By that, I mean at a national level, we must go beyond simply discussing standards, legal accreditation, and technologies.

2. identity ecosystems are a good idea - I started by recounting how Department of Internal Affairs’ aim to contribute to a “Future State New Zealand Identity Ecosystem” and asking whether this is a good goal.  While I have not focused on proving that in this newsletter, it seems intuitively obvious that ecosystem solutions at the same level as Payments solutions would be beneficial.

3. a secure broad-scope identity ecosystem is not easy – history supports this.  I think there are two primary reasons for slow progress: 1) it is a very difficult problem, and 2) industry is waiting on government.  Unfortunately, it is not the role of government to fix everything, so industry needs to find its own ways to move forward.

4. narrow-scope identity ecosystems will develop initially – before the big solution arrives, we will have narrow-scope identity ecosystems for industries, social groups, and communities.  This may be the future for the next 5-10 years or more.

So, Identity has some things to do.  In the next few newsletters, I‘ll consider how to design an identity ecosystem and discuss some current approaches to developing identity solutions.

Regards

Alan

The title of this newsletter is deliberate – Identity 2.5 is reasonable: that is, there is a coherent argument for Identity 2.5.  It is not about ideology nor is it about opinion.  Sure, the views expressed are based on my knowledge, but when determining the future of Identity I present a reasoned argument and I ask you to focus on the reasoning for my approach.

Subscribe now

A quick recap.  I define three current paradigms:

• Identity 2 Technology – our current disaster of multiple methods, fraud, and poor customer service

• Identity 2.5 Networked – a networked approach that uses current technologies in useful ways

• Identity 3 Decentralization – a future where identities exist under the control of the customer.

My Reasoning Summarized

• Identity 2 Technology should not be allowed to continue

• Identity 3 Decentralized is decades away and we can’t afford to wait for it

• Identity 2.5 Networking is demonstratable today and it works.

Given these reasons, Identity 2.5 is our immediate future.

Identity 2 Technology

The status quo is Identity 2 Technology, our current chaotic Identity world.  In this paradigm:

• we add security through complexity resulting in a horrid customer experience

• we cannot support in-person Identity (anyone remember the highly insecure Covid passport?)

• on-line fraud is prevalent.

As I have covered the topic in-depth in previous newsletters, I will not go on about these current performance issues here.  Suffice to say that we should not accept this state of affairs.

Identity 3 Decentralization

The promised nirvana, Identity 3 Decentralization, cannot be achieved in our current ICT environment, and the industry knows it, even if it will not admit it!

That is quite a statement!  There are millions, if not billions, of dollars being invested in decentralization.  Fortunes are being made and, if I am right, fortunes will be lost through a failed attempt to implement decentralized Identity (although not necessarily by the same people, unfortunately).

I present three reasons why Decentralization will not deliver an Identity solution now:

1. Decentralization runs on personal digit devices (PDDs) that are inherently insecure

2. Decentralization has failed to deliver the intended Decentralized Identifiers (DIDs)

3. Decentralization has changed focus to Verified Credentials (VCs).

Insecure Personal Digital Devices (PDDs)

Identity 3 Decentralization is based, of course, on not holding central information.  In its most fervent forms, it castigates the wicked central masters and exploiters of personal information, and longs for a world where the individual is the sovereign of their own realm.  But the data must go somewhere, and that is on personal digital devices.

Now, the first law of ICT security should be “Personal digital devices are inherently insecure”.  Decades of viruses, Trojan horses, and fraud surely make this clear.  That PC and that smartphone are not highly secure devices.  The security of PDDs is average at best.

And we should not be surprised – PDDs are designed to be ‘open’!  That is, the movements for open systems, open platforms, and open-source code have delivered great functionality where multiple software components can interact in the same environment.  A corollary to this is, of course, that it is much easier for malicious software to be effective.  And it is, and so PDDs are insecure.

This means that we will not have a society using secure PDDs for many decades to come.  Even if all new PDDs magically became secure, the time it would take to roll over all PDDs is decades.  So practically, any Identity solution has to work with a world of insecure PDDs.

See the problem?  Pragmatically, Decentralization cannot be secure, and is quite a problem for something that promises a universal solution to Identity!  Decentralization has a very large problem of operating within insecure PDDs and it has no solution!

Decentralization has failed to deliver Decentralized Identifiers (DIDs)

DIDs are the fundamental building blocks for Decentralization but the functionality that was envisaged does not exist in practice .  W3C has delivered a technical specification of a DID, and no matter what specifications have been published, DIDs have not been delivered.

A good place to start is the W3C Credentials Community Group’s Use Cases for Decentralized Identifiers.  One of the example use cases is:

When Sally earned her master’s degree at Oxford, she received a digital diploma which contained a decentralized identifier she provided. Over time, she updates the cryptographic material associated with that DID to use her latest hardware wallet, with biometric protections and a quantum resistant algorithm. A decade after graduation, she applies for a job in Japan, for which she provides her digital diploma by uploading it to the prospective employee’s website. To verify she is the actual recipient of that degree, she uses the decentralized identifier to authenticate, using her current hardware wallet (with rotated keys). In addition to the fact that her name matches the name on the diploma, the cryptographic authentication provides a robust verification of her claim, allowing the employer to rely on Sally’s assertion that she earned a master’s degree from Oxford.

This excerpt clearly shows what was envisaged for DIDs – it replaces a central identity provider with a decentralized identity!  This is made explicit in a diagrammatic representation of a DID’s functionality (note the ‘deleted’ Identity Provider on the right):

Looks great, but has anyone seem a prototype yet?  The answer is no – all we have is a published specification. 

I contend that for Decentralization, DIDs are at the centre of its Identity strategy and it has failed to deliver DIDs because DIDs cannot be delivered in today’s ICT environment.

Decentralization has changed focus to Verified Credentials

Now tech startups are innovators and, when you are stuck, one of the best possible innovations is to change the game.  So, now Verified Credentials (VCs) have now been ushered into the limelight. VCs, if implemented correctly, will be secure.  But they will not be an Identity solution as they do not do Identification and Authentication.  Remember the basic processes of Identity:

VCs sit on the right-hand side – a technique for Data Sharing.  The debate about whether they are a good technique has yet to occur, but suffice to say that Data Sharing alone is not an Identity solution.  And VCs will likely have other issues which I’ll cover in a future newsletter.

Decentralization, or should I say those commercial entities promoting decentralization, have switched from Identity to managing credentials.  They realise that Identity cannot be decentralized in our current environment and so head off to find better pastures!

Decentralized summarized

Decentralization operates on PDDs.  PDDs are inherently insecure so Decentralization cannot be secure which is cataclysmic for an Identity solution.  This problem is confirmed by Decentralization’s failure to deliver DIDs.  The resolution of this issue has been to change focus to Verified Credentials.  While VCs have capabilities, they are not general Identity solutions.  Decentralization has failed to deliver Identity and has given up the quest to do so.

Identity 2.5 Networked

Why do I believe that Identity 2.5 Networked will work?  Well, because it does!  Most countries are in Identity 2, whereas the Nordic countries have moved to Identity 2.5.

Now, the standard rejection of that argument is that it only works because the Nordic countries have a national personal number.  This is not a good argument.  We know that we have perfectly good tokenization techniques that link databases together, so there is no inherent reason that networked solutions are not possible.  That networked solutions are easier in Nordic countries is simply an advantage for them.

As the title of my newsletter indicates, I am an advocate for Identity 2.5 Networked.  Besides advocacy, I have also created my own solution called General Identity Protocol.  I discuss this further in future newsletters.

Summary

Some of the world is hell-bent of achieving Identity 3 Decentralization and, ironically, this is not going to happen anytime soon.  With our current proven technologies we have all the building blocks to build sophisticated Identity solutions that provide a good customer experience and good security.  That is where we should be spending our time, rather than dreaming of an impossible future.

Regards

Alan

This newsletter brings all the previous newsletters together in one place – Identity in a nutshell, so to speak.  I think it appropriate to summarize the basics of Identity before, in following newsletters, going more in-depth, critiquing different approaches, and suggesting what the future will look like.

So here it is – Identity as well as I know it; based on my experience and documented in my previous eight newsletters.  The process of summarizing these eight newsletters suggested some revisions and these have been made to this summary edition.

Subscribe now

Identity is important for Society

The starting point is Identity’s importance for society.  Consider the list of activities and entities below.

Clearly, a number of the activities involve identifying ourselves, and many of our relationships with the entities shown are based on identity.  We identify ourselves regularly in many situations that require security, and we want such services to be easy-to-use and convenient.  Identity is not a nice-to-have – it is part of the very fabric of our society and our legal system.  Identity is important!

Identity-based Transactions

I use the term transaction in an everyday manner “to carry on or conduct business… to a conclusion”.  That is, a transaction is a sequence of actions with a specific form and time period. Of course, not all transactions involve identity as shown in the picture below.

Transactions split into anonymous transactions and identity-based transactions.  Examples of anonymous transactions are buying a ticket for a movie or buying an ice cream.  At no time are you identified and you are anonymous (this is not to say that you cannot be traced, but that is another story…).

These newsletters are all about the identity-based transactions (in the red circle above).  In these transactions, the person’s identity is important.  These transactions are for a specific individual.

I differentiate identity-based transactions into named and nameless.  Most transactions are named, meaning that the recipient of the information wants to know who you are – they want to know your name.  In the alternative, nameless transactions, the recipient does not know your name.  This is how a covid-passport should operate – the recipient knows you are covid-free but does not know your name – you are nameless. 

Identity Processes

There are two basic identity processes that occur within identity-based transactions.

The first process, identification and authentication, is obvious and very important.  An identity-based transaction needs an identification and authentication process appropriate to the risk of the transaction.  Buying a house needs more security than taking a book out of the library. Identification and authentication is the hard, stressful bit, hence the red colour.

And every transaction has a purpose beyond identification and authentication, and this purpose is achieved either through the use of some personal data or the sharing of personal data.  An example of use of data is checking that a person has the required permission for entry, while an example of data sharing is opening a new account.  This is more about growth, hence the green colour.

Both processes are important.  Without appropriate identification and authentication, fraud can occur.  Without data use or data sharing the transaction cannot achieve its purpose. 

The ‘Real Context’: Parties and Environments

I write ‘real context’, because the number of parties and the environment are where Identity ‘really happens’. 

The diagram above shows the inescapable two dimensions of Identity: the parties who are involved, and the place where they transact.  They are inescapable because this is how our world is organized.

For parties, there are 2-party and 3-party identity-based transactions.  2-party transactions are simply a person and an organization, while 3-party transactions involve a person, an organization that knows the person, and an organization that does not know the person.  3-party is the difficult situation of proving to someone, who has never met you, that you are who you claim to be.

The places are the obvious ones: the physical environment, communicating on the telephone, and the on-line world.  While these are obvious, each environment has quite different communication possibilities and, when combined with both 2-party and 3-party transactions, there is a lot of variety and complexity.

So, parties and place are the real context of Identity, and it is not a simple context.

Identity Performance

Given the context above, how well does Identity do?  Well, it’s not great.  In the diagram below, performance is shown using traffic light colours: green = good, orange = ok, red = bad.

The judgements above are mine.  I find that the only redeeming feature of identity is the availability of 2-party solutions.  If I think about ease of use for 2-party transactions, I find cards in a physical environment mostly good, answering 20 questions to identify myself on the telephone as painful, and the online experience as being excruciating, with check codes and the like varying service by service and, it seems, by the time of the day!  3-party ease of use is worse, and security and cost just do not look good anywhere.

Identity is not easy to use, Identity is not secure, and Identity is not cheap.  This is not good news.

Current Status of Markets and Technologies

So what is behind and in front of all this poor performance?

Well, we have established market segments of Identity (the top half of the above diagram), but these are somewhat eclectic having evolved in a series of near accidents.  For example, Know Your Customer only exists because of Anti-Money Laundering / Countering the Financing of Terrorism legislation.  These segments do not share common origins or common strengths, but do share common problems.

Notwithstanding the eclectic nature of the market, there are several enabling and developing Identity technologies that have strengths and potentials (the bottom part of the diagram above).  Not of all these will be successful, but one cannot doubt the power of such technologies as biometrics.  But, so far, they have not delivered a significant change in the performance of Identity. 

Identity Paradigms

It is relatively clear that Identity is used widely and is important, that Identity has a complex context, that Identity has performance issues, that the market is underdeveloped, and that many enabling and developing technologies are trying to solve the problem.

But to take the conversation forward, I need to both generalize and conceptualize.

My approach to conceptualizing Identity is the series of paradigms above.  Briefly, “knowledge” is simply knowing a secret, “documentation” is having some proof of identity, “technology” is our current malaise, “networking” utilizes the power of current identity hubs and current communications, and “decentralization” is an envisaged future technology-based Identity.

These paradigms do not occur in a strict sequence and they vary by country, industry and organization.  But they have evolved over time, so in a sense the world is adding more paradigms as it moves from left to right in the diagram above.

I see most of the planet firmly located in Identity 2 Technology.  We have been here a while and we do not seem to be moving anywhere fast.  Technology has ‘improved’ but, for the consumer, ease of use is going backwards.

The Challenge

The challenge is ‘what to do next?’.  Shall we grin and bear Identity 2?  No, that cannot be countenanced in an age of metaverse and web 3 - we must progress.  The challenge, as it is generally understood in the Identity world, is how to get from Identity 2 to Identity 3.  My position differs – Identity 3 cannot be achieved for a decade or two, so Identity 2.5 is the only way forward!  I’ll describe my reasons for such an outlandish statement in my next newsletter.

Regards

Alan

This is a bit late. Why - because I rewrote it twice. It is important so I hope it worked out!

The title of this newsletter is Identity Paradigms.  The aim is to indicate both where we are now and future possibilities.  This is not a roadmap, it is a list of paradigms.

But what is a paradigm? The word, made famous by Thomas Kuhn in 1962 in The Structure of Scientific Revolutions, depicts a theoretical movement or a way of working with a common basis. The best example are three paradigms from physics: Newtonian physics, relativity, and quantum mechanics. In these three paradigms of physics, the underlying theoretical basis changes hugely.

Identity is more practically focused, so the Identity paradigms are based on the underlying technology-basis.  This is the prime driver of Identity and supersedes any ideological or theoretical considerations.

Please note that:

1. These are generalized paradigms, not rigorous definitions. Use them to have efficient discussions. Do not treat them as defining principles.

2. The horizontal axis generally indicates progress through time, but it is clearly not linear and it varies by sector/industry/country.

3. The vertical axis is more reliable as it reflects how technology develops over time.

4. Each paradigm may include the use of other paradigms. There is no exclusivity in Identity! For example, many solutions/sectors currently in Identity 2 utilize components of Identity 0.

Identity 0 – Knowledge includes the oldest recorded use of an Identity technique when Odysseus returned from the Trojan War, over 3,000 years ago, and was identified by remembering a secret only he could know.  A more generalized knowledge technique is passwords and, as we all know, this age-old technique is alive and well today (well, maybe just alive).

Identity 1 – Documentation is also centuries old and has gone through numerous changes, from the use of seals, to watermarks, and now sophisticated technologies such as holograms.  However, with modern counterfeiting becoming more sophisticated and available to all, documents are no longer as secure as they once were.

Identity 2 – Technology is currently where most sectors are.  There are many varieties of technologies including hardware devices and software apps, techniques such as biometrics, full blown solutions such as behavioral analytics, and methods such as MFA (multi-factor authentication).  This is a lot to bundle into one Identity paradigm, but I do so because all these technologies have a common aim of mitigating Identity risk, especially in the on-line world.  Mitigation is the current arms race to keep ahead of the criminals.

It is worth noting the recent trend of Identity companies evolving to become ‘orchestration players’ often through mergers and acquisitions. These new entities combine multiple techniques, as they find that there is no single solution to the Identity problem (examples are Trulioo, Mitek, and Jumio).

Identity 2.5 – Networking doesn’t get its own whole number as it is essentially an extension of current Identity capabilities, but uses network effects.  The highest profile implementations are National Identity Systems in Scandinavia and Estonia which have one highly secure authentication method which is then networked out to other applications and processes.  They leverage high-quality databases, such as banks’ customer data, to raise the veracity of the total system, but a key component is the presence of a national identity number scheme that simplify integration challenges.

Identity 3 – Decentralization is a major technology step-change that would see Identity being based in decentralized assets held in the Internet and which would remove the reliance on centralized assets.  Blockchain has been seen as a major contributor to this effort, and there are significant standard associations, such as W3C, leading the decentralized push.  Decentralization has a certain ideological tinge to it, as it finds ‘big business’ to be as much the problem as the criminals who are trying to break down Identity.  While Decentralization promises much, it has yet to deliver any significant solutions.

Insights

• In Identity 2 Technology, the challenges of Identity are being met by ‘adding more’.  This is both by making specific methods more sophisticated and by combining methods.  The strategy can be summarized as ‘more complexity = more security’,  While this may mitigate security risk, it comes at the cost of more complexity for the user, as many of us experience every day. So this can be restated as ‘more complexity = poor customer experience = more security’. Who won out of that?

• Identity 2.5 Networking essentially uses current networking capabilities and current assets to achieve a more widespread adoption of some standard approaches to Identity.  The major success stories have been in codified law countries where intrenched use of national identifiers makes implementing solutions relatively straight-forward.  However, this does not mean that this paradigm cannot be implemented in common law countries.

• Identity 3 Decentralization promises to be a totally new beginning and to revolutionize identity.  If and when successful, it will be a revolution for not just Identity, but for Information Technology in general.  However the question is still ‘if’, and the lack of any identifiable solutions suggests that the promise may be beyond current capabilities.

What does this all mean?  Well, technology matters and technology is undecided: the performance of Identity 2 is a problem, the potential of Identity 2.5 is not well understood, and the viability of Identity 3 is uncertain.

The name of my newsletter, Identity 2.5, gives away which paradigm I think we should be aiming for.  In my next newsletter, the last in this initial series, I’ll elaborate on why Identity 2.5 is the future.

A final thought

As I reflect on this newsletter, it seems as though this is all somewhat self-evident. I hope you feel the same way and I have been able to create a simple set of paradigms that are intuitively obvious and that facilitate better conversations.

All the best

Alan

At last, in newsletter 7, we have arrived at technology. Most commentators start with technology because they hope it will be the answer - I started with defining the question in my early newsletters. Now, I am looking at the context of identity, which includes this newsletter’s technology building blocks for Identity. In the next newsletter I will look at possible futures, that is, at possible answers.

This newsletter’s title, Current & Developing Identity Technologies, states the obvious – we have both:

1. current technologies that enable Identity solutions (on the left in the diagram above)

2. developing technologies which promise to be ‘the answer’ to Identity (on the right in the diagram above)

In this newsletter I summarise each technology area and what it means for Identity.  But to start with, I will discuss the one technology that is fundamental to so much Identity: cryptography.

Cryptography

Symmetric and asymmetric cryptography (also called private key and public key cryptography) are core to Identity.  They are the basis of PINs on cards, secure communications, blockchain, decentralization, and many hardware solutions. Cryptography is how to keep things secret, and it is important, full of jargon, and complex.  If you want to develop a deep understand of Identity, you need to understand cryptography! But beware, it is a deep rabbit hole.

Current Technologies

Physical Identity

This is where so much identity has started.  Documents include passports and birth certificates.  Clearly passports have evolved significantly to include a chip.  Cards include driver’s licenses, student identity, club identity, and corporate identity.  These all have evolved with different uses of watermarks and tamperproof coatings.

Customer Databases

CRMs and their predecessors, accounts receivable systems, are a fundamental part of the Identity solution - they are where Personal Identity Information is stored!  

Hardware Tokens

There are a variety of devices such as dongles, challenge-response devices, and code-generating devices that operate in the on-line environment by connecting through a USB port. They can also generate codes for other environments.  They have obvious security benefits but suffer from the need to both distribute and maintain the devices, and from the challenge of interfacing with multiple platforms.

SSL

SSL, or Secure Sockets Layer, is something we all use on a daily basis.  And for good reason – it is the most important security protocol invented.  Based upon asymmetric and symmetric cryptography, it enables secure point to point on-line communications.  Without it, on-line Identity, and the internet itself, would be very compromised.

Messaging

The advent of multi-factor authentication (MFA) requires the customer to have something, often a smartphone.  The confirmation that the customer owns the smartphone or device is achieved normally through the entry of a code delivered through some messaging service, such as SMS or email.  Messaging is now an established technology used for Identity.

Biometrics

Biometrics has been with us for decades and is now becoming ubiquitous, due to face imaging and finger print readers on laptops/ PCs and smartphones.  It is now hard to imagine a world without biometrics. But it is far from complete, with developing standards, and threats from such things as AI generated deep-fakes. This is a technology that will be very important in the future, especially if it can be securely implemented.

New Technologies

Behavioural Analytics

Behavioral analytics is a development from big data that uses AI like techniques of data analysis.  It has utility for general analysis processes such as providing a credit rating for a future borrower, and for predicting if a payment is fraudulent.  For Identity, measures of physical behaviour (e.g. the pattern of typing) through to more long-term contextual events can be analysed by behavioural analytics to add an extra dimension to an Identity Authentication process. The question is: ‘is it worth it?’ Perhaps if we cannot develop good authentication we need such a backup solution, but it seems like a lot of technology to solve a simple problem.

FIDO Passkey

FIDO has long been based upon a Hardware Token, but on 5 May 2023 it announced with Microsoft, Google, and Apple an initiative to create a passkey to replace passwords.  This is based upon asymmetric cryptography and will potentially eradicate passwords, and thus password stuffing attacks.  It may also make customers dependent on a centralized passkey register run by you know who: Microsoft, Google, and Apple.  It all feels a bit centralized and big tech to me.  This will be the subject of a newsletter quite soon (as will all of these new technologies).

Digital Wallets

Some pundits think Digital Wallets will answer all our problems.  If they are secure, there is much potential to go beyond basic payment wallets such as Apple Pay and Google Pay, to a functional Identity Wallet.  The EU’s approach is to legislate an EU Identity Wallet into existence. Such an approach is risky, as it does not consider technical feasibility and indeed, one of the initial proposals, now taken down, did recognize the possible need for ‘hardware security’.  That little question of security on a consumer digital device is an important one and one that will come often.

Blockchain

Once the answer to all things digital, Blockchain still is a significant industry and cannot be counted out as at least part of an Identity solution.  The biggest challenge is that blockchain is a open, distributed ledger and such an approach is the antithesis of what Identity is trying to do – keep things private.  There are, of course, smart people who can find ways to make blockchain work differently, but why bother? If blockchain is not designed for privacy, why try to make it support privacy applications?

Decentralisation

Self-Sovereign Identity (SSI) was all the rage for a few years and the World Wide Web Consortium (W3C) has done a lot of work promoting decentralized standards.  The initial push from W3C was to create Decentralized Identifiers (DIDs) and the push is now to utilize Verified Credentials (VCs).  DIDs do not appear to have taken off, possibly due to that little problem of security on a consumer digital device.  If one was sceptical, one might suggest that the decentralization guys have given up on DIDs, and are now pursing the 2nd prize of VCs.  If so, fair enough, but while VCs are a proven technology, the practical use of them may cause more issues than the problems they solve.

Insights

There are multiple insights into technology:

• There are many diverse technologies – this is not a simple or a consistent field.  There are many diverse technologies that support Identity processes.

• Current technologies are enablers of poorly performing Identity - current technologies enable current Identity solutions, but as previously discussed in newsletters 4 and 5, current solutions perform poorly.

• Biometrics, a current technology, will develop further and will be important - intrinsically, because of its uniqueness-based authentication power, biometrics is a key part of the future of Identity.

• Developing technologies are technology driven, not functionality driven - there is nothing inherently wrong in a new technology approach of seeking new applications for a technology. But at some point in time, the technology’s suitability and practicality need to be questioned. In many of these developing technologies, such questions have not yet been raised.

• Many developing technologies are unproven - the inherent insecurity of a customer digital device has yet to be solved in a comprehensive manner.

So, there it is for current and developing technologies. Lots has happened and lots is happening, and some of it is good, and none of it is comprehensive, and some of it may not work at all.

Summary

This and the previous newsletter considered the broader context of Identity:

Together, Market Segments and Current & Developing Technologies show:

• a muddle of a market and

• technologies that under perform or are unproven.

I feel that we are in the uncomfortable stage of an evolution, a bit like the lyrics from a Stealers Wheel song: “Clowns to the left of me, Jokers to the right, here I am stuck in the middle with you”.

Regards

Alan