It's not a product yet, just a blueprint for a proof-of-concept. But with dozens of banks around the world already planning to take part, this could be the most serious effort yet to create a trusted identity framework for a connected world — one that doesn't require individuals to hand over control of their personal data to the likes of Facebook, Apple, Amazon, Netflix and Google (known to investors as FAANG).
Called the Global Assured Identity Network (GAIN), the blueprint was unveiled in a keynote yesterday during this week's European Identity and Cloud Conference (eic2021). At the same time, a white paper with more than 150 individual contributors from the digital identity and banking spheres was made available for download. A first proof-of-concept will be shared next month at the annual member meeting of the Institute of International Finance (IIF), the trade association of the global financial services industry.
GAIN's mission is to bring verified identities to the Web, using each bank's knowledge of its customers to validate their online identities, with interoperability provided by the underlying OpenID standard. Know Your Customer (KYC) regulations oblige banks to ensure that they have validated their customers' identities. They also have robust systems for authenticating customer logins. The goal is to put these together with an open standard that allows them to offer digital trust services as an API.
Login online without sharing personal information
Whereas individuals currently often have the choice of using their Facebook or Google login to access online services, GAIN would be a new option with advantages for both the individual user and the services they access. For the user, it retains the convenience of not having to maintain separate logins for each online service they use, but without paying the penalty of sharing their personal information and online activity with Internet giants. For online service providers, it means they can rely on the authority of a bank or other financial institution that they are dealing with a real person, and can also verify their entitlement criteria, such as age, card ownership, and so on. Through extensions to the OpenID standard, the extent of personal information being shared is limited, so that, for example, the provider can receive assurance that the individual is over 18 or 21, without needing to know their date of birth. Using GAIN, people could even buy certain products or services without the provider having to know their identity at all.
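The age-assurance case described above, sketched as an added example (not code from GAIN, the white paper or the OpenID Foundation): the service provider asks for a single yes/no claim, and the bank derives it from its KYC record and releases nothing else. Assumptions: the request follows the shape of the OpenID Connect Core `claims` parameter, the claim name `age_over_18` and all function names are hypothetical, and ID token signing and validation are out of scope.

```python
import json
from datetime import date

# Hypothetical claim name for this sketch; not taken from GAIN or OpenID Connect Core.
AGE_CLAIM = "age_over_18"

def build_claims_request():
    """Service provider: ask for one essential claim (OIDC Core 'claims' parameter shape)."""
    return json.dumps({"id_token": {AGE_CLAIM: {"essential": True}}})

def years_old(birthdate, today):
    """Whole years elapsed; a 29 February birthday counts from 1 March in common years."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    return today.year - birthdate.year - (0 if had_birthday else 1)

def release_claims(kyc_record, claims_param, today):
    """Bank (IIP): answer only with predicates it can derive; raw KYC fields are never copied."""
    requested = json.loads(claims_param).get("id_token", {})
    derivable = {AGE_CLAIM: lambda r: years_old(r["birthdate"], today) >= 18}
    released = {"sub": kyc_record["pairwise_sub"]}  # per-provider pseudonym, not a global ID
    for name in requested:
        if name in derivable:
            released[name] = derivable[name](kyc_record)
    return released

def provider_accepts(claims):
    """Service provider: fail closed unless the predicate is exactly True and nothing extra arrived."""
    unexpected = set(claims) - {"sub", AGE_CLAIM}
    return claims.get(AGE_CLAIM) is True and not unexpected

# Constructed sample KYC record held by the bank.
KYC = {"pairwise_sub": "constructed-pseudonym-01", "name": "Sample Person",
       "birthdate": date(2003, 9, 15)}

if __name__ == "__main__":
    # The day before and the day of the 18th birthday.
    for today in (date(2021, 9, 14), date(2021, 9, 15)):
        claims = release_claims(KYC, build_claims_request(), today)
        print(today, claims, provider_accepts(claims))
```

Treating unexpected claims as a rejection on the provider side turns over-sharing by an identity provider into a visible failure rather than silently stored personal data.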
The attraction for banks and financial institutions is that they have already verified their customers' identities for KYC purposes, and so becoming an Identity Information Provider (IIP) as part of GAIN makes use of that existing investment, while offering a valuable service to customers that will help retain their loyalty. GAIN could become for global digital trust what VISA and MasterCard have become for global payment processing, or SWIFT for international financial transactions. Rod Boothby, Global Head of Identity at Santander and co-chair of the Open Digital Trust Initiative at the IIF — which is also planning its own GAIN proof-of-concept — calls it the third wave of identity. He explains:
In the first wave, you were an employee and your company gave you a login. In the second wave, you were a user and companies from Google to Amazon to Facebook gave you a login. In many cases, in the second wave, people and their attention was the product. They lost control over who knew what about them. And the systems simultaneously became full of fake anonymous identities.
The third wave is Bring Your Own Trusted Identity. You'll have one ID. You will be able to use it everywhere. You will work with a verification partner that will help you build trust without forcing you to share all your private data and your biometrics with every single site you use on the Internet. At least, that is what we are trying to build.
Trust and accountability
The need to re-establish trust and accountability on the Internet is an important part of GAIN's pitch. In yesterday's keynote, Nat Sakimura, Chairman of the OpenID Foundation, spoke about the enormous cost of illicit financial activity and how bad actors are taking advantage of how easy it is to stay anonymous on today's Internet.
Many people say that anonymity is good for privacy, and I agree. But the situation today is that it's only available to those with resource. And the rest of us are pervasively tracked, resulting in the situation that only the criminals are enjoying the anonymity.
So why are we not successful [at] improving, despite over 30 years of time, cost and effort? It's because we haven't addressed the root cause — the identity and accountability of the participants in the network. What we need is to re-establish the accountability of every participant within the ecosystem ...
GAIN is an overlay network over the Internet that consists of accountable participants with assured identity only. Every participant [is] identity proved through the hosting organization, primarily consisting of financial institutions and other regulated entities which are required to identity-proof their customers.
Despite its apparently impressive roster of supporters, GAIN is still something of a grassroots movement at present. Its backers are looking to gain support from financial services leaders and other interested parties, to move it forward from proof-of-concept to practical reality.
So how likely is it to succeed? The notion of banks as certification authorities for people's identities on the Internet is almost as old as the Web itself, and indeed one of the precursors of GAIN is BankID in Norway, delivered in 2004 and now used by 4 million Norwegians to access online banking, public services and some commercial services. What differentiates GAIN, as Santander's Boothby explained to me, is that it is based on open standards, in particular OpenID Connect. Therefore, rather than being proprietary to one provider, it can be adopted by multiple providers whose credentials will then interoperate. This is the key to building this as a global network, he believes.
Then there's the question of adoption. The notion of wresting identity and personal data away from the Internet giants and putting it back in the hands of individuals is another concept with a long pedigree, encompassing the Solid initiative launched by Web founder Tim Berners-Lee and the now-defunct Respect Network, whose launch we covered in 2014. Internet privacy champion Doc Searls, who spoke at that launch, was speaking at yesterday's event, promoting a new project called CustomerCommons.org. His argument is that giving individuals a single location where they can manage their own Internet identity, data, settings and subscriptions is a much simpler and more cost-effective model than having separate accounts and profiles at each online provider. But again, the initiative is still at proof-of-concept stage.
What any of these initiatives needs before it can take off is a 'killer app' — one or more use cases that are so compelling for so many people that adoption snowballs. Can GAIN overcome this hurdle? That depends on who picks up on the opportunity and runs with it. There are many potential candidates. Just off the top of my head — and purely as a speculative exercise — you can imagine that online entertainment providers would welcome a foolproof way of validating age compliance; that social media providers would like to reliably validate the identities of account holders; that an electronic signature linked to a verified identity might finally replace wet signatures and witnesses; that a CRM vendor would see value in being able to accurately validate identities held in a customer data platform.
For now, it's up to the banks and other interested parties in the financial services sector to move GAIN forward. That requires a taste for innovation that we don't necessarily associate with the banking industry. But GAIN's backers make a persuasive case for the cost-effectiveness of building on the existing KYC and secure authentication infrastructure that banks already have in place. Fear of missing out should also be a consideration — if top banks don't want to move ahead with this, maybe there are fintechs that would seize the opportunity. We'll watch out with interest for future developments.