Let’s talk about digital identity with Don Thibeau, Executive Director of the OpenID Foundation.
In episode 9, Oscar talks to Don about his career so far; his work with the OpenID Foundation (including FAPI and CIBA standards) and the Open Identity Exchange (OIX); and what he calls the ‘Holy Trinity’ driving the identity industry. Throughout the conversation Don highlights cultural differences in attitudes towards digital identity, and how we should be taking a more global approach.
“We have to work locally, but we have to think globally”
Don Thibeau is the Executive Director of the OpenID Foundation, a non-profit international standards development organisation of individuals and companies committed to enabling, promoting and protecting OpenID technologies. The Foundation’s membership includes leaders from across industry sectors and governments that collaborate on the development, adoption and deployment of open identity standards. Formed in June 2007, the Foundation serves as a public trust organisation representing the open community of developers, vendors, and users while providing needed infrastructure and leadership in promoting and supporting expanded adoption of OpenID. Find more information at openid.net/foundation/.
Don is also the Co-Chair of the OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee. He founded and now serves on the board of the Open Identity Exchange (OIX) – a non-profit, technology agnostic, collaborative cross sector membership organisation with the purpose of accelerating the adoption of digital identity services based on open standards. As Don mentions in the episode, you can find the OIX’s extensive whitepaper library at openidentityexchange.org.
Don also refers to previous episodes of Let’s Talk About Digital Identity with DIACC President, Joni Brennan – ubisecure.com/podcast/joni-brennan-diacc – and with One World Identity’s Cameron D’Ambrosi – ubisecure.com/podcast/cameron-dambrosi-one-world-identity/.
Let’s talk about digital identity. The podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining. Today we will have a conversation with a man who has led, and today leads, very influential organisations in this realm of digital identity.
Don Thibeau is Executive Director of the OpenID Foundation, a non-profit international standards development organisation of individuals and companies committed to enabling, promoting and protecting OpenID technologies.
The foundation’s membership includes leaders from across industry sectors and governments that collaborate on the development, adoption and deployment of open identity standards.
Don is also the Co-Chair of the OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee and Don was the founder of the Open Identity Exchange and serves on its board.
Don Thibeau: Hello Oscar. I’ve been looking forward to this conversation for some time.
Oscar: Same on our side. It’s great talking with you today. So let’s talk about digital identity. I would like to ask you first, what was your journey to this world of digital identity?
Don: Yes. Most of my career has been involved in the identity data business. The companies that I’ve been part of and the companies that I’ve founded have all in one form or fashion been concerned with how identity is expressed online, both in code and in governance.
So the work that I’ve been doing for the last 10 years has really been focused on digital identity on a global basis. I’ve had an opportunity to lead two organisations in the space and if I can, I will just briefly summarise for your audience what the OpenID Foundation is and the Open Identity Exchange is.
Oscar: Yeah, please.
Don: So in short, it’s really a focus on the rules and tools of identity. By tools I mean how identity is expressed in code, in machine-readable language online and specifically how that code is expressed in open identity standards. Most recently the OpenID Connect standard, which has been adopted by most large and small companies worldwide, and building on top of OpenID Connect is the financial grade API standard. I’m sure we will talk about that more later.
But the OpenID Foundation really has a focus exclusively on providing these open standards for adoption on a global basis. So that’s the toolset. But increasingly important, and certainly for European audience, is that technology is not enough. We need to have a rule set, a governance framework, a trust framework if you will.
So the Open Identity Exchange was really born in the White House, in the early days of the Obama administration. President Obama had a very personal and substantial interest in online identity and protecting citizen services. So he gathered the leaders of the industry in the White House and asked them to organise a partnership so that there would be a public-private conversation over the course of his administration about digital identity, its technical standards and its governance.
So the OIX has focused on building trust frameworks and best practices in digital identity at scale, and we’ve had a lot of work done in the US throughout the Obama administration and, over the last many years, in the UK with the UK Cabinet Office and their Government Digital Service. These two efforts, like others throughout the globe, represent the challenges of government delivering services to its citizens and citizens being able to reliably, securely and easily sign into government services.
So it has not been without friction and challenge in both those efforts. The reason that I am interested in talking to you and your audience is because in the Nordics, there’s now a ten-year history of success in this collaboration between government agencies and private sector companies. And that success comes from when you add open standards, technical requirements, with governance, rules, and the sum of those two parts is what many call a trust framework, or a scheme as the Brits say.
So if you look in the Nordics, certainly in Norway and Sweden, you can see the power of trust frameworks at work, and that power results in better services by government for its citizens and also an expansion of economic development in the private sector, all based on having a common trust framework around knowing that that person online is in fact who they say they are and that the company that you’re doing business with is in fact a company that is authentically your partner.
Oscar: Yes, very interesting and you have put in a very simple way. You know, the OpenID Foundation is about the toolset, the technical side of these standards that we need and we use like OpenID Connect and OIX, the Open Identity Exchange. The rule sets, how to scale this globally, and you mentioned that started in the US, in the White House you said. Also now it’s used in the UK. What else is Open Identity Exchange today focused on?
Don: Open Identity Exchange really has been working hard on building new institutions, new instantiations of this public-private partnership. Again this has been a matter of success over time in the Nordics, but still is a challenge for countries like the US and UK, and Australia as well, as we culturally and legally have an aversion to identity cards for example.
We culturally and in our common law don’t have a provision for a specific government role in online digital identity. So the struggles that continue in my country and elsewhere really speak not to the technology problems. We’ve got great technology tools. But we in many countries haven’t found the way of aligning technical tools and governance rules.
What I find interesting about the Nordics and the experience there is that it really represents a third way for this public-private partnership to occur. And that third way I think is best expressed by Francois Macron who said the state of identity on the internet is really two polar opposites.
Macron talked about the Chinese model of state-sponsored identity and surveillance, and the California model, which is anything goes and the monetisation of personally-identifying information.
So it’s with great interest, I think, that this global audience has turned to the experience in the Nordics, the challenges that we now have in taking identity into payment processing and banking, and the regulatory environment under construction in the EU through eIDAS and PSD2 and other regulations that are founded on a strong authentication and good identity verification model.
Oscar: Yeah, very interesting these – you mentioned two poles, right? Very state-governed identity and one that is monetisation of a very open market.
Don: I should also add the good work that’s being done by the DIACC group in Canada. I have a lot of respect for Joni Brennan’s leadership, which has resulted in what’s now known as the Pan-Canadian Trust Framework and through the work of DIACC and Joni’s leadership, they’ve been able to have the full participation of not only the banks in Canada but the telcos as well as the provincial and federal government.
So the Pan-Canadian Trust Framework, like the work being done in the Nordics, represents this third way or middle ground that accounts for the economic power that we’re discovering in data in general and identity data in particular, but also provides a proper and appropriate regulatory environment for those transactions to occur.
Oscar: Yes, we talked also with Joni Brennan.
Don: Yes, I listened to all of your podcasts – with Joni and most recently with my friend Cameron at One World Identity.
Oscar: Oh, yes, that was the last one before this conversation. Yes, she mentioned exactly one thing that you said, that bringing digital identity opens more opportunities for more business. You know, that’s business growth. So that’s excellent. Now that you –
Don: We can see that in real time. Facebook makes $16 billion a month with a product and social network that has as its basis digital identity.
Oscar: Yeah. Well, big numbers, exactly. Yes. You already mentioned DIACC. What about comparing the modus operandi of OIX with DIACC, and also the Kantara Initiative that we talked about earlier during this podcast? How would you compare them – how is OIX different?
Don: Yeah. OIX is taking a global approach and Joni and DIACC are really focused again on a Pan-Canadian model. So I think that we have to work locally but we have to think globally. A good example of that is working in this current disruption, in the global financial services sector where new regulations associated with open banking in Europe, PSD2 regulations, really require financial institutions that we know well like banks and new innovators in the FinTech space, and payment processing space, to really begin to rethink their understanding and their deployments that at its very core require a deep understanding of digital identity technology and governance.
Oscar: Exactly. And what would you say that for an organisation that is hearing about OIX for the first time, how– what are the best ways that an organisation can collaborate, cooperate or benefit with doing something with OIX?
Don: Well, the great benefit of OIX is our work product, white papers. Over 10 years we have been able to receive very substantial funding from companies like Google and Microsoft and others, but also government funds, both from the EU through the LIGHTest programme and also from the UK government.
All of this work has been delivered in terms of white papers. Those white papers can be found at Open Identity Exchange’s website, openidentityexchange.org. But importantly, each of those white papers takes a very laser-like focus on particular problem sets or particular use cases that are involved in identity systems at scale.
So for example we have a lot of white papers on, ‘what is a trust framework?’, ‘how do trust frameworks operate?’ and ‘how is liability associated in these trust frameworks?’
So the white papers range from legal treatises on the interaction of liability and law and identity systems, to the inclusion of marginalised populations in identity systems, as well as how biometrics and trust marks are to be added into these identity systems.
So we would like to think that OIX made a contribution to the community at large by offering these white papers freely available to anyone at any time through its website.
Oscar: Wow, that sounds excellent. That’s very specific, real case examples. OK. So it’s …
Don: You know, we wanted to avoid the problem that many identity professionals get into where they want to boil the ocean. We boiled a few ponds and have tried to report the progress and the challenges of different pilots that have occurred in Scotland and the State of Jersey and the UK and the US. So we’ve got some interesting work on attribute exchange models that was very early days and is now being adopted globally.
So we hope that by sharing the benefit of this work experience and these practical white papers, that other companies, organisations and governments can build on what has been built.
Oscar: Yeah, excellent. It sounds like really valuable resources are available there. Talking a bit more about OIX – you are the founder, but my understanding is that you are now more focused on the OpenID Foundation as an Executive Director. So please tell me, what is your work there currently?
Don: My work at OpenID Foundation really has taken on a specific focus around Open Banking. And the reason I mentioned Open Banking is that a deep understanding of Open Banking takes you into the world of open identity. So if you think about the Venn Diagram of Open Banking and Open Identity, where those two circles meet is where I think the real action is, the real dynamism is in the global ecosystem that we are part of.
What I mean by that is that in the work that the OpenID Foundation has been doing with respect to PSD2, Open Banking regulations in the US and UK, Australia and Japan, what we’re trying to do is meet a burning business problem. And the burning business problem of Open Banking is expressed in two ways. We will go bottom up and top down.
Bottom up, what is at the core of Open Banking and its related regulations in Europe, Australia and elsewhere is giving the user, giving the bank customer agency over the data about them being held by a financial services institution.
What I mean by that is expressed in terms of data portability. What governments around the world are pushing for is greater agency or greater control by a user of the financial data that that user generates about his life, the mortgages that he takes, the credit card statements that represent his transactions, the loans, etc.
That information, that very rich identity data is very powerful. So giving greater agency and protecting the privacy of the user and making a user experience that’s easy to understand, with the appropriate consent, is the largest challenge that we have in financial services and really the north star of those of us that are in the identity business.
So Open Banking is a disruptor in the identity ecosystem and I think its disruption is being felt again from the bottom up for all of us as citizens, as customers as users of these online financial services, but also top down. What I mean by top down is that global players in financial services, large banks, start-ups, FinTechs, payment processors all have to be concerned with two things. Being in compliance with government regulations in each country, in each region, and at the same time, being in conformance with technical standards.
Because we live in a global world, it’s not enough to have a proposition for your customers that only works in one country. We have to understand that business organisations, governments as well as citizens are increasingly participating in a global economy. So what that means from a top-down perspective is that it’s very difficult and very problematic for an organisation that wants to do business internationally to have to be in compliance with a different set of regulations in each country.
That’s a lot of opportunity cost. That’s a lot of complications from a technology platform point of view and that’s confusing for the businesspeople that are trying to sell goods and services on a global stage.
So what we’ve been trying to do at the OpenID Foundation is to make that simpler, to make that more secure. So we built a new standard on top of OpenID Connect called the “financial grade API”. And what this new standard is all about is having a higher level of assurance, a step-up if you will, from verification to authentication and to do it in an open and standardised way.
That allows banks and other financial institutions to be in compliance both from a regulatory point of view as well as in conformance from a technical point of view on a global basis. So for example, the FAPI standard has been adopted by the UK Open Banking Implementation Entity, which is a group of the nine major banks in the UK, and we continue to have a very vigorous dialogue with our colleagues in the Berlin Group so that we can make this approach consistent with the objectives of the PSD2 regulations and the way that the European Union has organised its eIDAS programme.
So what we’re trying to do and what we’ve got some great success in doing is having different jurisdictions and different global players adopt the FAPI standard, so that they can be assured of compliance on a global basis, so that they are more secure as institutions and can provide more secure and privacy-protecting services to citizens on a global basis.
Oscar: So is FAPI, financial grade API, already in production in the UK?
Don: It has been adopted by UK banks, and let me tell you a quick story about FAPI. It’s always interesting to look at the names of things. So about midway through the course of the work group’s development, the three leaders of the work group decided to make a change in its name. Originally the financial grade API was intended to serve financial services business sectors. But the more experience and the more adoption that took place with that standard, a very simple thing occurred, which is that a global open authentication standard good enough for the banks would be good enough for other high assurance applications and other sectors, like airlines and transportation, health insurance, healthcare or others. So we have the promise of FAPI, and we’re still in the early days, that we can have a global high assurance standard that not only FinTechs can use but other industries can use as they build out their identity infrastructure.
Oscar: OK. And the other standard that is to my understanding connected to this effort is CIBA, correct?
Don: Yes, indeed. So if you begin to think about what I’m calling this disruption in Open Banking, it requires not only the orchestration of standards for authentication but we have to be mindful of the platform of choice, and of course the platform of choice is the smartphone. The mobile device is the place where increasingly people are doing banking.
So that requires a really careful synchronisation, if you will, with the evolving standards in the mobile platform world, standards developed by GSMA and others in an OpenID Foundation working group called MODRNA.
So orchestrating standards on the platform of choice, the mobile platform, with the FAPI standard is really challenging, both from a technical point of view and from the varying interests, and often conflicting or overlapping interests, of business models. So we’ve been modestly successful in the development of OpenID Connect, of FAPI and on the mobile device, and that development is expressed in a new standard, a new profile, if you will, called CIBA. Now I hasten to say that good, open standards are beneficial. But a standard is only as good as its adoption.
And its adoption is only as good as its trustworthiness. So how do we trust an organisation, a government, a small fintech that we’ve never interacted with? How do we trust that they’ve implemented the standard correctly? We see in the case of the SAML standards how brittle it has become over its 25 years of use.
So what we want to do is to have a robust standard that is highly trustworthy. So what the OpenID Foundation has done over the last several years is to create, alongside of the new standard, a certification suite. And this is called “self-certification” which is a new concept for many people. Most associate certification with the high cost of auditing, the careful and often time-consuming work that auditors do on a third-party certification and that’s certainly an important option for trust-building.
But the problem is it doesn’t scale. The problem is it takes time. So self-certification is a way of having a low-cost, low-opportunity-investment but highly trustworthy way of building trust, and it operates like this. In very simple terms, any organisation at any time at no cost can go to the OpenID Foundation website and take the self-certification test for compliance to OpenID Connect, to FAPI, to CIBA.
Many companies and organisations are now doing this. They frankly use it as a way of a QA-QC to make sure that their software code is in fact providing the benefits of the standard and is in conformance with the standard.
But at the time of their choosing, for a very low cost, an organisation can submit a package of information to the OpenID Foundation which demonstrates in very technical terms how their deployment of software or a service is in conformance with the spec, OpenID Connect, CIBA, FAPI, etc.
So they submit their logs and demonstrate in code their conformance. Now what that does is triggers three things. One, you can be sure that when Google self-certified its implementation of OpenID Connect, that its competitors went through that code with a fine-toothed comb. So it triggers a peer review by competitors to make sure that that code from that vendor does what it says it does.
The second thing it triggers is a kind of global outsourcing where any individual at any time can look at the OpenID Foundation site and look at that code.
So we have a crowd-sourced review alongside of the peer review. So from a technical point of view, that gives us great fidelity. It allows us to trust that implementation. But that’s not enough. We ask a third thing of any company that seeks self-certification. We ask them to put the most important asset they have at risk.
We want an officer of that company to make a legal declaration that that code, that that deployment is in fact representative of their company. That puts their brand at risk. So you can imagine that companies are very careful in their self-certification process and the care that they take both from a legal brand point of view as well as a technical point of view produces the result we want, which is that companies that claim conformance can be trusted. They can be trusted because of the peer review, the crowdsourcing and that legal assertion.
What this self-certification does is it builds trust and trust is a thing that is most important in today’s world in general but certainly in identity systems.
Oscar: Well, I can see completely – quite impressive, these three layers for self-certification, and an excellent job that you are doing.
Don: Well, speaking of the jobs that we are doing, one of the early adopters of FAPI, and early contributors to this CIBA code base, has come from the Nordic community and Ubisecure in particular.
So one of the things that the OpenID Foundation is committed to, in collaboration with our colleagues at Ubisecure and other Nordic banks and financial institutions, is sometime soon to have a workshop in Finland or Sweden so that we can demonstrate not only how CIBA, FAPI and OpenID Connect work but also how the self-certification mechanism provides the kind of trust that is the basis for trusted transactions at very high volumes, at a very high velocity, with a variety of use cases in mind.
Oscar: Well that will be fabulous.
Don: Well it’s important that we have global adoption. From a standards point of view, we need global contribution for these standards in identity.
Oscar: So how much – also on a global basis, as you mentioned – how much activity is there, especially in these new profiles, FAPI and CIBA? Right now, are many companies implementing, contributing and doing this sort of self-certification?
Don: That’s a great question and it’s great because it goes to the heart of the burning business problem we share, which is trust. So the contributors, those individuals and those organisations, do so publicly. So one could go right now to the OpenID Foundation website, go to the FAPI working group and they could see specifically who is contributing to the development of the standard, what organisations are investing in human capital, which is an important thing in the technology world, in the development of these standards.
So it’s fully transparent again at any time, at no cost by anyone to see who’s participating in the working group, what the working groups are working on, the challenges that they have, the fights that they have over different implementations and different points of view.
So the who and the what is publicly available as is the end result, which is the open standard. Also, and importantly, one could right now go to the OpenID Foundation website in the certification section and they can see what organisation self-certified what service or deployment, when they did it and who was the person that assigned that certification on behalf of that organisation.
So that transparency is very intentional because we want it to be a trusted process, both in terms of how the process was developed, how the standard was organised, who contributed and, importantly, who has self-certified their conformance to that standard. So it’s all about trust and the contribution that the OpenID Foundation is making is to build this plumbing, this infrastructure for the global identity ecosystem in a very trusted and transparent way.
Oscar: Yeah. So the answer is going to the OpenID Foundation and seeing the results. So this …
Don: Yes, oidf.net.
Oscar: Excellent. And very early in this interview, you started talking about the efforts here in the Nordics, with the experience with national IDs that have been around for more than 10 years in most of our countries here and are more evolved than in other regions of the world. How do you see a similar evolution in other regions of the world? Where do you see the next ones going to be?
Don: Well, I often associate the experience in the Nordics with what I call the courage of the first draft. Which is to say that 10 years ago, the Nordics developed and deployed the first trust framework based on identity standards that allowed, importantly, not only government services to be delivered, but that same level of trust that one has with government as the root of trust is now extended to include banks and airlines, etc.
So as companies like yours are expanding to international markets, they bring that experience with them, allowing other organisations and other governments to build on what the Nordics have done and the kind of expertise that exists in companies like Ubisecure and others.
So I think that’s important. I think it’s necessary for us to find a way of having the rightful role of government in these complex transnational identity systems.
Now that’s easier said than done because culturally we have disconnects between the role of the government in these systems. Historically and culturally the US population trusts the private sector and tends to distrust the public sector.
It’s just the reverse in the Nordics and the EU. Now that’s all being tested currently. But again it’s this notion of how do we have trusted transactions online when we’re increasingly living our lives and doing our banking, paying our taxes online. And I mention online because the experience of identity cards has shown that the true value of a government-issued identity goes beyond simply paying your taxes or voting. It goes to how, again, this economic development can occur when you have a trusted infrastructure that relies on knowing that the person that you’re interacting with is in fact that person and that the organisation you’re interacting with is that organisation.
It’s what I call the holy trinity of identity, which is to say the identity ecosystem is often bounded by AML, KYC and LEI, anti-money laundering regulations, Know Your Customer regulations and this third and increasingly important legal entity identity. Who is that company? Who owns that company? Where is that company located? Those three things are the real drivers of identity, particularly in the financial services marketplace and importantly for companies that are transacting on an international basis.
Oscar: The trinity of identity.
Don: Well, it’s one lens, not the only one. But it’s a lens that I think is important because those are the guardrails if you will for the enormous disruption that we’re seeing in the identity ecosystem and that can be seen in traditional credit card companies like Visa and MasterCard, announcing very substantial investment and initiatives in identity, as well as traditional credit bureaus and credit reference agencies moving into identity, and companies like Google who have applied and been granted licenses to be payment processors, and of course our friends at Facebook through their Libra program seeking to be not only a payment processor but creating a whole new monetary system through the Libra Blockchain approach. All this disruption is occurring within the context of AML, KYC and LEI.
Oscar: Yeah, excellent. Very well illustrated as well. I will ask you a final question. It’s for everybody who is listening to this. With your experience, could you give us practical ways to protect our own digital identities?
Don: Now we have to talk about passwords. I think of passwords as the cockroaches of our industry. No matter how we try and stomp them and eliminate them, they keep popping up. I hate passwords. I hate passwords because they give a false sense of security. I hate passwords because if you look at the very substantial and very harmful breaches that have occurred in large companies and small, in governments and banks, more often than not, it’s not that someone has breached the firewall. It’s that someone has gained access to a password in a social account.
Our disruption in the US election occurred because a campaign staffer had his email password stolen, and thus that was the breach for the political system, and it has had cascading effects. To say nothing of the enormous financial damage done in breaches at financial institutions, all because the password is the weak link in the chain.
Now increasingly, leading companies like Amazon and others use the password in very minimal ways. They use artificial intelligence, machine learning and other signals from your cell phone to establish that that is in fact you.
But passwords are harmful because for a small company or a medium-sized company that doesn’t have access to AI expertise, doesn’t have a substantial security infrastructure, it’s easy to deploy passwords. So they are the cockroaches of our system. They’re not going away. But they’re becoming less and less important.
Now having said that, as my friend Cameron said in your last podcast, get a password manager. Do the best kind of protection you can by using one of the many products on the marketplace for password management. So I wish I had a silver bullet. I wish I could report great success in securing identity systems. But the fact of the matter is that passwords are increasingly ineffective. The fact of the matter is that the security infrastructure of our identity industry is not improving. The sophistication of the attackers, the lack of joined-up security systems has given us the world that we have today, which is increasingly distrustful and disruptive of banking online, voting online and having a community meeting online.
But that’s why identity is important and that’s why the work that you’re doing in this podcast and that others are doing of sharing the experiences with new and distant audiences is a really important part of the work.
Oscar: Thanks a lot for your words, and yes, of course it’s important to talk with experts like you. Thanks a lot for this very enlightening interview, and tell us how people can find out more about you and the organisation that you are leading.
Don: I’m easy to find and I would be happy to answer questions or queries from your audience. It’s [email protected] and I’m happy to talk more with you and others about this very important work of identity and invite others to join in.
Oscar: Excellent. Again, thanks a lot Don and all the best.
Don: Same to you and good luck with the podcast.
Thanks for listening. Let’s Talk About Digital Identity is produced by Ubisecure. Be sure to subscribe and visit ubisecure.com/podcast to join the conversation and access the show notes. You can also follow us on Twitter @ubisecure or find us on LinkedIn. Until next time.
[End of transcript]