CHAPTER 7
Sovereign Identity

[Figure: illustration of how too many passwords are being used in a computer.]

There's a growing password crisis. Everyone has too many passwords, and it will get resolved somehow, someday. Consider that almost 26 percent of call center calls are from people trying to reset their passwords. For this reason alone, it would be worthwhile to get rid of passwords. I can tell you that someday we're going to look back and we're going to laugh at all of the passwords and usernames we have because we're going to have something drastically different.

Identity is a platform—it's a disruptor, and it's a hot topic for every industry. So far, all the other identity plays have failed: Google, Microsoft, Facebook, LinkedIn, and so many more. Banks have explored this in the past but have failed because they weren't willing to collaborate. I believe this is changing now. This opportunity is wide open. No one has solved this. So, what is sovereign identity? Well, let's start off with just explaining what sovereign means.

Sovereign is a rightful status; it's also known as independence. When a nation is sovereign, that means that it is independent and no one has rule over it. A sovereign identity, for individuals, gives people a digital identity that only they can control and manage. Currently, identity paradigms like social media and bank logins are actually controlled by the companies that own those websites, not by the users who rely on them. That's why people keep a long list of log-in information; one is required for every site. A sovereign identity would be controlled by only the individual it identifies. Think of it as having a passport for the internet. It's a single standard way to prove a person's identity without having to deal with incompatible log-in screens, username and password challenges, multifactor authentication techniques, and all the other hassles posed when logging into secure websites and apps.

Trust Frameworks

Trust frameworks are foundations that the next level of authentication will be built on, and it's the holy grail of product positioning. There's nothing more important to users than their credentials, and for financial institutions, it's strategic high ground. Each time an organization interacts with a customer, it must authenticate the person before doing anything else. The problem is that most of us have so many passwords and so many usernames that we can't remember them all. And we've resorted to tools like 1Password or other products that will store passwords for us. This, of course, kind of defeats the purpose. If hackers get into a password-management tool, then they have access to everything.

So, what's the answer? To determine that, let's talk about the current model of identity. I want you to think of identity as your passport to get into any place. Suppose I want to use a shopping site like Amazon. I have to give my address. I have to give my name. I have to give my credit card if I would like to buy anything. And then on top of that, I will need a password and username to log into the site—and I don't want to use the same password for every site, so I might pick a unique password for the site. I can only really use the site fully after I have provided all this information. This is true for nearly every online retailer or service provider. As a result, all of us have too many usernames and passwords.

The first problem with this setup is merely an inconvenience. Say you get a new credit card or move to a new address. You now have to manually update this on every single site. It's a hassle, plain and simple.

The larger problem with this setup is data security. Pieces of our identity are everywhere, all over the internet. As we've seen from breaches in the past, this creates enormous honeypots of data. Consider for a moment the seriousness of the Equifax breach. In one fell swoop, the sensitive data of nearly half of the adult population of the United States was stolen by hackers. Financial institutions rely on and store customers' most private and important data. When data are stored in so many different places, the risk that some of it will be stolen is incredibly high—and the effects can be dire. If someone steals personal data, they now have the ability to engage in identity fraud. On top of that, we're tracked. Our data are valuable not only to hackers. Marketers also want to know everything about us so they can sell us things. Everywhere we go, our data are harvested and sold without our consent (or, perhaps we have given our consent when we accepted the fine-print terms of use). So, if that's true, then what are our options? Why would we consider looking at this?

There's a great article about security and digital identity by Patrick Gauthier, the vice president of external payments at Amazon. He mentions that it is time to reinvent digital identity: “For more than a decade, the financial institutions and businesses have significantly invested to protect personally identifiable information, otherwise known as PII.”1 Companies take data protection very seriously, yet an epidemic of data breaches continues to occur, highlighting the need for a new set of strategies and tools to manage this risk. Until now, there really hasn't been a way to have a sovereign identity, an identity that exists that no one else controls.

The reason for this is that all identity plays have been built around a centralized platform. Think back to Chapter 12, which covered distributive ledgers and decentralized platforms. So, how can we do this? Well, let's imagine that instead of Amazon requiring your information, Amazon had a way to subscribe to you. You would be the sole owner of your personal identity. Every time your address changed or every time your card information changed, you could simply change it in one spot to be picked up by all of the organizations you grant permission to. Imagine if Apple, eBay, Facebook, Amazon, Google, your doctor's office, the government, all of these places, could talk to you to verify that the information is correct and current.

This concept was originally proposed by an identity specialist who I'm proud to say is a friend of mine, Doc Searls. Doc Searls wrote The Intention Economy, which I highly recommend. His idea is for individuals to become the source for proof of identity, including their correct info, their correct data, and their actual preferences. Consider that. What if your preferences followed you around everywhere you went?

Encryption and Data Security

Imagine if you never had to touch those nasty buttons on gas pumps to select your gasoline type. The pump would know what kind of gas you wanted based on the car you were driving. Your consent, your rules. This represents an inversion of control. It's also private and super secure because it uses the encryption methodology of the distributive ledger platform and it's irrevocable due to the immutable properties of the distributive ledger. So, how would we even implement something like this, and what does it mean to a financial institution? Let's start off with the most important concept. As I mentioned before, identity is strategic high ground. Now think about this. Before we can do anything, at any bank, any transaction, the first thing we have to do is that we have to prove that you're you.

If you've been on a call with a call center recently, you know the inane things that they will ask you in order to determine your identity. My favorite one is the last two or three transactions from my account. This assumes that I'm the only one spending on my account. If they looked closely, they would see that I have a joint account with my wife, and there's a likelihood that she has spent money without me knowing. So, if I want to answer this question, I actually have to log in to home banking and look at my history. The second thing that we've seen is that when people call in to the call centers, they'll ask for some information based on personal identity information. This includes things like your Social Security number, your birthday, your last name, and so forth.

All of these critical pieces of data could be discovered on the internet. The answer is to get rid of passwords altogether. What does that mean, and what does it look like? Well, first of all, it's important to understand that in a sovereign identity that is built around distributive ledger, the identity itself is actually not stored on your device. The identity is just a key in the cloud or in the distributive ledger network, replicated throughout the network in perpetuity, that you can access with your device. And let's think about how this might work. I call into the call center, a person picks up. Assuming I've already registered for this digital identity, the customer service rep can click a button, and my phone (or perhaps my Amazon Echo or my Google Home device, or any other number of IoT gadgets in my home) might pop up and say, “The Suncoast Organization is trying to validate your identity. Would you like to continue?”

If I answer it on the Alexa, assuming that someday in the future they have voice validation software, it will know that that's me and pass that back to the organization. And, in seconds, I would be able to be authenticated and move on with my transaction. And it can work no matter where I am. Imagine that I call from my cell phone. A message pops up, and it says, “The Suncoast Organization is trying to validate your identity. Would you like to continue?” When I say yes, the call center representative knows it's me. But more importantly, I know the person on the line really is the call center representative. Not only does this guard against people pretending to be me, but it also protects me from talking to someone pretending to be a particular organization. In the world of finance and banking, this is a tremendous safeguard for institutions and their customers.

This two-way validation is at the heart of sovereign identity—and you would never need a password again. Just close your eyes for just a minute and pretend. What does it feel like to no longer have passwords? Yeah that's right, it's a big load off, isn't it? All of a sudden there's unicorns and rainbows—everything's better.

Sovereign Identity in Practice

Let's apply this sovereign identity concept to a context that has recently come about. Not too long ago, the Consumer Financial Protection Bureau (CFPB) looked into the practices of a certain large financial institution that was setting up credit cards and other accounts without its customers' permission. The organization in question was Wells Fargo, and its sales process failed three different ways. First, it failed to get client consent. The tellers and the sales reps who were opening these fraudulent accounts had the ability to give consent on behalf of the customer. If I had to guess, I would imagine that there's some sort of software program that was intended for use in the call center that allowed somebody to walk through this process and at the end accept the terms and the agreements and the disclosures on behalf of the customer. Now, let's imagine this process in the sovereign identity trust framework, like the one I just discussed. So you're sitting at home, watching football or The Golden Girls or whatever it is you watch. And all of a sudden your phone buzzes or your Echo lights up or maybe even your TV displays a pop-up message that says, “Wells Fargo wants your approval to open a new line of credit. Allow or deny?” Well, you're not talking to them and neither is your spouse, so you say no and hit the deny button. The problem of fraudulent accounts—even those set up by supposedly trustworthy bank employees with access to all the necessary information and systems—disappears.

The other portion of this is that it creates an opportunity for a high level of privacy. Today we are tracked everywhere we go. Consider how convenient it is to log into websites using your Facebook or Google account. It cuts down on the number of passwords and user IDs you need to remember, but that convenience comes at a price. When people do this, they might not realize that Facebook or Google can now use that related data (i.e., where you have an account, what you buy there, what services and settings you have selected). They're going to sell that information without your consent. With sovereign identity, people would have to give consent before anyone does anything with it, so that means that no one gets any information without needing it—and without a person's explicit approval.

Now, I'm going to go out on a limb and talk about a wild idea. So here's a question, and I want you to chew on this for a minute. Does Amazon have to have your address? And before you answer, think about it. So the obvious answer to this question is that yes, of course Amazon needs my address. How else are they going to ship my magical brown boxes of awesome stuff that I get every week? But, if you really think about it, Amazon doesn't actually need your address. The only company that needs your address is the shipper. What if the shipper provides a cryptonym that you could store in your sovereign identity infrastructure? Then you could give that cryptonym to Amazon. When preparing your package, Amazon would send that cryptonym back to the shipping company, who would use it to set your real address. The result is that you no longer have your address information stored in Amazon for shipping. The same process could be used for credit card billing addresses and the credit cards themselves.
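The cryptonym idea above can be sketched in a few lines. This is an added example, not code from the book or from any shipper: the `Shipper`, `Issue`, `Resolve` and `Revoke` names are hypothetical, all sample values are constructed, and it goes one step beyond the text by binding each cryptonym to a single merchant and allowing it to be revoked.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrNoMatch covers unknown, revoked and wrong-merchant cryptonyms alike,
// so a caller cannot tell which of the three cases applied.
var ErrNoMatch = errors.New("cryptonym not valid for this merchant")

type grant struct{ customer, merchant string }

// Shipper is the only party that ever stores a real address.
type Shipper struct {
	addresses map[string]string // customer ID -> current address
	grants    map[string]grant  // cryptonym -> who it was issued for
}

func NewShipper() *Shipper {
	return &Shipper{map[string]string{}, map[string]grant{}}
}

// SetAddress records or updates the address in one place; every cryptonym
// already handed out resolves to the new value.
func (s *Shipper) SetAddress(customer, address string) { s.addresses[customer] = address }

// Issue returns a fresh random cryptonym that only the named merchant may
// redeem. It is random, not derived from the address, so it reveals nothing
// and two merchants cannot link the same customer by comparing tokens.
func (s *Shipper) Issue(customer, merchant string) (string, error) {
	if _, ok := s.addresses[customer]; !ok {
		return "", fmt.Errorf("no address on file for %q", customer)
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	s.grants[token] = grant{customer, merchant}
	return token, nil
}

// Resolve runs inside the shipper when a merchant hands over a package.
// Assumption: the merchant name has already been authenticated.
func (s *Shipper) Resolve(cryptonym, merchant string) (string, error) {
	g, ok := s.grants[cryptonym]
	if !ok || g.merchant != merchant {
		return "", ErrNoMatch
	}
	return s.addresses[g.customer], nil
}

// Revoke withdraws the customer's consent for one cryptonym.
func (s *Shipper) Revoke(cryptonym string) { delete(s.grants, cryptonym) }

// Order is everything the merchant stores about delivery: no address.
type Order struct{ Item, Cryptonym string }

func main() {
	// Constructed sample data.
	s := NewShipper()
	s.SetAddress("cust-1", "1 Example Street")
	token, _ := s.Issue("cust-1", "merchant-a")
	order := Order{Item: "book", Cryptonym: token}

	fmt.Println(s.Resolve(order.Cryptonym, "merchant-a")) // the shipper sees the address
	fmt.Println(s.Resolve(order.Cryptonym, "merchant-b")) // another merchant cannot redeem it
}
```

A breach of the merchant's order table in this model yields only tokens that are useless without the shipper's cooperation.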

This is a whole new world to think about, and it will have a huge impact on the state of identity in financial institutions. First of all, we're going to start with home banking. Currently, home banking credential storage is a mishmash of different things. I have found that in many institutions, the home banking credentials are not even under the control of the financial institution. This means that they can't be used in other applications. I call this digital dysfunction. Sometimes it's so bad that the mobile application doesn't use the same password as the home banking application. A good example would be Amazon Echo having to have its own authentication that is separate from a person's primary Amazon login.

The second piece is that we have something called multifactor authentication (MFA), which is mandated by the FFIEC. MFA, unfortunately, is difficult when it comes to cross-device implementation. This means that you can log in to home banking and, if it sees a pattern or something unusual, it may ask you who your favorite first-grade teacher was or what your favorite pet was or something like that. The mobile interface may not ask the questions. It may want to text you instead. The challenge with this is we're continually playing catch-up with all the different channels—and they are going to continue to expand, which will create costly integration.

Weaknesses in the Current Identity System

Our current identity platform—the user-name-and-password setup—presents a number of opportunities for illegal activity. Sovereign identity can solve quite a few of these.

Phishing

The first one, of course, is phishing, which is the act of sending someone an email and trying to trick them into typing their credentials into a fraudulent website or a façade of a website. Once bad actors get the credentials, they will go into the target's home banking or mobile banking account and perpetrate ACH fraud or bill pay fraud. Since there are no passwords in the sovereign identity model, phishing would become a thing of the past.

EMV

Recently, in an effort to reduce fraud from counterfeit cards, the networks mandated issuers and merchants to provide and accept EMV-enabled credit cards. EMV stands for European MasterCard and Visa. This is the little gold chip that's on your card. The chip is designed so that your information is never transmitted to the POS device in the clear. The POS device transmits information to the chip, which in turn returns a cryptographic payload that the merchant then ships to their payments provider. In order to duplicate a card, you would have to know the cryptograms that are on the chip. It's now become much harder to duplicate a card, and as a result, we're seeing that the fraud is shifting to an area that does not need EMV: mostly online merchants such as Amazon, iTunes, and other internet retailers. A bad guy will get a credit card number and, rather than try to create a physical card to use, will simply set up an account on an internet retailer and charge the card for goods and services that can be shipped to an address to be fenced or laundered into money.

Consumer Privacy Concerns

If you've ever started to sign up for a site, you might have the choice of creating a new user name and password or signing in with an existing account (usually a social media account). Why not use this? After all, one less password to remember is more convenient. Then again, if you're looking to be private and secure, then you might prefer to create a new log in. When you log in with one of these social media accounts, that company is likely going to share data—for a profit.

Consider the security steps any of these social media sites takes when signing up new users. When people sign up, does anyone check their photo IDs to make sure they are who they claim to be? Does anyone do a background check on them? No, of course not. In fact, you could have 10 Facebook accounts right now. As a matter of fact, with a little bit of work, I could be you on Facebook. The same thing is true for LinkedIn, Google, Reddit, and every other account. None of these systems has anything to back up their identity claims. (And let's keep that word claims in mind, because claims are going to be very important in the future.) But guess what? I know of some organizations that did check your license.

An Opportunity for Financial Institutions

Who does background checks, AML checks, and KYC checks? Who is forced to verify new customers' identities? Financial institutions. This means that there's an opportunity for financial institutions to become the authenticators, and they're going to be able to create verifiable claims. Currently, if you would like to have a verifiable identity, you go down to the DMV and you get a driver's license. It's government issued and it has a picture of you on it; the license itself is actually built to be tamper proof, and it's designed to prevent counterfeiting.

So, what would a digital version of this look like? Well, to go there, we first have to understand the hierarchy of the internet. Right now on the internet there are organizations or companies that have their identity confirmed through something we call DNS. This type of website authentication relies on a security feature called an SSL certificate. How do you know you're on Amazon's site and not some hacker's imposter honey trap? Well, most of us will look up at the bar that's in our browser and see that there's a lock icon there. When we see it, we assume that Amazon's identity as a website has been verified for us. The second step of this hierarchy concerns Amazon's customers. These customers must enter all of their information into each site they set up. This is where the problem emerges. Since customers do not have a reusable verifiable identity, they are forced to either use a browser to auto fill their personal information, or type it in themselves. Each time the customers set up another identity in another site, they add one more place that must be updated if they move or if they get a new credit card. If this were a programming platform, the architects of the platform would question the design. Why? Well, the institutions or organizations are unique, but people are unique as well. Anything that is unique in a data model should only be referenced once. An efficient data model doesn't duplicate unique data; it creates pointers. On the internet, we have a way to deal with that. When you type a website address like google.com or apple.com into a browser, the human readable name you typed in is transmitted to a large database that translates that request into an internet address, which is an octet of numbers, that looks something like this: 12.23.45.100. This database that translates this information from human readable to numbers is called DNS or Domain Name Server. We have a human model for this—it's our social security number. However, unlike the DNS system, it is dangerous to have a directory of people that would provide information on everyone. So how would one address this problem and, more importantly, how will personal data be registered?

In the future, when I set up my Netflix account, a sovereign identity platform would verify that I am really John Best. Now, there are other people with the name John Best, but I am a unique John Best in that I have different attributes than the rest of the John Bests on the internet. My collection of attributes is what makes me identifiable to others as the specific John Best that is attempting to transact business with them.

The first thing you have to do to understand digital identity is expand your definition of identity. I've noticed that in the financial institution space we tend to think of identity basically as a collection of attributes. Your username, your password, your real name, your social security number, your address, secondary address, your group of MFA questions, and so forth. But true identity actually has a lot more to it. For example, let's pretend that you worked for a company, I'll just name one. Let's pretend you work for the publishers of this book, Wiley. Suppose that you would like to go get a loan. Now, today you would go to a bank or a credit union, and you would sign up for the loan and one of the things the banker would like to do is validate your employment. How do we do this today? Well, you would have to go to a website or your files and collect two of your paystubs, and you would give these paystubs to the financial institution. The FI would use the paystubs to confirm your income and employment. These are often known as stipulations. The whole procedure can take up to one or two days. There is also the danger that the FI has no way to validate the paystub without calling the employer to prove employment, since, in a world where much of our private information has been disclosed on the internet, it's highly likely that a counterfeit paystub wouldn't be caught due to the fact that it may actually contain the information of a real employee.

But what if Wiley had a sovereign digital identity as a corporation and it could claim you, and prove your identity as an employee? Imagine that you go in to do a loan and you tell the banker that you have a sovereign identity. The process would look a lot like when you approve access to your local services for an application on a smartphone. Have you ever downloaded an application and been asked for your consent for the application to use the camera or microphone? In much the same way, the lending FI would solicit digital consent to your information contained in your sovereign identity using verifiable claims. The application or smart phone would inform you that the FI wants access to your address and your consent to digitally verify your employment status and the other personal information that is necessary for a loan. As part of the process, the FI's identity is also verified using a digital signature, so that you can be very sure the request is legitimate.

The safety in this model would likely incent more people to use this method than previous methods. A process like this would be far more efficient for both the customer and the FI. Suddenly, all the friction of filling out the form and typing in redundant data, as we do so frequently, is gone. Not only that, but we're certain that we have provided the most up to date and accurate information. The same process could be used to digitally sign the loan and validate the terms of the loan. The loan and its terms could then become part of your digital identity as an attribute of your finances. A smart contract could be used to enforce a direct-deposit-based rate. If the customer agreed to pay via payroll reduction or automatic payments to get a better rate and the customer then changes this by canceling the recurring payment online, the smart contract would automatically pick up this change and apply the new rate to the loan.

The backbone of this new claims process will be built around the work being done by the W3C's verifiable claims working charter group. The verifiable claims group is designing a standard that would allow organizations to transmit and validate claims. The verifiable claim is not a protocol but a syntax or standard that would allow cross-industry interoperability. What is a verifiable claim? A verifiable claim is any attestation that an entity or organization can make about you or something that they can confirm with proof. The claim is then digitally signed by the organization and digitally provided to entities that need to use the proof to conduct business with you or an entity.

In the example above, we discussed verifying employment as part of a lending process. A verifiable claim might contain an employee identifier, the amount of time the employee has been employed, and finally, a digital signature to prove that the information came from the actual employer. And they can actually submit a verifiable claim that can now be stored at the financial institution to prove that John Best is an employee of Wiley. And instead of this taking a day and a half because someone has to go get paystubs, take pictures of them with their phone, or send them in, or drop by, or fax them, or whatever they're going to do, it all happens in seconds. This is a complete paradigm shift. Imagine that you walk up to the teller line and the teller simply asks you if you're part of the sovereign. You say yes, you click a button, they know who you are. Same thing with the drive-through. Imagine no more passwords on home banking. This will solve so many problems. However, there's a lot more to it.
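The loan scenario above, with both signature checks made explicit, as an added example that is not code from the book or from the W3C work. The `Registry` map stands in for the ledger lookup of public keys, the struct fields and function names are hypothetical, and the sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry maps a party's name to its public key (stand-in for a ledger lookup).
type Registry map[string]ed25519.PublicKey

// Signed is any message plus its signer's name and Ed25519 signature.
type Signed struct {
	Signer    string
	Payload   []byte
	Signature []byte
}

// EmploymentClaim holds the fields the chapter lists; names are illustrative.
type EmploymentClaim struct {
	Subject        string `json:"subject"`
	EmployeeID     string `json:"employee_id"`
	MonthsEmployed int    `json:"months_employed"`
}

// ConsentRequest is what the lender sends to the holder's wallet.
type ConsentRequest struct{ Wants string }

// Wallet holds the subject's signed claims, keyed by claim type.
type Wallet map[string]Signed

var ErrDenied = errors.New("holder denied the request")

// NewParty creates a key pair, publishes the public key, returns the private key.
func NewParty(name string, reg Registry) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg[name] = pub
	return priv
}

// Sign serializes v to JSON and signs the bytes as the named party.
func Sign(priv ed25519.PrivateKey, signer string, v interface{}) Signed {
	payload, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return Signed{signer, payload, ed25519.Sign(priv, payload)}
}

// Open verifies s against the key registered for its signer, then decodes it.
func Open(reg Registry, s Signed, out interface{}) error {
	pub, ok := reg[s.Signer]
	if !ok {
		return fmt.Errorf("unknown signer %q", s.Signer)
	}
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return fmt.Errorf("signature does not match %q", s.Signer)
	}
	return json.Unmarshal(s.Payload, out)
}

// Respond authenticates the requester first, then applies the holder's decision.
func (w Wallet) Respond(reg Registry, req Signed, approve bool) (Signed, error) {
	var r ConsentRequest
	if err := Open(reg, req, &r); err != nil {
		return Signed{}, err
	}
	if !approve {
		return Signed{}, ErrDenied
	}
	claim, ok := w[r.Wants]
	if !ok {
		return Signed{}, fmt.Errorf("no %q claim held", r.Wants)
	}
	return claim, nil
}

// CheckEmployment (lender side): expected employer, valid signature, then decode.
func CheckEmployment(reg Registry, s Signed, employer string) (EmploymentClaim, error) {
	var c EmploymentClaim
	if s.Signer != employer {
		return c, fmt.Errorf("claim signed by %q, want %q", s.Signer, employer)
	}
	err := Open(reg, s, &c)
	return c, err
}

func main() {
	reg := Registry{} // all names and values below are constructed sample data
	wiley, lender := NewParty("Wiley", reg), NewParty("Example Lender", reg)
	w := Wallet{"employment": Sign(wiley, "Wiley", EmploymentClaim{"John Best", "E-0001", 48})}
	got, _ := w.Respond(reg, Sign(lender, "Example Lender", ConsentRequest{"employment"}), true)
	fmt.Println(CheckEmployment(reg, got, "Wiley"))
}
```

The lender-side check on the signer's name matters as much as the signature itself: a claim that verifies under some registered key proves nothing about employment unless that key belongs to the employer the lender expected.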

Today, in most financial home banking and digital platforms, there's what I call a single source of truth. And that single source of truth, or the system of record, is where all the usernames and passwords are validated. And so if you have this, you have the keys to the kingdom. And what I mean by that is, home banking could well be up. And your bill pay could be running fine and all of the other services are fine. But if your login is down, then nobody can sign in to get those services. So effectively, you are down. But what if instead of having just one system to validate who you are, you had tens of thousands of systems? Well, that's what this digital identity service can bring—the idea that there is more than one system to validate you.

Now let's suppose you suddenly, magically, somehow hacked into one of them, or three of them, or even five of them. And you changed information so that you could log in. It still wouldn't work because you would have to change more than half of all the systems out there in order to violate this identity. Now, people who are critics of this, they'll see a few flaws. The first flaw is that all of this cryptology resorts to a key. And key management is very important. If you lose the key, then you effectively have to start over.

What people don't realize is that if we switch to an inversion of control, where every time you log in to something or consent to something it checks with you first, it almost doesn't matter if your private information is out there unless someone can digitally impersonate you to say yes. However, in the world of digital identity, particularly sovereign identity, you're going to be able to put your identity back together by using your family. So, if you lose your key, you may have your brother and your sister; you call them both and they can click something and restore who you are. This is a very valuable concept. Finally, why is this worth considering? Why would people move in this direction? Well, first of all, normalizing authentication methods will reduce integration costs for digital platforms. This should also reduce call center calls regarding passwords. It should improve speed to market for all products. Imagine that you didn't have to worry about creating the “I forgot my password” or “I forgot my user ID” security questions.

There is so much extra overhead to get someone into a product. This would improve security drastically, simply by getting rid of passwords and checking with the person before you do anything. This would also increase interoperability between organizations due to the distributive ledger. So, if you have a sovereign identity and you would like to sign up for another institution, you could actually conceivably bring all of your bill pay payees with you.

So let's think about that for a second. Maybe you have used bill pay at a financial institution. For those of you who haven't, I'll give a quick overview of the process. You log in to the financial institution's digital services, whether it be mobile or the web, you go into the bill pay area, and you break out the envelope for the bill that you would like to pay. Let's say it's a health care bill. You type in the address of where you're supposed to remit the payment from the health care bill, from the physical piece of paper. You give it a nickname, and then you go in and you schedule a payment. And when you schedule this payment, the solution will look at the address and the name of the payee. And it will make some determinations on payment routing (or at least a good bill pay system will). So it may decide to send this payment as a check because it doesn't recognize the address or the payee information in its electronic payments registry. So its only option is to cut the check and send it, in which case it may take a couple of days to get there. It may also decide to go ahead and send this via electronic means, meaning that they have a relationship, be it Lockbox or ACH, to send money directly to this payee.

However, here's the real question I have for you: Are those payees that you just typed into that system yours, or are they the financial institution's? I would suggest that they are the customer's. With a sovereign identity, you could actually store all of your payee information inside your own service platform. Meaning that you could go from institution to institution and reload your payees. I can hear you now. Oh, John, we've all bought bill pay, and we were supposed to have it around because it's sticky and once people type in 10 or 12 of these payees, it's hard for them to leave, and that's part of our model. I don't disagree. As a matter of fact, I can remember in 2008, 2007, saying those very words to customers. But today is 2017, and a captured or trapped data business model isn't going to fly with consumers anymore. Why? Because fintechs will allow sovereign identity, and customers are going to go where there is utility. It's that simple.

As an industry, we either have to figure out how to start doing it or we have to figure out how to join the groups there. Because in a perfect world, you should be able to pick your payee from your preferences and then you should be able to determine how you want to pay. And one day, you might want to use the financial institution's bill pay, and that should be a button click away. But another day, you might decide to use Venmo. Or you might decide to use PayPal because you have different needs. The key is, how are we going to change the business model to support this?

So, not too long ago, I was talking to an organization that was interested in real-time balances. And one of the things that happens in a real-time balance is that when customers know what their real-time balance is, they're less likely to overdraft. Overdraft, as many of you know, means income for the financial institution. However, it's not looked upon favorably by the customers. The challenge is this, to my way of thinking: Is it right that, due to our inability to show a correct balance or data, the customers would overdraft, and we would charge them for it? Furthermore, is it right that if we were to solve this problem, we would be careful about sharing that information because we would not want to lose a revenue source? I would say, continuing to operate in this methodology is going to be a problem for all institutions.

Why not replace the overdraft fee with an artificial intelligence fee? Something that would tell people when they're getting close to these numbers and prevent it from happening. Again, this is where the distributive ledger and the identity platform can come together. So the final thought on why this is worth considering is this: If we believe that there will be a market for these claims—and by claims, I mean claims of employment, claims of identity—then the banks and financial institutions stand to benefit from this market. Because they are in the best position to identify and register the consumers.

Consider this: I once helped a friend who owned some property. My wife and I were helping her to lease her property out. And any time someone came up to rent the duplex, half the duplex that was out there for rent, we would have to go through and do a background check on this person. That could cost anywhere from $50 to $75. The background check wasn't that useful, in the sense that we would have to go through a service and that service was related to credit reports and other things that were out there. But what if we could switch that and the person who was doing the lease could actually check with the financial institution through the magic of sovereign identity? Well, maybe I don't want to pay the $50. But I sure as heck might pay $25 or $35 for a validation that this person has an account at your institution—particularly if the customer has consented. So new revenue sources will be in play thanks to identity.

I'll close out this identity chapter by saying that the biggest impact that identity could have is in the payment space. As we mentioned before, checking with the consumer before we put the charge through is going to help reduce fraud. Imagine a purchase on the Amazon site where, before you could go through and buy something you had to validate your purchase with your sovereign identity on your phone by using your thumbprint to allow the purchase to go through. This would reduce fraud on card-not-present transactions significantly. So, if we have the opportunity to drive identity, we should take it. Identity is strategic high ground.

For more information visit sovrin.org, which is run by Sovrin, a private global foundation that is establishing a sovereign network. It is free for anyone to use. Another great resource is Doc Searls's book The Intention Economy.
