Some on the next 10-ish years in identity management.
[This was originally written in December 2019: pre-pandemic, pre-US presidential election, pre-George Floyd. Truly, it was written in the “Before Times.” I thought about updating this before posting but that felt wrong – somehow dishonest. So here is the lightly touched up text of my talk which was given first in Tokyo at the OpenID Foundation Summit and then again as part of the all-virtual Identiverse. If you want to skip the text and go straight to the video, you can!
My deepest thanks go to Naohiro Fujie and Nat Sakimura for prompting me to write this, and to Andi Hindle for his feedback. – IG 11/24/2020]
It is my honor to present to you today, and my privilege to talk to you about my vision of the future of digital identity. When Naohiro-san asked me to speak on this topic, I was both honored and panicked. In my daily role, I focus on a 12 to 18 month time frame. My primary task is to help my stakeholders. Yes, I have a multi-year vision, but I primarily focus on how my team can execute in the next few months to help those stakeholders. I don’t, as a matter of my daily routine, think about the future.
So I was a little panicked. I am not a futurist. I am no longer an industry analyst. I am just a practitioner trying to help where I can. How then should I talk about the next ten years of our industry?
I can name 4 ways to think about the future, and with your permission I will briefly try all 4.
Looking at the Past to See the Future
One way to talk about the future is to look back at past predictions and see how they fared. I’ll choose 3 predictions:
- The Need for Password Vaulting
- SAML is Dead
- The Year of PKI (Again…Still)
The Need for Password Vaulting
In 2014, I said that by 2017 the need for password vaulting would be gone. Well, it’s 2020 and there are systems that simply refuse to participate in single sign-on schemes. My guess is that in the next 5 years the need for enterprise password vaulting (not including privileged account management) will be gone.
In non-enterprise settings, password managers are more prevalent than ever, at least browser-based ones. My guess is that WebAuthn will drive passwordless use cases and when combined with OS-based software tokens the need for passwords and password vaulting in our daily lives will dramatically decrease in the next 5 to 10 years. But more on that later.
SAML is Dead
Back in 2012, Craig Burton famously stated that SAML was dead. It’s 2020 and SAML remains dead. It is so dead that my company is involved with at least 70,000 different SAML federations. (May all of our endeavors be so successful upon their demise.)
The Year of PKI
Since 1977 it has been the year of PKI. It is now the year of PKI. It will continue to be the year of PKI until it becomes impossible to safely distribute keys. (But I’ll get to that in a bit.)
While looking at past predictions is one way to talk about the future it is not completely sufficient.
Another way to think about the future is to imagine a continuous one… one in which today’s technologies and techniques progress in a linear fashion towards the future. Promising things that are growing today continue to grow into the future. There are four items I’d like to discuss briefly:
- OIDC and SCIM Will Be the New Normal
- SAML Will Still Be Dead
- Passwords Will Also Be Dead
- WebAuthn Will be an Alternative to Social Sign-On
OIDC and SCIM Will Be the New Normal
The next decade of IAM, especially workforce-centric IAM, will be based on OpenID Connect and SCIM. This implies that OAuth and JOSE will continue in their role as critical supporting standards. This is not to say that other protocols, such as SAML or Kerberos, will not be important, but OIDC and SCIM will be the assumed pieces of our infrastructures.
SAML Will Still Be Dead
The reason SAML is “dead” is that it works and it is a legacy technology. It is mature. It is popular. And that will not change in the next 5 years. Now, I do not expect a resurgence of SAML federations, but I also do not expect rapid migration from SAML to OIDC (unless prompted by a shift in platform or provider). Consider that it took years to stamp out WS-Federation; SAML will take a similar path. In 10 years’ time, the SAML zombie herd will be quite thin but still shuffling onwards and very much considered a legacy protocol.
Passwords Will Also Be Dead
Good news! The password is dead! And I mean this in both senses: passwords work and passwords are legacy. In the next 5 years, consistent best practices will roll through our enterprises: long passwords, infrequent changes, and strengthening with a second factor (the direction NIST SP 800-63B already points).
At the same time, we can see how the use of passwords will decline significantly over the next 10 years. The enterprise already shows this to be the case: federation is the primary means of resource access. We are not far off from having 1 password per enterprise user. What about in the consumer space?
WebAuthn Will be an Alternative to Social Sign-On
As a consumer, how do I get the best experience getting into sites and apps? One approach is to use a password manager. But in 2016 only 3% of internet users used a password manager app and only 2% used a browser-based one, according to the Pew Research Center. While those numbers have undoubtedly grown, I cannot imagine they have cracked double digits.
Another approach is to use social sign-on to get into sites and apps. I believe people use social sign-on to avoid the twin hassles of creating an account and managing a password.
But I believe that by 2030 there will be parity between WebAuthn and social sign-on. This is predicated on active clients ruling our mobile worlds and the use of desktops continuing to decline. Concerns over personal privacy, combined with the ease of use that comes when the mobile OS, as the dominant active client, “magically” signs one in, will bring a meaningful alternative to social sign-on.
WebAuthn is the standard that makes this happen at the wire level. Ubiquitous browser support is a key enabling step which is well underway. Connecting OS-level biometric recognition to services via enabled browsers is the obvious next step: the phone’s built-in (platform) authenticator holds the key, and the OS’s face or fingerprint check is what lets the authenticator assert “user verified” to the service, which is the difference between a second factor and a true replacement for the password. Those two things will deliver a “magical” mobile sign-in experience in which I just look at my phone and I am in the app. We should expect to see this play out over the next 3 to 5 years, with mainstream adoption in 5 to 10.
These items will help us, in different ways, to improve the state of account management. But we cannot only think about digital identity by itself; we have to think about the technological landscape that surrounds our industry.
The Adjacent World
If we are going to talk about the future of identity we cannot do so without looking at adjacent technology and trends:
- Active Clients Will be Mainstream
- Quantum Computing and PKI
- Balkanization of the Internet
Active Clients Will be Mainstream
The next 10 years will be dominated by digital things acting on our behalf: active clients. Our password managers, personal digital assistants, and digital wallets will take a far greater role in finding, delivering, and interacting with online services.
In the next 5 years, the mobile OS and its features will be the primary active client for the vast majority of the online world. Using alternatives to the mobile OS’s own wallets, password managers, and strong authentication clients will be possible but will struggle to gain widespread adoption. That might change in 10 years with regulatory action or significant market externalities, but it is unlikely.
Similarly, when it comes to digital assistants, as my colleague Peter Schwartz, futurist, said to me, “If you aren’t Alexa, Siri, or Google Assistant you have no chance. Everything will be brokered through one of those three.” Your digital assistant service will be brokered through one of those 3 or possibly a mega-platform such as WeChat.
All of this has implications for the death of passwords. If the mobile OS vendor doesn’t want to support WebAuthn, DID Auth, or the next great thing we can dream up, it is going to be extremely difficult to gain meaningful adoption by people, and thus service providers will be unlikely to adopt as well.
Quantum Computing and PKI
In the next ten years, we will see quantum computing affect cryptography. For the most part, our hashing and symmetric algorithms will be okay in a post-quantum world: Grover’s algorithm only buys a quadratic speed-up, which larger key and digest sizes absorb. It is our public-key algorithms that fall. Shor’s algorithm breaks RSA, Diffie-Hellman and elliptic-curve keys, which means not just our key exchange mechanisms but also the signatures that PKI rests on. As my colleague Taher Elgamal, noted mathematician and father of SSL, told me, “We need to get moving.” We have 5 years to adopt new key exchange mechanisms assuming we get a new method by 2025… which we may not. And traffic protected by today’s key exchange can be recorded now and decrypted once a large enough quantum computer exists, so the clock is already running. A failure to act will undermine cryptographic trust. And that has profound implications not just for our industry but for all industries.
Balkanization of the Internet
In the next 10 years we will see the internet split into at least 2 separate internets. There will be an internet for China (and possibly a separate one for Russia) and one for the rest of the world. Even if these internets are not physically separated, national policy, censorship, and enterprise risk management will drive logically separated ones.
What this likely means for identity professionals is that within these separate Internets, separate identity schemes will arise. If today identity is the perimeter of the enterprise, in 10 years identity will be the perimeter of these Balkanized Internets. We can see the beginnings of this with WeChat, and given nationalism on the rise around the world, one can easily imagine non-interoperable identity perimeters to our online worlds. And this is an outcome we must fight.
Predicting where currently successful things will continue to be successful is often the role of an industry analyst – a role I used to hold. But I think there is a more challenging and exciting way to think about the future, one that isn’t based on likely successful and, frankly, reasonably obvious things.
The Discontinuous Future
A third way to think about the future is to imagine one that is not a smooth path forward but one that abruptly shifts and radically changes. This discontinuous future is hidden by our biases, our investment in our current projects and approaches, and our natural tendency to rely on the familiar to navigate the dimly lit room that is the future.
I believe that the discontinuous future is focused, not on account management, but actual identity management. So what if we choose, just for the next few minutes, to imagine this hidden, discontinuous future? What would we see there?
I believe we will see 3 actions and 1 actor in this discontinuous future:
- Introduction
- Recognition
- Counselors
- Data Handling
Introduction
The act of introducing someone is the act of creating a relationship.
One can imagine digital assistants managing our introductions. In this case, one service says to another, “This is an entity which I know about and with whom you should have a relationship.” In some regards you can think of this as social sign-on++.
Recognition
The act of recognition acknowledges the parties in a relationship and demonstrates the existence of that relationship to some other entity or service. For example, I am a member of IDPro, or I am an employee of Salesforce, or I am a citizen of Japan. I think the act of acknowledging a relationship will supersede our current forms of consent. The relationship defines “normal” acceptable behavior between the parties. So long as actions are within the regular boundaries of the relationship, the person doesn’t need to provide additional consent. The parties’ behavior within the context of the relationship would be monitored by active clients.
Counselors
Counselors are new actors in this discontinuous future. They are entities who can:
- Act on your behalf
- Vouch for you and your relationships
- Create and sever relationships on your behalf
- Counsel you on your behavior
Counselors can provide the data needed to form a relationship. They can step in before you share data with a service that could be considered risky. Imagine something stepping in before you hand over your form of payment and email address and suggesting you use anonymous ones instead. Imagine that service can even generate that anonymous form of payment and a pseudonymous email for you. That is the future role of a counselor.
For some, a counselor could be a government-supplied service; for others, a private-sector one. These counselors are true value-add active clients.
Data Handling
How we handle data will change in the discontinuous future. I believe that pseudonymization and differential privacy will have to be applied at the time of introduction. We will finally have an infrastructure that supports the idea that data gathered at the time of use is superior to previously stored-away data. Provenance and relationship metadata will be applied all the time, even to insights derived from shared information. Finally, common privacy-preserving processing fabrics will arise to enable industry sectors to derive industry-specific insights and industry-shared risks; think of this as an industry-specific shared signals and attribute exchange.
I believe focusing on these actors and actions will enable us to move toward true digital identity management.
The Fourth Way
There is a fourth way to think about the future: They say that the way to predict the future is to create it. This might seem daunting. Not everyone can create a new protocol, not everyone can write a specification, not everyone can build something that has never been seen before.
But, each of us, in our own way, can create the future. We create the future by hiring without bias to form diverse work environments. We create the future by respectfully using data shared with us. We create the future by ensuring that our systems run in an environmentally sustainable manner. We create the future by ensuring the algorithms we use are ethical and without bias. We create the future by providing something wonderful for all of our stakeholders. And in these ways, we create a future far more meaningful than any talk about the future can describe.