Signicat Interview: Aron Kozak talks on federated identity and level of assurance

What is federated identity and what are the implications for customers, third parties, banks and governments?

A federated identity is a means of sharing an individual’s identity and attributes across multiple systems and sites. These take multiple formats, ranging from reasonably lightweight social logins to highly verified electronic identities such as BankID in Norway.
We’ve been working with federated identities for over 11 years and continue to be amazed by the range of opportunities they present. 

For banks and governments, a verified, pervasive federated identity means that detailed and verified customer information can be shared as part of a customer onboarding, as well as using that identity for secure signing on to governmental and financial services. 

For consumers, it means they don’t have to re-enter their personal data every time they want to sign up for different services, nor do they need to remember hundreds of different usernames and passwords. They can use the same credentials for banks, government, health, insurance and a number of other services.

Finally, a trusted identity helps make third-party vendors and service providers’ lives much easier as they can quickly onboard new customers through a familiar method.

As a final note, one of our customers is using a federated ID (BankID) to verify consumers’ ages. In Norway, you need to be 18 to visit a tanning salon. Many of these are not staffed, so they use BankID to verify that a visitor is 18 before they are allowed to use the tanning beds.

How are social-logins perceived by the consumers, taking into account that the user has to exchange profile information with a third-party site?

Social logins are interesting in a certain sense. Customers don’t “trust” them per se, but value their convenience. And for the average user, convenience trumps anything. In our Battle to On-Board research we found that very few consumers would like to see social logins form the basis for an electronic ID. Overwhelmingly, banks are the ones consumers would like for this.

However, as a door-opener, social logins are great. For instance, in the situation where a potential customer would like to log in and see the services that a bank offers via their mobile app, a social login provides an excellent way to start the customer journey. However, as they engage more deeply with the bank, more and deeper levels of assurance are required that social authentication methods can’t provide.

This combination makes it easy to get the relationship with the consumer going, and only asking for more information, when the consumer is more motivated to provide it.

The Level of Assurance is an important factor in streamlining the identity management. Could you please explain how Signicat works on this solution?

As strange as it may sound, level of assurance becomes a key element in the User Experience process. We have a triumvirate of points that we regularly display during presentations as it illustrates the point well: On one corner we have Security, on another we have Verified Information, and the final we have Ease of Use / Convenience. Each organization needs to balance these three elements carefully so as to ensure you’re not losing customers, but you are actually secure and gathering the correct amount of information for the task being completed.

Asking for too much information is a primary reason why customers abandon a digital onboarding process according to our Battle to Onboard research. Asking for too much information when it isn’t required is a good way of needlessly driving customers away.
In the case of many traditional banks, they see the user identification as “binary”: Either you are verified or you are not. We believe that paradigm needs to shift to better balance consumer requirements and behaviours.

The concept of digital identity has evolved a lot over the last decade, with many systems of storing digital identity already being adopted: centralised, user-centric, federated, and now self-sovereign. In your opinion, what is the most appropriate system to solve the identity problem nowadays?

This is a widely debated topic these days. In some circles, there is an effort to put everything into a blockchain but when it comes to federated identities, we believe that blockchain specifically is not well suited. For one, you cannot store any sensitive data on a blockchain, not even encrypted data. One of the properties of a blockchain is that data can never be modified or deleted, meaning that when encryption algorithms are broken (as they all eventually are), the data will be revealed.

So there must be some traditional storage of the actual identity information. In addition, if the user is the only holder of the private key to his identity (eg username and password), how does this solution handle compromised or lost keys? People forget passwords, and many do not have an adequate back-up solution.

The users want somebody to call when they have a problem, and somebody to take responsibility for misuse.

We believe in self sovereign identity (SSI) as a concept with merit, where the user is in control of which information is shared and with whom. But this must be done through trusted parties, or Identity Custodians. The user should be able to choose which identity custodian to use.

At the end of the day, there needs to be a centralized management of the identity store, as without it we risk customers losing their identity or worse, having the security cracked on a blockchain and compromising the entire chain of data.

Banks are well suited to act as identity custodians, as they have been providers of trust for generations. Contrary to general perception, the main product of banks is not money, but trust. This is also reflected in the Battle to On-Board report, where people, in general, have high confidence in banks for managing identity.

About Aron Kozak

Aron Kozak was recently appointed Chief Marketing Officer at Signicat. A 20-year veteran of the technology industry, Aron brings a wealth of experience in technology marketing, communications, and developer relations. Prior to Signicat, Aron has held positions in Norway, Canada, and Silicon Valley. Previous experience includes ForgeRock, Nokia, Microsoft, Trolltech, Mohive, and North Plains Systems.

About Signicat

Signicat is based in Trondheim, Norway, and was founded in 2007; the company operates the largest Digital Identity Hub in the world, offering a leading digital identity platform and trusted to reduce the burden of compliance in highly regulated markets. With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure.