A few months ago, the Linux Foundation (LF) announced its intent to launch the Open Wallet Foundation (OWF) in early 2023. The OWF aims to develop open source software, key building blocks, and best practices that anyone can use to build multi-platform, interoperable, secure, and privacy-protecting digital wallets that will support a wide variety of applications from identity credentials to payments.
I’ve been really intrigued by digital wallets, a fairly complex and poorly understood subject. To learn more, I read “The Current and Future State of Digital Wallets,” a comprehensive report on digital wallets published in April of 2019 by technologist and entrepreneur Darrell O’Donnell. The report was sponsored by a consortium of Canadian companies that recognized that digital wallets were a major requirement to be able to properly manage our digital identities, arguably the toughest challenge in the continuing evolution of the internet and the digital economy.
“Technologies are converging and provide immense potential for shifting how we can improve every aspect of our lives,” wrote O’Donnell in the report’s Executive Summary. “Underneath all of that technology lies the internet, which has a flaw that could have been fatal – until recently it has lacked a built-in digital identity. Hacks to get around this missing piece have resulted in huge security gaps and abusive digital relationships.”
The internet has become the most prolific innovation platform the world has ever seen thanks to its ability to support a remarkable variety of applications. A major reason for the internet’s ability to support such a rich diversity of applications is that its TCP/IP infrastructure has stuck to its basic data-transport mission, i.e., moving bits around. The internet has no idea what the bits mean or what they’re trying to accomplish. Just about everything else is the responsibility of the applications running on the internet, including security. Consequently, the responsibility for internet security is divided among the many applications it supports, making secure, trustworthy operations significantly harder to achieve.
Internet threats have been growing right alongside the increased digitalization of the economy. Large-scale fraud, data breaches, and identity thefts have become far more common. Cyber attacks are costly to prevent and recover from. As we move from a world of physical interactions and paper documents to a world primarily governed by digital data and transactions, our existing methods for protecting identities and data are inadequate.
Digital identities have long been recognized as the best opportunity for correcting the internet’s security shortfalls. Over the years, various approaches have been used to certify digital identities, such as the widely used Secure Sockets Layer (SSL) to ensure that the interactions between a user and a website or application are secure, or the use of a Certificate Authority provided by a trusted third party.
“Organizations and people who understand how digital identity works will see the early benefits and likely receive more of the benefits,” noted O’Donnell. However, “Without a Digital Wallet, which allows us to control our Digital Identities – both at a personal and business level – we won’t be able to realize the benefits.”
Let me summarize a few of the key points in his thorough report.
Digital Wallets are critical to the evolving digital landscape
“The world of Digital Identity is changing,” wrote O’Donnell in the report’s Introduction. “Centralized services still dominate but the advent of self-sovereign identity and verifiable credentials have changed the landscape. Our ability to control what information we share is increasing – from identity documentation to various forms and data that others need. … Organizations are issuing various credentials for employment, education, and more. We’re seeing digital ownership become more common.”
“We’re told that our Digital Wallet is where we put these things to keep them safe and use them. But what is a Digital Wallet? Ask a dozen people and you’ll get a dozen different definitions. … Digital Wallets are clearly critical to the evolving digital landscape. They are poorly understood, though. … The simple fact is that as an industry, we do not know what a Digital Wallet is or what a Digital Wallet needs to become.”
What is a Digital Wallet?
Digital wallets are generally defined as an app in our mobile devices where we store the digital versions of the items that we carry in our physical wallets. That’s not a very helpful definition because we all have different ideas of what goes into our physical wallets, from some cash, a credit card, and a driver’s license to multiple credit and debit cards, identity documents from various organizations, health and car insurance cards, merchants’ loyalty cards, vaccine information, photos, receipts, tickets, and so on.
“The general idea of a Digital Wallet is pretty simple – it’s a Thing that we put our Stuff in,” said O’Donnell. “The hard part comes when we have to identify what is that Thing, what Stuff do we put into it, and even, what does it mean to put Stuff in it? What about getting our Stuff out? Updating our Stuff?”
Digital Wallets have two key components:
- Wallet Storage — “the encrypted database of keys, credentials, and other information that is put into a wallet. This is the Thing that holds your Stuff.”
- Agents — “the software service(s) that manage things on your behalf” to keep you connected and secure. Services include sending and receiving messages; encrypting, decrypting, and signing information; managing the information on the wallet, and so on.
These two building blocks can be combined to create a variety of Digital Wallet applications.
Wallets have a long history
Microsoft Passport, for example, was introduced over twenty years ago as a single sign-on to a variety of services, applications, and credit cards on Microsoft platforms. More recently, digital wallet apps have been offered by a number of vendors, including Apple, Google, and Samsung for their respective mobile platforms, as well as by payment companies like PayPal, Venmo, and Zelle.
These wallets have had limited success because they are only meant to serve the users of their respective platforms and do not interoperate with each other. “We have a lot of pieces of a wallet, but they are kind of like using a paperclip to hold cash – they do one thing (maybe) reasonably well, but they don’t work together,” said O’Donnell. “We don’t have a single application that mimics what our physical wallets do.”
Risks to watch out for
“As Digital Wallets evolve though there are risks that need to be acknowledged and mitigated.” These include:
- Lock In – a lack of open standards will effectively hold the information on our Digital Wallet hostage because we won’t be able to move information around;
- Surveillance – we need assurance that our Digital Wallet application isn’t sending information off to an entity that we haven’t agreed to share with;
- Theft & Loss – we can lose our Digital Wallet physically if our smartphone is stolen or lost, or virtually if our Digital Wallet has been hacked or taken over;
- User Experience – Digital Wallets are quite complicated for the vast majority of users so a simple, positive user experience will be crucial. “People will not adopt things if they are confusing or difficult.”
Advanced wallet capabilities
Beyond the basic capabilities already available in existing wallet apps (e.g., credit cards, airplane boarding passes, merchant loyalty cards), the report suggests a number of more advanced capabilities that Digital Wallets will hopefully support over time. These include:
- A wider variety of credentials — in order to support a wider variety of credentials, our wallets need to be able to respond to requests for our credentials and offer our credentials to others. Many early stage Wallets can do some of these tasks but the user experience is so complicated that it’s beyond the ability of most users.
- Authenticating and logging you in — “One of the more exciting uses of Digital Wallets is that they allow us to log in to websites and other services with far higher security,” and simplify logging in by removing the need for a username and password.
- Organizing credentials — “Managing many (hundreds or thousands) of credentials mean that a Digital Wallet must be able to organize information to allow its owner to find the information they need.”
- Personas — Our digital wallets need to be able to support the different personas and related information that we use on a daily basis depending on what we’re doing, such as dealing with our jobs, our personal relationships, financial institutions, healthcare and insurance, and government agencies.
“The Digital Wallet ecosystem is in a very early stage … and many predictions here will be wrong – either in timing or even in intent,” wrote O’Donnell in the report’s Executive Summary. Since the report was published, he’s held two online updates on the changes that have taken place in the Digital Wallet landscape, the first one in October, 2021, and the second in December, 2022.
In closing, let me mention that on January 17, 2023, the Linux Foundation is hosting an event at the annual meeting of the World Economic Forum in Davos to discuss its plans to launch the Open Wallet Foundation (OWF). I’m hopeful that initiatives like the OWF will lead to the development of a number of multi-platform, interoperable, secure, standards-based digital wallets.