Some on the next 10-ish years in identity management.
[This was originally written in December 2019: pre-pandemic, pre-US presidential election, pre-George Floyd. Truly, it was written in the “Before Times.” I thought about updating this before posting but that felt wrong – somehow dishonest. So here is the lightly touched up text of my talk which was given first in Tokyo at the OpenID Foundation Summit and then again as part of the all-virtual Identiverse. If you want to skip the text and go straight to the video, you can!
My deepest thanks go to Naohiro Fujie and Nat Sakimura for prompting me to write this, Andi Hindle for his feedback. – IG 11/24/2020]
It is my honor to present to you today. Today, it is my privilege to talk to you about my vision of the future of digital identity. When Naohiro-san asked me to speak on this topic, I was both honored and panicked. In my daily role, I focus on a 12 to 18 month time frame. My primary task is to help my stakeholders and, yes I have a multi-year vision, but I primarily focus on how my team can execute in the next few months to help those stakeholders. I don’t, as a matter of my daily routine, think about the future.
So I was a little panicked. I am not a futurist. I am no longer an industry analyst. I am just a practitioner trying to help where I can. How then should I talk about the next ten years of our industry?
I can name 4 ways to think about the future and with your permission I will briefly try all 4.
Looking at the Past to See the Future
One way to talk about the future is to look back at past predictions and see how they fared. I’ll choose 3 predictions:
[What follows are some thoughts on usernames and identifiers. This was an extremely fun talk to put together. Many thanks as always to everyone who helped improve this talk including Chuck Mortimore and George Fletcher. – IG Sept 3 2019. If you don’t feel like reading everything, you check me out giving this talk at Identiverse in June of 2019.]
What I want to talk about
Usernames. They are the most forgotten, the most overlooked thing in our industry. They are, as we would say in the US, the “Gen X” of identity management. They show up; they do their job; they don’t get any credit. In fact, they do not get the same attention that their big brother “Password” and their little sister “Password-less” get. Instead, usernames do their job without thanks or recognition. But failing to pay attention to usernames can have major negative impacts to both B2B and B2C scenarios.
Why this talk?
been incredibly wrong about many things when it comes to identity, I have
developed a habit: I like to re-examine my believes from time to time and make
sure they are still valid. I like to root out the assumptions and the implicit
principles, hold them up to the light, and see if they are correct.
needs have driven me to think more about usernames. The very large program I am
in the midst of at Salesforce has spurred this on as well.
most of all – usernames are incredibly important, especially given how much use
they get every day. And yet we don’t often talk about them.
5 Aspects of Usernames
are 5 aspects of usernames that I’d like to discuss. These aspects overlap and,
in the intersections, there are lessons to be learned.
A few months ago, I had the honor and pleasure to sit down with one of the most awesome people in Privacy, Michelle Dennedy, Chief Privacy Officer at Cisco, and record one of her Privacy Sigma Riders podcasts. We were in Austin. We were pumped to finally get together. We were heavily caffeinated. And we didn’t actually record anything… save for the last 25 secs of what was a 45 minute conversation. Fail… fail… fail!
So semi-undaunted, we tried again in November. This time we had professionals helping out… and we needed it. Good news is we actually got it recorded! Michelle and I wander about topics of ethics, empathy, how privacy and identity are related, and IDPro, the professional organization for identity management.
(Thanks to Kim Cameron for prompting me to write this down. Special thanks to Chuck Mortimore for his insight and probing questions and who helped me improve this.)
In the identity industry, there’s been a lot hype these days around self-sovereign identity. The latest permutation in the quest for user-centric identity, self-sovereign revisits the laudable goal of enabling people to be in better control of how information about them passes to enterprises and organizations (but now with added blockchain.) To be clear, increased individual control is an important goal and one that incredibly sharp people have been working on for 15+ years, going back to InfoCard and Higgins.
Before I discuss why self-sovereign has a real chance at widespread adoption, it’s important to understand why identity technologies and approaches get adopted in the first place. At least, three things are required:
People who will use the identity system
Organizations willing to consume identities from the system
Significant and relatively equivalent value for both groups
You need a lot of people to use an identity system for mainstream adoption. You get those people by providing enough value to them either in hard currency (e.g. you give them a cut of what their personal data is worth, extend discounts in lieu of currency, or free services) or in efficiencies (e.g. never fill out an account registration form ever again) or in security (e.g. your account will be harder to hack) or in privacy (e.g. your data will never be resold or your data is anonymized.)