Authenticate conference wraps with binding digital ID, wallets and FIDO wins
The final day of the 2023 Authenticate conference hosted discussions on the digital wallet ecosystem, the Accountable Digital Identity Association (ADIA) Specification, and binding FIDO authentication to digital ID.
In a morning session, Heikki Palm Henriksen, the CTO of BankID BankAxept AS, spoke about the Norwegian organization’s innovations in the digital wallet space. BankID, co-created and co-owned by all Norwegian banks, launched in the public sector in 2012 and now covers 99 percent of adults in Norway, offering authentication for 16,000 services.
The initiative is now focused on BankID as a wallet, and on using it as a springboard for innovations in e-signing and authentication.
“FIDO2 is modernizing BankID and enabling our wallet proposal,” says Henriksen. BankID intends to position its app as a hub and foundation for services. “Verifiable credentials is a central part of the platform we are creating, where the user is in full control.”
Henriksen says the slow pace of, and additional delays in, standards and the European Digital Identity Wallet Architecture and Reference Framework mean a comprehensive implementation could take time, but that BankID digital ID pilots are underway with Norway’s postal service and national liquor store, to get started in anticipation of regulations.
OASIS Open developing lightweight verifiable credential
Abbie Barbir, a security advisor for ADIA, acknowledged that the title of his talk, “Interoperable Verifiable Credential (VC) Schema for Online Identity Accountability,” was a mouthful. His message, however, is simpler: there are trust and accountability issues in the digital identity landscape relating to fraud and disinformation, the status quo results in data leaks, and a verified credential schema can help re-centralize the user in user experience.
“The whole decentralized digital identity ecosystem needs something like FIDO” to streamline the governance and management of digital wallets, Barbir says. A standardized VC framework can improve trust, efficiency and interoperability while reducing cost and friction.
Barbir’s answer is a project developed with OASIS Open, dubbed the Lightweight Verifiable Credential Schema and Process (LVCSP). “The purpose of this Technical Committee is, let’s have the minimum verifiable credential that could be used for KYC, for healthcare, and for financial.”
“Verifiable credential interoperability is a must for a more private and secure digital world.”
Rolf Lindemann, VP of Products for Nok Nok Labs, joined Barbir to talk about binding FIDO authentication with digital identity, and about the need for digital wallets to bear a minimal burden of trust in the process compared to the issuer of a credential. The session included an update on the ADIA Specification, an updated version of which, incorporating feedback from version 1.0, will be published soon. With the same focus on reducing complexity that drives the LVCSP project, the Specification is being split into three separate documents with different intended audiences.
Celebrating the passkey, but looking to the wallet
One of two keynotes on day three saw Steve Wilson and George Peabody from Lockstep take up the discussion on digital wallets and how to make good on their promise, with reference to data supply chains and the need for a third-party “distributor” to load verifiable credentials onto wallets and move data and metadata between the subjects, issuers and relying parties in the digital wallet ecosystem. Wilson, the founder of Lockstep, praised the FIDO Association’s skill and speed in developing complex technical standards. He also took a moment to acknowledge 2023 as a coming-out year for passkeys.