July 11, 2017
One’s identity is the centerpiece of every aspect of his/her life – financial and social standing, health, family welfare, employment, education, etc. Identification, whether through civil registries or other national identification systems, has three overarching outcome goals from a development perspective: inclusion and access to essential services (healthcare, education, electoral rights, financial services, social safety net programs); effective and efficient administration of public services, transparent policy decisions, and improved governance.
With the far-reaching effect of digital identity systems, identity management has become one of the most important areas of innovation in the financial services industry and beyond. One of the companies investing substantial efforts to bring a federated identity system and give power over own identity to the individual is SecureKey. The company applies an ecosystem approach to building a trusted and secure identity system for Canadian citizens to access over 80 government services through its SecureKey Concierge service. Andre Boysen, Chief Identity Officer at SecureKey, shared his vision of the trusted identity networks of the future in an insightful conversation with the LTP Team.
Elena Mesropyan: For part of the LTP audience that may not be familiar with SecureKey, please tell us about the company and its products/solutions.
Andre Boysen: Before we get started, I want to thank you for the opportunity to discuss SecureKey with your readers. Digital identity is such an exciting topic and will be at the forefront of people’s minds as our world becomes more intertwined with digital technology. I really think it’s important to have conversations now about what companies like SecureKey and our partners are doing to protect consumers’ digital futures.
SecureKey simplifies a consumer’s access to online services and applications. Our technology allows consumers to conveniently and privately assert identity information using trusted providers, such as banks, telcos and governments, thereby helping them connect to critical online services with a digital credential they already have and trust, while ensuring that information is only ever shared with explicit user consent.
In a nutshell, we put the consumer back in the middle. We operate a great service called SecureKey Concierge, which creates a secure and private framework in which consumers can sign into essential Government of Canada services. If you’ve ever filed your taxes or purchased something through a government agency in Canada, chances are you’ve used our technology.
We’ve recently entered into partnerships with Canada’s largest financial institutions, telcos, government agencies, the Digital ID & Authentication Council of Canada (DIACC), and IBM, among many others to develop a blockchain-based digital identity ecosystem for Canadian consumers. Effectively, this ecosystem leverages a cross-industry blanket approach to protect consumers’ digital assets and identities. Consumers get to choose what companies see their digital assets, why they see it, when they see it and how they use it. This ecosystem will help consumers prove they are who they say they are with much greater ease, privacy and trust.
Just to be really clear, it’s hard to have robust digital payments without robust digital identity. Each of the transaction participants has a need to know who they are dealing with for both business and regulatory reasons.
Elena Mesropyan: SecureKey is advocating the ecosystem approach to identity – a different way to approach identity and attribute sharing in the digital age. There are two questions on the matter:
1. What is the problem with the existing approach to identity and authentication?
Andre Boysen: We live in a digital world, but are being forced to use outdated and broken identity systems that have too many avenues that welcome the possibility of fraud. Interactions in person have worked in the past, but that ease of identity confirmation hasn’t translated over into the digital world, even though our expectations have. When we as consumers try to access or transact with online services, we have to prove who we are, even though we’re often trying to access our own digital assets. That doesn’t make sense. To make matters worse, we trust passwords to be the gatekeepers of our most confidential information and often have over 100 password/username combinations. That model comes with an immense amount of friction.
2. What are the advantages of the ecosystem approach?
Andre Boysen: What we have today is do-it-yourself single-sign-on; users have voted with their passwords for a simpler online life by making all their passwords the same. Users do this not because they don’t care about security, but because it is the only way to manage a complex online life. We see the problems this has caused with online service providers in the form of risk propagation. When site A gets hacked it has consequences for sites B, C and D, despite the fact that those have top information security practices in place.
The primary advantage of an ecosystem approach is that it’s cross-industry in order to impact all consumers, regardless of the service they choose to use. Ecosystems aren’t exclusively for financial institutions, or sharing economy applications, or payments solutions: it impacts everything. More importantly, it simplifies online life for consumers while making it safer for business to transact.
Elena Mesropyan: Tell me more about the ecosystem built by SecureKey – what is the role of alliances, banks, and technology partners you have? How does every party benefit from being in the ecosystem?
Andre Boysen: Think of an ecosystem in nature. Every part is essential; if one part disappears or falters in some way, the whole thing comes apart. The same stands true for digital identity ecosystems. Banks, telcos and payment providers can keep their operating costs down, governments can reduce data security costs, healthcare providers can protect patient records, and sharing economy organizations can cut costs related to identity fraud. The consumer ultimately benefits from all of this. The strength comes from the crowd cooperating for the benefit of the consumer which is repaid in the form of lower operating costs, higher online adoption, and lower risk of breaches.
Elena Mesropyan: How does the Canadian government use and benefit from your identity and authentication solutions?
Andre Boysen: Currently, the Government of Canada uses our SecureKey Concierge service, enabling citizens the ability to login into over 80 government services. One of the most well-known services allows Canadian citizens an absolutely secure option to file taxes through the Canada Revenue Agency (our IRS) online. But our offering to the government is fairly extensive. For example, if Canadians traveling this summer want to book a camping site at any of the country’s national parks, they can pay online with SecureKey Concierge.
Elena Mesropyan: How does SecureKey integrate and ensure continuous enhancement of its solutions within its ecosystem?
Andre Boysen: We’re constantly exploring new collaborative partnerships to help drive that continuous enhancement. We continue to increase the features of the service to make it even more convenient and useful to customers. Our ecosystem is also very open to collaboration from its participants.
Elena Mesropyan: SecureKey operates its identity solution on a permissioned Hyperledger blockchain fabric, as I understand. What explains the choice of a permissioned blockchain for an identity solution? Any why operate identity on blockchain at all?
Andre Boysen: Permissioned blockchain was the natural choice for our ecosystem. Although our service will be cross-industry and collaborative, it’s still important to control who participates in the network and validation process.
The futures of blockchain and digital identity would not be possible without the other. Blockchain sets the foundation on which modern digital identities can grow with security, privacy, and trust. What better way to give consumers the rights back to their digital assets than to provide them with a technology that prevents any party from seeing their attributes unless consumers themselves give their consent? The additional benefit is the destination service that receives the consumer’s information will know it has not been altered nor will it be presented by someone other than the owner.
Elena Mesropyan: SecureKey’s focus is a federated identity. What do you think of decentralized/distributed identity solutions like Civic? Especially in areas like financial services and healthcare.
Andre Boysen: While our model is federated, it also incorporates distributed ledger technology. We believe that distributed networks are the future of digital identity and provide the best framework for identity ecosystems to grow. It also prevents vulnerable honeypots of data from accumulating, which ultimately protects the consumer and ecosystem at large. We never hold the user’s data. That’s where decentralization has the most security benefits for areas like financial services and healthcare; the data is never held in a single place. Imagine being able to access your private health records securely online with the absolute confidence that your data will never be breached or viewed by malicious parties. The cross-industry implications for decentralization are very exciting.
Elena Mesropyan: In a 4-to-5-year period, will identity move to a distributed model? Yes/no and why?
Andre Boysen: At SecureKey, we think digital identity will fully migrate to a distributed model. Simply put, this is the most secure format for an ecosystem approach that prevents any single points of failure. It is also worth noting that this is how paper identity works today – identity is distributed and there is a plurality of providers. This continues on with what consumers already understand, and it’s a common business practice. It is enhanced by adding integrity to the data and prevents over-sharing of data.
Elena Mesropyan: Who is the main beneficiary of the identity and authentication solution that you offer in your ecosystem? In other words, who are you solving a problem for – businesses, governments, consumers, or financial institutions? Who has the ultimate control over identity and information in your ecosystem?
Andre Boysen: The main beneficiary is ultimately consumers. Everything we do here at SecureKey is aimed at putting consumers back in the middle and allowing them to decide when, how and why their digital assets are shared. But by benefiting the consumer, businesses, governments, and financial institutions also see the value. From keeping onboarding and identity fraud-related costs down to keeping processing costs down when individuals file their taxes securely online, the positives are seen across the board.
Because our solution is built on the blockchain, it is specifically designed so that no single party within the network can see, control or utilize consumer attributes. And that includes SecureKey. For example, if you share your banking credentials through our system to pay your phone bill via a telco, your bank does not know what services you’ve engaged, the telco does not know what bank you use and SecureKey similarly sees neither. Participating organizations do not have any context when it comes to consumer attributes. All they have access to is what the consumer decides.
Elena Mesropyan: What are the top three use cases for the identity and authentication solutions SecureKey offers?
Andre Boysen: I would say government, financial services, and healthcare. But the market is growing exponentially. With IoT and sharing economy services on the ascendancy, the need for trustworthy, private and ubiquitous identity is going to be even more important.
Elena Mesropyan: SecureKey offers an efficient way for customers (government, banks, etc. – entities) to enroll new online users via third-party trusted credentials they already have. How do your clients reach those who are not registered with any trusted member of your ecosystem?
Andre Boysen: Right now, we’re focused on growing our list of partner organizations. By spreading the word of how ecosystems can benefit consumers, we hope to encourage those who don’t currently participate to explore our services and join. All existing services are coping with current methods for identity proofing and access, albeit with high cost and the existing risk profile. As the Concierge experience shows, consumers are quick to adopt it because the benefits are compelling in the form of simplicity and convenience. Service destinations have to get on board because consumers will abandon services that continue on with current methods.
Elena Mesropyan: SecureKey Concierge Service has two parts to it – Federated Authentication Service and Identity Verification Service. Federated Authentication Service enables consumers to access online services using their credential of choice from an Identity Partner that is part of the SecureKey Concierge Service. Although you have an extensive (and impressive) list of partners, there can be a part of the population that’s left behind for one reason or another. If I, for some reason, don't have credentials with any of the trusted members of your ecosystem, how can I benefit from SecureKey?
Andre Boysen: Our list of partner organizations is constantly growing. As more organizations join, SecureKey Concierge permeates further and further, becoming more intricate and trusted. We have no doubt that the vast majority of Canadians will be engaged with our services. Organizations across Canada understand the benefits federated authentication and identity verification services have on individual consumers, customers, businesses, and government.
In addition, bringing up a conversation about the true value of our digital identities will impact everyone, regardless of whether they can participate in our services or not. We live in a digital world and we need to build frameworks to help it grow in a way that ensures privacy, security, and trust.
We have a very high coverage in Canada already; 99% of the adult population has a bank account. But we recognize that success means 100% coverage and, with our partners, we will be there soon.
Elena Mesropyan: What milestones do you have for the company?
Andre Boysen: In October of last year, we announced $27 million in funding from Canada’s largest financial institutions. That was such an exciting and huge step for us and our ecosystem. It really set the foundation for what we’re trying to achieve.
We also announced a grant partnership with DIACC and the Command Control and Interoperability Center for Advanced Data Analytics (CCICADA), a research center of excellence funded by the US Department of Homeland Security, Science & Technology Directorate, to help develop the framework of our ecosystem, ensuring that privacy and security are of the utmost importance from the very beginning.
Finally, and more recently, we announced that our ecosystem will be built on Hyperledger Fabric, the leading distributed architecture developed by the Linux Foundation, in large part thanks to IBM. The technology here is unparalleled and was a phenomenal milestone for SecureKey.