Announcing Neo, Ping’s Decentralized Identity Solution

Mar 20, 2023
Darrell Geusz, Sr. Product Manager

The Evolution of Identity Systems

Neo means “a new and different form of something that existed in the past,” and PingOne Neo reimagines today’s centralized IAM systems. Traditional centralized IAM systems store personal information and are controlled by a single entity. Decentralized identity allows identity information to be securely stored and controlled by its owner.

What is Decentralized Identity?

It is an approach to identity management that allows users to control their own identity information. Sometimes referred to as “identity on the network edge” or self-sovereign identity, it eliminates the need for users to hand over unnecessary amounts of personal information in order to access a service. Do you really need to present your driver's license, which includes your home address, just to prove your age? In practical terms, proving your age should not require presenting a document that contains far more information than your date of birth.

Organizations issue users a verifiable digital credential that is stored in a digital wallet. Users present their credentials to organizations, which can verify the information and confirm the credential's source instantly without having to contact the issuer. A digital credential represents or incorporates any claims that the issuer has verified or minted. These claims typically include one or more attributes that support:

  • Identification: Biographic information, photo, PIN code, etc.

  • Eligibility: Entitlements, permissions, privileges, roles, etc.

  • Affiliation: Employment or contractor status, membership or customer/account status, purpose, etc.

  • Other extended attributes: Such as rules about how/when/where a credential is intended to be used, account or policy details/balances, credit score, etc.

To name a few ways these could be used, a credential could carry claims:

  • Of purchase: Property deed, car title, sports & concert tickets, insurance.
  • Of membership: Citizenship, employment, association/club, residence, subscription.
  • Of achievement: Educational diploma, professional certification, titles and distinctions.

What Are the Advantages of Using Decentralized Identity?

According to the 2022 Verizon DBIR, more than 80% of breaches involved the human element, including social attacks and credential compromise. Decentralized identity, on the other hand, uses robust identity verification methods prior to issuing a cryptographically signed credential, so that personal information is secure and cannot be altered without the owner’s permission. The information is stored with the owner, primarily in a digital wallet on their mobile device.

Compared with traditional approaches that rely on extensive backend integrations and federation across organizations, decentralized identity supports a modern, scalable architecture that makes identity and access more portable while simultaneously improving convenience, security, and privacy. Three major advantages are:

  1. Decentralization of data. Credentials are stored on the user’s mobile device, placing choice, consent, and control in the hands of the user. Users are empowered to take advantage of more and newer services while staying protected from unnecessary tracking, data abuse, and potential breaches. It also minimizes risk for service providers, who no longer need to store stale copies of the user’s PII.

  2. Credential issuance is not limited to claims that originate from specific documents. Credential issuance is not based on a narrow set of identity proofs like a government-issued ID or a vaccine card. A credential can be issued to include any claim that an authority can verify or that they mint. This can include any claim, attribute, or facet of a user’s identity, authorizations, affiliations, or purpose.

  3. Eliminate friction. Once a user verifies their identity, a credential may be issued so that the user never needs to go through verification again. Because credentials are issued using industry standards, that credential may be presented to entities other than the issuing authority.

Additionally, users have greater control over their personal information. Rather than having a third-party entity dictate how personal information is used and shared, decentralized identity allows individuals to manage and control their own data. This includes the ability to choose which information is shared, with whom it is shared, and how it is used. No more wondering “how did this person get my information?”

Introducing Neo: Ping’s Solution for Decentralized Identity

Today we are introducing Neo, Ping’s solution for decentralized identity management. Neo consists of two parts: Verification and Credentials.

Verification: Neo provides several types of verification:

  • Digital credential verification: This is the critical element of verifiable credentials. Once a user presents a verifiable credential, the original requestor (e.g. a service provider) verifies it by checking the issuer's cryptographic signature.

  • Physical credential authentication: Authenticate that a government ID is genuine, including passports and national ID cards; optionally compare biographic data extracted from that ID against a system of record.

  • Phone and email possession verification: Send a one-time passcode to the person’s email address or to the person’s phone via SMS, tightly bound to the verification event.

  • Fuzzy biographic matching: Compare the verified biographic data from the submitted government ID to the biographic data typed in by the user or stored on file.

  • Selfie verification: Check for liveness.

Credentials: We walk around with credentials in our pockets every day, namely our driver's licenses. Other types of credentials include passports, university or college degrees, health insurance cards, fishing licenses, and even birth certificates. The various pieces of information on these documents that identify each of us are called attributes. The new PingOne Credentials service lets organizations issue a verifiable credential customized to their organizational needs.

Key features of PingOne Credentials include:

  • Automated issuance: Define credential templates and identity attributes, and assign either a user or a population group to the credential template. As users are added to the corresponding group, the digital credential is issued automatically.
  • Centralized lifecycle management: Manage the entire life cycle of credentials, from definition to revocation, from a single management console. Revoke credentials on demand or automatically based on expiration date (coming soon).
  • Consent & privacy: The credential owner must consent before a credential can be shared, including whether the full credential or only a subset of it is shared (referred to as selective consent).

The good news is customers can also implement PingOne Credentials in a hybrid, additive approach. Existing applications and infrastructure can be left intact. The use cases and applications are unbounded.

How Does Neo Work?

Request: Users typically first prove who they are to the issuing organization using one or more methods, such as verifying a government-issued ID [using PingOne Verify] or authenticating with their login credentials. The organization then notifies the user that they are eligible to receive one or more credentials by sending an invitation via email. After clicking the web link in the email, users opt in by scanning a QR code that pairs their Neo wallet with the service.

Create: The service uses the predefined credential template to determine which attributes should be included in the credential and pulls them via PingOne Directory and its synchronization capability with external directories and databases. PingOne Credentials packages the credential based on the type indicated in the template, using industry standards.

Store: The service then automatically provisions the credential(s) the user is eligible for by sending a push notification to the Neo wallet and a courtesy email notification to the user. The user can then accept or reject each credential for inclusion in their Neo wallet.

A note on wallets: while open source wallets are still in development under initiatives such as the OpenWallet Foundation, we see them as pivotal to empowering the user across applications and platforms. Being able to issue a credential to any wallet using emerging protocols such as OpenID4VCI will be important in the future, both to give users choice and to support regulations that are still in development, such as the EU Digital Wallet initiative.

Present: Users are now able to present their verifiable credentials as needed, sharing only the data that is essential for the interaction to take place. Presentation of a verifiable credential can be online or in person, as long as internet connectivity is available. In the future, proximity-based communications such as NFC and BLE will be supported for in-person scenarios with limited or no connectivity (ISO 18013-7 is in development for this).
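The issue, store, present and verify steps above, as an added stdlib-only Python sketch that is not Ping's code and not part of the original post: the issuer signs only a salted hash per claim (SD-JWT style), the wallet reveals just the consented claim, and the verifier checks the signature and the hash without contacting the issuer. The issuer name, the constructed key and the claims are assumptions, and HMAC stands in for the issuer's asymmetric signature.

```python
import hashlib, hmac, json, os

# Hypothetical issuer key, constructed for this example. HMAC stands in for
# the issuer's digital signature: a real issuer signs with a private key and
# verifiers check with the issuer's public key, so no call-back is needed.
ISSUER_KEY = b"constructed-issuer-key-for-demo"

def claim_digest(salt: bytes, name: str, value) -> str:
    # Commit to one claim as SHA-256(salt || [name, value]); the random salt
    # stops a verifier from guessing undisclosed low-entropy claims
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()

def issue_credential(issuer_key: bytes, issuer: str, claims: dict):
    """Issuer side: sign only the per-claim digests; return the credential
    plus the (salt, value) pairs the wallet keeps for later disclosure."""
    disclosures = {n: (os.urandom(16), v) for n, v in claims.items()}
    payload = {"iss": issuer,
               "digests": sorted(claim_digest(s, n, v) for n, (s, v) in disclosures.items())}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures

def present(credential: dict, disclosures: dict, consented: list) -> dict:
    """Wallet side: attach only the claims the holder consented to reveal."""
    return {"credential": credential,
            "disclosed": {n: (disclosures[n][0].hex(), disclosures[n][1]) for n in consented}}

def verify_presentation(issuer_key: bytes, presentation: dict):
    """Verifier side: check the signature, then that each disclosed claim
    matches a signed digest. Returns the accepted claims, or None on failure."""
    cred = presentation["credential"]
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # forged or altered credential
    signed = set(cred["payload"]["digests"])
    accepted = {}
    for name, (salt_hex, value) in presentation["disclosed"].items():
        if claim_digest(bytes.fromhex(salt_hex), name, value) not in signed:
            return None  # disclosed value does not match what the issuer signed
        accepted[name] = value
    return accepted

def age_check_demo() -> dict:
    # Constructed driver's license claims; only birth_date leaves the wallet
    cred, disc = issue_credential(ISSUER_KEY, "https://dmv.example",
                                  {"name": "Alex Doe", "address": "1 Main St", "birth_date": "1990-05-17"})
    return verify_presentation(ISSUER_KEY, present(cred, disc, ["birth_date"]))
```

The verifier never sees the name or address, yet any edit to the disclosed date or to the signed digest list is rejected.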

Practical Applications

So, what are some of the practical applications of decentralized identity and verifiable credentials? Here are a few examples:

  • Financial services: Banks can reduce check-cashing fraud by performing robust identity proofing once and issuing a verifiable credential for future use. They can also let business partners rely on these same credentials for strong identification and for access to affiliate services.

  • Government services: Verifiable credentials could replace many of the paper-based documents governments issue, including birth certificates, fishing licenses, real estate documents, and of course driver's licenses. Verifiable credentials could also be used to secure voting systems and ensure that only eligible voters are able to cast their ballots.

  • Retail and eCommerce: Verifiable credentials could verify the age of customers, for example when purchasing age-restricted products like alcohol and tobacco, and could support loyalty programs, including access to services and benefits from business partners.

These are just a few examples of the many potential applications of verifiable credentials. In our discussions with organizations, the applications are seemingly endless and, more importantly, they solve problems that are either challenging or impossible with today’s technology.

PingOne Neo: Decentralized Identity for the Masses

The increased mobility of users and their demand for personalized, unified omnichannel access experiences has stretched federated IAM beyond its limits. Meanwhile, the need for organizations to collaborate more in order to compete, and to build communities of trust and value for those same users affordably and securely, cannot be met by existing federated IAM solutions. By implementing PingOne Neo, customers that embrace the new paradigm of decentralized identity can improve existing experiences and create opportunities for new, valuable user experiences and for increased engagement and collaboration with business partners. These customers can do so without replacing their infrastructure. Since it is designed to integrate with Ping’s ecosystem, PingOne Neo can integrate with existing applications and systems to bring enhanced functionality and extend the user’s reach.

Simultaneously, PingOne Neo can also support new use cases and applications developed on a lightweight, lower-cost, more secure, privacy-enhanced infrastructure.

We are excited to introduce PingOne Neo, as it solves today’s problems in a practical way and works alongside existing IAM systems, enhancing federation platforms rather than replacing them. This means that whether customers are bridging from federated to decentralized models or building new user experiences without backend integrations, PingOne Neo delivers value immediately.
