6. Identity Market Segments
What different market segments are there in Identity?
In the next two newsletters I’ll describe the overall landscape of Identity. Firstly, this newsletter considers the market segments of Identity. Then, the next newsletter considers enabling and developing Identity technologies. I go into more detail here because there are many market segments – I hope you find the contextual knowledge useful.
Before I start, I want to mention the only other topology that I can find: Liminal’s comprehensive description of ‘everything identity’ – their Digital Identity Landscape (https://liminal.co/liminal-landscape-honeycomb/). The people at Liminal have some great IP they willingly share and have been maintaining their Digital Identity Landscape for five years. While their landscape is very comprehensive, it is much more than I am looking for, hence I have taken a much simpler approach:
Analysis
Identity and Access Management (IAM) is the solution for corporates to enable their employees to access corporate systems. I use the term IAM to include two other popular segments: Identity Governance Administration (IGA) and Privileged Access Management (PAM).
The need for a corporate single sign-on has been with us for decades and was initially supported, to varying degrees, by the bigger IT providers such as Microsoft, IBM, and CA (now Broadcom). It is now supported by a new breed of providers, including cloud platforms such as AWS and Azure, and a series of pure plays including Okta, One Identity, OneLogin, and three entities acquired by private equity firm Thoma Bravo in 2022: SailPoint, Ping, and ForgeRock. Okta, before the acquisitions, was the largest player and has a current valuation of $US 12b.
It is worth noting that IAM focuses on on-line Identity, that it is highly specialized, that it is a mix of old and new, and there is a lot of money involved!
Social Media Identity (SMI) is a sector that includes both the social media platforms (Facebook, Instagram, TikTok, Twitter, etc.) and the identity hubs that can be used to log on to ‘other’ social media (Google, Apple, Facebook, Twitter, Microsoft). This is a form of federated Identity and it is enabled through protocols such as OAuth, OpenID Connect, and SAML (note that these protocols may also be used in IAM).
Social Media Identity works in the on-line world only, has 4.7 billion users, and the most special aspect of it is that most of the identities are unverified. It is quite astounding! The biggest databases of identities on the planet are totally unverified!
Obviously Elon Musk found this problematic, and I certainly was very keen to understand how he was going to verify all Twitter tweeters! Unfortunately that seems to be no longer the case! Where this all ends is anyone’s guess, but suffice to say Social Media Identity, with an estimated 4.7 billion users, is large and hence cannot be ignored.
Know Your Customer (KYC) probably would not exist if it were not for Osama Bin Laden and 9/11. Most countries now have Anti-Money Laundering laws that require organizations to perform KYC due diligence. KYC tends to be an on-line service that is based on document proofing and some form of liveness detection.
In Aotearoa New Zealand, we have seven such players that specialize in the local market, while major international operations exist, such as Acuant, Jumio, Trulioo, Onfido, and Prove. The KYC sector may have the opportunity to evolve into Identity hubs, but as yet, none has made that claim. Perhaps they all prefer to repeat the KYC exercise, and gain revenue, rather than to attempt to create a cheaper reusable solution.
I include Identity Hubs (IHs) because they exist after a fashion. Normally based around a smartphone wallet, they aim to create a database with a critical mass of voluntary customers and then exploit this by inviting third parties to join their party and have easy access to customers’ Personal Identity Information (always with the consent of the customer). One of the highest profile players is a UK-based firm called Yoti. I say they exist after a fashion because building a critical mass of users is not easy and is yet to be achieved in a significant fashion. Thus IH has not become an established sector in the way KYC has, but it is active and may be a major sector in the future.
It is easy to forget Government Issued Documents (GIDs), but they are still a fundamental element in every country’s management of Identity. Where would we be without our passports and driver’s licenses?
Most countries now have some form of Government On-line Services (GOSs). These have varying degrees of functionality and quality, and often identity exists in silos. A major initiative for many governments has been to consolidate all the departmental silos into a single sign-on for government.
For Aotearoa New Zealand, this is an identity service called RealMe that uses a basic username/password identity process, and that has had limited success due to limited take up by government departments and a complex onboarding process.
The UK launched GOV.UK Verify in 2016 and after spending a couple of hundred million pounds on it, are turning it off in December 2023. I hope their proposed One Login for Government solution goes better! GOS is not at all easy to achieve, as experience has shown.
National Identity Schemes (NISs) operate most easily in countries with national identity numbers, notably the Scandinavian countries and Estonia. These countries have long histories using these solutions, with the Scandinavian countries utilizing the inherent security in their banking systems to create the BankID solution, and Estonia having a more bespoke solution.
These provide secure identification and authentication of a user, and they can be federated, with a variety of solutions including Government On-line Services and corporate solutions.
International Passports (IPs) is, of course, our one true international identity scheme. It has evolved from being a paper-document based solution to being chip-based using specific hardware in specific locations. No doubt it will evolve further in the future.
Customer Identity Solutions (CISs). CIS solutions are probably the most numerous and most varied of all Identity solutions. From legacy solutions to modern e-commerce businesses, there are a myriad of technologies that save and maintain identity information. The functionality is similar to, but also different from, that required for IAM. The IAM vendors see the opportunity and are now promoting Customer IAM (CIAM). However, given that CIAM is associated with a group of IAM vendors, I call this sector CIS, as this is more general and reflects that many CISs are bespoke solutions.
Insights
So, what insights do we have into the landscape I pictured above and repeat here?
Well, there are some structural insights:
Corporate Identity and General Identity are different. While there are crossovers, IAM has a very specific focus on protecting and providing employee access to online corporate solutions, whereas General Identity is much broader.
Identity is about individuals, not organizations – in most, if not all countries, individuals and organizations are legal identities. But Identity focuses on the person, not the organization. In order to represent organizations, individuals have credentials allowing them to do so.
And, more importantly, there are strategic insights:
Identity has many varieties – there are multiple colours used above for a reason – these solutions are very different. We do not have common solutions, such as are found in Payments. Do you remember my definition of Identity being Identification / Authentication and Data Use / Data Sharing? I expect that the lack of common solutions is because the variety of Data Use / Data Sharing uses has led to multiple solution types, even though the basics of Identification / Authentication are common. In other words, because we lack a common approach to Data Use / Data Sharing we have developed many types of industry solutions.
Identity has simply evolved. Without a dominating technology or design, Identity has just simply evolved. Compared to Payments which has evolved along technology lines, Identity development has been driven by other external factors (e.g. KYC with AML).
So, that’s it. A bit of a muddle in a puddle really.
Regards
Alan