Let’s talk about digital identity with Riley Hughes, Cofounder and CEO at Trinsic.

This week, Oscar is joined by Riley Hughes, Cofounder and CEO at Trinsic and host of the Future of Identity podcast. They delve into Verifiable Credentials, including what verifiable credentials are, some examples and success stories of how these are being used and implemented, the connections between verifiable credentials and wallets and whether verifiable credentials will become interoperable.

[Transcript below]

“It seems like the future of identity will be much better than it is today.”

Riley Hughes, TrinsicRiley Hughes is CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralized identity community, Riley has pioneered efforts on making emerging, privacy-preserving technologies such as identity wallets and verifiable credentials adoptable to the masses. He began his career in the decentralized identity space as the second employee hired at the Sovrin Foundation where he established and led several teams.

Connect with Riley on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 97.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Oscar Santolalla: This week we are discussing verifiable credentials. I am joined by Riley Hughes, the host of The Future of Identity Podcast, to explore some of the most recent success stories of verifiable credentials and how we can work to improve adoption moving forward. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Hello, and thank you for joining a new episode over Let’s Talk About Digital Identity. One term that has been in our radar for the last – I would say four or five years has been verifiable credentials. Which I will say personally, I’m feeling that is becoming in the last one, two years pretty crystallised. And we have not talked too much about this lately, so I have a very special guest who has a lot of insight – what’s going on worldwide about verifiable credentials.

Our guest today is Riley Hughes. He is the CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralised identity community, Riley has pioneered efforts on making emerging privacy preserving technologies – such as identity wallets and verifiable credentials – adoptable to the masses. He began his career in the decentralised identity space as the second employee hired at the Sovrin Foundation, where he established and led several teams. Hello, Riley.

Riley Hughes: Hi, Oscar. Great to be here.

Oscar: It’s great to have this conversation with you. So very welcome. And let’s talk about digital identity. And as usual, I want to hear more about our guests. So, if you can tell us about yourself, and especially your journey to this world of identity.

Riley: Happy to do so. I am very fortunate to have totally fallen into this amazing industry. And it happened because while I was at college, I was seeing all those smart people around me going and getting jobs at elite places, you know, investment banks and management consulting firms, and so forth. And I thought that I wanted to kind of differentiate my resume enough that I could, maybe I could get an interview as well at one of these places. So, I thought, “What is the most, kind of, off the wall internship that I could get that would differentiate me from all of my peers?”

And I ended up getting a job at the Sovrin Foundation, as you mentioned. Sovrin at that time was very early. I was, as mentioned, the second employee hired, and it was kind of a blockchain meets identity meets nonprofit, you know, meets early employee kind of a role. And so, it, sort of, fit my criteria for differentiating my resume. But it was also just really, really exciting to be part of an early organisation. It grew up to about 25 employees in short order. And I was able to participate in some of that growth. And that was a lot of fun.

And what I realised is that there are a lot of problems to solve in this world of digital identity. I remember just thinking, “Man, it seems crazy that we are sending people to outer space, and we’re editing genes, and we’re doing all kinds of unbelievable things with science and technology. And yet, the best way to prove who I am on the internet is to take a photograph of my government-issued document and a selfie, or something. It just seems kind of backwards.” It seems like the future of identity will be much better than it is today.

And so, although I didn’t necessarily know whether Sovrin would be the ultimate manifestation of that better digital identity future, I did know that something would happen here that would lead to that better future. And so, I thought I would stick around in this space. I decided not to go for those other kind of recruiting opportunities that I alluded to. And instead, I started Trinsic with a couple of -. And that’s kind of how we got to where we are today. That was a little over four years ago.

Oscar: Yeah, super interesting that one of the first jobs – when you start to differentiate yourself – it was Sovrin. How did they find you? How did you find them?

Riley: The Chair of the Board of Sovrin was Phil Windley. And he was a professor at the university that I was attending. So, they had a job posting out for university students. And they didn’t have any money yet so they couldn’t pay very much and so they needed a university student and that’s sort of where I came in.

Oscar: Right place, right time. Fantastic, those coincidences that sometimes happened.

So, you’ve been around, as you said, four years/five years in this space already. So, what would you say has been something that has surprised you the most, something special you would like to tell us?

Riley: Yeah, that’s a great question. I think that when I started in this space, and the way we were talking about verifiable credentials, was as if it was a digital representation of a physical document. Right? And we can get into more about what verifiable credentials are and what they aspire to be. But the thing that was most kind of interesting and surprising recently, is – at Trinsic we are an infrastructure provider for verifiable credentials. And so, when companies want to incorporate a verifiable credential-based solution into their offerings, we’re an infrastructure to enable them to do that.

And as we did a kind of – an inventory or a survey of the landscape, of all of our customers and the ones that were most successful. What we realised was that people were not using verifiable credentials as a replacement for a physical document, generally. Instead, what they were using it for, is – in the same way that a FinTech developer might use an open banking API, right?

Basically, open banking allows you to unlock your data from its original silo, which is your bank account, and reuse that financial data and make it interoperable across other third-party applications. And, you know, what our customers were using verifiable credentials to do is something similar, but for personal data. Unlocking that personal data from its original silos and making it useful and interoperable and reusable across multiple applications.

And so, it actually changed, Oscar, the kind of form factor of the product we needed to build, right? And we realised that the correct – you know, we needed to change some things about how we were approaching our product.

So that’s been what we’ve been in the thick of doing for the last few months. And it’s been a fun journey. Startups are always a little bit of a roller coaster. And this is a fun part of that roller coaster.

Oscar: OK, super interesting, Riley. So, let’s jump into the main topic. So, tell us please, what are verifiable credentials?

Riley: Yeah, I alluded to verifiable credentials often being talked about as a digital representation of a physical document. And generally, when you hear the term verifiable and credential – a credential is sort of an attestation, or a claim made about one party by another party. So, in healthcare, right, your credentials are something that you’ve obtained, from a trusted source, that you can use to prove to somebody else certain things about you, and what your qualifications are, et cetera. And verifiable credentials are a way to do that verifiably, cryptographically in a digital form.

Now, if we’re talking about – I think there’s two ways that people use the term ‘verifiable credentials’ today. One is with an uppercase, V and C, an uppercase Verifiable Credentials, that is the formal official W3C Verifiable Credential Data Model Standard. And that is a specific kind of verifiable credential that is sort of an interoperable, and probably the most well-adopted, and well talked about kind of verifiable credential.

And then you have the lowercase, vc, verifiable credential. And there are lots of different kinds of lowercase verifiable credentials. Lots of things that can fit this model of an attestation that is given to you by some trusted party, and used to get access to the things you need throughout your life. So, I guess it depends on which of those you’re talking about. But I hope that that’s a helpful kind of intro.

Oscar: All right, thank you for that. And the same term can mean different things from different perspectives. Let’s make even more concrete.

So, let’s hear from you some concrete examples. If you can tell us something that is already widely used, some that most of us might already know about. So, tell us a bit of some examples of verifiable credentials.

Riley: Yeah, I mean, again, if we’re to zoom out a little bit and talk about verifiable credentials in the broadest sense. Even something like a credit card could be considered a verifiable credential. It is something that was given to you by a trusted source, likely a bank, and you can use it with third party merchants in a way that they can authenticate that card and charge your account based on your actions with that card. And so it is, you know, in the broadest sense, even something like a credit card or a government-issued ID could be considered a form of a verifiable credential.

But if we’re talking about specifically, the new W3C Verifiable Credential Standard, I think, one example that is helpful to conceptualise what this looks like, is the vaccine, or the sort of travel pass type products – that many of us used throughout the pandemic. I think this is where – this is the first use case that we found that Trinsic received broad adoption. And, you know, these are products that allowed you to prove that you were vaccinated against COVID, or that you had obtained a recent COVID test, and that you are therefore eligible to travel. And you know that is a form of verifiable credential, Apple and Google even were accepting those credentials into their native operating system wallets as verifiable credentials as well. And so that is maybe an example that a lot of people have used in the recent years.

Oscar: And those were already based on the W3C standards.

Riley: Yeah, technically, I think the smart health cards was what they were based on, and smart health cards were based on the W3C standard, so yeah.

Oscar: OK. Yes, definitely that has been a case that millions of people have used. Those helped us during the pandemic without knowing the term of ‘verifiable credential’. So that definitely has been widely used in different regions, different implementations. But yeah, that’s correct.

OK, if you tell us also some other examples, how has been, yeah, across different sectors, let’s say verifiable credentials are being implemented and as well, interesting stories.

Riley: Yeah. So, I think when you look at Trinsic, we are, again, an infrastructure provider. And so, we see companies all across the spectrum using Trinsic to accomplish their verifiable credential use cases. Everybody from a car manufacturer to a B2B supplier, an invoice management solution to a consumer product application for events and concerts, to education and healthcare use cases, I think.

A use case that I really like, is the medical staff passport. It is something that’s easy to conceptualise, really, it’s an identity wallet that a provider, a physician or a nurse could use to prove that they have the correct credentials and qualifications to do that job.

And so, if you’re a physician that needs to go to a new hospital, to substitute for some staffing shortage or something. The way this works today is there’s a big, long credentialing process where the new hospital needs to spend a lot of time checking lots of different things to make sure that you are eligible to do your job. And still, there’s fraud that gets through. With a digital staff passport, a doctor could simply prove who they are much faster, prove their credentials much faster, and get to work serving patients much sooner. So that’s a use case that I think is pretty helpful and has been succeeding, I think there’s four or five projects that I’m aware of around the world that are that are doing that, including some that are being built on Trinsic.

But I think regardless of where you look across all of those different industries that I mentioned, you see a couple of common patterns. And one of those common patterns is – you often need to anchor that credential in something, some foundational verifiable credential. So, what we’re seeing is, you know, if you’re a doctor, and you want to get your credentials in a digital verifiable credential form. The first thing that you’ll do is not actually go get your doctor credentials. But instead, the first thing that you do is verify your identity, scan a government document and authenticate yourself against some authoritative, again, government type document. And then when you obtain your doctor credentials, you can then make sure that those match. And then when you prove who you are in subsequent interactions, it’s much higher trust. Because you can cross reference the two credentials, and that brings a high degree of trust.

And so, what we see across a lot of these use cases are people doing, sort of, an identity verification step. In addition, and that becomes the foundational verifiable credential, or reusable identity (as we call it) that anchors some of these verifiable credentials. And that step is something that we at Trinsic help facilitate as well.

Oscar: OK, so the very first identity verification. So, when you mentioned that for this healthcare professionals, credential, you mentioned, there are a few worldwide. So, will these initiatives, I don’t know how much if they are in production, or is still in development? I don’t know, but if you know enough about the difference of these projects, do you think they will become interoperable or they are following different paths? What’s your view?

Riley: Yeah, I think that, yeah, I think that they will become interoperable. It’s hard for me to say a blanket statement that every single one will definitely be. But yeah, but I think that many of these projects are based on the W3C Verifiable Credential Data Model. And if they’re not based on that data model, they’re based on something else that is very similar. And I think the important thing to remember as it relates to interoperability is there’s a little bit of a conflict, actually, between two very important things.

When you’re launching a product, you want the ability to move fast, to iterate on the form factor, and change things to the extent that they’re not working, and bring the best technologies to bear, to build the best product that you can for the customer. And at the same time, you also want interoperability and compatibility across applications. And these things come into conflict because in order to be interoperable or compatible with other applications, you sort of need to slow down and agree upon a set of standards. But to be sort of innovative and moving fast, you kind of need to speed up and be willing to throw away your old solution and replace it with something better. And so, you get is this tension between innovation and interoperability.

So many of the solutions that you see out in the market today are not interoperable simply because they’re focusing more on the innovation side of the equation. And yes, there are proof points of kind of interoperability testing and interoperability suites that people can come into compliance to. But oftentimes, that’s kind of a steppingstone and will come into compliance with that. And then you’ll see another divergence of different attempts, and then they’ll sort of converge back to another point of interoperability at some point in the future. And so, it’s never quite as cut and dry as just interoperable or not.

And so, the important thing, before you build a bridge between your island and someone else’s island, you need to make sure there’s stuff on the islands for people to do, right? You need to make sure that people actually get to drive their car across the bridge. And so, in my opinion, the most important thing to do first, is get a product out there and get people using it and get happy customers where you’re solving their problem. And once you’ve done that, you can incorporate interoperability to make your product even better for those customers and solve even more problems. But I think trying to solve interoperability before you have a product in market is a little bit of putting the cart before the horse in some ways.

Oscar: Yeah, definitely. Definitely a good observation. And I agree that, yeah, you need adoption, you need adoption, you need to solve problems. To see that yeah, this new technology, this new product is really solving, solving problems for a big enough mass of users. And from that perspective also, my impression is that most of the companies who are building these products are not the big ones, right? Not the big companies, that’s my impression. So, it’s like, startup entrepreneurs, mostly. So how is the – are they doing profit in this space of verifiable credentials? What is, what you have seen?

Riley: Yeah, I don’t think I can say that there’s a, you know, hundreds of really successful, kind of, high profit generating companies out there. But there’s definitely companies earning revenue. To the extent that their revenues exceed their costs, I don’t know. But from a revenue standpoint, I think, you know, the key to making money with verifiable credentials is not the verifiable credentials. The key to making money with verifiable credentials is to – solving a problem with a customer. And to the extent that verifiable credentials can help you do that better and more effectively, that’s the extent that you will profit with verifiable credentials, right? So, you know, what we’ve seen is really not a whole cloth reinventing of the fundamental economics of the internet, or anything like that.

I’ve seen a few ways that people are making money. The first way is they build a consumer product that makes a person’s life better, and they charge the consumer for that product. Right? Password managers cost a few bucks a month. CLEAR is an identity product that you might see in airports, especially in the United States, you know, where you can skip the line at the security by enrolling in this identity company called CLEAR. These are examples of consumer products that consumers pay for because it makes their lives a little bit easier.

And I’ve seen verifiable credential type products that do the same thing. I’ve also seen products that solve a problem for our business, and they take, maybe it’s a subscription revenue, maybe it’s a usage-based fee for that. And they follow the software as a service playbook that is sort of tried and true. And, you know, this is – I mentioned the doctor, kind of the staff passport solutions a minute ago.

And I’ve seen some of these types of solutions that have done really well by leaning into a vertical, a vertical software approach. And using the kind of verification of individuals and employees of a given hospital or something like that, as a benefit, a value-add to their existing software as a service product. And so that just sort of strengthens their revenue proposition there.

And then the third way that I’ve seen are companies that are already doing some kind of an attestation, but in a non-verifiable credential way. So, for example, this might be an identity verification company, a background check company, a student ID verification company, and the list goes on.

And I’ve seen, you know, these kinds of companies incorporate reusable identity or incorporate verifiable credentials into their product. Or in other words, issue their attestation as a verifiable credential, instead of just simply, you know, an API response, and continue charging the same business model that they always have, and actually make more money than they were making previously. Because now that it’s a reusable credential, people can use it more places than they otherwise would have. Or it becomes their go-to resource for authenticating themselves, which then leads to even more revenue for the attestation provider. So, these are a few ways I’ve seen people make money with verifiable credentials, and then our fundamental kind of transformations of the business models that may have come before.

Oscar: Yeah, but it’s very interesting to see that there is value generation on top of solving problems and solving people’s problem. Excellent. So, one, relatively new term that is relatively new is wallets. And that is a term that I feel that is already reaching the masses, so people hear about that more commonly at this point, 2023, that we are having these conversations. So, what is the relationship between – or the connection between verifiable credentials and wallets?

Riley: Yeah, it’s pretty simple. I think the easy answer is wallets are where your verifiable credentials are stored. So, you get – just like in real life, you obtain a driving license. Where do you put it? Well, generally speaking, you put it in a wallet. And in a verifiable credential world, that holds true. I think this breaks down just a little bit if you think about wallet in the way that most people use the term. Most people associate a wallet with payment of some kind.

So today, your verifiable credentials are unlikely to fit inside of your Apple wallet. They’re unlikely to fit inside of your crypto wallet. They’re unlikely to fit inside of some other things, which are called wallets today. But I think that’s just a function of the maturity of the technology. I think, you know, we’ll get there.

For now, the term that I use are ID wallets, right? They’re sort of wallets that are built for verifiable credentials. And today, they sit alongside other kinds of wallets. So, in the Web3 space, we have some customers in that world. And for the users of their products, the ID wallet is a separate container or a separate data store or separate wallet that sits alongside or next to a crypto wallet for those Web3 applications. And, you know, in a Web2 world, again, a user ends up getting a wallet, oftentimes, they don’t even know that it is a wallet, they don’t even know that we refer to it as a wallet. To them, it’s just storage of their verifiable credential, or of their staff passport or something. But, yeah, hopefully that helps.

Oscar: But the ID wallet that you mentioned, it’s also from a normal user perspective, you just want one more app in the mobile, something like that?

Riley: Yeah, it could be an app. It also could not be an app. I think oftentimes if you are requiring your user to redirect out to an app store, download an app, authenticate to the app and get on boarded through the onboarding screens, and then obtain a verifiable credential. Also, that they can verify themselves and get the thing they actually want, that user experience becomes pretty tricky.

So, while we have seen some apps, you know, mobile apps, you know, succeeding and that is a model that is definitely a viable option. It definitely should not be the only option. And I think we’ve even seen web-based wallets or cloud-based wallets really taking off in much, much greater numbers than a lot of the mobile app wallets that we have, that we’ve seen. And I think it’s just a function of the friction required for a user to go through that journey is just so much less.

So yeah, it could be an app on your phone, it could be embedded into an existing app you already use. Or it could be a web resource that you, you know, authenticate to and get access to your credentials that way.

Oscar: Looking at the future from where we are now, what do you say is needed in order to see a broader adoption of verifiable credentials?

Riley: Yeah, I think we need more products, and more focus on product. So, you may have kind of heard from some of my previous answers that I, you know, I tend to think a lot about adoption. I think a lot about product. And I think a lot about business models. And that’s obviously because of my background. You know, I’m not an engineer by training.

But I do think that a lot of times, people get a little bit lost into the weeds with the technology. There’s a lot of cases where, you know, we’re talking about theoreticals in the technology, before anybody is actually using the product and we’re sort of holding up these, you know, certain technology principles as gold standards or best practices. When in reality, many verifiable credential approaches do not have product market fit yet. And so, we could build the most amazing, elegant, utopian technological solution. But if nobody uses that solution, then what’s the point?

So, I think really, the thing we need to focus on so much more is adoption and product execution over anything else. The technology is there, it’s good enough, it’s plenty good enough. It’s been good enough for – I mean, four years ago, literally, we launched the first version of our product, which allowed any developer to issue a credential within five minutes on Sovrin. And then a few weeks later, we expanded it to where there was a dashboard where even a non-technical person could issue credentials within five minutes.

So, the technology has been really accessible for a long time now. And when we look at our customer base, and we look at the success rates, and then we try to correlate those success rates with something and see what predicts success in this market. Every single time it comes down to product execution, and just being focused on solving a real problem for people. And so really what we need to get more verifiable credential adoption, is we just need – more of that, more problems being solved for businesses and people who are willing to pay for it. Right?

Oscar: Yeah, I agree. All right, thank you for the explanation of what’s going on verifiable credentials. And I agree a lot of your views on the focus on solving problems. So, leaving us with a final question, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Riley: Well, I am going to piggyback off my last answer for this one, Oscar. I’m going to say, if you are a company that has an identity product, or some kind of attestation service for people, or something like that. You should write on your agenda to explore how verifiable credentials could augment your business, because it’s likely that there’s some startup out there that is sort of doing something using verifiable credentials in your space or an adjacent space. And, you know, and they’re learning fast about what’s working and what doesn’t, and what this new world will look like. And so, as the world moves to fully digital and moves to reusable identity, the ones that sort of obtain those insights fastest and move first are going to get a lot of the benefits. And so, that’s the first thing.

If you are not in that category of a company that would sort of incorporate verifiable credentials, then the action item that I would give to you is to be a user of one of these products. And if you can’t find a product that uses verifiable credentials, if you can’t find an ID wallet that solves a problem for you, that’s maybe a little bit of an indicative of where we are as a space. But if there is something that you can use and try out and actually use it in the real world to solve some problem for you, I encourage you to do it, give it a try and give feedback to the developer of that product and let them know your experience. Because these are the kinds of things that will drive adoption of better identity systems in the future than what we have today.

Oscar: Yeah, definitely. Oh, thanks a lot for this very interesting interview, Riley. Please let us know how people can follow the conversation with you.

Riley: Yeah, I – so the first thing I’ll say is that we do a podcast as well. This has been a blast, Oscar. This is a great podcast. I love it. I think if you’re interested in reusable identity, specifically, and diving deeper into some of the stories of companies that have launched reusable identity products, or verifiable credential-based products out into the wild, I have a podcast that we do, called The Future of Identity podcast. And so that’s what I would encourage you to check out.

If you’re interested in following me or getting in touch, you can email me at [email protected]. Find me on Twitter @rileyphughes. I’m also accessible on LinkedIn. If you search my name, I’m sure you’ll find us. And I’m always open to feedback and love the conversation so please reach out if you think there’s a way we could work together.

Oscar: Yeah, thank you and indeed I’ve been listening to your podcasts, The Future of Identity, so it’s highly, highly recommended. So, if you want to learn more in identity especially the topics that Riley has been bringing us today. So again, thanks a lot Riley for joining us. And all the best.

Riley: Thanks, as well, Oscar. You as well.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.