At the Gartner IAM European Summit in London a couple of weeks ago, Simon Wood, Ubisecure CEO, had the opportunity to share the stage with Lauri Immonen, Telia Company’s Head of Identity. Together they would provide insights to the audience on how the Ubisecure-Telia partnership has enabled strong reusable identity throughout Europe. The live session can be replayed for attendees in the Gartner Conference app, but for the benefit of our wider audience, I have summarised the session below.
As a background, Ubisecure and Telia have a unique relationship. Ubisecure is a European identity services provider, and Telia is a leading Nordic telco. Together the companies developed a solution (the Telia Identification Broker Service) that connects Service Providers to the European strong reusable identity ecosystem. The ecosystem, while rich in high assurance Identity Providers, won’t reach its full potential until its issues around complexity are solved.
This blog talks through the why, the how, and what this solution delivers.
The three identity waves
To understand strong reusable identity, we first need to look at its evolution, or as Rod Boothby coined, the “waves of identity”.
Wave 1 refers to workforce identities. Companies give their employees identities and passwords to access work networks. The identities reside in enterprise directories and HR systems. Sometimes these identities can be federated and used on external services, but ultimately they remain controlled by the company.
Wave 2 refers to the identities businesses give to their Customers. Customers now have hundreds of identities. A particularly popular type of wave 2 identity is the social identity like Facebook, Google etc. These identities are low assurance, or perhaps better said as ‘self-assurance’, but highly prevalent. The user’s identity became the product.
Wave 3 refers to strong trusted identities. These identities are highly assured – issued by a bank, government or mobile provider. They deliver high value because they can be trusted. They are designed to replace many of the wave 2 identities by offering Customers a single, secure and privacy enhanced method of registering and authenticating to a service. But currently the strong identity ecosystem, particularly in Europe, contains many disparate identity providers – some regional, some national. They need connecting together.
What defines a strong reusable identity?
Firstly, it cannot be self-certified; it must originate from a certified, trusted identity service. In our society we see three organisation types issuing the majority of such identities – banks, governments and mobile providers. All perform KYC (Know Your Customer) as they onboard their Customers or Citizens to digital services.
The identity must allow the Service Provider to authenticate and identify the user. This doesn’t mean attributes should be shared, in fact quite the opposite. A good identity service will share assertions and claims rather than actual personal data, and the identity owner will maintain total control over what specific data is ever shared. Think about the case of buying alcohol. The store clerk needs to know that the buyer meets the legal age to buy alcohol, not their actual birthday. This is the key difference between sharing personal data vs making a trusted claim. This in turn helps the Service Provider to build trust with the Customer over time, requesting identity assurance only when it is needed.
Finally, it should also follow a Zero Trust model of “never trust, always verify”. Once the “always verify” concept can be automated without causing friction on the user, Zero Trust can dramatically step up the anti-fraud benefits for both the Customer and the Service Provider.
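The two points above, sharing a trusted claim instead of the underlying personal data and verifying that claim every time, are easy to show in code. The example below is added here and is not code from Ubisecure, Telia or the Telia Identification Broker Service; it is a small model of the alcohol-purchase case. The identity service derives an "age over 18" yes/no claim from the date of birth and signs it; the Service Provider checks the signature before it reads the claim, and never sees the birthday. The HMAC shared key is an assumption standing in for the asymmetric signing keys a real identity provider would use (an OIDC ID token is a signed JWS, for instance), and the subject identifier and dates are constructed sample values.

```python
import hmac
import hashlib
import json
from datetime import date

# Constructed demo key: stands in for the identity service's signing key (assumption).
# A real identity provider signs assertions with a private key and publishes the public key.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(claims: dict) -> bytes:
    """Serialise claims deterministically so issuer and verifier MAC the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_age_claim(subject: str, date_of_birth: date, min_age: int, issued_on: date) -> dict:
    """Identity service side: turn a birthdate into a minimal, signed yes/no claim.

    The returned assertion carries only the subject, the boolean age claim and the
    issue date. The date of birth itself is deliberately never placed in the output.
    """
    had_birthday = (issued_on.month, issued_on.day) >= (date_of_birth.month, date_of_birth.day)
    age = issued_on.year - date_of_birth.year - (0 if had_birthday else 1)
    claims = {
        "sub": subject,
        f"age_over_{min_age}": age >= min_age,
        "iat": issued_on.isoformat(),
    }
    signature = hmac.new(SIGNING_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": signature}


def verify_age_claim(assertion: dict, min_age: int) -> bool:
    """Service Provider side: 'never trust, always verify'.

    The signature is recomputed over the received claims first; a tampered or
    forged assertion fails here. Only then is the boolean claim read.
    """
    expected = hmac.new(SIGNING_KEY, _canonical(assertion["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False  # signature mismatch: do not trust anything in the assertion
    return bool(assertion["claims"].get(f"age_over_{min_age}", False))


if __name__ == "__main__":
    # Constructed sample: a buyer born in June 2004 is still 17 on 1 May 2022.
    today = date(2022, 5, 1)
    too_young = issue_age_claim("user-123", date(2004, 6, 15), 18, today)
    print(too_young["claims"], "->", verify_age_claim(too_young, 18))

    old_enough = issue_age_claim("user-456", date(2000, 1, 1), 18, today)
    print(old_enough["claims"], "->", verify_age_claim(old_enough, 18))
```

The store clerk (the Service Provider) learns only `age_over_18: True` or `False`; the `date_of_birth` field does not exist in the assertion at all. Flipping the boolean in a captured assertion invalidates the signature, so the verifier rejects it, which is the "always verify" step that makes claim-based identity safe to reuse across many services.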
Why would a Customer or Service Provider want to use strong reusable identity?
We all have dozens, if not hundreds, of accounts. There is considerable fatigue in being asked to create yet another account, in being asked to share private details yet again in the hope they will be adequately protected and not illicitly shared, and in creating yet another password, or maybe reusing existing passwords (not a good idea, ever). Then, assuming we finish yet another registration process, we still have to remember or dig out the credentials every time we want to log into the service again. It’s time consuming and frustrating.
Customers want a simple registration process that is standardised, familiar and easy to use. One that allows single sign-on across connected applications. They don’t want to remember yet more passwords, and they want to control what data is shared, and why. Strong reusable identities deliver all this to Customers.
Service Providers have similar requirements. They want assurances that both new and returning Customers are who they say they are. Sometimes, for more valuable transactions, they might even want further assurances the Customer is really the Customer (step up authentication).
It’s notoriously hard getting people to sign up to new services. It’s incredibly frustrating, and wasteful, when a potential Customer abandons the registration process halfway through – which happens far more often if the process is lengthy or provides friction beyond reasonable security requirements.
If there’s a way to just get the Customer onto the system quickly and easily, churn can be reduced, and marketing investments maximised. Strong reusable identities deliver all this, and more, to Service Providers.
European Strong Identity
Now we know that strong reusable identities have a lot to offer both Customers and Service Providers, let’s review what is available in Europe.
The European identity ecosystem is very rich. It contains dozens of initiatives managed by both public and private entities. Plus, there are some public-private partnerships. All, however, are anchored on nationally issued identities, making them extremely high assurance and perfect for cross-border transactions and trust.
As disparate as it may be, the pool of identities is plentiful – covering millions of individuals throughout Europe. As attractive as the pool may be, with such a plethora of initiatives, and no (at least yet) harmonisation between the identity providers, if you are a Service Provider looking to support multiple providers, there are serious challenges.
The challenges within the current European Identity ecosystem
The Customer perspective is easy to understand. They simply want their strong IDs to be accepted in as many places as possible. They don’t care if the Service Provider is in Finland, or in Sweden etc. They just want to authenticate themselves to gain access to the service, with a consistent and familiar user experience.
Service Providers look at the current ecosystem and see opportunity, but also complexity. They see complexity in integrating many different Identity Providers (IdPs) to their service(s). And, they see complexity in having to manage many contractual relationships with the IdPs, especially banks in different regions. Finland is a good example here. To offer all bank-issued reusable IDs, a Service Provider would need to maintain contractual relationships and technical integrations with 14 different banking entities! The ecosystem is rich, but it is overwhelming, and few organisations have the resource to get it right.
The strategic drivers for Telia Company
Service Providers want to tap into all the benefits of the strong identity ecosystem, but they don’t want the technical and commercial complexity of doing so. They want just one contract, and one single integration. They want a service that solves the problems, and opens up the ecosystem.
This is where the Ubisecure & Telia partnership offers value. Telia is responding to its enterprise Customer (Service Provider) needs, while complementing other Telia identity services such as e-signing (AATL).
The Telia Solution – One contract, one integration
One contract, one integration. This critical approach has opened the European identity ecosystem up to many more Service Providers than would otherwise have been able to use it. 200 Service Providers are now connected to 20 different identity providers, all through a single integration delivered as either an OIDC (OpenID Connect) or SAML API.
How the Telia ID Broker works
The Ubisecure Identity Platform powers the 24/7, highly available ID broker system. In 2021 alone, over 58m strong authentications were brokered. The usage of the system is growing, with 40% YoY growth for Swedish and Finnish eGovernment services alone. All from a single integration, and a single contract.
The Future – eIDAS 2.0
So far we have examined the strong identity ecosystem from the Nordic and Baltic perspective. We should note that the system has been largely successful due to political pressure in these regions. Where such political appetite does not exist, we see fewer programmes, and those that do exist are less successful (such as in the UK). To help solve these regional differences, the European Commission is close to finalising a pan-European eIDAS 2.0 framework to:
- Ensure that people and businesses can use their own national electronic identification schemes (eIDs) to access public services available online in other EU countries;
- Create a European internal market for trust services, by ensuring that they will work across borders and have the same legal status as their traditional paper-based equivalents.
With the eIDAS 2.0 specification due to be released imminently (May 2022), we are just around the corner from a true European ‘network of networks’. eIDAS 2.0 will enable so much more than just strong reusable identity for authentication. It is planned to also include identity wallets that can manage both identities and documents, such as driving licenses, medical data and more. This puts the identity holder in complete control over what is shared and how, while retaining a trusted cross border ecosystem.
By 2024, eIDAS will also support Organisation Identity – an underserved aspect of identity. As the #1 issuer of strong organisation identities through our Legal Entity Identifier business unit, Ubisecure naturally supports and contributes to enabling use cases where organisation and individual identity can be linked and expressed as a trusted relationship. More on this aspect in the future!
Identity brokering platforms will be essential in the success of such initiatives.
The Future – GAIN
The hope of eIDAS 2.0 is to open up the European strong identity ecosystem. GAIN (Global Assured Identity Network) sets its sights on the entire globe. If successful, GAIN will be a true global network of networks, mapping the trust between all the regional initiatives. It’s a lofty goal, but one that has a good chance of success thanks to the involvement of several key individuals and organisations, such as the IIF, OIX and GLEIF (Global LEI Foundation).
Hopefully, this has given some good insight into the origins of the Ubisecure-Telia partnership on enabling strong reusable identity. Get in touch to discuss using the Telia platform, or to discuss strong identity for your own business use case.