The Internet Identity Workshop (IIW) brings together industry experts, thought leaders, and standards developers in an unconference-style setting, fostering deep and wide-ranging conversations about identity, with well over 100 sessions in three days. SailPoint engineers have long participated in IIW, with this year’s event being my first opportunity to attend and contribute.
Identity isn’t just a computer science problem – the question of “Who am I?”, and the methods and degrees to which one asserts, and trusts, the answers, are exceedingly complex. Many sessions tackled different angles of this topic, much as one might find in a university philosophy class. These deep-thinking discussions naturally turn to the practical challenges, and to technological solutions.
Government has long had a role in identity – issuing “official” identification documents for individuals, articles of incorporation for companies, and tying these identities to transactions such as tax payments and land ownership. Several sessions examined ways in which state actors are embracing new technologies to improve their efficiency and accuracy in performing these historical functions, while also avoiding accidental overuse. One example of overuse is the widespread use of a person’s driver’s license at restaurants to verify that the holder is old enough to be served alcohol, even though the issuing states never intended this identity use case. While the government requires the restaurant to confirm that a patron is over 21, the restaurant has no valid need to know the patron’s actual birthday. A system in which the government issues a claim “this holder is over age 21”, which the restaurant trusts, would eliminate the disclosure of the actual birthday, and with it the potential for that information to be misused.
Almost as important as oxygen these days is access to WiFi. One session covered the systems by which 60 million academic users have WiFi roaming access as they travel around the world to collaborate. The member institutions have federated their individual identity systems together in a way that allows a researcher from one university to get on the WiFi of another institution, seamlessly. Beyond WiFi and some commonly used shared applications, newer applications using OAuth2 and OIDC for authentication and applications providing API access do not yet work in this widely federated structure. It’s great to see these challenges recognized, and the work under way to tackle them, while keeping data privacy regulations and the decentralized nature of such federations in mind.
The Workshop provides face-to-face meeting space for people working on standards efforts such as those at the IETF and W3C. The OAuth2 and OpenID Connect (OIDC) family of standards was well represented, with topics ranging from incremental improvements to fundamental rethinking of the protocols. The OpenID Fast Federation (FastFed) Working Group held a session on simplifying the task of connecting a company’s identity system to a SaaS application to which it subscribes, an activity that grows more common as companies rapidly adopt SaaS services.
Self-Sovereign Identity (SSI) was a hot topic, with both the Sovrin Foundation and Civic projects presenting. These technologies enable a decentralized form of identity creation, attestation, verification, and consumption. The Sovrin team did a great job with their demo application, demonstrating the SSI concept end-to-end. Attendees were issued several Sovrin identities on the spot, with simple claims (your name, your company name, whether you wore glasses, whether you were a person or a dog), split among several demo identity providers. When prompted by the sample application, you could mix-and-match claims from the several identity providers to satisfy the request, without revealing the other, unnecessary claims. This is a key part of the end user retaining control over their “identity” – they control how they appear (their claims), provided they hold those claims in the first place. All of this is backed by the blockchain-based Sovrin network of trustees. One can easily see how this concept could be extended to more trusted identity providers for additional claims (think: the postal service for a home address, an employer verifying employment) and to more consuming applications, enabling B2C use cases globally.
One area that will need continued thought is how end applications know which claim providers to trust. What’s to prevent a fraudulent, or just sometimes fraudulent, provider from being in the network? Applications will still need to identify the providers they trust, and to prompt for additional “step-up” claims if the current set is deemed insufficient or the activity is more risky. In the end, it is the final consuming applications that must “trust, but verify” the information they’re given.
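The verifier-side logic sketched across the age-claim example, the mix-and-match demo and the "trust, but verify" point above, as an added illustration that is not part of the original post or of Sovrin's or Civic's code. Issuer names, keys and claims are constructed; HMAC stands in for the issuer signatures a real SSI network would verify against ledger-resolved public keys.

```python
import hmac
import hashlib
import json

# Constructed issuer keys: a stand-in for per-issuer signing keys. A real
# SSI network would verify public-key signatures resolved via the ledger.
ISSUER_KEYS = {
    "state-dmv": b"dmv-key-example",
    "employer-hr": b"hr-key-example",
    "fraud-corp": b"fraud-key-example",  # registered, but not one we trust
}


def _sign(issuer, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()


def issue_claim(issuer, subject, name, value):
    """Issuer asserts one predicate about a subject, e.g. over_21=True.
    Only the predicate is disclosed, never the underlying birthday."""
    payload = {"issuer": issuer, "subject": subject, "claim": name, "value": value}
    return {**payload, "sig": _sign(issuer, payload)}


def verify_presentation(claims, subject, required, trusted_issuers):
    """Consuming application: accept a claim only if its signature checks out
    and the issuer is one we trust for that claim type. Any required claims
    still missing are returned so the app can prompt for step-up."""
    accepted = {}
    for c in claims:
        if c.get("issuer") not in ISSUER_KEYS or c.get("subject") != subject:
            continue  # unknown issuer, or a claim about somebody else
        payload = {k: c[k] for k in ("issuer", "subject", "claim", "value")}
        if not hmac.compare_digest(_sign(c["issuer"], payload), c["sig"]):
            continue  # tampered or forged
        if c["issuer"] not in trusted_issuers.get(c["claim"], ()):
            continue  # validly signed, but not by an issuer we trust for this
        accepted[c["claim"]] = c["value"]
    missing = [r for r in required if accepted.get(r) is not True]
    return {"ok": not missing, "missing": missing, "accepted": accepted}
```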
Expanding the Ecosystem
IIW did a great job of giving time and space for dozens of small company and new project demos. I particularly enjoyed the “speed dating” hour, where attendees could move from table to table in 5-minute increments, learning of each of the projects, and making notes for further follow-up. I was also pleased with the diversity of backgrounds, interests, and both individual and corporate goals represented throughout the week. By welcoming input from all corners, the best ideas will resonate.