Updates from our Content Chair
As I’m sure you’ve noticed, things have been busy on the identity front over the past few months. There are a few key themes emerging which I expect will continue to develop over the coming months, and which I’ll start to explore here. Given the volume of activity to choose from, though, there’s a good chance I’ll have missed your favorite hot topic… you’ll find a suggestion for what to do about that at the end of this article.
Optimizing the user experience is one of the key benefits of a well-architected, modern identity deployment. But a smooth user experience cannot—and must not—come at the expense of security. It’s too early to comment in depth on the recent and well-publicized Facebook breach, but it’s particularly concerning that single sign-on (SSO) from the Facebook platform to other Internet applications was potentially compromised. On balance, standards-based SSO is both a more secure and a more convenient experience. We’re finally starting to see significant, consumer-scale adoption of SSO. It’s crucial that we don’t undermine trust in such solutions, or we risk delaying the adoption curve for important new technologies, including stronger authentication, user-centric authorization, zero-knowledge protected attribute sharing, and (potentially) self-sovereign identity—to list a few.
Of course, many of these technologies are only new in terms of broad adoption. Their respective interest groups have been working on the underlying concepts and standards for years. Standards are the bedrock of our industry, and the standardization process is designed to ensure well-vetted and secure mechanisms that foster interoperability and innovation. Following the announcement of the FIDO 2 and Web Authentication specifications earlier in the year, it’s exciting to see both standards gain traction. For example, take a look at the support for both standards in the Microsoft platform. On the security front, the OpenID RISC and IETF SET specifications supporting the secure sharing of security- and identity-related events, and the Vectors of Trust specification, have all been approved. The important work on token binding, however, has taken a step back: not with the specification process itself, but in the adoption of the protocol in one of the key browser platforms. Brian Campbell, one of the specification authors, provides further insight here. Whether token binding could have helped in the Facebook case is a moot point. It’s clear that there are important security benefits to be gained from token binding. Hopefully, a way can be found to move forward.
Good governance supports the progress of technical security and identity standards, as well as the best practices for architecture, engineering and DevOps. And at least in part, these are, in turn, informed by evolving privacy regulations. The impacts of GDPR are now being felt in very real terms by corporations around the world, and they’re driving developments in areas like consent technology. Policymakers haven’t been idle, either—think about the recent California Consumer Privacy Act. But not every region has the same approach to individual privacy. In China, for instance, there is increasing interest in the use of machine learning behavior recognition tools for pre-emptive crime detection. Plus, companies operating on a global basis need identity architectures and processes that will support divergent regulations.
These developments all have implications for the identity industry. The impacts of regulations with increasing global reach are felt even by small companies and nonprofits—organizations whose scale of operation often precludes hiring a dedicated IT resource, let alone an identity, privacy or security expert. Business tooling with identity, security and privacy built in from the design stage will make it easier for organizations to avoid costly mistakes.
The growth of this landscape of standards and technologies can sometimes feel overwhelming and constraining, especially on a day-to-day basis when projects have to be delivered on budget and to tight deadlines. Take a step back, however, and I believe we are at a point of tremendous opportunity. Strong and well-adopted standards build trust and interoperability. Improved reference architectures harness disparate technologies to work better together. New and enhanced identity products and solutions help us meet project and business objectives.
Ultimately, this complexity enables the ethical use of identity data in support of improved experiences and innovative products and services, which at their best, make people’s daily lives safer, healthier, more productive and more enjoyable.
In late November, the Identiverse 2019 call for presentations will open. If you don’t already follow @identiverse on Twitter (join the conversation with #Identiverse), or track us on LinkedIn, make sure you do—that’s where the official call for presentations will be announced. The content committee and I are looking forward to seeing your proposals on these and the many other important topics emerging across the industry.