Let’s talk about digital identity with Kristofer von Beetzen, Chief Product Officer at Freja eID.

In episode 55, Oscar speaks to Kristofer about Swedish verified identity provider, Freja eID. They discuss why Freja was created; how it works; where it can be used; how it compares with BankID; how it ties in with European identity schemes; the importance of organisation identity and Freja’s plans for the future.

“Everything becomes related to your identity as things become digital.”

Kristofer von Beetzen is the Chief Product Officer at Freja eID. He joined the company in 2012 and was part of the transformation from a technology-centric IT security company to the cloud-based, user-oriented identity service that is offered with Freja eID today. Kristofer previously worked in media production and advertising and studied marketing at the University of Växjö. His interest, aside from bringing Freja to the world, is writing and he has published several books and columns, among them a crime novel and a book on poker strategy.

Find Kristofer on LinkedIn and Twitter @KvonBeetzen.

Find out more about Freja at frejaeid.com.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

 


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello, and thanks for joining for a new episode of Let’s Talk About Digital Identity. As you may have heard before that Sweden is one of the countries that has one of the best electronic identifications in the world. And we are going to hear specifically one of these systems, which is Freja eID.

So our guest today is Kristofer von Beetzen. He is the Chief Product Officer at Freja eID. He joined the company in 2012 and was part of the transformation from a technology-centric IT security company to the cloud-based user-oriented identity service that is offered with Freja eID today. Kristofer was previously working with media production and advertising, and has studied marketing at the University of Växjö. His interest aside from bringing Freja to the world is writing, and he has published several books and columns – among them are a crime novel and a book on poker strategy.

Hello, Kristofer.

Kristofer von Beetzen: Hello. Thanks for inviting me.

Oscar: It’s a pleasure, super interested in hearing about Freja eID, which a few years ago- Ubisecure started work more and more in Sweden, and then I start hearing this name Freja eID. So you will tell us for everybody how exactly this system works, this service. But please, first, we would like to hear from you a bit your personal side. Tell us about yourself, and how was your journey to this world of digital identity.

Kristofer: Yes. So, I started out in the industry, actually, as I said, I came from media production and advertising. I was working with this company, back then was called Verisec. And I was working with their communication and PR and so on. And they were working a lot with the traditional digital identity things like hardware tokens for banks, establishing trust on a pretty high level so that banks could migrate from bank offices to online banking. So this company was actually started already in 2002. And then they also started with some initial product development with an authentication server, and had some plans of going international with this product. So I actually went from being a consultant to the company to joining them in 2012, as a part of their expansion.

And along the way, we kind of figured out that the proprietary solutions, that was kind of the name of the game back then, where you had an authentication server placed in your server room, and then issuing identities from your own organisations to your customers. We saw that, particularly in Sweden, and in the Nordic countries, the use of these kind of communities, such as BankID and similar, were taking a lot of ground. And we didn’t really see this coming in other countries at the same pace and speed. So we thought that if this is the future of identity, that you have this kind of cloud service and Identity-as-a-Service, rather than having your own, each company having their own identity systems, then we can actually do something and create something in Sweden, and then take it to the rest of the world.

So that was kind of how I came into this. And then somewhere around 2016, we started the work to focus on these Freja eID products. And then we actually transformed the whole company and change the name and so on from Verisec to Freja eID group. And now we’re totally focused on this service and sold off the legacy products that actually was in place when I started.

Oscar: So Verisec became Freja. And Verisec was always a Swedish company?

Kristofer: Oh, yes, yeah. And Verisec still exists, so the legacy part we sold is now in a new company called Verisec International. And they are still doing a lot of good things and working on those solutions that we developed back then. But we felt that we needed to focus, which is one of the hardest things when it comes, especially in this technology era where you can do almost anything and it’s tempting to do anything and everything. But we felt like we really need to focus on this Freja eID in order to make it successful. Because we really felt that we had such a strong drive and we had such a strong support from users and from relying parties that this was needed. So we took the decision. And actually last year we changed the name to Freja eID Group and now we’re solely focused on the Freja eID product.

Oscar Santolalla: And I guess you joined the company in a more advertising or marketing role and then you move to innovation.

Kristofer: Yeah, I started out as the VP Marketing and was looking after the communications and all the things related to how we established ourselves as a brand and so on. And then when we came to doing this kind of consumer-oriented product which Freja eID is, we realised, OK, we need some product management here. We need to think totally different, because our main target group is the users, not the IT security director and such, which were the previous.

And I was fortunate enough to have a couple of colleagues that worked as product designers in the company. And they were actually much more knowledgeable and had ideas around product management in this new evolving tech era than any of us had in the company. So as it happened, they took me to a conference in London, which was called Leading Design. And that was for the purpose of inspiring me and the management to understand how to build the company as a product and user-oriented company rather than a technology-oriented company.

And that’s maybe the total opposite of how it’s normally done, I guess, when the management is trying to inspire employees, here it goes the other way around. So thanks to designers, we actually realised that we need to make a shift in how we organise development, how we organise ourselves within product design, and so on. And that turned out really well. So I’m grateful for that inspiration. And now we have a totally different organisation than before.

And actually, at that conference, there was an American product specialist, who had – the topic of his presentation was, “Is it product or marketing? Yes.” And I think that was kind of interesting. And when you have a product that is continuously developed, you have an interaction with your users, and the product becomes what the user needs, if you see what I mean, then the kind of limits between marketing and product disappears in a way. So we have organised ourselves now as a company without a marketing director in the traditional sense. The product organisation takes care of what we’re going to develop, and the sales process of it and the marketing. So it’s one big unit doing this in a very integrated and agile way. So it’s completely different from how it was organised before.

Oscar: Very, very interesting. Please tell us how the product or service Freja eID was created.

Kristofer: So we had- and it’s no secret that we saw how it grew and grew with this BankID community here in Sweden to begin with. We saw that it was almost impossible for us to sell our authentication servers, which was very successful in Latin America, in Spain, in other countries, and they were serving banking customers in the volumes of I think it was as much as 50 million users for that product.

And when we tried to pitch this authentication service here in Sweden, it was more or less impossible, because everyone was in the next generation. They were looking at Identity-as-a-Service and with pre-established identities, which is something that’s pretty unique, I think, for the Nordic countries, which means that we as a company, we kind of vouch for the identities. We make sure that the users come into our ecosystem into our community, we check their identities, we make all the identity checks, and document checks with the issuer, and so on. So when you have registered with Freja, then you have an electronic identity that can be reused to many places, all the way from tax authority to gambling services, to healthcare, and so on.

So there was no competition in this area. It was BankID, and nothing else, basically. And in all the other business areas in the world, in history where one company has taken such a dominant position that it’s more or less a monopoly, then there is room for innovation and there’s room for improvement. And to be honest, in the beginning, the most common question we’d had the first couple of years was why do we need Freja? What is Freja good for when we have BankID? And then I always answered, “Well, did you remember back in the ‘70s when we had one TV channel?” Oh, and people just like, understand that competition is something good. And what we have built over these years is something that has been differentiated a lot from BankID.

So, I think there’s room for a couple or two or three identities on a national scale and on a European scale, I think we will see quite a few solutions. But it’s kind of like we tried to look at it from the user perspective. And the thing with identity, and that’s a discussion that’s becoming more and more relevant now when we have the discussion of self-sovereign identities and so on, is that everything becomes related to your identity as things become digital. In one way or the other, you need to identify yourself online and in all the services that are some way digitalised, right?

So, we wanted to give the user back the control of this. So we wanted to create something that was both kind of met all the compliance and regulatory measurements that we could test Freja against, but also something that really was user-centric in a way that you, as a user, can really control your identity. And that was kind of the starting point rather than having an identity that is controlled by the government or controlled by your bank or someone else, open it up for the user to call the shots I would say.

Oscar: Yeah, so please tell us how Freja eID works for an individual.

Kristofer: So what you do is you start to register for the service. And you do that by downloading the app. And then you register on your own, so to say. So you take a selfie, and you register your ID document, and you register your email address, and set the pin and so on. And then we make all these checks, make sure that the face is the same on the selfie as on the ID document and check the validity of the documents. And up until now, that’s kind of similar to what you see on identity verification services that are offered everywhere.

So, the difference is that we then bring you in safely into our database and to our community. And you can then reuse Freja to a lot of services. So currently we have, and this is mostly in Sweden, because this is where the focus has been up until now. So you have around 350 plus services that we have agreements with. And then you can use Freja to access those services by logging in or making electronic signatures. And that’s kind of what’s expected from an electronic identity.

But we’ve taken this one step further. So since we have the face and the selfie of the user, we have created in the app a physical ID document. So you can use Freja instead of your physical ID document in many places in Sweden. For example, when you pick up a parcel at the post, or when you go to a pharmacy and things like that.

Oscar: People just show it or there’s a… it has to be scanned or just shown to the person?

Kristofer: Well, it’s both, either you can show it and then they have the information that is the same things that’s presented in your physical ID document. But there’s also a QR code so they can scan it, and they can get the information that way. Or they can make a transaction all the way to our backend, which means that if you have a transaction that is of high value, then you make an electronic signature in a physical context, which means that they are the same level of assurance as when you do an online transaction with an electronic signature. We offer the whole range of that.

So, that’s kind of the starting point of what we’re doing. But we also see that there is kind of interesting way forward here. So if you think about everything that is required, in terms of KYC, in terms of digital identification, in all sorts of areas, primarily, I mean, we’re talking about payments, we’re talking about gambling, we’re talking about other regulated industries. If you have control over the digital identity ecosystem as we have, I mean in Sweden, there are BankID, and there are Freja eID. So either one of these two needs to be – you need to be connected to one of these in order to make payments, for example.

And the interesting thing with one of these systems is controlled by the few large banks. And then you have all the FinTech companies that’s trying to challenge these big banks, right? But the interesting thing is what happens when these FinTech companies eventually challenge the big banks, to the extent that the big banks feel threatened. And the FinTech companies are dependent on the very infrastructure that the FinTech companies need, namely, the identities.

So I think if you construct and build an infrastructure of identities, which is, you know, in Sweden, we’re government approved. We have now been approved by EU in the pre-registration to eIDAS from the Swedish government. If you have such an infrastructure, then you can build upon that payment services, you can build everything that actually needs this regulatory compliance.

And I’m not saying that we’re going to do it, but we can offer this to all these FinTech companies who don’t want to be dependent on their competitors. And I think it’s the same wherever you go in different countries, a lot of the FinTech companies are dependent on ID methods issued by the banks. So we’re building kind of a parallel infrastructure here that is open for competition in a way that the bank-controlled identities are not.

Oscar: Yeah, definitely. What type of services already, you mentioned around 300, right, already services that are using? Tell me the types, just to have an idea what type of services are already using today Freja eID.

Kristofer: Yeah, we started out by trying to get a lot of these well-known and well-used public services such as the tax authority, the insurance authority, the unemployment agency, and healthcare services, digital healthcare services, because partly they have a big reach. Everyone in Sweden uses them at one point or another, and it’s also about credibility. So even if we’re governmentally approved, it’s so much more easy to say to the next customer, “The tax authority trusts us. Oh, so it’s pretty easy for you to trust us as well.”

So we have a large chunk of the public sector, its municipalities and government agencies. But now we’re kind of shifting focus towards the commercial side of things, e-commerce and payments, as I mentioned, gambling, and the whole kind of private sector. And the thing with the private sector, perhaps not the banks then but it has not been regulated. In Sweden, it became regulated with gambling that you need an eID in order to register an account and so on.

But for e-commerce and so on, it’s not like they have regulatory demands to have a Level of Assurance 3 identity to onboard a user. So they have been using things like Facebook and Google and things like that. But I think we’re seeing a shift now towards the benefits of having a better interaction with your users with a proper eID rather than these solutions that I mentioned.

Oscar: Yeah, absolutely, I would rather if – prefer my customer of an e-commerce site to use something like Freja eID as the identification definitely.

Kristofer: And one more thing that I mean, to comment on the e-commerce, what is happening there? I mean, if you think about if I may make an analogy of how Google was perceived in the media industry. So you had all of these big media houses all the way from New York Times to every other media outlet in the world, they were like, “OK, should we accept Google as the advertising engine, or we lose out on a big chunk of advertising money? So should we let them into our house and have them as kind of the advertising agency for our own media outlets?” And they were like “Yeah, what could possibly go wrong?” And as we’ve seen, Google has taken a huge chunk of that advertising revenue.

So basically, it’s Google, rather than New York Times, to take one example, that’s controlling the flow of the advertising money for their own media outlet, OK? And this is nothing new, you know about the story. But the same thing is actually happening with all these checkout companies. You have in e-commerce, you have these payment checkout companies that’s taking a big chunk, and that they’re providing a lovely and brilliant service, makes it easier for you as a customer to check out when you pay for your goods and so on. But what happens is that most users have a relation with the checkout company, not with the e-commerce operator.

So what happens then is that it’s the checkout company that owns the customer relation, not the e-commerce company that’s actually selling the goods. So we’re having the same thing over again, as Google had with the media outlets. It’s now happening with the checkout companies and e-commerce companies. And here, we’re saying to them, “Why would you give away your core assets, which is the relation to your users? You could offer your users to identify to your service rather than the users identifying to the checkout service.” And that’s where Freja comes in. And slowly, I think this is starting to dawn on them that if they do the same mistakes as the media outlets were doing with Google, then they might not have a long-term profitability, at least on that side.

Oscar: Yeah, it makes sense. Just to clarify also, can Freja eID be used outside Sweden in some way or another?

Kristofer: Yeah, that’s the whole concept of what we’re trying to build here. We’re focusing on Freja to build a strong position here. And we actually have already released Freja for other countries, so Finland, Norway, Denmark, and the UK. But we’re not kind of focusing there to bring in relying parties as it is today. But we have some Swedish customers who have users in these countries. So they can onboard users from different countries. And if we have some customers saying, “Ah, we actually need you to open up Poland, Germany, and France and whatever” then we can do that. And that’s just a matter of adding international ID documents and doing some testing.

So then when we have built this service and become stronger in Sweden, then we can take the next step. And our goal is to make this a European eID, and we very much look forward to the EU identity wallet development, because we think Freja is basically a blueprint of what they’ve been discussing, or rather, their kind of presentation of the wallet is a blueprint of Freja, I don’t know. But we’ve been around for a while. And we have this whole wallet concept. And we think it’s something that we can scale up on a European level. We’re not there yet. But I think we have a good position to do that.

Oscar: So the authentication/identification is the main service that Freja eID offers. You also mentioned signatures, you also mentioned compliance with eIDAS so tell me if there is something else that Freja eID offers right now.

Kristofer: Yeah, and one thing that’s very interesting, and I was actually looking at when you, in Ubisecure on your webpage, you describe customer identity management, and then the traditional identity management for employees as two different categories. And that’s, I totally agree on that description. And what we have done with Freja is that we have made it possible to add your own organisation eID in Freja. So if you’re an organisation and you want to issue employee identification to these employees, you can do that in the Freja ecosystem and you have the whole lifecycle management within Freja and you onboard and offboard users and so on. And you pass along whatever attributes that you as an organisation need to have in order for your employees to login to this cloud service or open doors with Freja or whatever.

So we’re both this consumer-oriented identity, but also this organisation identity. And that’s also really growing fast here in Sweden. Because it’s been – traditionally, it’s been a lot of either you have some kind of proprietary system for employee authentication, or you ask your users to utilise your private eID to log in to your workplace. That’s not a good idea. But it’s been the way it’s been done here because it’s easy, it’s simple for the organisation to just ask employees, “Hey, use your private eID.” And then we don’t have to worry about it.

So, we kind of combined these worlds. So we issue the identity. We make sure that this person, who is your employee, we have the fundamental identity verification of the individual. And on top of that you can manage your own identity lifecycle, and connect to all the services that’s in your organisation.

Oscar: Please tell us what are your plans for the future of Freja eID?

Kristofer: The next big thing I would say that we’re planning, and we did some test pilots around this, and that is to expand the concept of what is possible, what kind of value we can provide for our users. So if you think about an electronic identity, it’s probably one of the most used apps on your phone, at least if you have a system like we have in Sweden, where you use eID to everything. So you use your eID many times a day perhaps or at least many times a week. So then you have a trusted relation with your electronic identity. And we try to utilise that.

So we have a section in Freja eID, in the app, that’s called Explore. And here we present interesting services and new services that’s suitable for this particular user. And then in that way, we can offer our relying parties to connect with our users. So it becomes more of a relation where if you are searching for something and you want to have a trusted connection to that company, we can offer… well, I wouldn’t say that we would offer a search engine, but in the same way, as Google can add value by connecting an end user with a service, we can do the same thing here. And on top of that, we can actually add the KYC process and everything.

So let’s say you’re applying for a loan, you find within Freja that, oh, here’s the different financial companies that’s connected to Freja. And they have an offer that suits you, you can click on that. And then you can pass along your regulatory KYC, or a lot of the KYC and identity data and become a customer in a click. And that’s something that Google cannot do. And that’s something that Facebook and others cannot do either. So we kind of shortcut this user acquisition, user journey by adding KYC and having users explore and discover services via Freja eID rather than from other sources.

Oscar: Indeed, and that sounds definitely very powerful. Yes, absolutely.

Kristofer: So that’s kind of what we’re developing in this moment right now. And then, when the time comes, and when we have built the strongholds here in Sweden, we’re looking to take this outside of Sweden. We were, as I mentioned, you know, pre-approved in the EU a couple of weeks ago, we’re looking at what’s happening in the UK with their certification process for electronic identities. So Europe is – it’s a big market, and that’s the next step. And we’re not really looking outside of that for now. But who knows what happens in the future?

Oscar: OK, excellent. So Freja eID is coming to the rest of Europe, at least for now.

Kristofer: Yes, that’s our plan at some point. And I think it’s also a timing aspect of it. I mean, if you think about- I mean, here in Sweden, our challenge is to convince people that OK, so there’s a new kid in town. They have BankID. But with Freja, you can have this and this and this and this, so… but you have an incumbent that you’re trying to challenge. So that’s a challenge of its own.

If you go to a country like the UK, where identity is something that’s perhaps a bit you know, they don’t have identity cards in the same way, they don’t have a personal identifier as we have in the Nordic countries. So, a totally different challenge to convince someone from England to start using an electronic identity everywhere and trust that. It’s totally different challenges. I think the analogy with streaming music a lot. Spotify was obviously also a Swedish company. And it took a while for them to convince the world that streaming music was better than alternatives. And there are still people don’t think, they’d find the records on CD or pay by song or whatever is a better solution. But I think streaming music, and that’s pretty obvious maybe. But a few years ago, it wasn’t that obvious that streaming music would be the answer to that particular industry challenge.

And I think it’s also pretty obvious to see, at least if you look in the Nordic countries, an electronic identity of the sort that we have here in the Nordics, I think that would be the norm in the rest of the world. But that will take time. It will take time before this spreads and you have to fit all the – before even countries have frameworks that you can get compliance against, it will take time. So I don’t really feel the stress in that regard. I think time is on our side in this case.

Oscar: Yeah, but I’m sure that you will come definitely. Kristofer, to finalise, could you leave us with one idea for all business leaders who are listening to this conversation, what is the one actionable idea that they should write on their agendas today?

Kristofer: Yeah. And that would be to see identity as a core asset. And if you leave that asset in the hands of the banks, or if you leave that asset in the hands of checkout companies, or anyone else that controls your main relation to your users, I think you will have a brutal wake up down the line. And there are not many providers of this open solution that Freja is, but I think that is the future because users do want to control their identities. And they can do it in a direct relation with your company. And I think you will benefit from that on the long-term, even if it’s perhaps easier in the short-term to take the solutions available today. But then you lock yourself into something that will be very difficult to get out of in the long run.

Oscar: Yeah, I couldn’t agree more. Kristofer, could you tell us for the ones who like to follow the conversation with you, what are the best way to find you on the net?

Kristofer: First of all, if you have any direct questions, you can write to [email protected] and I’ll respond to that email address. And you can find me on Twitter and on LinkedIn, search my name Kristofer von Beetzen and hopefully I’ll pop up in that search and just connect and I’ll be happy to continue the conversation.

Oscar: Fantastic. Thanks a lot. Again, it was a pleasure talking with you, Kristofer. And all the best.

Kristofer: Thank you so much.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]