During the third week of May Identerati from all over the world converged upon Munich for the 13th KuppingerCole European Identity & Cloud Conference. IDPro membership was well-represented, and not just among attendees; sessions, panels, and keynotes were delivered by (deep breath) David Brossard, Bertrand Carlier, Pamela Dingle, George Fletcher, Allan Foster, Gerry Gebel, Steve Giovannetti, Ian Glazer, Andi Hindle, Andrew Hughes, Steve Hutchinson, Mike Jones, Nishant Kaushik, Mike Kiser, André Koot, Martin Kuppinger, David Lee, Jon Lehtinen, Jean-François Lombardo, Eve Maler, Andrew Nash, Lance Peterman, Mike Schwartz, Fady Semaan, and Colin Wallis. With so many IDPro members in Germany, a meetup at Augustiner-Keller was just the thing to make sure everyone got their week started off right with plenty of beer, pork, and pretzels.
While participants adjusted to the time zone differences, all of Monday and Tuesday morning were occupied by meetings and workshops presented by standards and initiatives bodies, including the FIDO Alliance, the Kantara Initiative, the OpenID Foundation, and various blockchain-centric and self-sovereign identity efforts under the Blockchain ID Workshop. The FIDO Authentication Workshop reviewed the technical concepts behind FIDO authentication, implementation roadmaps from vendors, and dove into implementation case studies and lessons learned. The Kantara Initiative presented a demo of its Consent Receipt specification, as well as provided updates on its other programs like UMA2 and Identity Assurance. The OpenID Foundation Workshop gave updates on its current standards efforts (including MODRNA and FAPI), a report on the award-winning Self-Certification Program, and detailed view into OpenID Connect for Identity Assurance. The Blockchain ID Workshop was less a report on the status of any one organization’s initiative and more a coalition of decentralized identity players presenting on their use cases and implementation of blockchain-based identity, particularly within an enterprise context. Microsoft, Sovrin, Evernym, Consensys, and IBM presented.
The conference began in earnest Tuesday afternoon, and the keynotes clearly set the themes for the week: privacy/regulation, self-sovereign/blockchain identity, artificial intelligence/automation, and enterprise/customer identity best practices. Whereas many of the keynotes stuck well within the technical/regulatory lanes of identity and privacy, there was some surprisingly philosophical content among them as well. One which merits special mention in the view of the author is Dr. Emilio Mordini’s “Das Sterben der Pythia” – On Humans, Artificial Intelligence and Oracles (requires login) because identity (as generally practiced within IDPro) is necessarily married to technology, and as such finds itself susceptible to the same tendency to venerate technology as the final arbiter of the possible (and where something is not currently possible, it is assumed that advances in technology will make it so someday) at the hazard of ignoring the human elements and solutions of the problem and practice in the interim.
Throughout Wednesday and Thursday, there were tracks on Microservices, Identity Standards and Architectures, Enterprise Identity, Customer Identity, Privacy by Design, Machine Learning, and Blockchain Identity. Despite the wide track list (over 20 tracks), a few topics were visibly woven throughout a large portion of the content. First, that dynamic services and processes are taking over from fixed processes. Whereas organizations may have a fixed authentication and authorization service or policy, consensus from presenters was that this is no longer enough. Consider authentication. Distinct from “continuous authentication,” which assumes a constant, chatty channel over which to continuously authenticate a principal, a dynamic authentication service should consider the authentication context of a transaction, based on signals such as time of day, location, device information, etc., and decide to apply authentication only when the authentication context changes. This gets difficult very fast as one must decide what the “normal” context is, which is where these sessions would often leap into the machine learning/AI topics.
Second, identity verification and proofing are getting recognized as critical for the enterprise to adopt as a necessary component of a holistic information security strategy. The urgency behind the adoption of identity verification and proofing is similar to that of adoption of multifactor authentication a few years ago. Identity verification and proofing are processes by which a person validates their identity, often using external sources of assurance, like public records, credit bureau information, or government-issued documents, for certain business processes such as account recovery. For years there has been talk of addressing the data provenance question of identity; organizations tend to trust information because it came from within the organization. Identity proofing rectifies a type of provenance question when someone cannot verify themselves using recognized credentials.
Finally, decentralized identity continues its push for adoption, regardless of the barriers to enterprise or customer adoption. Microsoft had several representatives at the conference, and they presented a unified theme of users needing to be put in control of their own data, and self-sovereign identity being the tool that would enable this. Though there were some sticking points (e.g. one keynote suggested consumers could become their own Data Controllers, a role which has a very specific definition under GDPR), they demonstrated their commitment by announcing the launch of the Identity Overlay Network, or ION. Elsewhere, demonstrations and case studies on the practical implications of using decentralized identifiers could be seen. There was no shortage of passion and effort behind decentralized identity, though the author still has not seen a good answer on getting past the usability hurdles of wallet management in a world where grandpa still operates a feature phone.
For those who could not attend EIC this year, the good news is that many of these same topics will undoubtedly emerge again at this year’s Identiverse conference in Washington D.C. Visit the Agenda page to see which speakers and sessions will be diving into and expanding upon these themes at Identiverse.
Jon Lehtinen
IDPro Editorial & Body of Knowledge Committees Members
