How Self-Sovereign Identity Works with Trinsic's Riley Hughes
Jon Prial: Today, I'm talking to Riley Hughes, CEO of Trinsic. Trinsic is a full stack, self-sovereign identity platform that makes sharing and verifying personal data online easier through verifiable credentials. Now, self-sovereign identity should ring a bell. We'll put a link in the show notes to a podcast with Drummond Reed. Drummond's the Chief Trust Officer of Evernym, and is part of numerous working groups around trust over IP, decentralized identity, and a co-chair of Sovrin's Governance Framework Working Group. Now, I say this 'cause Riley was the second employee at the Sovrin Foundation. And he told me that excited him 'cause it was where blockchain meets identity. I'm Jon Prial and welcome to Georgian's Impact Podcast. We're glad to have you here, Riley. So, I'm gonna start with a scenario on identity and I need you to tell me if this is a good thing, or a bad thing, or both.
Riley Hughes: Okay.
Jon Prial: So, my father's 94, he's in an assisted living home, he's doing all right. But I manage all his finances. And if I need to do certain things, I will get on the phone. And rather than go to the trouble to say, "Here's my power of attorney and I'm his son, and da, da," I just say I'm him. And they let me get away with it. Because I don't think I sound like a 94-year-old. But, of course, I know his birth date, and his social security number, and everything else about him, and I just pretend to be him and everything is much more efficient. Is that good, or bad? What do you think?
Riley Hughes: Well, it depends on which angle you're looking at it from. I think it's probably good for you, makes your life a lot easier. I think, structurally it's probably bad that that exists. It's probably bad that, in our world, you can essentially be someone if you know a few things about them. And, luckily, this is something that you and your father, obviously that is something that nobody would say is wrong. But it would be wrong if you were a hacker in your parents' basement somewhere overseas, or something who got this information from the dark web, and was phoning in with that information, trying to pose being your father, and wanted to open credit cards in his name, or something like that. Obviously, that wouldn't be good. But yet, that happens all the time. In fact, that's how my co-founder Thomas Love got into this space. His bank account was drained down to zero because somebody got a hold of a few key bits of information about him, called into the bank pretending to be him, and was able to drain his bank account down to zero. Now, luckily, that was all reversed. And he was okay. Thomas Love was okay, but they never caught the person who did it. And surely that person has done that same thing to scores of other people over the years. And, unfortunately, that's the world we live in. So, overall, I would say structurally, that's probably not ideal.
Jon Prial: I was hoping you were going to conclude that it was bad 'cause every time I do it, I feel bad. I'm okay, for example, my wife and I log onto bank accounts and we have the same user ID and password that we share. But then, we go to the next level down and we both log onto Netflix and it'll say, who's watching, of course, now that's a good thing and a bad thing 'cause they're beginning to figure out who I am and what persona, what I like to watch, and vice versa. So, I guess, where does identity start? It should not start at login. It has to start before that, identification so to speak. So what's your take of just what would you call identity?
Riley Hughes: Well, I have been a part of hours long conversations about what is identity? And people discussing it. And people who spend their whole lives thinking about this question and there's a lot of philosophy behind it and everything. The way I think about it, my mental model is that identity is sort of some identifier, and then the associated data to that identifier. And the sum of all of that is your identity. So, I think obviously people have an identity that's intrinsic to them. Things like their gender identity, or political identity, or cultural identity. You have your identity with your family, where maybe with your family your identifier is your face, and the associated data lives in the brains of your other family members. And it's sort of the sum of all of the interactions they've had with you over the years. And that is your identity in your family. But externally, when you walk into your bank, they don't have all of that years, and thousands of data points of data about you to trust you. So, how do they proxy that? They use some extrinsic identifier, or credential like a driver's license, or something like that to try to sort of bootstrap that same trust with you.
Jon Prial: Or sadly, my debit card and a PIN code is about all it takes at the bank. I guess they look at my name and they say, "Please, put your card in the slot. Put your PIN code in and then we'll continue to deal with you." Kind of iffy.
Riley Hughes: Yeah. And, in that case, the debit card is the identifier, and if you can prove ownership of that identifier with something like a PIN, supposedly only you can do that. And there should be a lot less fraud if truly, only you could prove that.
Jon Prial: Your Trinsic homepage says that you are the proof of anything platform. What do you mean?
Riley Hughes: I think, when you try to boil down what is the problem with identity online today, the problem is that you can't prove anything about yourself online. And in-person I can sort of go about my life and easily pull out a driver's license, or something like that to prove who I am, and get access to the things I need. But digitally there's really no analogous to that. There's no version of me pulling out my driver's license, and instantly having a trustworthy kind of relationship with some party. Like, for example, there's no way for me to prove that I am actually over 21, or that my legal name is actually Riley Hughes, or anything else. As a business, they need to hire some third-party data aggregator, or verifier, or whatever in order to check whether those things are true about me. And so, the proof of anything platform is meant to invoke this notion. So, we're a developer tools company. And so, we're trying to get developers thinking about all the possibilities that are out there, and the things that they could build here. We have customers building things from COVID vaccine passport wallets to products for businesses, to products for rural smallholder farmers in Africa. And it's, the opportunities are really, really broad. And that's why we have that broad characterization on the website.
Jon Prial: Nice. I like that. And I can guarantee before this interview's done, we'll talk a little bit medical and that type of anything that people need to prove as well. But before I get there, I guess, I'm asking for maybe a verbal high-level marketecture that there's a person, there's an identity, there's a verifier. What are the piece parts that a developer needs to think about when they're trying to do the right thing to ensure the right person is presenting the right information about themselves?
Riley Hughes: Any developer who's building an identity product has a stack of identity solutions. They may have a directory service that they're using. They'll probably have an authentication layer. If they're a big enterprise, they'll have authorization, and governance, and other kind of policies related to access controls. And they may also have, depending on the use case, they may have physical access control, things like physical keys, or key cards, or things like that. If it's digital, they may have identity proofing technologies, or data that they bring in from other sources. And so, there's sort of a whole stack of things that a developer needs to think about depending on what they're building. If you want to make sure that somebody is the right person sharing the right thing, that's kind of where we're focused, as a company. An area where it's a little underserved today with the sort of historical, and existing solutions on the market. And the solution to that is an identity wallet. And so, we are really an identity wallet SDK. And, as a developer, you can embed our identity wallet alongside your existing authentication, and existing identity proofing solutions, and whatever. And you can tie the data that lives in the wallet to things like the identifiers in your directory, and the identity proofing that you've done according to your trust requirements. So, if you're a big bank, or something you will probably have higher requirements for identity proofing, and binding the wallet to the identity proofing that you've done, than you will if you are working with immigrant farm workers in the US, or something like that-
Jon Prial: Or if I walk into a bar and I need to say I'm 21, they don't need to know my name. Is there a way that I can flash my... Somehow digitally show my identity wallet, and they get all they need to know, which is this guy's older than 21?
Riley Hughes: Yeah. So, that's called a zero knowledge proof. And selective disclosure is another sort of name for that. But really it allows you to share just what is needed for an interaction to establish the kind of trust that you need, and nothing more. And I like to give the example that, obviously, it would be inappropriate if... Well, it is inappropriate that every bar that you go to you're sharing your full name, you're sharing your address, your height, and your weight, and your driver's license number, and all these sensitive things when really you just need to prove that you're old enough to get in. And wouldn't it be great if not only with bars, that's an easy example to allude to, but there are all sorts of examples across our lives where we are oversharing information because we have to, there's no other solution to that right now.
Jon Prial: Would it be initiated by me where I go to a bar, I open up my app, my identity wallet and say, "Send my age." Or do I just say, "Here's my identity," and then the back end, the guy behind the person behind the bar says, "Give me his age." Does that matter? Is there a nuance there? I would think I'd want to go, "Here's my age." I would want to aggressively declare what I want to share, I guess, is the key.
Riley Hughes: In the scope of Trinsic and what we offer, obviously, we are a developer tool company. So as a developer, you could build all of the above experiences if you wanted to. What we see being most successful is something akin to like an Apple Pay kind of experience where you sort of walk up, tap your phone, scan a QR code, whatever. And you have a little popup that says the bar is requesting to know whether you're over 21. And you just hit yeah, that's what I was wanting to do. And away you go.
Jon Prial: I like it 'cause then I don't take the action. And if the bar wanted more information, they want your birthday. No, no, I don't need to get a free drink on my birthday. I will say no to birthday. So, you just need to know I'm 21. That's very cool. And the verification then, happens where? Because, obviously, the bar, does it go to Trinsic to do the math through the calculation on my age?
Riley Hughes: Everything we're talking about here is built on open standards. And so, the bar could pick up some open source code, and use that. They could use a vendor like Trinsic. They could use a product developer like one of our customers, which is actually what is most likely. The bar is probably not planning on hiring an engineering team to pick up open source code and run their own cloud platform there. So, likely they're going to use some product from someone who's sold it to them. And that product is going to sort of handle the verification piece. And so, if it's with Trinsic, one of the things we offer is resolution and verification of credentials. And so, if that credential was issued anchored to any number of blockchains, or if it was issued off chain, or whatever, we can sort of resolve the public keys, do the verification, verify cryptographically the zero knowledge proof is valid, and return that value back to the person behind the counter at the bar.
Jon Prial: Let me go beyond the bar, and my age. And I want to acknowledge that we have lots of data that's already been collected, and it will continue to be collected, and it's in centralized places. And sometimes I'm okay with that. For example, I have an electronic toll pass, and that organization knows my travels in quite some detail. But my assumption is as long as they don't share that data with, I don't know, Facebook or Google, maybe I'm okay with it. What's your take?
Riley Hughes: You want those assurances. You want to know that the data's siloed, and that it won't be hacked. The problem with a single centralized provider is I don't think you can get either of those assurances.
Jon Prial: Oh.
Riley Hughes: They could come out and say, "We're not gonna share your data." But then it turns out, "Oh, we just got something leaked," and turns out the thing they said isn't reality. And that's always a possibility, and there's no way to know whether they're... I mean, you have to just trust them, I guess. And when there are all sorts of companies where public statements don't maybe match the internal realities.
Jon Prial: So, you're taking me down the path from centralization to decentralization. So, let's talk about decentralization identity, and what that means for people.
Riley Hughes: Yeah. Decentralized identity is really this concept that the way we do identity in the real world can be mapped to the digital world. Like in the real world, I have a wallet, I have cards, and credentials, and attestations inside that wallet. And, as I go about my life, I pull things out of the wallet as needed to live my life. And it generally works okay. I mean, obviously there are issues with people forging driver's licenses and things like that. But overall, the model, the pattern, it works relatively well. And so, the decentralized identity movement, or it's often called self-sovereign identity, is this notion that, as a person, you can have a digital wallet, and you can put same thing, cards, credentials, attestations, whatever inside that digital wallet. And, as you go about your digital life, you can use those to access the things that you need. Like I mentioned, product builders have a stack or a suite of identity tools that they can bring to bear. And if they needed to bring some of those other tools into the picture, they still could. But, at least as a user, you hold your data. Instead of it being held on a tech company's servers that could be hacked, and you only share what you need to.
Jon Prial: So let me just talk about some service, and it's enabling self-sovereign identity already. And I've got my digital wallet in my hand, or on my phone, and perhaps I'm using face ID, and there are many ways that I can actually prove this is really me. And, by the way, this is what I choose to share with this service. It could be the IRS, for example. Once I'm in, boy, do they have gobs of information about me. Now, in all cases, I do whatever needs to be done to authenticate myself, however many layers they might want.
Riley Hughes: Yeah. And they may want some of that data for whatever reason. But the key is that you would have to consent to sharing it. And we talked about, you wanted assurance that it is siloed, and it's not gonna get shared outside of it. But in the US, we don't have laws like GDPR that require companies to really implement sort of enforcement of those types of things. So, theoretically, your data could be taken by IRS, or any number of other third-party providers. And once it's there, it could be sold to other companies, or it could be used for internal whatever other purposes that it could be used for. And so, with decentralized identity, it doesn't mean that the IRS doesn't ever see any part of your identity. Identity is always a relationship between two parties. It's an interaction. And so, you're gonna be sharing something with the IRS, but maybe what you share is proof that this biometric is linked to the driver's license that you also own. Instead of here is all of my biometric data. Here is all of my driver's license data. Here are the keys to the kingdom, so to speak.
Jon Prial: Very different.
Riley Hughes: Yeah.
Jon Prial: So, I pulled an example up, Trinsic example, which I thought it was simple. And I just wanted to talk through it with you. It was using Eventbrite in Trinsic. So, a new attendee registers, they go to Eventbrite, they register. Next step is credentialing via Trinsic. So, Trinsic does the credentialing. And then, the next three steps appear to be quite normal in terms of what I would expect. As a new user, I would not have known about credentialing in Trinsic. Then it says, I create a webinar registration, and I send you an email. So, I really like that idea. My question to you is Eventbrite has a relationship, hopefully a trusted relationship, with their registrants. They get the emails. Trinsic doesn't get the emails. They're using Trinsic as a toolkit. And they will be given my email from me, or from you? I'm just curious again, how we're sharing information. I'm really learning this process of how I'm giving things up to somebody.
Riley Hughes: If you remember, for a moment, that Trinsic is simply a developer tool, an API, you could imagine an event producer who wants to do the ticketing, or whatever via Eventbrite. But maybe there are other related events, or there are other sort of use cases for this event credential. And so, what they could do is they still want to use Eventbrite to collect registrants, collect the fees, whatever else. But then, they could give an event credential to the user in the form of a verifiable credential in a digital wallet. And when that happens, the user can then use that for whatever they want. Just like if I have a ticket that I get, a paper ticket, maybe I take that down to the local Starbucks and they have a 10% discount for anyone who's attended that conference. Or maybe it's like a ski pass or something, and I can use it at other related mountains, or something like that. Even if those other related mountains have different databases, and different systems, and different architectures, and cloud systems, and whatever when the user has the credential in their hands, they can take it anywhere that it's accepted and for any reason. And it's really a new kind of enabler. It can enable new use cases that really don't exist today. Like I'm never taking my ski pass and using it at the movie theater, for example, because it's not something that's really doable today. But using decentralized identity, you could imagine all kinds of new use cases that don't exist today could emerge because of that level of interoperability.
Jon Prial: Yeah, I love that using the word credentialing, 'cause I was thinking of credentialing I take a course, I get certified as a programmer of X, Y, Z. And now, I have a credential that's been issued by an authorized educational institution. And I carry that credential around with me, and I can do things with that credential. I can show it to my potential employer. I could show that validation of a ski pass to a store, and get a potential discount without having to pass a card around. And so, credentialing really is the anchoring in some relevant piece of information about me. And that's, we're going back to the original question, proof of anything. We could put whatever we want into that wallet, whatever makes sense. And you're right, the opportunities seem quite endless, which is pretty exciting.
Riley Hughes: Yeah. And I really like to think about it in terms of, if you kind of think back 20 years ago, or something where the internet really democratized publishing, or writing. So, anybody could be a publisher, and write on a blog, and get an audience. And then, fast forward 10 years from then, and we have crypto and it democratized finance where anybody can hold value. You don't need to be sort of in a banking system or something like that. Technology has this trend toward democratizing things that once had gatekeepers in front of it. And I think what the proof of anything thing, if you kind of take it to the logical end state, what it means is that, eventually, we won't need the "gatekeeper" of a driver's license to exist and go about our lives because the only reason driver's licenses are an identity document that anybody cares, I mean, it's meant to prove that you passed a driver's test when you were a teenager for goodness's sake. And why are we using this to open bank accounts? Well, it's because it's something people trust that the DMV did a good job vetting you before they gave you this card. And really that's it. It's just because people trust that the DMV's processes. And because nobody else has transparent processes, because nobody knows whether the ski resort did any vetting on me, they don't know what the university's vetting was on me, they don't know what my church's vetting was done on me or whatever, none of this is transparent, so they couldn't accept any of those other kinds of credentials. They only can accept driver's license, or passport, or whatever because they trust the process behind the issuance of those documents. But as soon as we can decentralize this, there's additional transparency into both the process through which these things are issued, as well as the sort of cryptography, and the technical trust can be there.
So that eventually, this is a little longer term, but instead of needing a driver's license to exist, if I could just take all of my information from the reputation that I've built up over on Uber, and the credentials that I have from a few different places in my community where I've served, and whatever else, I can sort of take all these different facets of my identity and create a single proof without sharing maybe any of this sensitive information. But I can prove that I'm a legit person who has this identity that's been built up over years. And that can sort of disrupt, or democratize the current model of identity, which is just bound in government paper documents.
Jon Prial: And government in those processes. I love that you, we got to this point of trust. And it's funny, you mentioned driver's license and passports, which may be a little more rigorous in getting a passport. And then, you go to the next level, and you want to get your global entry, and you become part of a Trusted Traveler Program. And there's the T word, which is kind of neat. So, what do you see then, as kind of a digital trust ecosystem?
Riley Hughes: A digital trust ecosystem is, I think, the concept that there's a set of organizations that trust a certain process. And so, in the Trusted Traveler Program, maybe there are customs offices all around the world that trust the process you had to go through to get this Trusted Traveler credential or certification.
Jon Prial: I had an interview. I had to talk to a real person to get there.
Riley Hughes: And you could imagine digital trust ecosystems, or trust ecosystems for all kinds of other things. Visa is a trust ecosystem. There are merchants that are willing to accept cards that are issued by banks. And it's sort of the way that trust works in the real world. And we can sort of now, finally, digitize that model, and abstract it away from just payments, or away from just travel, and apply it to any use case under the sun to enable people to access more things that they need.
Jon Prial: So, let me ask you a question against the negative side of things. There is the argument that says the worst thing we could have in the world of social networking is anonymity 'cause people really become troll like when they're anonymous. And, of course, I'm a huge fan of not that. And everyone should register, we're investors in open web. To me, I think that's a very interesting direction it goes. They always make the argument that says, be careful though, because if you get rid of all anonymity, and you're a reporter in Ukraine, you're at risk. Or if you're a gay person in another country, you're at risk because now you're identifying yourself. And now you have to go through an exception process to stay anonymous, or not allow all these credentials to come out. In a digital identity world, you could almost do that.
Riley Hughes: You need the ability to create different identifiers for different contexts. So, if you reuse the same email everywhere, if I reuse my email with my local Target, and with my bank, then Target and my bank can go behind my back and say, "Hey, this email did this with me here. And this email did this with me here." And therefore, maybe my bank can say, "Oh, we see they've been shopping at Walmart and they bought all this stuff." And they can share that with Target and Target can use it to target me or something like that. And so, conceptually, you need the ability to be able to have different identifiers for all of your relationships. Every relationship should have a different identifier, so that nobody can correlate me behind my back. Unless I share correlatable information. Like I choose to consent to sharing my email, or something like that. So you do need, in my opinion, anonymity in terms of the identifier that is used. The interesting thing is the internet is full of technologies that help people be anonymous. And it's full of companies that are trying to help companies verify things about people. But the lacking thing is a tool to let me prove that I'm actually Riley. Let me prove, let me share information when I want to. But the people are like totally left out of the equation right now, except for like privacy tools. There are privacy tools for people, but there are not tools to help people strongly identify themselves when they want to be identified. Identity is really complex and there's no one size fits all thing. So, I think that's why the key is every relationship, every domain needs a different identifier. And then, the data that you choose to share needs to be consented to. And there needs to be good sort of governance.
And we also, I think, need regulation to control kind of like once I share my information with Target preventing Target from going, and then selling that elsewhere, and kind of polluting, or correlating me behind my back, or whatever.
Jon Prial: That's great. So, let's talk hot trends. Just tell me a little bit about how you see identity evolving in Web3 and perhaps even the metaverse.
Riley Hughes: I don't have a crystal ball, but I do have some thoughts about identity is critical to any society, or system, or whatever. And if we're hopeful that Web3, and the metaverse and, things like this will take off we'll need a good identity layer. And that is more than just a public-private key pair. I mean, identity is complex and it needs to be done right because it's seriously impactful for people. When it's done wrong it can be very harmful to people and really impact their lives. So, it's really important that we do identity right. And that we have cross-functional kind of groups of people who are working on these hard problems to ensure human rights, and things like that in the future of the internet. But to sort of simplify it down to its essence, I think that people are going to have digital wallets, and those wallets are going to have money, crypto, and they'll have assets like NFTs, and they'll have identity, which are credentials.
Jon Prial: Many types of credentials.
Riley Hughes: That's right, yeah. And just like I assume people in eventually will have many types of NFTs, and people will have currencies for various things. And so, when you fast forward to that state, and you think about living your life in the real world, and as the real world and the digital world the lines blur between those two spheres, and we start talking about the metaverse, you need all three of those things in order to live a real life in the metaverse. And also, I would argue, in the real world. I mean, if, if you take something that's really tangible, a really real world experience, I don't know, imagine you get off the Elon Musk spaceship on Mars, our first Mars colony. And do you think that we're going to really pull out a laminated card out of our space suit to prove who we are? Identity is going to be a lot better than it is today. We're going to have digital forms of identification, payments, proof of ownership of assets. That's the future.
Jon Prial: And I was excited that I had an RFID chip on my ski pass versus having to show it to somebody. But I think you've given me a much broader view of the future. Riley Hughes, it's just a pleasure chatting with you. Thank you so much for taking the time to be with us today.
Riley Hughes: Yeah, thanks a lot, Jon.
At Georgian, we love talking about self-sovereign identity. We’ve discussed it in previous episodes with Drummond Reed, the co-chair of Sovrin’s Governance Framework Working Group, Kaliya Young, a self-sovereign identity expert with over 20 years of experience in the field, and Mathieu Glaude, CEO of Northern Block.
There’s a lot of layers to self-sovereign identity, and it’s easy to get lost in the noise of it all. We try to make it easy for you.
In this episode, we cover it with Riley Hughes, Sovrin’s second employee and co-founder and CEO of Trinsic. Trinsic, which Georgian recently invested in, provides a cloud-based platform for credential verification and monitoring.
You’ll Hear About:
● What is identity?
● The different ways Trinsic can be used by developers.
● Ways to disrupt or democratize the current model of identity.
● Decentralized identity and its many use cases.
● The continued need for anonymity in a digital identity world.
● How identity will evolve with web 3 and the metaverse.