How Vittorio Shaped my Perspective on SSI, and how he can Shape Yours

Riley Hughes
8 min read · Nov 9, 2023


Photo credit: Brian Campbell from this article on the Ping Identity blog

Vittorio Bertocci, much like many others in the identity space, had an important impact on my professional life. You can imagine how I felt when, a month following his tragic passing, I saw another blog post produced by the GOAT of creating understandable technical content about identity. Further, the subject of the post is my deepest area of knowledge: verifiable credential adoption (which was the topic of conversation for almost all my time spent with Vittorio).

Vittorio’s sage perspective on verifiable credentials is important for the IDtech community to understand. In this post, I want to outline how Vittorio influenced our direction at Trinsic and highlight a few important points from the recent post.

In 2017 I was a fresh face in the identity industry, pumped full of slogans and claims from the infinitely optimistic self-sovereign identity (SSI) evangelists who I surrounded myself with at the time. Having only seen one perspective, I fully believed that consumers could “own” their identity, that “data breaches would be a thing of the past”, and that verifiable credentials would usher in a new era of privacy maximalism.

The world needs idealists — but it also needs pragmatists. Vittorio became an archetype of the pragmatic energy that eventually worked its way into the culture and products at the company I cofounded in 2019, Trinsic. His directed questions and healthy skepticism of marvelous SSI claims came not from a Luddite spirit, but from deep experience. In a blog post about his involvement in the CardSpace project at Microsoft, he said, “When the user centric identity effort substantially failed to gain traction in actual products, with the identity industry incorporating some important innovations (hello, claims) but generally rejecting many of the key tenets I held so dear, something broke inside me. I became disillusioned with pure principled views, and moved toward a stricter Job to be done, user cases driven stance.”

For the last four years as a reusable identity infrastructure company, our developer tools for integrating verifiable credentials, identity wallets, and policy/governance tools have become quite popular. Thousands of developers have created dozens of applications that have acquired hundreds of thousands of end-users and issued close to a million credentials in production. This experience has given us a unique vantage point on patterns and methods for successfully deploying verifiable credentials in production. We’ve also spoken to many of these customers and other partners on our podcast and in private to understand these patterns more deeply.

I state all of this so that I can say the following with some credibility: Vittorio’s perspectives (and by extension Auth0’s) are a must-read for anyone working on user-centric identity. I’ll double click on a few of what I view to be the most important points below.

What do we need to do to make a classic OpenID Connect flow behave more like the drivers license for buying wine scenario in offline life?

The two main discrepancies we identified were: Ability to use the token with multiple RPs and Ability to transact with an RP without IdP knowing anything about time and parties involved in the transaction

The first point I want to highlight is that Vittorio introduces verifiable credentials (VCs) by relating them to something his audience is familiar with — OIDC. This is not only a helpful practice for pitching products in general, but it embeds an important point for IDtech people: VCs are not a fundamental transformation of identity. VCs are an incremental improvement on previous generations of identity technology. (But one that I believe can enable exponentially better product experiences when done right.)

VCs will be adopted when they are applied to use cases that existing solutions fail to accommodate. It’s key for VC-powered products to demonstrate how VCs enable a problem to be solved in a new way — otherwise, buyers will opt for the safer federated solutions over VCs.

A classic example to illustrate my point is “passwordless login”. I’ve been hearing about it for 6 years, and yet never actually seen verifiable credentials be adopted for passwordless authentication. I believe the reason for this is that the two points above (ability to use the token with multiple RPs, IdP not knowing about the transaction) aren’t important enough for this use case, and that other, lighter-weight solutions can do it better.

We might say that there are too many cooks in the kitchen… I dare say this space is overspecified… A lot of work will need to happen in the marketplace, as production implementations with working use cases feel the pain points from these specs and run into a few walls for some of VCs to fully come to life.

Vittorio taught me about the history of OAuth, OpenID, OAuth2, and OpenID Connect. I learned about early, nonstandard iterations of “login with” buttons that had millions of active users. I learned about the market forces that led these divergent applications to eventually standardize.

Standardization is essential for adoption. But adoption is essential for knowing what to standardize (there’s nothing worse than standardizing the wrong thing)! Prematurely standardizing before adoption is a classic “cart before the horse” scenario. My conversations with Vittorio led me to write this catch-22 of interoperability post.

IDtech builders need to focus on building a good, adoptable product first. Then make it interoperable/compatible with other products second. This is a key design principle baked into Trinsic’s platform (e.g. whatever you build will inherit interoperability when it’s needed, but you won’t waste time figuring it out in the meantime).

[A misconception:] Centralized DBs will disappear… and in turn this would prevent some of the massive data leaks that we have seen in recent history. It’s unclear how that would work.

Vittorio correctly identified this as a misconception. Centralized databases indeed won’t disappear anytime soon. The notion that companies “won’t need to hold my data”, if it ever happens, will be far in the future.

The near-term disruption that will happen, however, is something I pointed out in a conversation with Vittorio that started on Twitter and moved offline. Service providers who don’t originate data themselves, but aggregate or intermediate between parties in a transaction, are at risk of disruption from verifiable credentials.

The example I use in the post linked above is Work Number. Employers give Work Number information about their employees to avoid fielding background screening calls. If employers gave that information directly to employees in a verifiable credential, however, Work Number’s role would need to change dramatically. Because of this threat, identity verification, student attestation, background screening, and other companies of this kind are among the first to adopt verifiable credentials.

Unless users decide to not present more data than necessary for particular operations, it is possible that they will end up disclosing more/all credential data just for usability sake.

This dynamic is Jevons paradox applied to identity — VCs counterintuitively risk creating worse privacy conditions, even with things like data minimization, because of the frequency of use. Nobody has a crystal ball, so it’s impossible to know whether this risk will materialize. Governance is the best tool at our disposal to reduce this risk and enable better privacy for people. I talk about this a fair bit in this webinar and plan to write a blog post about it in the future.
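The two discrepancies quoted earlier (one token usable with many RPs, and the IdP not learning when or with whom it is used) and the over-disclosure risk just discussed are easier to reason about with a concrete wallet flow in hand. The following is an added example, written for this post and not code from Auth0, Trinsic or Vittorio’s article: a toy selective-disclosure credential in plain Python. The issuer signs only salted hashes of the claims, the wallet chooses which claims to reveal per presentation, and the verifier checks everything locally. The issuer name `dmv.example`, the subject “Ada Lovelace”, and the HMAC stand-in for a real asymmetric signature are all constructed for the example.

```python
"""Added example: toy selective-disclosure credential (not from the original post).

Demonstrates three things from the discussion above:
  1. One credential, issued once, is presented to several relying parties.
  2. The issuer is never contacted during a presentation, so it learns nothing
     about the time or the parties involved.
  3. The wallet decides how much to disclose; "reveal everything for usability"
     is exactly the over-disclosure failure the post warns about.
"""
import hashlib
import hmac
import json
import secrets

# Constructed issuer key. A real VC uses an asymmetric signature so verifiers hold
# only the public key; HMAC stands in here to keep the example dependency-free.
ISSUER_KEY = secrets.token_bytes(32)

# The issuer's own record. It is appended to on issuance only, which lets us check
# that presentations leave no trace at the issuer.
ISSUER_LOG = []


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim: the issuer signs this, not the claim itself."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(claims: dict) -> dict:
    """Issuer: salt each claim, sign the sorted list of digests, and hand the holder
    the salts alongside the clear-text claims."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    payload = json.dumps({"iss": "dmv.example", "digests": digests}, sort_keys=True)
    sig = hmac.new(ISSUER_KEY, payload.encode(), "sha256").hexdigest()
    ISSUER_LOG.append({"event": "issued", "subject": claims.get("name")})
    return {"payload": payload, "sig": sig, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder/wallet: build a presentation carrying only the requested claims.
    The signed payload is reused unchanged, so no round trip to the issuer."""
    return {
        "payload": credential["payload"],
        "sig": credential["sig"],
        "disclosed": {name: credential["disclosures"][name] for name in reveal},
    }


def verify(presentation: dict, verifier_key: bytes):
    """Verifier: check the issuer signature, then that every disclosed claim hashes
    to a digest the issuer committed to. Returns the claims learned, or None."""
    expected = hmac.new(verifier_key, presentation["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None
    signed = set(json.loads(presentation["payload"])["digests"])
    learned = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in signed:
            return None  # tampered or forged claim
        learned[name] = value
    return learned


def demo() -> dict:
    """Issue once, present to two RPs minimally, then once with everything."""
    cred = issue({"name": "Ada Lovelace", "dob": "1990-01-01",
                  "over_21": True, "address": "1 Main St"})
    log_before = len(ISSUER_LOG)
    # Wine shop only needs the age predicate.
    wine_shop = verify(present(cred, ["over_21"]), ISSUER_KEY)
    # Pharmacy needs name plus the predicate; same credential, different RP.
    pharmacy = verify(present(cred, ["name", "over_21"]), ISSUER_KEY)
    # "Just send it all" for convenience: the over-disclosure case.
    lazy = verify(present(cred, list(cred["disclosures"])), ISSUER_KEY)
    return {
        "wine_shop": wine_shop,
        "pharmacy": pharmacy,
        "lazy": lazy,
        "issuer_events_during_presentations": len(ISSUER_LOG) - log_before,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `demo()` is the contrast between `wine_shop` (one bit learned) and `lazy` (the full record), while `issuer_events_during_presentations` stays at zero in every case: the data-minimization property is available, but nothing in the protocol forces the wallet to use it, which is why the post points to governance rather than technology as the lever.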

Users will typically already have credentials in their wallets and verifiers will simply need to verify them, in a (mostly) stateless fashion… However, we do have a multi-party cold start problem. To have viable VCs we need effective, dependable and ubiquitous wallets. To have good wallets, we need relying parties implementing flows that require them, and creating real, concrete requirements for actual use. To incentivize RPs to implement and explore new flows, we need high value, ubiquitous credentials that make good business sense to leverage. But to get natural IdPs to create the infrastructure to issue such credentials, you need all of the above… plus a business case.

The chicken-and-egg problem (or, “cold start” problem) is tricky for almost all IDtech products. While there will always be exceptions to the rule, I have seen enough failure and success to feel confident in a somewhat concrete recipe for overcoming this obstacle.

  1. Remove the wallet as a dependency. If a user needs to be redirected to an app store, download an app, step through onboarding steps, see an empty app, go scan QR codes to get credentials, all before it can actually be used… it’s extremely unlikely to be adopted. Instead, give users invisible “wallets” for their credentials. This is the #1 unlock that led to several of Trinsic’s customers scaling to hundreds of thousands of users.
  2. If your entity can play the role of issuer (or IdP) then you’re in a great position. If you’re not, obtain your own data so that you can be. Dig in with one or more companies and partner closely to build something very specific first with existing data.
  3. Sell to use cases that aren’t well-served by existing OIDC or similar technologies. Expand the markets you’re selling to by going into the long tail. Focus on either low-frequency, high-value use cases or high-frequency, low-value applications. Make it easy to integrate.

Shamefully, it took me 5 years of pattern matching to land at the conclusions that Vittorio and others saw much sooner. These are the same points that led to adoption of OAuth/OIDC. And frankly, when you look at it, they are pretty obvious.

The main one is being able to disclose our identity/claims without issuers knowing. It is a civil liberty; it is a right. As more of our life moves online, we should be able to express our identity like we do it offline.

Privacy is an important point. This, in particular, is a requirement for most governments to get involved. It’s also a biggie for any sensitive/”vice” industry (gambling, adult content, controlled substances, etc.), which historically is a driver of new technology due to having broad appeal and high frequency.

Once [the adoption flywheel] happens, it will likely happen all of a sudden… which is why it is really a good idea to stay up-to-date and experiment with VCs TODAY

This “slow… then all at once” dynamic is a critical insight, and very true. We’ve seen this over the last year in the identity verification segment. My first conversations with identity verification companies were at Sovrin in 2018. Despite consistently following along, there was no movement from anybody for years. Suddenly, after Onfido acquired Airside in May, Plaid, Persona, ClearMe, Instnt, Au10tix, and more have jumped into the fray with their own “Reusable ID” solutions.

Auth0 posits that governments will be the critical unlock for verifiable credentials. While I don’t think that’s wrong, we are seeing increased bottom-up adoption from the private sector, both from IDtech companies and verification providers of all kinds. Governments will play an important role, ideally anchoring wallets with high-assurance legal identity credentials and leading with standards that will lead to interoperable solutions.

If you haven’t already, I encourage you to read the whole post. I’m grateful to the Auth0 team for shipping the post after Vittorio’s passing, so the world can benefit from his knowledge. You can also continue to learn from Vittorio through his podcast, which I’ve found to be a tremendous resource over the years.

If this topic interests you, check out the podcast I host, The Future of Identity. And if you have any feedback on this post, find me on X or LinkedIn — I’m always trying to get smarter and would love to know if I’m wrong about anything. 😊
