May 29
Andi Hindle | Content Chair, Identiverse

Identiverse Tweet Jam Recap at 386 Tweets/Hour

If you’re a fan of the annual Identiverse Tweet Jam, we probably saw you in the Twittersphere this past May 9. Once again the event didn’t disappoint: we posed provocative questions and a flood of tweets had our heads swimming with the hot topics that’ll fill the session halls at Identiverse this coming June. We also had a great turnout, with 45 participants and 386 tweets in one hour, which contributed to over 3.9 million brand impressions for the day, 45% more than last year!

If you missed the Tweet Jam, we’ve put together some of the highlights for each of the questions asked. Feel free to use #identiverse to jump in and add your own thoughts on Twitter.

Q1: Yes, World Password Day was last Thursday. No, passwords are NOT dead! *sigh* Discuss. #Identiverse (See some of the Q1 Answers)

It looks like passwords are going to be around for a while—if for no other reason, because getting users to change habits is hard! User experience is critical and may need more focus. However, replacements that are fundamentally better (more secure and easier to use) are coming, with new standards like WebAuthn and FIDO2 as well as developments in biometrics all helping to advance the cause.

  • @vibronet: #identiverse #A1 “the future is already here, just not uniformly distributed”. Availability of solid passwordless technology won’t make a significant dent in password usage until the barrier of entry for developers isn’t lower than passwords themselves
  • @NishantK: A1: Passwords won’t die, but they will reduce to a few key use cases, being replaced everywhere else by more user friendly MFA options. Provided we can get out of our own way 😀 #Identiverse
  • @pamelarosiedee: I suggest an immediate goal of “choice of first factor”. Until *this* question is omni-present in every RFP and a point of evaluation by every industry analyst, our desire for password extinction is only lip service. #A1 #Identiverse
  • @xmlgrrl: A1 cont. However, strong and adaptive authentication methods that reduce password reliance are becoming more common (hail WebAuthn!) and more well understood by users (“2-step verification”). #identiverse
  • @lpeterman: A1. Password won’t die anytime soon, we just have to accept that. Even with new standards like WebAuthN and FIDO2, too many companies have technical debt that will require passwords for the foreseeable future. Let’s keep marching toward that goal, however! #identiverse
  • @pingthebird: We have digital locks. Metal keys still prevail. Why would we assume that passwords will ever be extinct? There’s no analog equivalent that suggests this will happen… #identiverse

Q2: Zero Trust, Zero Knowledge…Zero Hype? How should we close the gap between theory and reality? (See some of the Q2 Answers)

There was general agreement that Zero Trust and Zero Knowledge models improve security, but better tooling, better education and more practical deployment experience are needed before we can really start to reap the benefits.

  • @xmlgrrl: A2 #ZeroTrust is an awesome security concept – and trust is still a key human concept. You can never fully squeeze *that* trust air bubble out from under the wallpaper. #identiverse
  • @andredurand: A2. You don’t change a security paradigm overnight. If #ZeroTrust is short-code for identity-based security, let’s get #authentication right, and then figure out what we can get rid of. #Identiverse
  • @gffletch: A2. We need better models as well… micro-service architectures get tricky with cascading authorization flows. #identiverse
  • @dlpresidente: A2: The same way we’ve always dealt with hype. Prove it! We have to deliver tangible results on the architectures we talk about. We build ref architectures, based on ootb vendor integrations, implemented by service providers that lead to customer case studies. #identiverse
  • @identityhutch: A2. We’re already in a world where we cannot use network as an attribute to elevate trust. Closing the gap requires cybersecurity teams to make their services easily consumable at the application level by developers. #Identiverse
  • @bertrandcarlier: A2. We should definitely not focus only on the shiny new hyper hyped toys but be able to reconcile with existing/legacy apps #identiverse

Q3: How do we get application developers to care about identity? (See some of the Q3 Answers)

This one caused some contention! Some folks clearly felt that developers do care about identity but lack the tools to do it well (although this is changing). Others felt that more attention should go to solutions that take identity handling off the developer’s plate entirely. Perhaps the biggest problem is a lack of education: application design patterns need to be updated to cover modern identity architectures.

  • @identityhutch: A3. Should be: “How do we get identity professionals to care about developers?” The biggest impediments I’ve seen are identity teams failing to understand developer needs and building their solutions with loosely-coupled integration in mind. #Identiverse
  • @vibronet: #identiverse A3- by ACTUALLY solving THEIR PROBLEMS in a language THEY understand, rather than snowing them with low level protocol details
  • @zachcollier: A3. As developers, our primary concern is serving our customers: the people who use our apps. To offer impactful features to our customers, while remaining focused on keeping their personal information secure, we need an excellent platform for identity services. #identiverse
  • @lpeterman: A3. Make it ridiculously easy for them to consume your products. Be able to confidently tell them, don’t worry about AuthN, here’s your library or microservice to call. Don’t worry about identity UX, here’s the platform that will do it for you. #identiverse
  • @gffletch: A3. We also need more nuanced identity models where it’s not “one size fits all”. Progressive identity, progressive authN, etc. #Identiverse
  • @bobbrandt: A3. A big impediment has been automating key&token mgt end2end for N-tier application flows (i.e. where the user resides in Tier 1, and initiates the downstream API call process tier2tier).  Robust automated AAA at each tier is what developers&enterprises expect. #identiverse
  • @pingthebird: A3. When a cop walks the beat, we don’t ask the citizen to be hyper-vigilant about security. Developers solve business problems – give tools for them to code with security in mind – if they choose not to use the tools, then you have a different problem to address. #identiverse
  • @jgklein23: A3: Applications without actual authenticated users are meaningless. Sadly it usually takes something catastrophic for most people to care about security. #Identiverse

Q4: Is there a viable replacement for knowledge-based authentication (KBA)? (See some of the Q4 Answers)

The discussion veered a little into KBV (knowledge-based verification) as well, but the general feeling was that, much as with replacing passwords, biometrics and ML (for pattern recognition) will be important. Whether the available solutions are really deployable at scale yet is unclear, though.

  • @identityhutch: A4. Absolutely. Context-based authentication. I don’t care what a user can tell me he knows (stole). I care about what attributes and patterns I can gather about the user without him telling me a thing. #Identiverse
  • @andredurand: A4. I’ve often felt that security based upon shared secrets was always a house of cards. If it can be known, it will eventually be known. I think #biometrics and #FIDO are an eventual game-changer. #identiverse
  • @robdylan: A4 KBA cannot be taken seriously in the Facebook era, with people duped into giving up those answers to strangers on a daily basis. #identiverse
  • @lpeterman: A4 I like KBA methods where “I” control the question and the answer. But if I can’t control the question, at least let me control the answer. I could write a book on my KBA answers at 2am. Some are even funny (at least to me). #identiverse Stored in vault, of course.
  • @xmlgrrl: A4 cont. Contextual/dynamic KBA can solve some problems for some services, but not the granddaddy problem of real-world proofing / verification / matching. #identiverse
  • @vibronet: #identiverse A4 – this is similar to passwords. KBA is a blunt instrument, but if you cannot make assumptions about the devices in your user’s hands, their level of digital literacy etc, what are you going to use? This needs to be available at the network layer.

Q5: Can we have the benefits of facial recognition technology without the risks of malicious surveillance? (See some of the Q5 answers)

The basic answer here seems to be ‘no’—Pandora’s Box is open! We need to be vigilant with regulation and ensure that privacy-by-design is implemented and enforced wherever possible.

  • @pingthebird: A5 – “Mr. Consumer, if I make it easier for you to check out and give you a 25% discount, can I keep your face image forever?” – “25%, heck yeah”… “Citizen, can I use your pic to confirm you at the border?”…. “Whooooaaaa, now hold up there big brother…” #identiverse
  • @sphcow: A5. I wish, but I don’t see it happening. Convenience trumps security Every. Single. Time. Until that convenience has a prominent failure mode. #identiverse
  • @johnfontana: A5. Local match. Not storage. #identiverse
  • @jonlehtinen: A5 2: I have always liked biometrics/facial recognition as used by Apple – as pattern checked in the secure enclave that only provides a “did the biometric check succeed y/n?” response to the apps that call for it. #identiverse
  • @stevelockstep: A5: No, we just constrain it, so it’s moderate, proportionate and transparent. One of the worst abuses is repurposing faces collected for one reason (usually just fun) for another (like training algorithms). #identiverse
  • @robdylan: A5: The Pandora’s Box of facial recognition was opened a long time ago already. It’s already ubiquitous – may as well try to get some good out of it. #identiverse

Q6: API breaches keep making headlines. What are your recommendations to protect APIs against today’s threats and to keep businesses out of the news? (See some of the Q6 answers)

There’s an obvious need to bring the existing ‘legacy’ API estate onto modern protection such as OAuth 2.0 bearer tokens (with the token’s issuer, audience, expiry and scopes actually validated, not just its presence). Beyond that, and particularly given the sheer scale of API surface that needs to be protected, visibility into API usage and intelligent automation will be crucial.

  • @xmlgrrl: A6 Too many APIs aren’t even secured with the basics. Honestly, how many connected car API hacks have we seen where it’s left completely open? We have an API security standards stack, people, use it! #IoT #identiverse
  • @gffletch: A6. Fundamentally, we need to protect APIs the way we protect authentication. History, context, ML are all important factors. I think of this as “continuous authorization”. #Identiverse
  • @andredurand: A6 – 1/2. I think all improvement begins w/ visibility. We can’t protect what we can’t see. Let’s monitor the usage of our APIs & from there I think it becomes obvious what we need to do to better protect them. #Identiverse
  • @matthewkcarter: A6: Utilize PKI for authentication for APIs – machines handle keys better than humans do. #Identiverse Oh, and don’t make the same mistake with scopes as we did with RBAC for application authorization.
  • @vibronet: Validate. The. Issuer!!!! 🙂 More seriously, due diligence in securing resources, either at the app or hosting layer. A6 #Identiverse
  • @stephen_g_cox: A6: In the grand scheme, treat it like any other touchpoint to your organization. Put adequate authentication in front of it, have automated tests to make sure it’s not broken when it gets upgraded, understand and monitor behavior and look for anomalous activity. #Identiverse
  • @robdylan: A6. Defence in depth. Go beyond oauth token/scope as the only control governing data access via API #Identiverse
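The checks a resource server should run on an OAuth access token before it touches data, as an added example that is not code from the original post or from any participant: validate the signature, the issuer (the point several replies above make), the audience, expiry and the required scope, and then still apply an object-level ownership check so the scope is not the only control on data access. Everything here is constructed for the demo, and the issuer URL, audience, signing key, order store and function names are assumptions. It uses a symmetric HS256 key so it runs offline; a real issuer would sign with an asymmetric key published via JWKS, selected by the token’s issuer, and the same claim checks would apply unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration for the example (assumed values, not from the page).
TRUSTED_ISSUER = "https://issuer.example"
API_AUDIENCE = "https://api.example/orders"
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact HS256 JWT. Test/issuer-side helper only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised with a short reason whenever a request must be refused."""


def validate_token(token: str, required_scope: str, now=None) -> dict:
    """Resource-server side: signature, issuer, audience, expiry, scope, in that order."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # The verifier, not the token, decides the algorithm; this also rejects alg=none.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # Issuer: a validly signed token from the wrong authority is still not ours.
    if claims.get("iss") != TRUSTED_ISSUER:
        raise TokenError("untrusted issuer")
    # Audience: a token minted for another API must not be replayed against this one.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud_list:
        raise TokenError("token not intended for this API")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    scopes = str(claims.get("scope", "")).split()
    if required_scope not in scopes:
        raise TokenError("insufficient scope")
    return claims


# Constructed sample data store: order id -> owner and total (assumed).
ORDERS = {
    "o-1": {"owner": "alice", "total": 42},
    "o-2": {"owner": "bob", "total": 7},
}


def get_order(token: str, order_id: str, now=None) -> dict:
    """Scope says the caller may read orders; ownership says which ones. Both must pass."""
    claims = validate_token(token, "orders:read", now)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims.get("sub"):
        raise TokenError("forbidden")  # object-level authorization beyond scope
    return order


def authorize(token: str, order_id: str, now=None):
    """Wrap get_order into a decision: ("ok", order) or ("denied", reason)."""
    try:
        return ("ok", get_order(token, order_id, now))
    except TokenError as exc:
        return ("denied", str(exc))
```

The ordering in `validate_token` is deliberate: the signature is checked before any claim is trusted, the algorithm is pinned by the verifier rather than read from the token, and the ownership check in `get_order` is the “defence in depth” step that a token with a perfectly valid `orders:read` scope still has to pass.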

Q7: With all of that in mind, what can the industry do to better develop the professional skills of its members? (See some of the Q7 answers)

Emerging professional bodies such as IDPro and WID got a shout-out here, and a recognition that, in addition to networking and sharing best practices, better learning material is needed. Efforts to compile a body of knowledge are a good first step.

  • @bertrandcarlier: A7. Body. Of. Knowledge. and not only the small specifics of standards and protocols. But also high-level and still accurate overviews #Identiverse
  • @dlpresidente: A7: @idpro_org is off to a good start by first getting all the identity professionals together. Next step is we have to agree on some basic terms so we are all talking the same language. Next we have to start to share the knowledge trapped in our heads. #identiverse
  • @andredurand: A7. I’d love to see us put our efforts behind @idpro_org. We need to turn identity into a real and recognized profession and we need the community, tools and training to do so. #Identiverse
  • @idaccessgoddess: A7. Education and mentorship. Use @idpro_org and @IdentityMate to get educated! #Identiverse
  • @sphcow: A7: Now this is just a gimme. 🙂  Contribute to the IDPro Body of Knowledge so we can get our collective reality actually written down in a shareable fashion! #identiverse

Q8: ICYMI: Apple co-founder Steve Wozniak will close Identiverse 2019 by discussing the future of technology. What do you think the identity industry will look like by the time Identiverse celebrates its 20th anniversary? (See some of the Q8 answers)

Hard to draw any firm conclusions here, other than everyone is excited to hear Steve Wozniak speak. But they all seemed to acknowledge that identity will still be really important!

  • @nishantk: A8: We’ll be debating consent flows for sharing authentication context that our sub-cutaneous biometric implants have built over time with new services. And over at the bar, @Steve_Lockstep will be explaining why we should stop talking about attributes.  #Identiverse
  • @stephen_g_cox: A8: Authentication will be much more recognition based instead of direct input from the user. Things like behavioral biometrics, looking at the physical behavior of a user much more prevalent because they are harder to thwart and offer a better user experience. #Identiverse
  • @steve_lockstep: By then we will have generalized from identity to data. There will be no Identity Providers but multiple meshes of data providers, sources of truth, brokers, processors & infomediaries. We will have built public-private #infostructure to safeguard data supply chains. #Identiverse
  • @sphcow: A8. Pretty sure we’ll have entered into the Zombie Apocalypse given the way the world is going. So, perhaps we’ll have tossed visible biometrics (given the decay of material) in favor of DNA? #identiverse

Thanks again to our moderator, Elinor Mills, at the Bateman Group and to all the participants that jumped in on the conversation. We look forward to hearing more from you all at Identiverse 2019 in Washington, D.C. June 25-28. And don’t forget to register!
