Transcript: Kantara Initiative Interview Following Airside’s Award of High Identity Assurance Trust Mark – January 11, 2023
Karyn Bright: Hi, everybody. Thanks for tuning in to watch our latest spotlight interview with Kantara member, Airside. I’m with Peter Davis today who’s the Chief Technology Officer at Airside, a digital services company based in the Washington DC area with extensive experience in running ID verification programs for clients in the public and private sector.
Peter, thank you very much for making time today to chat. First off, tell me a bit about Airside: what’s the history, where did you come from, and where are you focused today?
Peter Davis: Airside was founded quite some time ago by a couple of former DHS (Department of Homeland Security) employees who wanted to optimize the travel experience through airports, and the flagship product for Airside was Mobile Passport. Mobile Passport was a means for U.S. and Canadian citizens to expedite their way through U.S. Customs and Border Protection at about 35 airports across the U.S. Over the course of that operation for many years, it grew from a footprint of one to a footprint of 35 some-odd airports and over 10 million downloads. It became a very, very successful, highly applauded application over the course of its existence.
Airside transformed into a more broad digital identity services company several years ago. I came in and joined a number of very brilliant engineering folks and business and product management folks to further both the travel sector focus that Airside started with, as well as to expand in other vertical markets.
We really pride ourselves on putting the user at the center of an identity transaction and putting them in control of their identity information; that has been a key pillar of our design ethos ever since. We focused really on user-managed identity release, information release – (with) no centralized aspect to our architecture whatsoever.
Karyn Bright: So, I guess with being involved heavily in the travel industry you’re very close to the end user, you’re close to the person who’s holding that mobile passport, or that they possibly get the connection to identity assurance maybe in a different way than you might if it was hidden behind a government services gateway or something. What have you observed about consumer behavior and about what people are feeling with regards to their identity over the last few years?
Peter Davis: Speaking just from the travel sector, the driving force for the consumer is not about control; they don’t view it as a primary function of controlling their identity. It is about speed through the airport. If you distill it down to its bare essence, that’s really what people are excited about and what Mobile Passport was trying to do.
Mobile Passport was the first example of that, where you went from going through a lengthy line. Even as a U.S. citizen, going through U.S. immigration often took 30, 40, 50 minutes to get through, depending on the time of day. With Mobile Passport with a dedicated lane, you would literally go through immigration in five minutes.
Further along in our journey, we recently just launched the TSA mobile identity platform that took that same “speed through the airport” vision and applied it to security checkpoints as you enter airports. So that is the value proposition to the consumer that’s instrumented in a way that makes it simple for the user to do that exercise, but also meets the regulatory requirements of TSA and Homeland Security to make sure that the vetting and verification process behind the scenes is sufficiently robust to meet their requirements. And now, with the (American Airlines Mobile ID) TSA (Precheck®) program in place in DFW, and soon in many other airports – with a dedicated lane in DFW – even compared to Precheck®, you’re still getting through the line quite a bit faster than even Precheck®, and you don’t even have to pull out a passport.
Karyn Bright: Is that for people just with American or Canadian passports, or can that apply to other nationalities as well?
Peter Davis: For the initial pilot program, it’s restricted to U.S. citizens and IAL Level 2-verified identities. So you have to be able to have documents that will allow you to achieve that level of assurance to participate in that program.
Karyn Bright: Okay, so obviously over here in Europe, we could do with some of that, I think… it’s a different perspective.
You talk there about IAL – Identity Assurance Level 2 – that’s for those that would be new to this industry. That’s very much around having a number of documents, a number of proofs of identity, that give assurance in the broader sense that you are who you say you are and can be used to confirm from one organization to another, that this person is a credible individual and highly verified customer or individual. But what, from your perspective, does that whole notion of “high assurance” mean? Is it the same across all sectors? What have you learned in travel that could be applied into other sectors? Because I guess what’s high assurance in one place isn’t necessarily the same as a highly assured individual for a different sector or a different use case, or am I simplifying it too much?
Peter Davis: Yeah, you’re right. IAL 2 and the rest of the levels of verification described in 800-63 are reference points, and in the world of identity assurance, it’s really a continuum. As is common, you want some sort of benchmark saying “to be IAL 1 you’re this, and IAL 2 you’re that, and IAL 3 you’re that.” That helps with things like compliance.
What I’ve seen in practice, though, is that different kinds of transactions, whether they’re online or offline, require different degrees of certitude about assertions about an identity. For example, the risk to a business about relying upon an assertion of age or relying upon the assertion of your identity that is suitable for travel are different places in that continuum. And even things like KYC AML, for example, while there are specific checks that have to be performed for those kinds of financial transactions, in general, that’s just another point in that continuum.
And so the challenge thus far has been that achieving IAL 2 for example, which is probably the most common, strong verification level that people see in the marketplace today, is a somewhat onerous process for the consumer to achieve. It’s compulsory for the business to achieve that level, but it’s a huge friction point for their consumers on how to achieve that level of verification, and I have to do it for every single kind of transaction all over again when I do IAL 2 for bank one, or bank two, or this investment community, or for TSA. And I have to go through that same ritual of pulling out my driver’s license or passport, proving my identity, doing the scans and all that kind of stuff, and the selfie matches, and it’s a time-consuming process.
The part that Airside is really accelerating with is taking that verified identity and making it reusable on the device. And so it no longer becomes an issue to take a high-degree assurance identity and apply it to use cases that don’t necessarily need quite that level of diligence. And so you’ve changed the market dynamic of asking for a level of assurance from the user without making them go through a huge verification ritual that is friction between me and the checkout button.
Karyn Bright: So what’s stopping us from getting to some interoperability between sectors where you have got that, exactly as you describe it, which sounds like heaven. That basically I can take my device – my mobile phone – I can take my verified identity that’s been through a bank over here and use it when I’m going through the airport. What’s the biggest challenge to that, do you think?
Peter Davis: Obviously, the industries as a whole – not only within a certain vertical like travel, but more horizontally as an industry – we need to start developing some of these standards. There are some standards that are emerging. Some of them are our compliance and audit-related standards to prove that you’re doing the process correctly, such as the 800-63 audits that Kantara does, and others are in technological interoperability to use the same vocabulary for certain types of assertions and things of that sort.
And there’s work afoot in interoperable wallet and interoperable identity assertions, and there’s a bunch of different industry consortia focused on this stuff now. My days go back to X.500 and X.509 and LDAP, where ISO was the establishment body for a lot of those standards. I think that while they play a key role going forward in things like mobile driver’s licenses, there are literally dozens, if not hundreds, of consortia out there trying to accomplish this level of nirvana. Having a true interoperable identity across a vast array of industries is still a long road to hoe and we’re just at the beginning of that journey.
Karyn Bright: And as somebody who works in the industry – so just thinking of yourself as a consumer, as an individual, a citizen of the U.S. and yet you know all of this industry so well – what’s your biggest frustration, personally? What, from your history, what would you really like to call out?
Peter Davis: Wow. I think that the hardest part is bridging the technology-to-human aspect of what we’re talking about; that a bunch of engineers can sit in a room and figure out interoperability. It’s going to take a long time and there’s going to be a lot of competing views, but we can eventually get to not one, but a small number of interoperable standards. I saw this in the federation days, when there were literally a dozen standards out there for how identity federation worked, and now we’re down to basically two: OAuth and SAML. And you see those out there pretty much uniformly across the industry.
I think that same kind of phenomenon is going to happen here, but the part that is the most interesting is the human machine interface (HMI) to how we describe identity to the user that doesn’t sound like engineers trying to describe identity to a user, because that’s kind of where we are today. And we fall back on things like wallet metaphors and other things because they feel familiar, but they’re not really meaningful representations of what we’re talking about. Because I could have multiple identities that represent me as a social individual versus a business individual versus some hobby that I participate in, and I’m going to project my identity slightly differently and elevate some facts and suppress some facts, more or less, depending on the context that I’m in.
And so the HMI really needs to be able to understand that, and that’s a part that is just now starting to get some attention in academia. And then layer on top of that, “Oh, by the way, all this stuff needs to be governed by a set of privacy principles that the user ascribes to.” Users don’t understand privacy like a technologist understands privacy, but they want to know that the data that they’re releasing is meaningful for the context of the transaction and it’s not just going to turn into a cash cow for some business by selling my identity data to the highest bidder. That’s the kind of thing that I think is the biggest challenge to the industry: it’s not technology at all; it’s about how we present all of this technology to the user in a meaningful way.
Karyn Bright: Tell me about yourself. What’s your background and how did you get to this wonderful place in the whole world of user-managed identities and interoperability and all the rest of it?
Peter Davis: My early forays in identity stem from the early days of the web-hosting industry.
Back when I was at UUNET Technologies, which was an early ISP startup in the U.S. – eventually global – we started this little business unit called the Web Hosting Business Unit. We hosted websites in our data centers, which in the mid-90s was an unheard-of concept. But for UUNET, our data centers were on our backbone, which was one of the largest in the industry, so people paid a premium for being parked to the closest high-bandwidth networks around. This was back when everyone had modems in their house for accessing the internet.
Very quickly, we realized the B2B quality – or aspect – of the emerging web world, and started building services around what, at the time, we called “extranets,” which were really just B2B exchanges between a business and their customers.
And so from that, and a bunch of access control bumps and bruises along the way, I got involved in the very early days after SAML 1.0, but really I started hardcore into federated identity and other areas when Liberty Alliance was first formed, which was the predecessor of Kantara Initiative. I was involved both from a technology standpoint and what was then the ID-WSF architecture – so everyone was still thinking SOAP back then – and ID-FF, which was essentially the next generation of what became SAML 2.0.
And then an equal smattering of technology and policy, which is how I got so much involved in privacy, and incredibly smart people at Sun and elsewhere that were involved in the early days of Liberty that were instrumental in framing how I view identity, and I think largely how the industry has looked at identity since. A lot has changed since then.
But federation was really kind of the first baby step. To get a sense for adoption curves, SAML 2.0 came out in the early 2000s, and it wasn’t until the mid teens that it really started to get serious adoption and traction at the consumer level. I think that B2B and internal federations started to happen a lot quicker, but the risk associated with relying on external IDPs to do transactions to your system was still an uncertainty that businesses were reluctant to sign up for.
Literally 10 to 15 years of slow, methodical realization of the optimizations and improvements in the identity industry outweigh the risks that businesses were reluctant to take at the time, in the early days.
Karyn Bright: And what gets you out of bed now, as CTO?
Peter Davis: Well, I can tell you what keeps me up at night, that would be one part. What gets me out of bed? I’ve been involved in startups a number of times, and I always find that the most exciting part of a startup is every day is a chance to have some new epiphany about how the industry works, or how you can improve your product in a way that really fundamentally changes the game. And so working with the team, brainstorming around not only the technology of how to innovate in the identity space but also to make it a better experience for our customers, I think is a really exciting place to be. And like I said before, we have a great team of engineers and product and UX people that are instrumental in making those waking moments a realization.
Karyn Bright: I want to talk a little bit about the certification process. You’ve obviously just been through this with the audit process for IAL 2, which is a Kantara identity assurance program that we run for NIST 800-63. How has that been? And why do you think it is so important now, that organizations do get certified and we start to see that sort of standardization across the industry?
Peter Davis: I talked before about this continuum of measures and levels of assurance, and I think it’s important to have these benchmark reference points that are a lot easier for compliance departments to set expectations and goals to their engineering teams and their business partners to achieve. The process itself is like any other audit and compliance process. I’ve been through SOC 2 and 27001, and we’ve certainly seen our share of audits in the technology space over the many years. And I have to say that the 800-63 audit is probably quite a bit simpler than a SOC 2 audit. I think the number of controls and things that you need to put in place are much more narrowly focused, and so it’s not as complex a process as something as all-encompassing as 27001 or SOC 2.
But having said that, I think it requires some deep, very specific knowledge about how to interpret the NIST standards and ensuring that you have all of your pieces lined up ahead of time before you enter into the audit process, because I think if you wait until the auditor comes in to explain to you what you’re doing wrong, then you’re going have a hard time. So being well prepared for that process makes it a reasonably straightforward audit like other audits can be.
Karyn Bright: And that’s a quite good question, actually: what advice would you give to another company just thinking about going through the assurance program now from your learnings, both this time and in previous ones?
Peter Davis: I think I said my lot there. I do think that the preparedness of the organization to enter into the audit process, the preparatory material that Kantara Initiative provides with respect to that, is incredibly useful. So definitely start with that, and I think those things are generally available on the website. I don’t think you’d have to go hunting and pecking for those too terribly far.
But being familiar with it and being able to understand what the expectation of what that compliance requirement is, is important. It’s not just reading the words and checking boxes to say, “Those five buzzwords I have in my system – check,” right? It’s not quite that simple. You have to understand the underlying reasons for that compliance requirement to fully understand what IAL 2 objectives really mean. They’re not just words on paper; they actually have a semantic to them about true assurance that meets regulatory requirements, U.S. government requirements in some cases. To verify identities to most any agency in the U.S. government, it’s required to be IAL 2 for a large percentage of their transactions. You saw that with the recent IRS program that kicked off the beginning of the year; that was an IAL 2 requirement that they were fulfilling to provide a level of assurance of the taxpayer, as you’re filing your taxes.
And those are just early adopters, if you will, in the U.S. government to apply to that. And of course, no sooner do they start complying to that, that the winds shift and so now there’s going to be a “dash four.” You get to restart all those engines again.
But, I think that to the industry, it’s going to become more meaningful if, for no other reason, it is a set of reference points that exist and there are a handful of other countries that have comparable reference points. The UK does, for example, but even if there’s five or six or eight reference points, that’s a lot more meaningful than just a “businessy” description of the process to try and placate a compliance department, because that’s really the customer for these kinds of things. You must have a level of assurance of “X” in order for the customer to perform this transaction.
Karyn Bright: As we come to the end of the interview, what’s your prognosis for the industries in the next three to five years? What if you had a crystal ball? What do you think we’ll see happening there?
Peter Davis: I do think we’re going to see an increasing shift from centralized identity models to decentralized identity models. I’m not advocating for a particular kind of model necessarily, but I think that compliance departments in particular are eager to shed as much liability in the data that they hold on to about their customers and partners that is going to compel pushing that data out to the edge and pushing it back into the users’ hands and establishing a rapport with the user that “When I need this data, you promised to give it to me again,” as opposed to today, which is, “Give it to me once and I’ll just remember it,” and hope like heck that no one hacks into my database and takes it all. Because that’s kind of where we are today.
So I think that that’s one: the migration to user controlled-identity and putting the user in the center of the identity transaction. I’d like to say it’s short term but I think in reality, it’s probably closer to the five-year horizon.
And in part because of what we were talking about before, we don’t yet have the right metaphor for people to engage in businesses in this way.
Karyn Bright: Yeah, the culture around it, really, for people to engage. With that in mind, and to reach that point, what would your advice to the industry be? Let’s say to the CEOs collectively, or organizations like Airside that are out there developing the technology to underpin this future state, what’s your start, stop and continue message to them? What should the industry be looking to start doing? What should it stop doing? And actually, what are we doing well and should continue to do?
Peter Davis: To start, I think there’s a groundswell of interest now in moving the verification and the establishment of a high-assurance identity in a way that’s reusable, and which in turn unlocks using high-assurance identity to a bunch of other transactions, whether they’re online or offline. And so the whole notion of having a provable verified identity on my device that I can then project out to relying parties as appropriate removes that piece of friction that exists between a checkout transaction, or some finalization transaction with an online service; having a verified identity is a precursor to that. Moving towards this reusability by taking away that friction, you’ve completely opened up the market for places that you can use it.
Stop? Stop collecting all my data!
Karyn Bright: That’s pretty clear! And what about continuing?
Peter Davis: Ask permission; it’s okay to ask permission. And I think this gets back to some of the human-machine interface stuff that we’re talking about: how do you do that so it doesn’t get to where I’m tired of checking the consent button?
Every time I go to a website and I have to dismiss the cookie warning, it’s just a nuisance. And so the risk is that we keep doing that kind of heavy-handed consent, sort of lawyer-driven UI – forgive me, lawyers – and move towards a much more meaningful exchange with the consumer that has all of the confidence of the consumer that you’re doing the right thing with my data without putting a bunch of impediments between me and my objective, and whatever online transaction I’m conducting.
To sum it up, I think that’s the thing I’d like to see “stop.”
Karyn Bright: I think there’s probably a few million people with you on that one.
To end on a positive, what are we doing well as an industry, and what should we collectively focus on continuing to do? What’s your feel there?
Peter Davis: I think as technologists, we have done a pretty astounding job of understanding the problem and trying to build consensus around reasonable sets of solutions. We’re not at a uniform consensus right now, and I think it’s a little Pollyanna-ish to think that we’re going to get down to one. But I do think that we’ve done the community as a whole a big service by trying to establish cross-industry collaborations between health care and open banking and travel sectors and trying to avoid thinking about those as silos with different problems to solve, and thinking about them more as a holistic problem to solve.
And to the extent that we can continue to do that, I think that the outcomes will be much more positive than if we end up with ten siloed identity solutions, so I end up with this metaphorical wallet with ten flavors of identity in it, depending on whether I’m getting on an airplane or opening a bank account.
Karyn Bright: Yes, going to work or being just at home.
Peter, thank you so much. It’s been really interesting chatting with you. I know you’re a busy man and I appreciate that there’s a lot going on for Airside at the moment, so thank you very much to you and the team for making that time.
We’ll pull this all together and when we can, we’ll get it out there to the market and hopefully be able to promote what Airside is doing, but also your views, which are great to hear on where the industry’s going.
On behalf of the Kantara team, thank you very much.
Peter Davis: Thank you very much for having me.