Let’s talk about digital identity with Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id.

Join this episode of Let’s Talk About Digital Identity where Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id joins Oscar to discuss the missing identity layer of the internet. Gautam shares details about what the missing identity layer is, more about mobile networks as well as discussing Gautam’s TEDx talk.

[Transcript below]

“Internet did not have that identity layer. So what did we do? We created a trust-less model.”

Gautam Hazari PhotoGautam Hazari is a mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id, the global leader in mobile identity services. He led the implementation of the mobile identity initiative – Mobile Connect – for around 60 mobile operators across 30 countries. Gautam had also been an advisor to start-ups in digital identity, healthcare, Internet of Things and Fraud and Security management. He is a thought leader for digital identity, advocating solving the identity crisis in the digital world and speaking on making the digital world a safer place. If you ask Gautam, “What is the best password?” you’ll always get the same answer: “The best password is no password”.

Connect with Gautam on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 99.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Oscar Santolalla: On this episode of Let’s Talk About Digital Identity we are joined by Gautam Hazari, from Sekura.ID as we discuss what is the missing Identity layer of the Internet. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar: Hello and thank you for joining us, a new episode of Let’s Talk About Digital Identity. Today’s guest is Gautam Hazari. He is a mobile identity guru, a technology enthusiast, artificial intelligence expert and futurist. And he is the CTO of Sekura.id, the global leader in mobile identity services. Gautam led the implementation of the mobile identity initiative Mobile Connect for around 60 mobile operators across 30 countries. He has also been an advisor to startups in Digital Identity, healthcare, the Internet of Things and fraud and security management. Hello, Gautam.

Gautam Hazari: Hi, Oscar. How are you?

Oscar: Very good, happy to have you here in the show.

Gautam: My pleasure. Thanks.

Oscar: It’s going to be super interesting. Now, we are focusing on mobile – mobile initiatives, like the one you are working with, can help us to solve the identity problems we usually discuss in this show.

First of all, I would like to hear a bit more about yourself. So, if you can tell us your journey to this world of digital identity.

Gautam: Sure. Thanks, Oscar. I have been in the identity space for quite some time now. And it started in the telecom world and that’s why I talk about mobile identity a lot. So I spent many years of my life in the telecom, so I worked with the Vodafone group for nearly 14, 15 years. What I realised is that there is one thing that the mobile operators have done quite efficiently is solving what I call the identity crisis of the internet. I started to talk about it quite passionately in different forms.

And in 2013, end of 2013, GSMA approached me. GSMA as you know is the GSM Association which is the trade organisation for the mobile operators. So the GSMA board was discussing that there were some assets within the mobile operators which can actually help in solving the identity crisis in the internet. Then they approached me that, “Hey, you were talking about this identity thing for quite some time, do you want to come and join?” And that’s when I joined GSMA to do the initiative for mobile operators to solve the identity crisis of the internet.

Then I led the technology for what was known and still known as Mobile Connect Initiative. I was the Chief Architect for Mobile Connect. And then me and my team created the reference architecture, the specification. And then of course, that’s not enough, so I went around the world, worked with the mobile operators to implement it as well. You know, at that time, there were around 62 mobile operators around the world who implemented it. And they did very passionately and this is where I met some of the founders, Mark and Keiron, in GSMA, working with the same team. And then I’m taking that journey forward in a much more accelerated and commercial way in Sekura.id.

Oscar: Yeah, excellent. Well, definitely a lot of your journey is in identity already and mostly in mobile, as you said. Before we start going to what you are doing in Sekura.id and we definitely want to hear more about that. I know that you have a special experience which is you have even a TEDx talk. So if you can tell us a bit of that experience.

Gautam: Yeah. Thanks, Oscar. It has been a fascinating experience actually, while preparing for the TEDx talk and also after that. So I was invited to do this TEDx talk to share my vision and dream of a world without passwords. I have been talking about these things passionately and that’s kind of my personal journey has been as well.

So, I had a lot of learning, you have to compact all that you want to talk within 18 minutes and that’s very interesting, right? If you have a free floating, I mean I’m really, really passionate about this identity thing, I can keep talking for days. But if you need to give your message within 18 minutes that’s quite interesting. So I learned how to deliver the message in that concise way.

And after delivering that, and once the TED organisation published the video in their YouTube. Interestingly, they didn’t actually remove any part of that, generally they do some editing but they didn’t do that for me. I’m really thankful to TED on that. So it happened end of last year. It’s been just one year completed and it has been viewed more than 157,000 times. And I have been receiving some very, very interesting messages from all around the world. From identity enthusiasts to security specialist, and also, from general public as well, saying that awareness is important. And we are having some inertia, right? We have been using passwords since, you know, 1961 actually, even before the internet was invented in 1989. But we don’t actually think that we are actually using it, and the complication that it brings too. I have been fortunate enough to hear lots of personal stories as well. These viewers, they have been sharing their personal stories related to passwords, and discussing what is the solution that can actually solve this.

Yeah, so it has been a fascinating experience and I’m really, really thankful for all the viewers who have been watching it and also most importantly, interacting with it and sharing their stories.

Oscar: Yeah, excellent. Yeah, I also watched and as you said, the way you explained also definitely appeals to the general audience which is of course what mostly TEDx is about, reaching wider audiences. So it’s definitely a good job you have done there. And I am happy to hear also that there have been a lot of conversation because that’s also important that people not only hear the stories or the ideas but also get involved in, spreading those problems, sharing their own pains, et cetera.

Gautam: Thanks, Oscar.

Oscar: I also know that you have written, of course, you write blogs, particularly, I read the you talk about the missing identity layer of the internet, missing identity layer of the internet. Could you tell us what is that?

Gautam: Yeah, absolutely, Oscar. I mean it’s extremely important that we acknowledge and realise that. Let me go back to when the internet was invented, right? Let’s face it, the internet was never designed to identify the human users. It was designed to identify the computers, right? That’s why there are IP addresses. Fortunately, or unfortunately, we humans don’t have IP addresses.

So, in the initial days of the internet, if you remember, all we used to do in the internet was browsing, right? We used to browse AOL, we used to browse Yahoo, different stories within Yahoo. So, it did not matter if for me, Gautam, is browsing AOL or Yahoo, or it’s Oscar browsing, or there’s fraudster who is browsing, right?  Because all we did was browsing the internet. Yes, the returning user needed to be identified, not as Oscar or Gautam but whoever was browsing, right? So that’s why cookies were invented just to provide a continuity of the experience, right?

But then we started to do interesting things on the internet. We started to do commerce on the internet. We started to look for things on eBay and started to pay for those things. We started to do banking on the internet. We started to interact in the social media in the internet. And then it did matter whether it’s me, Gautam, doing that commerce transaction, whether it’s me, Gautam, who is doing that banking transaction or it’s you, Oscar, or it’s the fraudster. Or, in the current days, if it is that AI chatbot who is doing that transaction, right?

Internet was not designed to do that. Internet did not have that identity layer. So what did we do? We created a trustless model. So, if I want to pay for some things that I found on eBay, or if I want to do a banking transaction, my bank will say, “Hey, you cannot do that, because I don’t trust you. First, I’m challenging you to prove that you are Gautam.” That’s what we created, because the internet didn’t have that identity layer.

So how did that challenge happen? And they initially did this, this challenge happened in the form of user ID and password, right? And again, we all aware of all the complications related to password from convenience to security, right? Then we said, “Hey, passwords are not enough. Let’s add other things.” So, we started to talk about MFA, Multi-factor authentication, we added SMS OTP, right? And again, OTP, the last P is about password, right? Just changing the acronym doesn’t change the problem.

But then again, they said, “OK, maybe that’s not enough. Let’s add the biometrics on top.” But again conceptually what we are doing is, we are creating a trustless model where these services are challenging me and the human user to identify myself, right? And whenever the human user is involving in providing a response to the challenge, for example in form of I need to type back the password, or I need to provide back the OTP, however I give, whether by typing back the OTP or some auto read happens. Or even if I do this, let’s say, biometrics in the form of facial recognition and so on, I, as a user, is the weakest link in the chain. I do something wrong, which is perfectly fine because me, as a user, is not a security architect. As a normal user, I am not aware of all those security complications that can go away, right? And that’s where all the problems that you have seen and again, why? Because the internet was not designed to identify this human user. Internet never have the identity layer. It still doesn’t have.

But we almost ignored the fact that almost at a similar time, there was a parallel internet that was getting created. So, as you know, I’m actually using the world wide web as synonym to internet, so when I say internet, it’s actually the world wide web, right? So, 1989, this wed, world wide web or internet as we call it was invented. In 1991, there was a parallel internet that was created. And we never call it the internet, we call it the mobile network, right? The first SIM-based GSM mobile network was used in 1991. And that parallel internet worked completely differently.

So, as we discussed, in the traditional internet, if I want to do any interaction, where I, as a human user, needs to be identified, I’ll be challenged, right? My bank will challenge me, my social media will challenge me, my e-commerce provider will challenge me, even my grocery store, online store will challenge me, right? But this parallel internet, which we call mobile network, worked completely differently, still works differently.

If I need to make a phone call, receive a phone call, send an SMS, receive an SMS, it doesn’t challenge me. My mobile network doesn’t say that “Hey, I don’t trust you. First, you prove that you are Gautam, then only you can make a phone call.” It doesn’t work that way. It just knows that it’s me, who is Gautam. So how did they do that? They actually created this identity layer. They actually created a mechanism which identifies this human user from day one, since 1991.

But we know this. How did they do that? They did that using this small gadget that we always carry in our mobile phone, this is the SIM. We almost forget that I, in the SIM, stands for identity. It’s Subscriber Identity Module. SIM was created to solve this identity problem in that parallel internet, which we call the mobile network, right?

So, isn’t that a solution? We were just ignoring it and also, just unfortunately, these mobile operators knowingly or unknowingly, kept this with themselves, right? What we are doing at Sekura.id, I’ll just mention here, that we are bringing in that identity layer from this parallel internet which we call the mobile network into this traditional internet so that we actually solve the fundamental problem rather than keep creating technologies on top like password, like SMS OTPs, like biometrics. And that is what will solve the problem from its root and bringing in an identity layer from this parallel internet to the traditional internet.

Oscar: Thank you for the explanation, of the lacking, missing identity layer of the internet. And then you put a parallel, I haven’t thought of it in that way, the parallel of the mobile network which always had this identifier of the subscriber. As you say, even in the term it’s subscribe, the SIM card. So, I understand that Sekura.id solution is primarily based on the SIM card. Tell us a bit more how it works and if you can give also how it works, Sekura.id besides being based on the SIM card.

Gautam: Sure. So, GSMA doing this Mobile Connect, the conceptual idea was very similar, right? It’s to utilise the assets from the mobile operators, not just the SIM card. SIM card is a cryptographic engine. But there’s a lot of data available with the mobile operators which can help to identify the human user without challenging them.  And also, protect them without putting a hurdle for the user, like what user ID, password, OTPs or biometrics are. They are hurdles, right? They are actually saying, “Hey, you cannot access the service until you pass that hurdle.”

This is where Mobile Connect started and this is the journey that we are continuing in Sekular.id as well. So, in Sekular.id, what we do is, as I say, the SIM is a cryptographic engine. And now, in the digital world, there is realisation that all the different, let’s say, identification and authentication methods where the user is actively involved, which means the user is challenged to prove who they are, or authenticate themselves, that is a limitation. A limitation in the form of that you know, if let’s say the user has got an OTP they have received, these fraudsters will always call this user and say, “Hey, I’m calling from your bank, or I’m calling from the government, you have received an OTP, can you hand it over, right?” If the user is not involved, right, these fraudsters can call the user but they have nothing to handover. So in that case, we solved this problem of all the fraudulent activities that’s going on.

So now, there is a realisation in the digital world as I was seeing that we need to avoid involving the user. So we need to do passive authentication. And how do we do that? Cryptographic authentication is one way to do. So, Apple last year in WWDC announced these passkeys which is basically based on the FIDO, the Fast Identity Online mechanism, where this is reliance on cryptography and cryptographic key on the device. And then that’s how we identify the user, right?

But exactly same mechanism is what happens in the SIM. And it is happening for the last 30 years. There is a cryptographic key which sits in the SIM which the user is not even aware of. And that’s an important thing. The user is not aware. As soon as the user is aware, or the user is involved in that awareness, OK, all these problems will happen because these fraudsters will approach the user and try to do some funny things, right?

And that’s another aspect that we say that here, this cryptography is humanised. If the user is not involved, it just happens behind the scene. In that case, this technology is humanised. Invisibility is more humanised. Steve Jobs used to say that technology should either be beautiful or it should be invisible. So here, this technology is invisible so that makes it much more humanised, right?

So, at Sekura, we’re utilising this cryptography in the SIM to seamlessly, invisibly authenticate this user. At the same time, there are a lot of what we call signals associated with the SIM which can help protect the user, at the same time, identify the user. For example, one of the largest fraud happening in the digital space right now is SIM swap fraud, right?

If we can identify that hey, is there a recent SIM swap happen? By recent, I mean in the last few hours, for example, to one day. If there is a SIM swap happen, in that case, that’s a red flag, that might mean that the user who is in the transaction process, who is interacting with the digital service may not be the genuine user, it could be a fraudster who have got access to the phone number of the user and using their own SIM. That’s one data signal that’s there in the mobile, with the mobile operator, that doesn’t need to involve the user to ask if something has happened or not.

Similarly, setting up a call redirect, right? The fraudsters can actually setup a call redirect for my number calling up the operator, doing some mechanism, some process there where they can say, “Hey, I have lost my phone, or I left my phone at my home and I’m expecting an urgent call from my family who is in the hospital. Can you please redirect all the calls to my number to this?” If I can convince the operator, in that case what will happen is, all calls, SMSs will be redirected or forwarded to me as a fraudster, right? So, if we can actually identify, is their call forward active for this number? That data itself can protect the user, again, without involving the user. So, we have identified 66 such potential data signals which can invisibly protect the user and their identity. And that’s what we do at Sekura, working primarily with the mobile operators.

Oscar: I like the idea of this invisibility because from the beginning you started that the human side is going to make security fail, right? But if the human doesn’t have to be involved, yeah, I’m sure, there will be less hacking. So that is definitely the concept, it’s very interesting.

Gautam: And just to add there, Oscar, you know, of course, there is this identity protection, there is this authentication without involving the user. That element is there. At the same time, it is allowing these good guys to access the service, right? So, as I was giving that example, it’s me, right? I’m not the fraudster. It’s me who wants to pay a particular merchant online, right? And I’m assuming I’m the good guy, right? And I want to pay. In that case, there shouldn’t be a barrier for me, right? And it’s good for the business because the business will get me to pay them. That’s what they want, right? So, in that case, it’s important that the good guys should sail through, right? For them, there is no barrier.

If we make it invisible for the user, in that case, these good guys can actually access, you know, without any trouble. At the same time, because it’s invisible, we can actually protect this user behind the scene as well. What does that mean is – it’s not just helping out with the identity verification, security and authentication, it’s also getting better business. Because if we put barrier to the good customers, good users, in that case, there are dropouts happen.

We have been told by our clients all around the world that on an average globally 20% of the users dropout due to all these, let’s say, challenges. They say, “Hey, I’m not going to use it.” SMS OTP is needed to do our transaction or to pay and OTP doesn’t get delivered or it is delayed, the user say, “Hey, I’m not going to pay now, right?” So that will direct 20% on an average globally, dropouts happen.

Here, if you make it invisible, you don’t have any dropouts, right? Because there are no barriers. There is no door which is closed that needs to be opened. So, in that case, the businesses get 20% more conversion, so that’s more business, more revenue. So that element is also there, if you make is invisible using the mobile operator’s asset like the SIM and all the data. That needs to be considered as well alongside security.

Oscar: And what if, myself as a normal user, I want to try Sekura.id, how can I use it already? There might be some services which is already available?

Gautam: Yeah, absolutely, Oscar. So one element here is you know as you can understand, this is B2B service, right? So the businesses are using us. Businesses are protecting that. All our services are, you know, they go through one single API, right? So, it’s not the user who is accessing our services directly. As I was giving the example, I, as a user, accessing my banking service, right? And my banking service is using the Sekura.id services through the API, right? So that’s how I, as a user, as a consumer use it. Not directly through Sekura, through my services. And then again, I may not be even aware that that service is getting used, right? Because this service, as I said, for the human user it’s invisible.

So majority of our clients right now are mostly from the financial services, so the major banks in the UK, they are using our one or more of the services like Barclays is using our services, Virgin Money is using our services. In the US as well, Morgan Stanley, they are using our services, Flora Bank, they are using our services.

But again, just to reiterate, it’s not a B2C service, right? So it’s not that me, as a consumer, is using the Sekular.id services. It’s my business who is using the service to help me as a user getting protected. And at the same time, no buyer has been put by the businesses to access it. And we are actually expanding globally. As I mentioned to you earlier, I was in India, I came back yesterday, we are actually launching in there. We have some very, very exciting discussions happened across the use cases there, not just in the financial sector, beyond as well. And then we will be announcing those pretty soon.

Oscar: OK,as soon as they are launched, it will be interesting to know what are these use cases. So, very interesting initiative that you have in Sekura.id. So what happens for instance if – because this depends on people having good mobile networks and good phones, so what happens if that’s not available in some regions in the world?

Gautam: That’s a very important question you ask, right? And there are two elements you said, one is good mobile phone. One of the thing that we really passionately believe in Sekura is inclusiveness. And that’s very important for us. We have a mission statement for identity for all and everything. So no one should be excluded from identity protection, right? And this is why we tackle it from multiple angles.

So for example, we have platform that we have created from ground up based on all our learning from the GSMA and also my learning from Vodafone. That platform can integrate with any mobile operator in the world, right? Because all mobile operators are different. There are 700 plus mobile operators there. Right now, we are connected to around 75 mobile operators globally and we want to connect to all. Why? Because we don’t want any operators to be excluded because if we exclude that, their consumers or their users will be excluded.

So, one example is in India, one of the phone smallest operator is BSNL, right? It’s government-owned operator. They are quite small. They don’t have platform. And they were actually not included in this identity space. So what we have done is we have provided our platform to them so that, that platform can actually connect to that mobile operator and then it can actually expose their services, right? So that we don’t want to exclude their users.

At the same time, it is important, as you rightly asked. What happens if I don’t have a good phone? So, this is where the principle that we use in all our services has got two major aspects. One, I already talked about – not involving the user because if you don’t involve the user, we increase the security, because user is the weakest link, right? And rightly so. And the second thing is not depending on the mobile device, because that’s extremely critical. Because let’s say, if the user can afford an iPhone 15 right? Of course, that’s extremely secure. The key chain there where the keys are stored is a hardware, right? That’s an HSN. So, it will be extremely secure.

But what about the user in let’s say Southeast Asia or in Sub-Saharan Africa where it’s a sub $10 phone? That may not have that much security. So, it’s unfair on the user because they cannot be pay for that advanced phone, they are getting excluded from security and identity verification. At the same time, it is unfair on the businesses, they cannot rely on a security because the user cannot afford that high end phone.

That’s why that’s the principle we use. We don’t rely on the mobile device. What do we rely on? The SIM. The exact same SIM is in the iPhone 15 or any of the high-end devices or in the low-end, not so expensive phone and provides the exact same security, right? The cryptographic security that I talked about doesn’t differentiate whether it’s a very high-end, expensive phone or not so expensive, much simpler phone. So that’s an important element here, right? So, our services don’t rely on the device. It doesn’t matter what device the user is using.

Secondly, all the data elements that I talked about is in the mobile network. This is completely independent of what device it is. So that way as well, all those data elements that I talked about, all those 66 potential data elements are independent of the device. So, that’s how we use the service and then make it inclusive end to end, for any user, right?

The other thing you asked about is what if there is no mobile network? It doesn’t really matter. So, the way to look into this thing is, we are relying on the mobile network. But the user doesn’t have to use the mobile device even at that moment of time for majority of the services. For the authentication services, the mobile device need to be in the network. But again, if the mobile device is not in the mobile network, it is connected to Wi-Fi or any other networks, in that case, we have fall back mechanism because we cannot really, rely on the mobile network because the device is connected to Wi-Fi, still we have a fallback mechanism.

And in some regions, like in US, we have worked with one of the large mobile operator there. Where we have worked with them to utilise the SIM, even if the device is connected to Wi-Fi. Because even if the mobile device is not connected to the mobile network, still there is a SIM there, right? If you can reach out to the SIM, we protect the device anyway.

And the other thing I was talking about, all these 66 potential data signals, they are available at the mobile operator’s secure CRMs, CVM and all the OSS, BSS system, right? So they don’t need the user to be using the mobile device at that moment of time. For example, if there is a SIM swap that has happened in the last few hours, the mobile operators databases, they already are aware of that even if there is no network. So, all our services other than the authentication service which we call SAFr Auth, all our services are data-related or signal-related services where these businesses, let’s say, this is a bank or an e-commerce provider or even a social media provider, their server makes the API call to our platform to get this data signal. So the mobile device is not involved, mobile network is not also involved there. Because again, we want that inclusivity for every user to be involved in there.

Oscar: OK. Well, definitely very novel way of addressing these problems. So I’d like to ask you one final question, Gautam, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Gautam: Thanks a lot Oscar for asking that. The most important thing to add into their agenda is an acknowledgement that the internet doesn’t have that identity layer. Because that’s a fundamental problem. Because if we start to add technologies on top to fill the gap, that will not solve the problem. And we have seen over the years, right? We have seen user ID password, they didn’t solve that, SMS OTP or any form of OTP, they didn’t solve that. Then we added all sorts of other OTPs, right? TOTPs, authenticated apps, we even used those RSA tokens that we used to carry on. Then we evolved into biometrics. And by the way, biometrics, I’m sure your audience is aware of this, after Generative AI, every form of biometrics is challenged.

And then actually, you know, interestingly, LexisNexis, which is one of the largest fraud management provider on app based in US, their CEO of the government affairs came to the press. This person gave an interview to Fox News in June, saying that we are so much relying on these biometrics and after Generative AI revolution, there is a financial impact in the industry and then that impact is around 1 Trillion USD because every form of biometric is challenged through this Generative AI. Not just through deep fake, through all sorts of mechanism. I mean you can actually search the internet on those kind of fraudulent activities happening on almost a weekly basis.

So, let’s acknowledge that there is a fundamental issue with the internet and that’s no one’s fault because internet was not designed for that. If you acknowledge that, then we can solve the fundamental problem, right? And that can be done through the already existing identity layer which is existing in the mobile operators. Let’s work through that and solve the problem forever.

So, basically, what I am saying is, let’s bring in that identity layer from that parallel internet which we call mobile internet into the traditional internet. And let’s solve that problem at the root. And that’s what we are doing in Sekura.id. And that’s what we would invite all the leaders in the digital space to look into and solve the problem.

Oscar: Thank you very much, Gautam, for this very insightful conversation. And let us know if people would like to find more about you on the net, what are the best ways for that?

Gautam: Thanks a lot, Oscar. Thanks for inviting me. I am on LinkedIn. Please connect to me. It’s Gautam Hazari, G-A-U-T-A-M H-A-Z-A-R-I. If you Google me, you will find me there as well. And also, please visit Sekura.id, S-E-K-U-R-A.ID. You will find insightful solutions there and also we post lots of insightful stories, articles, blogs and what the future is looking like. Recently, one of my article is published in Forbes, I’m calling it Internet of Thoughts, where the future is coming and where, if you don’t solve this identity crisis in the internet it may create more issues. So, please reach out. Please look into Sekura.id and let’s solve this identity crisis together.

Oscar: Yeah, of course. Again, thank you very much Gautam for this conversation, and all the best.

Gautam: Thank you very much Oscar for having me.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.