Three Takeaways from Our Expert Panel on Safe Credentials

Last Thursday, we hosted a virtual fireside chat (watch the recording) with three leading industry experts in digital identity: CULedger’s Julie Esser, Mastercard’s Bryn Robinson-Morgan, and Evernym’s Daniel Hardman.

The topic of the panel was ‘safe credentials,’ or more simply, a look at how we can architect digital portable credentials to maximize privacy, security, and usefulness. It’s a topic near and dear to us all at Evernym, and something we’ve written about a lot lately, through proposing five tests for determining whether or not a credential is safe and tackling two common, yet dangerous credential assumptions.

And sure enough, we’re not the only ones thinking about the importance of safe credentials. Last week’s panel discussion was, by far, our most popular webinar to date, attracting over 300 registrations from all over the world for a jam-packed Q&A session on what it means for a credential to be ‘safe.’

Here are three themes that emerged from the discussion:

1. Safe credentials are bigger than any one organization

Both Julie Esser (CULedger) and Bryn Robinson-Morgan (Mastercard) repeatedly emphasized that the benefits of digital credentials go far beyond their organizations.

Julie discussed several of the benefits that CULedger is actively driving for their credit union customers, including secure authentication in a call center environment (which she referred to as the ‘weakest link’ for security) and a path to smarter compliance with GDPR, CCPA, and Know-Your-Customer and Anti-Money-Laundering (KYC/AML) regulations. In addition to powering better, frictionless member experiences, these solutions have already created drastic cost savings for credit unions by dramatically reducing the time it takes to authenticate a member in the call center.

She then went on to mention how these credentials can be used outside of the relationships members have with their credit unions. A credential, especially one like CULedger’s MemberPass that will have gone through rigorous “KYC hoops,” is a digital asset that can be given to members to enable them to securely, privately, and effortlessly prove their identity not just to their credit union, but to any organization, individual, or device they interact with. For this to work, Julie added, we need open, interorganizational collaboration and true portability and interoperability (which is one of the five tests for safe credentials).

Julie acknowledged the strong sense of collaboration that already exists within the credit union industry, adding: 

“Credit unions are a collaborative, cooperative industry. We don’t have the turf wars many other financial institutions have, and we don’t compete heavily with each other. That’s why credit unions can advance this technology. We look at ourselves as one unit and look for ways where we can improve our industry and better serve our members. A lot of this comes down to improving back office processes, which has a huge impact for both the members and the credit unions.”

Julie Esser, CULedger

Bryn echoed this call for open collaboration, commenting on how portable credentials can be used for the benefit of everyone within the Mastercard payments ecosystem, including consumers, merchants, and banks. Unlike the “walled gardens” that have dominated information security up until now, he argued that the usage of digital credentials shouldn’t be subject to any “artificial barriers” across organization boundaries, sector boundaries, or even national boundaries. When consumers can navigate the online world as securely and seamlessly as they do the physical one, all parties will benefit.

2. Safe credentials show the need for both technical and human governance

Another common sentiment addressed by both Bryn and Julie was the dual need for human and algorithmic governance.

Bryn explained how it’s not enough to design technology around trust and safeness; there’s also a need for human governance, such as legal contracts, liability and redress, privacy, user experience, and the independence and reliability around a credential. This level of human trust is critical to KYC and AML processes within financial services, he added.

When asked how verifiers can determine whether or not to trust a credential issuer, Bryn responded:

“When we boil this down to human interaction and the five tests, the average person won’t understand what those tests are and won’t know or care what verifiable credentials are. When we bring [credentials] into the payment world—when we go to pay, whether it be at a physical location or on a website—at the storefront, there is an acceptance mark – the two conjoined circles for Mastercard that say “I can trust this, I know what will happen when I tap my card, and I know what protections I’ve got.” It all sits behind that acceptance mark. Part of our job is taking that complexity away from customers so that they can trust the ecosystem, as that’s the same whether it’s payments and Mastercard’s conjoined circles or identity and the ID mark.”

Bryn Robinson-Morgan, Mastercard

The level of trust Bryn describes boils down not to the technology keeping our data secure from hackers, but to our own confidence in, and knowledge of, the institution issuing the credential. It’s the same reason why an employer is likely to trust a diploma credential issued by Harvard University but not one issued by Joe Shmoe. 

When asked the same question, Julie discussed how CULedger is ensuring the integrity of its MemberPass solution through the creation of its recently launched Digital Trust Registry.

“We’ve taken a part of our implementation and created a digital trust registry, made up of all credit unions that have been verified (through the regulator, for example) and can be used by the verifier to check the public DIDs, schemas, and revocation data to ensure that the credit union is a bona fide issuer of MemberPass.”

Julie Esser, CULedger

This combined approach of human and technical governance is a core component of the Trust over IP Foundation, of which Evernym, CULedger, and Mastercard are all founding members.

3. Safe credentials are about building the future we want to live in

Last but not least, all three of our panelists looked beyond the bottom line and beyond user experiences in expressing their belief that safe credentials are the right thing to do.

In his introduction, Bryn kicked off the discussion with Mastercard’s vision for identity:

“Mastercard believes that every individual in the world should be the owner of their own identity and that they should be able to define it, protect it, and use it to advance their goals. Safe credentials are a great way of achieving this mission.”

Bryn Robinson-Morgan, Mastercard

He later pointed to digital credentials as a “natural extension of the Mastercard DNA,” and commented on Mastercard’s recent joining of the ID2020 Alliance:

“It’s not just about creating an identity infrastructure; it’s about creating the right identity infrastructure. One that’s a force for good that ensures there’s an ability for everyone to prove their identity and have that as a fundamental universal human right. It’s about designing it, first and foremost, for the benefit of people.”

Bryn Robinson-Morgan, Mastercard

Daniel Hardman (Evernym) seconded this notion of portable identity as a human right and added the need for digital trust solutions that work both ways. He discussed the importance of mutual trust (which is our fifth safeness test) in the timely context of COVID-19 credentials:

“It should be the case that everyone in the ecosystem plays by the same rules. You see the scenes in Wuhan where government employees are checking the forehead temperatures of individuals as they get on a bus, but what’s to stop someone from pretending to be with the government and walking around with a detector and checking temperatures as if they were with the government? What you need to be able to do is to have an app where you give proof only if the one requesting proof can prove who they are first.

This mutual authentication is top of mind for those doing COVID credentials, but it’s important in nearly all contexts. For Julie [CULedger], it should be the case that when people call a credit union, they know they’re talking with an authorized representative. Unfortunately, we see many solutions ignoring this need, but trust needs to go both ways.”

Daniel Hardman, Evernym

As an industry, we talk a lot about the need for organizations to be able to identify and know their customers, but we don’t spend nearly enough time talking about how individuals should be able to conduct similar due diligence every time they’re asked to type in a credit card number or present a credential. There’s a need to “verify the verifier.” 

Safe credentials aren’t just about KYC, improving organizational processes, or enhancing security, nor are they just about making it easier for individuals to prove and port their identity. They’re about making our digital journeys more trustworthy and secure, so that we can all go about our lives with greater confidence and personal safety.

Give your customers the gift of safe credentials

While we acknowledge that no solutions provider yet passes all of the five tests we’ve outlined, Evernym is committed to getting there first and designing tools that maximize privacy, portability, interoperability, and personal security.

This means we never take shortcuts, and we never make compromises when it comes to safety.

If you share in this vision, we’d love to work with you and introduce you to our platform.

[You can find the full panel discussion on safe credentials, as well as all past and future webinars, at www.evernym.com/webinars/.]