This week at the Internet Identity Workshop @IIW

It was an interesting several days of discussions at the IIW this week in Mountain View. The event brought together individuals who have been passionate about driving user-centric identity for many years, as well as some of the newer players in the space who bring a more corporate perspective and are trying to balance a business model with user control.

At a high level, there was much continued discussion on the concept of personal data stores (PDSs), which would be completely controlled by the End User and fully portable. Two key challenges remain with this vision: 1) the major identity providers who have the critical mass of users and data, such as Facebook, Twitter, Yahoo, Google, PayPal, etc., are not (yet) interoperable and do not provide the End User a “copy” of their data, and 2) there is no obvious business model for PDSs that doesn’t include these providers.

At a more technical level, our team had the following key takeaways:

  • Google is continuing to do great UX research in the authentication space, and they are toying with the idea of using the identity selector concept coded directly into their login page to help users choose the identity they’d like to use to access Google properties.
  • OAuth + Standards: There remains LOTS of discussion and opinions about the OAuth 2.0 specification. Some companies (most notably Facebook) have implemented OAuth 2.0, while many people feel the OAuth 2.0 draft still needs work. Some discussions touched on using OAuth 2 together with SAML, and others on using OAuth 2 for native apps. But for all these standards, one person noted there’s always a tension between ease of implementation and security.
  • OpenID Connect and OpenID Artifact Binding (AB) may converge at some point, but not in the short term.
  • The goal is for JSON Tokens to support integrity checking; integrity checking and confidentiality; non-repudiation; non-repudiation and confidentiality; and authenticated public key encryption.

Adding links to other posts as they emerge:

By Kevin White