Ask Me Anything: Vereign Recap
Georg C. F. Greve
Thu Jun 20 2019
On Thursday, the 6th of June we held our first Ask Me Anything (AMA) in our Vereign Telegram group. The AMA was hosted by our Community Manager, Ivan Dzheferov, and the questions were answered by one of our Co-Founders, Georg Greve, who is also the Chairman & Head of Product Development.
Below we have put together an overview of the main questions for you:
When should we expect integration with Microsoft 365 and outlook?
We are slightly dependent on Microsoft in this because we would like to offer this as a supported option for existing Microsoft customers, such as the Canton of Zug, which wants to use Vereign. We have a contact at Microsoft who is currently finding the right people to work with on their end to make this happen in cooperation. Integration is not difficult. It only took Collabora a few days for LibreOffice. My guess would be sometime in Q3.
Why did you first try to solve digital identity for email?
Digital identity is difficult. There are interesting pieces and approaches out there, but they often have a high failure rate. It boils down to an identity you cannot use for anything being quite useless. That sounds tautological but it seems to have escaped many people. We were looking for the most valuable use cases for a third party verified, self-sovereign identity with zero touch key management. Email was a clear winner: it was the only truly federated communication protocol out there. It is not dependant on a single company or group, there are multiple implementations, it is censorship resistant and much more.
Email is used by four billion people. Ninety-five percent of businesses depend on email as their primary means of communication. According to forrester, last year, more teenagers had email accounts than Facebook. This makes sense because email is the root identity for many other online identities by virtue of being used for password recovery. Therefore email is at the heart of most online identities. It is the world’s largest unverified identity database. That lack of verification brings some challenges, though. Business Email Compromise, invoicing fraud & co are at an all time high – and growing.
Right now only email and phone can be validated in your beta app… How exactly are you going to verify other data in the live version, such as name, address, etc.?
We will be doing this via third parties as there is no “one size fits all” that would work globally. So you will be able to use your Zuglogin (the eID of the Canton of Zug), your SwissID, your RFID passport, or any other third party that can offer such verification and assurance levels. We are for instance already looking at the practicalities of integrating this with Yapeal.ch, a very cool challenger bank from Zurich. They have a great onboarding via mobile app. So you can start your onboarding via Vereign login with selective data disclosure to pre-fill the forms. You then receive the returned verified data into your Vereign identity.
What about other countries that don’t have access to this type of services? I assume you’ll be using KYC providers such as Onfido/Jumio? Yes, we are agnostic in this because every country and culture may have its own ideas about how to approach this.
Will any of the scanned documents that users provide for this type of verification be retained somewhere? That will in part depend on the verification provider. You could for instance even use existing functions, like a notary, to do higher level verifications. I believe they would usually keep a paper copy in their safe. Other 3rd party onboarding providers might also store such data for a limited time (GDPR applies, obviously) as part of the regulatory requirements the government has placed upon them. As for our solution: users will of course be able to retain a scan of their ID card or other document (potentially with verification) in their personal storage as that may be very useful.
Hmm, regulatory requirements would apply if the verification was being done by a regulated business, such as a financial services provider. They shouldn’t be required to keep the documents under any regulation as the verification is not done for a particular purpose… However, if using the Vereign identity for regulatory purposes is a potential use case, some framework for that needs to be put in place.. and negotiated with regulators I guess.
Yes, exactly. Banking is a very real use case for what we’re building. A lot of banks would love to be able to communicate with their customers over email. Because right now they are usually sending messages in online banking. Which most customers happily ignore as the message counter goes higher and higher. So the account managers have started sending text messages to the customers “please look at your online banking messages, I’ve left you something important.” Both customers and banks hate that currently approach.
Side note: It is even more complicated. You have two laws competing. One about retaining business records. The other one about deleting data as soon as possible as part of data protection. We’ve been looking at this in some detail – one of the perks of having a CISO of the world’s no 1 logistics company among the founders – but of course this won’t all be implemented in the Minimum (!) Lovable Product.
What is the chance of digital identity to go deeper in real life and maybe replace the current monolithic ‘hardware’ ID cards?
That may happen at some point. In a way Vereign will make these hardware tokens (a.k.a. passports) portable in a sense, but knowing the speed at which politics moves, I think that may take a while to become “official”. This is not a terrible thing because there is a huge area for which “inofficial, but robust” is “good enough”. Just like you do not really need qualified electronic signature all the time. An advanced electronic signature with a solid identity grounding will be extremely useful already – and cover 90% of the cases.
Why do you coin Vereign as a new service category? Why has nobody built something like this?
At this point, there are fragmented identities that are owned by the companies that provide them to us. Vereign puts user-data and control into the hands of the people. It is a useful, verified identity that allows users to take control of their identity in a way that you can take authentication and selective data disclosure toward third party services. If you combine that with the zero touch key management that creates one-time keys for every interaction, and you have a kind of function that has not existed before, which is why it is so hard to find a name for this. The true power becomes apparent once you realise this seamlessly integrates into any existing application or service. Peer-to-peer interactions create live connections between people – on equitable terms that are determined by the people as they connect, which creates a sort of “social fabric”. The first steps of that will be a magically, self-updating, verified address book of all the people and organisations you are interacting with, but a lot more will be possible on this basis. As to why nobody has built this yet… We have not had all the ingredients in the past. Things become more obvious only after someone has done them first.