Vlog: Decentralized Identity Explained
Explore the future of digital identity with Rohan Pinto, CTO of 1Kosmos, as he discusses his new book on decentralized identity. Learn about the evolution from traditional to decentralized systems, key concepts, and the potential impact on privacy and security in the digital age.
Michael Cichon:
Hello, everybody. This is Michael Cichon, chief marketing officer at 1Kosmos. I’m joined today by Rohan Pinto, our chief technology officer at 1Kosmos. Rohan, welcome to the vlog today and congratulations on your new book.
Rohan Pinto:
Thank you. Thank you.
Michael Cichon:
Hot off the presses January 2025. I’m delighted to have a chance to talk to you about this today. I’ve just started. Full disclosure, I just started to read it, but tell me a little bit about, let’s start at the beginning, the origins, what prompted you to write the book about digital identity?
Rohan Pinto:
Absolutely, absolutely. Thank you so much. I have a copy of it right here, and you spoke about the origins, so I would say, when you have some time, Mike, go through the second page, the preface. It talks about me and my kids and what kind of motivated me as far as my family goes to get the book done. But in all reality, putting family aside and the emotions aside, one reason why I wanted to write the book is because the entire industry has been focused on identity management, and the key word out there is just “identity management”, IAM, identity and access management, identity governance, identity proliferation, and that’s what the focus was. And over a period of time over the years, everybody built fantastic identity management platforms, but all of them were centralized, and centralized systems come with their own set of issues, pros and cons, of course. And then came a new technology, a new framework that was, of course, initiated by the entire boom and the hype in the industry that started off with crypto assets coming into the picture, like Bitcoin and Ethereum.
But what fascinated me was the technology. The technology used to launch all these cryptocurrencies or tokens or whatever they want to call it. And the technology was so fascinating, and I said, “Wait a second, this architecture can actually be used for managing identities in a very privacy-preserving manner, following the laws of zero trust and privacy by design, and also enhance the security posture of any organization that needs to deal with identity management and governance within their organization.” So that’s when we came up with the whole idea of building something on the decentralized identity platform or the framework.
However, even after building it and launching it in the market and a bunch of organizations using it day-in and day-out, there’s a huge facet of the industry that didn’t really understand the core concepts of decentralized identities. And I said, “When it comes up to new tech, the number one or the primary go-to-market or the primary task that any organization has to undertake is user education.” If your users don’t understand the tech that they’re working with, that they’re dealing with that applies to them, there would be reluctance both from an adoption standpoint and also from the standpoint of, “Oh my God, where is my data going? Is it going to go on the blockchain? Is it going to go on somebody else’s network? Who’s going to own this data?” There are a million questions that pop into a person’s mind, both from a user standpoint, from the organization standpoint, from the CISO’s perspective, from the CTO’s perspective. So I said the best way to move forward in enabling this industry to embrace decentralized identities is to write a book about it.
Michael Cichon:
Fascinating. That’s great. Well, you’ve kind of walked up to the second question I had in mind, which was, why now? And you’ve kind of touched on it, but maybe you can expand on that. It seems like there’s this duality where businesses, organizations, individuals need to know with certainty who they’re dealing with online, but then there’s the privacy concerns. Talk a little bit about this balance, if you will, of getting past this built-in anonymity.
Rohan Pinto:
Anonymization of user data, et cetera. But before I jump into that and talk about the difference between the two, if you look at the book, and even without going through the entire book, if you just go through the table of contents in the book, you would notice that I start with the history of digital identity and then I jump into identity and access management and then I dive into best practices for identity and access management. And then it’s only after that that I jump into topics like trust anchors and sources of truth and the relationship between trust. And finally, towards the end is when I jump into the near future, which talks about the digital identity era.
So it’s not that I’ve written the book with the ideology or with the mindset saying, “Let me just write about decentralized identities.” It is important for someone to understand how identities are managed and governed, what’s the industry used to, and what are the pros and cons of the current approach or methodology before they can learn to appreciate the value that decentralized identities bring into the picture. So I tried to write the book in such a format that it can be read by any non-technical person to understand what the concepts are all about.
There are a few technical chapters as well, because it’s not just for the common man, it’s also for your IT managers and your CISOs and your CTOs too, but it does touch upon both aspects of it. As in, what is identity in the traditional sense of the word? And what does decentralized identity bring to the table and how does one go about implementing it? Which is why the book is split into various parts that talks about centralized identity and then talks about decentralized identity. Because I don’t want to nail a thought in your head out of force. I want users to be able to read, understand, gauge, and determine for themselves if it is something that their organization wants to implement or if it is something of value to the organization, rather than me just writing about decentralized identities without any context and tell people that, “This is important for you,” because nobody’s going to buy into the concept of me telling you that it is important, whereas me giving you proof and information about the difference between the current approach and the new and why this is better would yield better results.
Michael Cichon:
Well, that’s great. I mean, I’ve always thought if you really know something, you can explain it so just about anybody can understand it. It sounds like that’s the approach you took with the book. Let’s just cut right to the heart of it. What are the top three things or the top three takeaways that anybody should know about decentralized identity?
Rohan Pinto:
Okay, I was not expecting that question, but I’m going to try. I’m going to try. I don’t know if I’m going to be able to tell you the top three or the top four or five, but I’ll tell you a few of the top key elements that I want people to take away from this. One is that identity, what is identity? Whether it is a user ID and password that you use to access systems, whether it is my driver’s license or my passport or my birth certificate, what is it that actually comprises my identity?
So I’ve gone into describing what identity means from a user’s perspective. And the reason I went in from the user’s perspective is because if you talk about corporates or organizations, all organizations, I think I mentioned this before in another podcast, that they tend to have this, it’s called the God concept. So if I’m an organization and if I have an Active Directory or an Oracle database or an LDAP server that contains the credentials for all the employees in my organization, I own it. So I believe that I own facets of your identity, be it your passport data, your email address, phone number, name, date of birth, et cetera.
But the reality is that the only person who needs to own that data in terms of ownership is the user himself. So it is important to draw that differentiation between why decentralized identity puts rights of user data back in the hands of the user with very low friction. So as long as a user owns his data, manages his own data, has the ability to selectively present the data that he wants to present to various institutes or organizations in a privacy-preserving manner, a centralized identity system won’t be able to do it. So that’s where decentralized identity comes in.
Michael Cichon:
Okay, great. Now, what is the difference between decentralized identity and self-sovereign identity? Also a term I’ve heard floated around lately.
Rohan Pinto:
Yeah, there’s a lot of back and forth in the industry with those two terms. People typically assume that decentralized identity means it’s a self-sovereign identity and vice versa, but it is not.
Decentralized identity is the framework or the platform that allows you to store information in several locations without having a central authority controlling it. The whole concept is like a ledger, where you’ve got a trail of when that data was created, when it changed, who changed it, how it changed, what was presented.
Self-sovereign identity sits atop decentralized identity or sits beside decentralized identity. In the self-sovereign identity world, the user asserts his own identity. So I can tell you that I’m Michael Cichon, I can probably use a deepfake video and hold my phone up to your camera and say, “This is me,” where the user self-asserts his identity attributes or information.
Decentralized identity doesn’t state that. Decentralized identity only talks about the technology stack on how identities can be managed in a decentralized manner. That does not necessarily mean that the user has got the right to claim to be whoever he or she wants to be. So in the decentralized identity framework, I need to prove who I am first before my identity can be asserted and validated. And a good example of that is in our BlockID app, the product that we have at 1Kosmos, you scan your driver’s license and you scan your passport.
Now, I can talk for two hours of what happens behind the scenes when you hold the driver’s license in front of the phone or you scan your passport. It takes only two seconds, but the amount of tech behind it that scans the driver’s license, goes and validates the authenticity of that driver’s license, looks at whether the document itself is real or fake, goes and validates that against sources of truth, which is why my book also talks about trust anchors and sources of truth, goes and validates that against sources of truth like the Department of Motor Vehicles to ensure that the driver’s license is actually valid and it was actually issued to you, correlate that data to the data that’s extracted from the passport, verifying the signatures on the biometric chip on the passport, and that becomes my identity. So I can state that I am Michael Cichon, but the documents that I’m presenting to prove who I am, state that I am Rohan Pinto. So the identity that’s created for me is for the identity extracted from those documents that were presented. So I can never be Michael Cichon.
In the self-sovereign identity world, I can claim to be whoever I want to be. Now, the self-sovereign identity world has also embraced a lot of concepts from the decentralized identity framework itself. So you can claim who you want to be, but once you claim to be someone, you then need to substantiate that claim with proof of identity documents later to make that identity valid. But in our world, you prove who you are first, and that is who you are, rather than me saying I’m somebody else and then using other documents and things like that. So there’s a huge differentiation there.
So one way to look at it is self-sovereign identity, I say I’m Rohan Pinto. Decentralized identity, the province of Ontario says that I’m Rohan Pinto because that’s what’s on my driver’s license, the government of Canada states and asserts that I am Rohan Pinto because that’s the information on my passport. So that’s my identity as opposed to the other one.
Michael Cichon:
Okay. All right. So in a practical application, decentralized identity allows you to very quickly access a digital service without an artifact, like a password or something and it allows you to preserve that privacy. Like, I control my own data, I determine what I share with any given service at the point that I’m using that service. That’s all well and fine, but this is one organization at a time, right? How far off are we? Where, if you will, I have a QR code and I’m the QR code, and wherever I go, it just recognizes me.
Rohan Pinto:
Yeah, very interesting question. Very valid question. And you touched upon a very important topic out here. When we first built this product or the platform, the focus was all on the term decentralized identity and blockchain, I’m talking about the product and the platform at 1Kosmos, and almost everybody said, “Oh my God, this is absolutely awesome.”
Now, once you build some awesome tech and you want to go to market with it, the first question that pops into mind is, “Where do I use it?” So I have a decentralized identity with me right now, but where do I use it? “Can I go and shop on Amazon with it?” And the answer is no, because Amazon doesn’t consume it yet. “Can I go to eBay and buy something?” Oh, no, you can’t do that yet. All those examples that you gave and those use cases and the demos that you gave last month where you were explaining consent and you were talking about things like selective disclosure where you can go to a liquor store and present your decentralized identity to prove that you’re over 19 without divulging information like my date of birth or my home address, brilliant use case, but can I do it in reality? And you say, “Oh, no, you can’t do it yet.” So the big problem is adoption.
So you can distribute a decentralized identity, whether it’s on a mobile phone or on a laptop or any which way you want to all the 8 billion people on this planet, but if there’s no place that they can actually put it to good use, the value in that is zero. Because as great as the technology stack is, if you can’t put it to use, there’s no value in it. So we took another approach. Instead of trying to convince 8 billion people on this planet on how awesome this tech is, we said, “Let’s go the top-down approach. Let’s go to organizations and look at their current security posture, tell them the pros and cons in their current approach, talk to them about where the industry is headed, talk to them about the technologies that are going to come into play very soon, and show them how they can proactively circumvent all the security issues, the hacks, the breaches, the phishing attempts that they would have to deal with over a period of time before it happens rather than after it happens.”
The number one mistake that I have noticed in this industry is that everybody is reactive rather than being proactive, so one of the primary focuses that 1Kosmos had when they went out to market is putting a solution out there that enables organizations to be proactive rather than reactive. So when organizations start embracing this technology and enabling their employees, their customers, their partners to access their digital assets or systems using a decentralized identity, the employees or the customers and the partners and every user says, “Wow, it was that simple. I did not have to provide a user ID anywhere. I don’t have to remember passwords anymore. I don’t get OTP codes via SMS anymore.” And we know OTP via SMS is really weak, but this podcast is not about talking how bad the current systems are, but rather talk about the value that decentralized identity brings to the table. So when you take the top-down approach where organizations release this as a feature to all their employees, they say, “Wow, this is great.”
Michael Cichon:
Right.
Rohan Pinto:
And then they look at another service that has also embraced and implemented decentralized identity platforms and they say, “Fantastic. Now I do not have to go from Service A to Service B and create another user ID and password and then go to Service C and create another user account out there. I can literally take my digital identity and go from A to B to C whenever I want.”
Michael Cichon:
It’s fascinating, because what you’re describing sounds like, number one, a tectonic shift in using artifacts to prove who you are, artifacts like a password, versus using yourself as an authenticator. And at the same time, there’s some tipping point, whether it’s, as we look at the Fortune Global 500, make a move toward this technology, the Global 1000, you start to see federal agencies, state local agencies doing it. At some point, there is this tipping point, and I personally look forward to that at a time where I’m recognized it’s very difficult for anybody to fake my identity, cause me fraud, cause the organizations that I transact with fraud.
It’s fascinating and equally fascinating, Rohan, is this, for many, is a new topic, but we did more than stumble on it back in 2016 when the rates of the company were placed. 1Kosmos was incorporated in 2018. I know you’re a couple of years ahead of that. So literally nine years ahead of the trend, you dove into this. So that’s a remarkable accomplishment.
Rohan Pinto:
Thank you. Thank you, Mike. But I wouldn’t say we stumbled on it or I didn’t stumble on it either, because I’ve been playing in the identity management space or been working in the identity management space for decades. I have been working in the cryptographic and the PKI space for decades. And way back in early 2000, I would say around the 2009, 2010, 2011, when there were small discussions in pockets about, “Oh my God, Bitcoin. Have you heard about Bitcoin?” That’s when my interest in the technology stack started increasing, and it started increasing exponentially because the minute I saw the tech stack that Bitcoin ran over and how other platforms like Ethereum or Solana or Tron started adopting the same technology, not the same for end-to-end, that’s when I said, “Well, this is a very, very efficient way to manage a system.”
The initial thought process was very basic, Michael, very, very basic. And the thought process was, what’s the cost of managing 1000 users in an organization? I am not talking about the investment an organization has in Active Directory or LDAP or Oracle. The cost of managing those users is that you need to store their credentials somewhere. You need to have access governance rules that govern who has got access to that. And the industry does not know what to do with it, so they come up with six alphanumeric, then they make it eight alphanumeric with numbers, then they made it 12. I’ve seen instances where the password is almost 24 alphanumeric characters with special characters, cannot be used three times. I mean, the industry is coming up with all kinds of permutations and combinations to make it harder for the user to remember who he is or she is. It should not be so hard.
Also, the cost of the organization managing that identity is quite huge because it’s not just about storing a user ID and password somewhere, it’s also about the cost of all these other systems that you need to build over it to ensure things like data breaches, password changes, password resets, it’s not hacked, it’s not phished. And you can literally eliminate all that by putting a user’s identity on this little device that you carry.
Let’s look at scale right now. So instead of having a million users sitting in a database and you incurring costs to manage those million users, you now distribute those million identities or identity data to a million users on a million devices. So let’s go down to the grassroots. If you hack a centralized system that has a million user IDs and passwords, regardless of whether the passwords are clear text or salted, you have access to a million user IDs and passwords. And that’s the number one breach that goes on today. We hear it all the time. “TechCrunch was hacked, 1000 user IDs compromised. This one was hacked, a million users compromised. 10 million user IDs compromised out here.” It happens day-in and day-out almost every single day. Now, imagine you want to hack an organization where a million identities are stored on a million users’ own devices. You’ll need to hack a million devices.
And then the added layer of security on top of it is biometrics. So when you add biometrics on top of decentralized identity, stealing my phone is not going to give you access to my identity data. You need me because I need to unlock my device with my biometrics. And it is not a static biometric like scan a photograph. You’re talking about live ID where you ensure that the person is a real person by expecting the user to express human emotions like smile or blink or move your head. We also do depth calculations on the user’s biometrics, for example, the depth between the ears and the nose and the chin, et cetera. So the entire stack is so technically advanced from a technology standpoint, but from a usability standpoint, it’s as simple as pick up the phone, look at it, and you’re done.
Michael Cichon:
Right. Well, the time for this is now. In fact, it’s probably a few years past already, as with all these data breaches, we now have nation states attacking individuals and organizations at will, equipped with all this data breach information. And you see it every day in the phone calls, the text messages, the emails that you get that are phony, trying to get you to click on a link and compromise yourself. I could talk to you at length on this. It’s a fascinating topic. I’ve got a dozen questions in my mind I’d like to talk to you about now, but we’re kind of running out of time. Very much appreciate you spending 20, 30 minutes with me this morning. Your book’s fascinating. I’m going to be digging into it more deeply. Just really appreciate it. Any parting thoughts? Again, I’ve got a dozen, but I don’t want to get into them.
Rohan Pinto:
Okay. So parting thought is not simple. A lot of people say that the time is now. I think the time was yesterday.
Michael Cichon:
Yes.
Rohan Pinto:
If you are trying to build a better security posture for your organization, if you have not done it already, then the time is now. Do you want to consider yourself to be a proactive organization or a reactive organization? Do you want to deal with the fines and the levies by the governing bodies for leaking user information or privacy data? The impact it’s going to have when you have a weak security posture is very, very expensive.
So for those organizations and people who have not yet embraced decentralized identity within the organization, the time is now. But a lot of organizations have already embraced it. Even organizations and entities like MasterCard, Visa Card, Microsoft are all there already. But we still proudly say that we were the first, because we were the first. There are a lot of players in the market out here, but we also had the first mover advantage, because any organization building something on the decentralized identity platform or framework, they don’t build it once and it’s done. They evolve. They evolve all the time.
You’ve got to look at current market trends, you’ve got to look at current threats, you’ve got to ensure that all threats from an operating system standpoint, from a usability standpoint are all addressed. So you’re constantly building on top of it. So being the first to market gives us that ability to be on top of all the security threats and start addressing those as well, rather than being a new entrant in the market and starting off with decentralized identity now as opposed to an organization that has been doing it for the last five, six years.
Michael Cichon:
Yeah. Well, I think that’s fair and I think we’ve seen it in the customer growth here at 1Kosmos where we’re seeing organizations with literally hundreds of thousands of employees, and I don’t know the exact count, but tens of thousands of authentications daily.
Rohan Pinto:
Millions.
Michael Cichon:
The scalability is proven there. And I think whether it’s a law of nature or not, the most simple, straightforward solution is probably the best solution. And the built-in complexity we’ve seen in identity systems has come from the fact that we didn’t have this technology before. We’ve had passwords that had to be protected, and then anti-phishing and all these defenses that had to be built up over time because we didn’t have a decentralized identity. Now that we have it, we can take a more simplified cost-effective approach.
Rohan Pinto:
Absolutely. And one more thing I would like to add, Michael. Every time I say decentralized identity, I have a tendency to pick up my phone and say, “Okay, this is where your identity is stored.” It’s just a habit because our initial launch was actually building it and ensuring that it’s on a device that the user owns. But as of today, your decentralized identity does not necessarily need to be on your phone. It can be on your device, it can be on your laptop, it can be on your desktop as well. So for organizations that mandate no phones in a particular area, like white room use cases, you can actually still enable decentralized identity and biometrics based authentication into your password-less systems without using your phone as well, because you can do it directly from your desktops now.
Michael Cichon:
Right. Well, keep adding last points here. One thing you mentioned in the past we touch on now, though, is that the standards bodies have caught up in terms of the frameworks.
Rohan Pinto:
Yes.
Michael Cichon:
Just a little fragment on those if you would, please.
Rohan Pinto:
Oh, very simple. One of the most important standards body is NIST. The most important. And NIST has got a spec called the 800-63-3A, which everybody follows, that talked about the levels of assurance that need to be associated with that identity from an anonymous identity, which is a level one, to a proved identity, which is a level two, and then a higher level.
NIST, in fact, just published their 800-63-4 very recently. And if you look at the specification, if you have the time and the effort and the patience to read through the entire spec document that NIST has published, you will realize that this is something that we already did six years ago. Therefore, that itself is quite a good indicator that all the governing bodies, the regulations, are also catching up because they know that this technology is going to be adopted by anybody and everybody. All organizations are moving forward and they are publishing governance rules and regulations to make sure that organizations implement it with the right mindset, with the right thought process, which is, it’s not about “Let’s build something and make money,” but it’s all about, “Let’s build something to ensure that the user’s privacy and the user’s own consent is mandated and required and safeguarded.” So the focus out here is still the privacy of the user.
Michael Cichon:
Got it. Well, I think, in addition to that, it’s a great way to create efficiencies and in particular government efficiencies, and we’re going to leave it at that. Rohan, thank you so much for your time. Everybody else, the book Decentralized Identity Explained, we’re going to put a link to this on our corporate website. You could order it there. Interestingly enough, there’s a QR code to let you download a free PDF of it. But a fascinating read, a very well-written book by a very renowned expert. Rohan, thank you so much.
Rohan Pinto:
Thank you so much, Michael. Thank you so much for your time.
