While participants adjusted to the time zone differences, all of Monday and Tuesday morning were occupied by meetings and workshops presented by standards and initiatives bodies, including the FIDO Alliance, the Kantara Initiative, the OpenID Foundation, and various blockchain-centric and self-sovereign identity efforts under the Blockchain ID Workshop. The FIDO Authentication Workshop reviewed the technical concepts behind FIDO authentication, implementation roadmaps from vendors, and dove into implementation case studies and lessons learned. The Kantara Initiative presented a demo of its Consent Receipt specification, as well as provided updates on its other programs like UMA2 and Identity Assurance. The OpenID Foundation Workshop gave updates on its current standards efforts (including MODRNA and FAPI), a report on the award-winning Self-Certification Program, and detailed view into OpenID Connect for Identity Assurance. The Blockchain ID Workshop was less a report on the status of any one organization’s initiative and more a coalition of decentralized identity players presenting on their use cases and implementation of blockchain-based identity, particularly within an enterprise context. Microsoft, Sovrin, Evernym, Consensys, and IBM presented.

The conference began in earnest Tuesday afternoon, and the keynotes clearly set the themes for the week: privacy/regulation, self-sovereign/blockchain identity, artificial intelligence/automation, and enterprise/customer identity best practices. Whereas many of the keynotes stuck well within the technical/regulatory lanes of identity and privacy, there was some surprisingly philosophical content among them as well. One which merits special mention in the view of the author is Dr. Emilio Mordini’s “Das Sterben der Pythia” – On Humans, Artificial Intelligence and Oracles (requires login) because identity (as generally practiced within IDPro) is necessarily married to technology, and as such finds itself susceptible to the same tendency to venerate technology as the final arbiter of the possible (and where something is not currently possible, it is assumed that advances in technology will make it so someday) at the hazard of ignoring the human elements and solutions of the problem and practice in the interim.

Throughout Wednesday and Thursday, there were tracks on Microservices, Identity Standards and Architectures, Enterprise Identity, Customer Identity, Privacy by Design, Machine Learning, and Blockchain Identity. Despite the wide track list (over 20 tracks), a few topics were visibly woven throughout a large portion of the content. First, that dynamic services and processes are taking over from fixed processes. Whereas organizations may have a fixed authentication and authorization service or policy, consensus from presenters was that this is no longer enough. Consider authentication. Distinct from “continuous authentication,” which assumes a constant, chatty channel over which to continuously authenticate a principal, a dynamic authentication service should consider the authentication context of a transaction, based on signals such as time of day, location, device information, etc., and decide to apply authentication only when the authentication context changes. This gets difficult very fast as one must decide what the “normal” context is, which is where these sessions would often leap into the machine learning/AI topics.

Second, identity verification and proofing are getting recognized as critical for the enterprise to adopt as a necessary component of a holistic information security strategy. The urgency behind the adoption of identity verification and proofing is similar to that of adoption of multifactor authentication a few years ago. Identity verification and proofing are processes by which a person validates their identity, often using external sources of assurance, like public records, credit bureau information, or government-issued documents, for certain business processes such as account recovery. For years there has been talk of addressing the data provenance question of identity; organizations tend to trust information because it came from within the organization. Identity proofing rectifies a type of provenance question when someone cannot verify themselves using recognized credentials.

Finally, decentralized identity continues its push for adoption, regardless of the barriers to enterprise or customer adoption. Microsoft had several representatives at the conference, and they presented a unified theme of users needing to be put in control of their own data, and self-sovereign identity being the tool that would enable this. Though there were some sticking points (e.g. one keynote suggested consumers could become their own Data Controllers, a role which has a very specific definition under GDPR), they demonstrated their commitment by announcing the launch of the Identity Overlay Network, or ION. Elsewhere, demonstrations and case studies on the practical implications of using decentralized identifiers could be seen. There was no shortage of passion and effort behind decentralized identity, though the author still has not seen a good answer on getting past the usability hurdles of wallet management in a world where grandpa still operates a feature phone.
For those who could not attend EIC this year, the good news is that many of these same topics will undoubtedly emerge again at this year’s Identiverse conference in Washington D.C. Visit the Agenda page to see which speakers and sessions will be diving into and expanding upon these themes at Identiverse.

Jon Lehtinen
IDPro Editorial & Body of Knowledge Committees Members

The post EIC 2019 and Identiverse Preview appeared first on IDPro.

This year I was fortunate enough to be able to attend my first ever European Identity & Cloud Conference (EIC). It’s an event that I have wanted to attend for a long time, jealously reading other attendees’ tweets, but I have had a difficult time justifying an overseas trip in a corporate environment where every budget dollar is an important asset. A judicious combination of a cheap airline route, an inexpensive little B&B in Dachau, and, most importantly, KuppingerCole’s generous offer to come speak about IDPro allowed the fulfillment of this desire.  

While I was expecting some differences to the RSA, CIS, and Gartner conferences I have attended in the States, the biggest contrast was in the format of the conference sessions themselves. Keynotes and the sessions (in five different tracks) typically ran from about 9am to 7 or 8pm. Almost all of those sessions, including the keynotes, were just 20 minutes in length, which meant it was possible to attend about 20-25 different sessions each day. It was definitely the mental equivalent of drinking from a firehose.

The plethora of sessions also meant, however, that almost every subject within the vast pantheon of the identity industry was being discussed at one time or another. While sessions on the impact of GDPR were prevalent, even they were outnumbered by sessions about Blockchain. Whether it was talks about Decentralized Identifiers, Self-Sovereign Identity, or even Canadian Blockchain, there were no less than 30 sessions around decentralized ledger technology, demonstrating that there are still very smart people having very serious discussions about this technology. Other popular topics were advances in identity standards, FIDO2, CIAM, PSD2, PAM, identity governance, and privacy.

There was also a collection of three sessions around IDPro. This group of Wednesday sessions was kicked off by an incredibly well-researched and informative session on developing identity talent within your organization by IDPro member, and Director at Deutsche Bank, Olaf Grewe. He’ll be reprising the talk in a couple of weeks at Identiverse (formerly known as Cloud Identity Summit): make sure you attend! I got to follow that with a talk titled “What Every ID Professional Should Know” covering one of my favorite topics: the benefits of the community of IDPro members. The track finished up with Olaf and I being joined by Microsoft’s Pam Dingle and Identiverse Content Chair Andi Hindle for a panel discussion about the future of the identity profession. It was a great experience and I was honored to be able to participate in it.

As with most conferences, the opportunities for personal interaction with other identity professionals were just as valuable as the sessions themselves. On most evenings there were numerous different groups forming for dinner, drinks, or even just group chats. It was a great occasion to catch up with old friends, but the European location provided a chance to meet a whole new audience and I was happy to form a number of new relationships that I hope to maintain for years to come. 

The EIC was extremely valuable to me and has definitely earned a spot on my annual conference attendance list. I cannot wait to return next year!

Steve Hutchinson
Board Member, IDPro.org

The post EIC Roundup appeared first on IDPro.