I had the pleasure to attend the KuppingerCole Consumer Identity World 2018 conference in Amsterdam last week and would like to summarise some of the highlights and list some of my take aways from the event. I was joined by Simon Wood and Charlie Rowland. It was nice to see many of our partner companies present and hear their views on the topics presented.

Day 1 – GDPR Workshop

GDPR is still fresh in everyone’s minds and although in full force, it is still on the to-do list of many customer facing product and service owners. Many companies have implemented the bare minimum processes and procedures and are still struggling with the wide ranging implications and risks.

The day was mainly led by Fabian Bauer and Frank Naumann who walked us through breach process handling and contract law in the context of the GDPR.

Frank Trautwein from Fresh Compliance presented a concise background and practical hands-on for Data Protection Impact Assessments.

Frank recommended the documentary called “Democracy” by David Bernet about the birth of the GDPR and expressed his fascination in the turns of events that made the law stronger than originally desired. If you haven’t seen it, check it out!

The presenters of the workshop day all agreed that proper understanding of GDPR is still lacking, particularly determining the grounds for processing in order to avoid the need for explicit consent. The use of legitimate interest for cookie usage was commonplace in countries without separate cookie legislation. Without court judgements for legal precedence, we have only the recitals of GDPR to work with when interpreting nuances of the law.

Frank reminded us of the importance of the original intent of the lawmakers and how this is taken into account in the legal proceedings when deal with ill-defined aspects or grey area of the regulation. Transparency for the data subject was another big theme.

Data portability without having defined technical standards has lead to similar services providing different types of export file formats – for example raw CSV or HTML dumps of data. These differences and the lack of common standards make the ability to move the data to a competing service more difficult, as each file format will require service specific transformation.

Day 2

Matthias Reinwarth from KuppingerCole opened the event highlighting the importance of Customer Experience as the core of any CIAM. He showed some “worst case” screenshots of modern systems, where the majority of the screen is taken up with cookie warnings, privacy policy descriptions, chat bots and consent questions. Only a small part of the screen was left for useful content. Although the example shown was extreme, the message was clear – simplification of the user journey is needed.

Karel Roes from Aegon presented his experience of implementing a wide-reaching IAM project across his organization, integrating six previously siloed applications. I enjoyed Karel’s humorous approach to a serious topic and the many specific examples he gave throughout the presentation.

Bryn Robinson-Morgan presented the UK’s Post Office project to enable citizens to perform remote renewal of passports using self-service kiosks across 750 retail post offices. The challenge of tying an online identity to a real physical person at scale.

In Finland, the equivalent system is completely automated without the need for kiosks – see this blog. Mainly thanks to ability to strongly authenticate citizens via their banks, mobile operators or using eID cards, the entire transaction can be completely online. This could be a good topic for a future blog post – comparing the approaches of each country.

Day 3

John Tolbert from KuppingerCole opened the day with a state of the nation for CIAM. He posed the question – what is the C in CIAM?

Kristijn Krol from postnl, Post Office of Netherlands, showed their innovation center projects, including a re-engineering of the receipt process for registered mail and parcel deliveries. The current process of signing with a stylus on a digital pad had proved inadequate in providing a watertight record of receipt. The current pilot allows citizens to scan a QR code on the package or delivery slip, and confirm receipt from within their own postnl smartphone app. With some 4 million (out of 17 million) active app users , the new solution proved faster than the system it will replace. The expected first target cases are remote sales of age restricted items such as alcohol.

Another utility case was presented, highlighting the use case of identity for non-traditional consumption devices – this time a smart display for energy management. The Netherlands specific iDen authentication system was displayed, which resembles the Finnish Bank ID system Tupas or FTN. Implementations were shown where iDIN login could replace a traditional OTP PIN sent by mail to customer home addresses – saving 3 to 5 days for onboarding process.

Real life implementations are always great to see. This year, Srijith Nair from Booking.com gave a great overview on their experience of managing changes to the platform. He highlighted the importance of a/b testing by giving actual examples that for many seem counter-intuitive. he said not to trust your gut instinct – instead let the facts talk for themselves. Another great discussion was around usability and user training when introducing one time passwords to a wide audience.

One of my favourite presentations was about the future of sales and marketing. Gabriele Horcher gave a dynamic presentation showing what is on the near horizon – from software agents that do business on your behalf to AI powered artists that can command hundreds of thousands of dollars for their art at auction. This presentation gave pause for thought about the different channels and use cases identity will be a core part of in the future.

The Kantara Initiative was well represented by many member companies, led by executive director Colin Wallis. I had the pleasure to present the work of the Consent Receipt project, a part of the Consent and Information Sharing Working Group. Ubisecure participated this summer in an interop demonstration showing how the consent that a user makes in one service can be read and interpreted by another. Two more vendors committed to joining the group and to implement the standard within their product. Oscar Santolalla will present our work this week in Brussels, at the ISSE Conference.