Sovereign Identity on Your Cell Phone with Yoti
From IIW
Thursday 2F
Conveners: Bruce Nash, David Goate, Simon West
Note-taker: Simon West
Tags for the session - technology discussed/ideas considered:
Bruce Nash, David Goate and Simon West ran a demo of Yoti and called a Q&A for feedback from the IIW community on how it feels about the solution being offered, and what Yoti may be able to do going forward. URL: www.yoti.com
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Features demonstrated:
- Registering for a Yoti using a cell phone.
- Using Yoti for facial biometric Single Sign On into a website.
- Peer to peer sharing of age range, but choosing to conceal your real age.
Calls for consideration:
- Could Yoti explore using other forms of API protocol in addition to the SDKs provided? e.g. OpenID Connect.
- Being able to make an assertion about yourself that isn’t necessarily verified by a trust anchor. e.g. from an email address to a complete persona.
- Can you attest to where profile information was verified from (e.g. passports, driver's licenses), and how could that level of confidence be communicated to a relying party? Is there a challenge around discrimination over this? e.g. a relying party questioning the strength of a verified attribute if it originated from, or was verified by, a particular government-issued ID.
- One of the principles of a self-sovereign identity is your ability to move that identity between providers freely. How could Yoti allow that?
- While each individual’s data/identity is centralised and concealed from Yoti’s view (Yoti cannot use the data held; the private key for the data is stored on the individual’s device), could someone transfer their identity to another without making a call to Yoti, i.e. offline or directly, peer-to-peer?
- Would like to know more about how to allow further devices to use your Yoti, and how to revoke one or more of those devices.
- Could individuals store information on an optional mechanism such as a blockchain, rather than forcing them to trust Yoti to store the data?
Observations:
- It’s like a “replacement for captcha!”
- Yoti doesn’t appear to be truly zero-knowledge, verifiable by others, open-standard and open-source. It’s essentially a closed authority. How might that change in the future? At the moment the Yoti Guardian council is responsible for holding Yoti to account for being responsible to its users and transparent.
- Being able to share minimal information with someone to get a job done, like only sharing the fact that you have been verified to be over legal age (but not your age itself), is really valuable. It’s a great example of being able to exert some control over your relationship with a vendor (see VRM), while meeting the relying party’s legal obligations.
- “Yoti isn’t really a Sovereign Identity provider because it forces people to verify their identity against a government-issued ID.” While this isn’t strictly true (you can just register with a selfie), Yoti is a system that people could potentially choose to use as a Sovereign Identity system, although there may be times when they're unable to do so (e.g. when required by law to present information partly attested to by a government-recognised ID).