By Vittorio Bertocci
After having attended in person one Identiverse, two EICs, one AuthenticateCon, one IETF, one OSW and one IIW, I thought I had definitely left behind the woes of the Lockdown Winter that forced our favorite events to take place in the netherspace that is Zoom or proprietary eponym equivalents. Boy, was I wrong. None of those events prepared me for a conference that takes over entire blocks, where the expo alone is large enough (700+ exhibitors!) to have its own weather system, if not its own zip code. Above all, I wasn’t prepared for an event where you no longer have direct line of sight with your tribe, and the majority of the badge-clad people are perfect strangers.
The very distrustful conference site (it asked for my username/password every couple of hours; is this what continuous authentication means?) offered a staggering 612 sessions. One first-time attendee asked me – “how do you choose what to attend at RSA?” My answer: use the search feature to tease out what’s relevant to your interests. That is also what I have done: as a result, expect this report to be a very partial & personal account of the event. If you want to broaden your perspective, you can chat to other IDPros who were there; you’ll find them on #RSAConference in our IDPro Slack.
Content highlights
Despite all the rhetoric about identity being the new perimeter and other platitudes, and some shoutouts to OIDC and FIDO from the keynote, RSAC 2022 had very little content on our favorite topic. The Identity track had 44 sessions, 13 of them being vendor-sponsored and 7 being duplicates (overflow rooms).
While zero trust was still one of the dominating buzzwords, I was surprised to see that a search for “blockchain” only returned 5 sessions, “web3” exactly zero, and “decentralized” only one track session, from IDPro’s very own George Fletcher.
George’s session, “Managing De-Centralized Identities: A Relying Party Perspective”, was one of the highlights of the conference for me. The first time I saw George present on this topic was at an IIW in 2019. In a nutshell, the session takes tools and principles of Self-Sovereign Identity (SSI)/decentralized identity and tries to apply them when developing a realistic relying party. In so doing, he uncovers discrepancies, opportunities and impedance mismatches that are both a powerful tool to understand SSI’s value proposition and an honest litmus test to assess the maturity level of those new technologies. TL;DR: things did improve since that first 2019 session, but much still needs to be figured out for those technologies to be viable in real-world use.
After the session, a bunch of IDPros and identirati congregated right outside, engaging in an incredibly satisfying 30-minute-long discussion on VCs, passkeys and their potential impact on society. Those 30 minutes alone were worth the trip, what a JOY to be among one’s people!
Passkeys were the centerpiece of the other awesome event-in-the-event I had the chance to attend, the half-day FIDO Alliance seminar on – surprise surprise – passwordless and passkeys in particular. The Apple WWDC announcements about passkeys created a huge interest around the topic, and the seminar was the perfect opportunity to demystify the technology and get a glimpse of the enormous potential it has to finally deliver a substantial blow to passwords in consumer authentication. Our very own IDPro member Tim Cappalli delivered key parts of the event, from the very first live cross device/vendor passkey demo to a very lively panel.
Remaining in IDPro territory, mighty board member and acclaimed book author Jon Lehtinen presented a session on “Demystifying the Identity Capabilities of AWS for Enterprise Practitioners” – no one will be surprised to learn that it was well received.
Just because it’s RSA, and the RSA experience needs some “pure security” to be complete, I decided to attend “Bypassing Windows Hello for Business and Pleasure” – and I wasn’t disappointed. The lengths to which the researcher had to go in order to defeat Windows Hello were substantial, and he presented his journey with flair and competence. If you have access to the on-demand content, I would recommend this session.
In Summary
Is RSA still worth the very hefty admission price? From the content perspective, I am honestly not sure. I got lucky with George and passkeys, but the dearth of identity content is concerning, though I suspect part of the fault falls on ourselves – I personally had some submission fatigue and didn’t propose anything. Perhaps we should resolve to submit in bigger numbers and see whether we move the needle. From the experience perspective… I’d say it’s a resounding YES. True, we identirati have other opportunities to see each other, but with its sheer size, parties (rrrisky) and general vibe, RSA remains an important milestone in the conference calendar, and I am glad it’s back!
About the Author
Vittorio Bertocci is a Principal Architect for Auth0|OKTA. A veteran of the identity industry, in his 20-year career Vittorio helped create, shape and steer key identity products, technologies, and practices. Vittorio is currently serving on the OpenID Foundation board of directors, and is the host of the Identity, Unlocked podcast. An active member of the identity community, Vittorio is a well-known speaker, educator, and published author.