What if the real problem with cybersecurity today is not the threats we see, but the way we prove who we are online?
In this episode of the Business of Cybersecurity podcast, I sat down with Gonzalo Alonso, CEO of Ditto, to explore why digital identity has quietly become one of the most important and misunderstood challenges in our digital economy. Drawing on his experience at Microsoft, Google, and now Ditto, Gonzalo shares a perspective that challenges long-held assumptions about how identity works, who owns it, and why the current model is starting to break under pressure from AI, regulation, and evolving user expectations.

We unpack what is changing across Europe with initiatives like the European Digital Identity Wallet and what that really means in practice for both consumers and businesses. Gonzalo explains how the shift toward user-controlled identity could reshape everything from onboarding and compliance to fraud prevention and cross-border trust. At the same time, he does not shy away from the complexity this creates for organizations that have historically treated identity data as an asset they control.
Our conversation also looks at the deeper technical shift from trusting systems to relying on cryptographic proof. Gonzalo brings this to life with real-world examples, including how identity could travel with you across borders, unlock access to services, and even influence financial opportunities. But alongside the opportunity, we also discuss the risks, from device security to identity recovery, and why getting the model right matters just as much as the technology behind it.
This episode offers a clear-eyed view of where digital identity is heading, why it matters now, and what leaders need to start thinking about before the rules change around them. So as identity moves from passwords and tokens to something far more personal and portable, are we ready to give control back to the individual, and what does that mean for the businesses built on the old model?
Useful Links
Visit the Sponsors of Tech Talks Network and learn more about the NordLayer Browser.
[00:00:00] So a big thank you to NordLayer for backing the podcast and supporting the kind of real-world cybersecurity conversations that we need more of. Because as someone that records 65 plus interviews a month, I've personally seen a huge increase in browser-based attacks over the past year, whether that be phishing, malicious extensions, account takeovers, the list is long. And it's all happening where people spend most of their time, inside the browser.
[00:00:29] So NordLayer's new business browser, that's built to address exactly that. It blocks malicious sites before they load. It limits risky behaviors like uncontrolled downloads or data sharing. And gives you visibility into how your team interacts with web apps. And it also helps you stay compliant by controlling access and enforcing policies without the need to rely on multiple disconnected tools.
[00:00:55] So for anyone listening that is thinking seriously about reducing risk in SaaS-heavy environments, this feels like a smarter and more focused approach. And you can learn more about it by visiting nordlayer.com slash browser. Let me know what you think. But now, let me introduce you to today's guest. How many times have you handed over your personal data online today?
[00:01:24] Maybe done it without even thinking about it. Maybe it was logging into an app, a social media site, signing up for a service, or just ordering a coffee. We've all been trained to almost accept it. Type in your details, trust the system, move on. But here's the uncomfortable question. What if the entire model that we've built digital identity on is fundamentally flawed? Well, today's guest believes this is exactly the case.
[00:01:53] Joining me all the way from Barcelona is the CEO of a company called Ditto. And they're rethinking digital identity from the ground up. And with leadership experience at Google and Microsoft, he has seen firsthand how identity has evolved from simple access to convenience at scale. And now to something much bigger. Trust infrastructure.
[00:02:18] So today we're going to explore why identity is breaking under the weight of modern threats. How European regulation is shifting back to individuals. And why the future of authentication might rely less on passwords and more on mathematics. And yet we'll also get into what this means for businesses who have built their entire models around owning customer data. And why that era might be coming to an end faster than many expect.
[00:02:47] So if you've ever wondered who really owns your digital identity, and what happens when that answer changes, you're going to want to stick around for this one. But enough from me. Let me introduce you to my guest now. Can you tell everyone listening a little about who you are and what you do? Hi, Neil. And hi to all your audience. Thank you for inviting me here. I'm super excited. So I'm Gonzalo Alonso. I am the CEO for Ditto.
[00:03:17] And at Ditto, we do something that is actually pretty simple to explain, but it's really hard to solve. And that is one of the things I love about what we do at Ditto. So we focus on the trust of the digital world, if you want to have it more abstract. So at Ditto, we think that there is one problem that we haven't solved online at all, and that's trust.
[00:03:42] And until we don't solve that missing layer of the digital economy, that's how I see it, we won't be able to move forward in many, many other stuff. But the simplest example I have is a transaction. I don't think that transaction will be the fuel for things like volumetrics in the future anymore. I see identity as being the fuel for that volumetrious transactions in the future.
[00:04:11] So specifically in identity, which is where we want to create trust in the digital world, we focus on how do you know that person or thing on the other side of the transaction? And how do you trust and prove who that person or even material thing is? And that's the challenge that we have right now to solve at Ditto.
[00:04:37] And I think all over the world, this is a challenge that should be in many people's minds. So in this world where everything becomes more and more remote, our job is to create trust in the infrastructure so that you can stop trusting how other people manage your data, and you can start managing it yourself as a citizen of the world.
[00:05:06] So not a minor thing. As I said, this is something that hasn't been solved yet. So it's one of those challenges that, you know, it's tough. And we wouldn't have it any other way. That's exactly what we would like to solve at Ditto. And it's funny you say that because I would say over the last, what, three to six months, the word that has been transported right into the spotlight, probably because of AI, agentic AI, and all these agents out there, is identity.
[00:05:35] They seem to be setting off a lot of alarm bells right now. And when I was doing a little research on you, you've described digital identity as fundamentally broken. So starting from the top, where exactly is identity failing today? And why have passwords, tokens, and existing systems struggled to keep up with the modern threats we're seeing now? It's a great question.
[00:05:58] And I think identity is fundamentally broken because of its architecture, of its legacy architecture. And let me be more like eating the... So at the core of identity, we have the wrong assumptions. If you look back in time. If you look at least back in time to the last 25 years, right?
[00:06:23] The assumption has been the more data I have about someone, the more qualified projections I can do about that specific person, right? And I think that is totally wrong. I think that the era where we all go collecting data in this sort of fantastic world where we think we own it as an organization,
[00:06:52] we create the flows for it. We create our own definition of what's privacy in most cases and our own definition. Of course, governments regulate entities in many cases, but still there's a lot of movement there for people to... And then fundamentally, this has created a world where people don't trust data anymore. And that inference is hitting directly the core of what we do online.
[00:07:22] So it's time that we stop asking everyone for personal data. I think that's crazy. I see governments all over the world failing at keeping that data stored in the right way and managed in the right way. And then finally, being secured in the right way. So if this is what's broken at its core, how do we turn this around?
[00:07:50] And it seems we have many promises in a lot of geographies and many ideas on how we could start doing this without making it more complicated and risky for everyone. Because right now, where we are, is we're all losing, right? So the user doesn't trust anything. The government state that times three.
[00:08:14] And then we have the second system of private organizations thinking, and this is not only banks, by the way, thinking that the data is theirs. And I think within that fantasy lies the problem of the whole conundrum. It really does. And you were talking about the different promises that are being made in different geographies around the world. And here in Europe, there are initiatives like the European Digital Identity Wallet,
[00:08:41] which we're seeing an almost shift towards giving individuals more control over their data. At least that is the promise. But what does this actually mean in practice for consumers listening? And how different will their experience feel just to help them bring it to life? Oh, oh, it totally changes them all. So it flips them around. Yeah. So what it means for users, which is actually the most important part of the equation,
[00:09:10] even if we, you know, we let detect them to forget this sometimes. But it puts users in the middle of the equation, which is the first thing we needed to admit. So this is not about everyone owning as much data of you as they can. This is actually about understanding who you are without exposing you to all of the problems that exist.
[00:09:37] So specifically in Europe and around EUDI laws, we're promoting, we're mandating this idea that the instrument to carry around your identity should be a digital wallet. And that this digital wallet, that it's very different from other wallets we've seen. Most wallets we've seen are very, their focus is transactional. This wallet specifically, it's focused to keep your personal information secure.
[00:10:07] So within this wallet, in Europe we're calling it the identity wallet, lies proof of who you are. Not that data of who you are, but proof that you have attested to of who you are. And then you as a user get to choose who do you want to share that data with, depending on how it really empowers your life different.
[00:10:34] So what we found is just like pushing the systems as a national identity system from somewhere above to everyone else creates a lot of wrinkles in the ecosystem. So many that we haven't been able to move forward with this around the world. You know, if we suddenly give integrity to the information and we make it secure, and then we put at the user in the steering wheel,
[00:11:04] then suddenly you have this interoperable system that we can start sharing without sharing the information, the personal information of the user. For everyone out there, that is zero-knowledge proof. And what I think is really cool about zero-knowledge proof, if you go back 15 years, 15 to 20 years, we didn't know what to do with that model. Because it's a very sophisticated math model. It is.
[00:11:31] And then suddenly we start finding some applications, probably 15 years ago, blockchain is born and it creates this backbone for crypto, amongst other things. So listen to this case, which is my case, right? I just moved from America to Europe. And of course, I've been working in America and international companies, my own companies all my life. So I've got credit there. I've had little investments there.
[00:12:01] I meant something in that part of the world. When you move to Europe, you go back to actually being in a limbo. Identity purgatory. You're not up whatever you came from in America anymore. You have to fit in into this new digital societies. And it takes you about six months. One of the most exciting things about decentralized identity and the whole EUDI proposition is that,
[00:12:29] you know, in the future, in the very near future, before even traveling to Europe, I can choose to share some of my proof with the governments in the other side of the ocean so they can start looking at that proof and see if they can trust me or not and if they can verify who I am or not. That would actually save someone like six months of their life from being a living hell
[00:12:58] to actually becoming a productive citizen for another country really, really fast. And I think that has a huge economical impact and so on. But we also see that, you know, while identity fuels transaction, very cool things happen. So, for example, you buy a car. You know, the moment you buy a car, you can attest for that car. So you have proof of ownership of something. And that, you know,
[00:13:26] thinking of interoperability can help you leverage that asset for other things, which brings credit to a more democratized society. And it brings a constant, real-time thermometer of who you are and what you want. You know, if suddenly in a couple of years I need more credit from a bank, I can actually show the attestation of my car, which is proof of what I own,
[00:13:56] which could mean, you know, a credit of about the size I would want for my company at that moment. And suddenly you're, you know, leveraging your identity to grow in the financial world with things that we haven't been very effective around the world taking to the mass population. So, as you can see, what we're doing in Europe really excites me because it also has a little backbone, right? It's got, you know,
[00:14:26] GDPR has gone all over the world. It's now standard. And eIDAS, same. So, I envision the mandate of EUDI also to go across the world. And I think this is the actual model that, you know, makes the other model just inadequate and all. And on the flip side of everything we're talking about here, for the business leaders listening who are currently shuffling a little nervously in their chairs,
[00:14:56] what challenges does this create for a business that, that when they have to operate in a world where they no longer control the identity layer in the same way, it's going to be a few challenges there too, right? It's going to be a lot of challenges. So, first of all, organizations have to face the fact that the way that they've been using identity is never going to come back theoretically as time passes. And as we go into the mandate specifically in Europe, but not only Europe, Canada has already accepted
[00:15:26] decentralized identity as the model to go. And, you know, so as companies realize they can't own, quote unquote, the identity of their users anymore, they will have to shift to the mandates very fast. And for, you know, organizations like banks, this means totally shifting their model to something they've been avoiding now for years, right? So, we can talk as much
[00:15:54] as we want as open banking, but open banking has not changed my life or my kid's life or your life. So, we have to start facing the fact that there's something wrong with that model that hasn't become the standard we thought it was going to become in terms of sharing data. And then, so that's a big shift for any kind of organization, especially banks. And, you know,
[00:16:23] in the financial world, this actually, if you don't manage it well, could very well mean loss of assets because these guys were convinced this information was one of their most important assets. So, what happens in a world where clearly it's illegal for you to take that role and you empower the user to do it? It's going to be, to say the least, it's going to be an interesting shift. The other thing we're used to is just asking
[00:16:52] everyone for information. And this I see, look, it's ridiculous. It goes everywhere from my fitness club to a restaurant, right? And it's way past dangerous. It's chilling at this point. And users all over the world don't realize that they're probably one line of data away from being totally hacked. The other things
[00:17:21] that will change severely is how do we deal with recovery? So, in the systems we have right now, yes, they're far back and fragmented, very tough to interoperate on them. But it is true that if you lose credentials somewhere, you can get them back pretty easy. In this new world, recovery is another type of paradigm where you really need to create the models on which you create trust really, really fast again
[00:17:51] on scenarios like what happens when a user loses or gets stolen their mobile. And that is the simplest of examples, but we can go all the way down to a very tough example. So, everything will change and it will... So, how I like to put it is we're changing from weak signals to cryptographic proof. That is 90% of the living, acting,
[00:18:21] producing world right now, which makes it really interesting. And as you said there, we're talking about moving from those weak signals to just trusting systems to relying on cryptographic proof. So, can you tell me a bit more about what that shift looks like in real-world terms, especially for organizations that are very serious about trying to reduce fraud and meet regulatory demands and do things the right way and be a part of this shift rather than resisting the change. Tell me more about that. It all
[00:18:50] starts from my point of view and you said it really well, right? We now trust systems. We need to start trusting cryptography, which means infrastructure becomes something really different as we know it today. And that's also, I get very passionate with this subject. So, going from trusting systems to trusting cryptography it's a big, big change. And to me, how do
[00:19:20] you start doing this? Asking different questions about what you're trying to do. So, the first question I would ask is, do I trust the system I'm going to have contact with? And there will be systems that you do trust just because of legacy. Many of the systems in the banking ecosystem we just crossed, right? Swift, whatever, right? And then they will have to adapt to leaving that trust to
[00:19:50] the user and how they manage their trust. And that's through cryptography and through safe environments. So, that's interesting. The second question I would have to ask myself is, can this claim, you know, whatever the claim the counterpart is doing, can be proven with something? And that something is cryptography, right? So, those are the big two questions you have to ask yourself entering this new world. Because if you don't realize
[00:20:20] this, you're missing the bigger point, which is because the system online hasn't produced the type of trust we need, we need to give it back to the actual cool onset, and then empower him to do something with it, which is where the real economy of satisfaction kicks in. And until we don't have this, it's going to be a ride.
[00:20:50] And then I see a few things happening, right? So, the mandate is very clear, although I could say that you could have your own flavor of making a few decisions, and then one of the problems we might have if we don't take this seriously, is fragmentation. So, instead of having this system we all, a system that we don't trust, but we trust on its proof,
[00:21:20] then suddenly that proof can go to hell. So, what do we need? The credentials that are digitalized. That's what it looks like. It has to be, those credentials have to be bound to a real user and a real device. And when I say a real user and a real device, it's like forget the burners, forget all the anomalies you can think about in the system. You have to critically just shove them away and leave this. And then
[00:21:50] authorization that is phishing resistant, because right now with tokens and all that stuff, walking around, is that we found tokens can be intervened. We found all type of non-cryptographic messages can actually be broken and phished. So, I think if you ask me what it really looks like, it looks like credentials that are digitally signed and with protocols that are worldwide, if not
[00:22:20] worldwide, geographically approved, bound to a real user and a real device, and that it has real systems that are anti-phishing by architecture, which is the one thing we don't have right now. And on a personal note, looking at your career, you've held leadership roles at Google and Microsoft. Now you're leading Ditto. I'm curious, how has your perspective on identity evolved across these different environments? Because you must have seen and experienced
[00:22:49] so much. Neil, it's a journey. It's been a journey. It's been a real journey. So, this is a tough question because you can argue in the 90s and early 2000s at Microsoft, you know, what was identity about? And I would say, at that point in time, it was about access. Hotmail was probably the biggest database around of Lehman people just there.
[00:23:19] And at Microsoft, the conundrum was, how do we give safe access to everyone? Right? And that was it. That was it. Then I went to Google and Google took a totally different meaning. So, at Google identity, when I was at Google, which is early Google, it meant scale and convenience with a big underlying inconvenience because scale was getting there, but we had to take care of the projections, not of the reality,
[00:23:49] because of the natural rhythm of how everything was grown. So, at Google it meant convenience. So, how do we add a scale with billions, right? How do we make this convenient for everyone in a world where you will have a suite for, you know, your work sessions, and a suite for your personal sessions, and so on, so forth. And then at Ditto it means something else completely, because both Microsoft and Google still
[00:24:18] have this fantasy of owning identity. That's what I think. So, they explore everything, right? But what they would love is for this conundrum to sort of play the way they want it to be played. Of course, these guys are freaking smart. They have the interoperability at some point in the world with data, so they know a lot of things we don't know. And this thing of playing your
[00:24:47] own identity sooner or later, I think is going to give them a reality check. Like reality gives checks to everyone, right? So at Ditto, we think totally different. So identity is not owned by a platform, it's owned by a user with, as I said before, with the right credentials, the right unit, and the right platform that is doing that.
[00:25:15] So my trip from access to convenience to trust infrastructure has been super interesting because, you know, now it's very clear for me that infrastructure for this new identity in the future will mean something that is owned by the user, that it's managed by the user, and our job is just to provide the user with the
[00:25:44] way that identity will change its world because he owns it. Simple example, Spain. So Spain has had an incredible uptake in digital mobile licenses, and everyone's asking me, like, what do you think? You know, what's going on there? And I'm like, nothing's going on there. It works. It's something that a citizen can own, understand. They can see how it works for them, right? It's practical.
[00:26:14] So why not download a governmental wallet? In Spain, there's fundamental trust with the government. And why not attest to your license, which is your first proof of who you are? And once we have this in a wallet, and by the way, these attestations are interoperable, which means I can check if I'm qualified and I'm structured enough and I have certifications, I can use these attestations
[00:26:43] also. And suddenly this world that is very siloed, it just became more of a, you know, common ground for certain things. So it has to be provable. It has to be owned by the individual. It has to be provable anywhere. That's one of the conundrums we have while working at this stuff, right? And yeah, so I've gone through this very naive thinking, I would
[00:27:13] almost call it kapchka thinking, to this very sophisticated and powering technology vehicle that we're providing to, at least in Europe, to citizens. I'll tell you why this is powerful in Europe, because of the 27 countries mandating upon it. So suddenly you have something we haven't had in the world, which is scale at a multi-nation level with pre-approved facts.
[00:27:43] So this is why I think this one has a special chance to actually make it. Absolutely love it. And if we look ahead, if digital identity is rebuilt around privacy and user control, lots to celebrate there. But rather than move fast and break things, are there any new risks or unintended consequences that we should possibly be thinking about now to ensure we don't create anything else? Every time we change the model, there's new risk.
[00:28:13] One of the quotes I love is from Buckminster Fuller. He was a graphic designer back in the 70s, a brilliant man, brilliant mathematician. And I'm going to read it because I don't want to misquote him. He said, you never change things by fighting the existing reality. Build a new model that makes the existing model obsolete. And I think that's exactly what we're trying
[00:28:43] to do. So while making obsolete the legacy model, of course, we have a lot of risk. So I'll name a few. Device becomes critical infrastructure for the world, not for the guy that's using it, which of course it is, but it's a trustful relaying infrastructure that will be on the hands of users. We've never done that. Yeah. And I'm excited about
[00:29:13] it because probably by not doing what everyone has done is how we're going to find the answer, right? But yeah, I mean, this is the first time that in the identity world, we choose devices as part of the critical infrastructure to deliver identity. And I think that's fascinating. And of course, it will bring new challenges and new risks, right? Wallets will become a high-value target for all of those not that want to steal your information
[00:29:42] or want to take your identity or whatever, right? But I think that protecting wallets, in fact, we have technology to do that at Ditto, even European identity wallets will be easier than containing this problem of everyone asking for data and treating it differently because this is how I treat it or whatever. And then I already said it, but I think the biggest risk is getting recovery right
[00:30:12] because once you've messed up with a user, it will be tough for him to believe in the system again. And then if he takes six months recovering his identity, we've lost purpose of what we did originally. So recovery is, I think, is going to be a very important part. So for Ditto, or at least how I see it, is how do we balance the user controlling identity, the
[00:30:41] strong security that has to be behind it, and then the global standards that make it interoperable. I think those are the main risks we should be very aware about and then just focus on them. They're very solvable. So this is not a technology problem. And people sort of feel uncomfortable when I say, at this point, I don't think in identity technology is the problem. I think the
[00:31:10] model is the problem. And we're not being successful at tackling the problem itself because we have chosen to follow the same model for 10 or 15 years. And as you know, I think that legacy model is inherently broken. So, you know, whatever happens from here till we get it right, it only gets worse. You know, you can throw millions and millions of dollars at cryptography at
[00:31:40] this point. If you don't change the model, I don't think it'll have a lasting effect at all. Wow, I think that's a powerful moment to end on. So for anyone listening that are inspired by your passion for this topic, wanting to learn more about Ditto, connect with you or your team, where would you like me to point everyone before I let you go? So you, I mean, for everyone that wants to know more about us, you should go to our web page which is ditto.id. You can find me, Gonzalo, Alonso, CEO Ditto at
[00:32:09] LinkedIn and we have a Ditto page at LinkedIn and yeah, we're always glad to listen to you outside, get opinions, feedback, even a debate going. I think this is when we try to get better at identity by understanding not just the technological things that make it so powerful, but also the model itself that has to travel with the modern digital sheets. Wow, well
[00:32:39] I will have links to everything. I'd urge everyone listening to go check out, learn more about what you're doing and this mission that you're on here of building the next phase of digital identity with cryptographic principles, but take the tech away for a moment, it's consumer privacy at the very core and I think that's something we can all celebrate, I think. So a big thank you for sharing your story today, really appreciate you. Thank you, Neil, it's been great and thank you to all your audience for listening to us. There was a line that
[00:33:08] Gonzalo shared in this conversation that particularly resonated with me and that is we're moving from trusting systems to trusting proof. And when you sit with that for a moment it changes how you look at everything from logging into your bank to proving who you are online to how businesses build relationships with their customers. And it's this shift that feels subtle on the surface but underneath it rewrites the rules completely. So for consumers there's real promise here, more control,
[00:33:38] more privacy and potentially a world where you decide what to share and when. And for businesses I think there's a tougher conversation. Letting go of control over identity actually means rethinking long-standing models and for some that might feel like losing one of their most valuable assets. And then there's the reality that every new model brings new risks. Devices become critical infrastructure, wallets become high-value targets and recovery becomes
[00:34:08] just as important as security itself. And if we look at what happened with cookies on websites it's not actually protected us. It just means you have to click about three or four times just to scroll down a website. So this isn't just a simple story of progress. I think it's a story of trade-offs, opportunity and a fundamental rethink of how trust works in the digital world. But I'd love to hear your take on this. Are we ready to take
[00:34:36] back control of our digital identities? Or have we just become too comfortable letting somebody else manage it for us? As always, techtalksnetwork.com pop over there, let me know your thoughts, have a little visit of the site and click on some of the links in the show notes and let me know your thoughts. But that is it for today. So thank you for listening as always and I'll speak to you again very soon. Bye for now.

