A while back we recorded some of the Burton Group analysts and consultants talking about a wide variety of topics. I thought I’d share them with you. So in lush mono and 2D, here’s me talking about:
I’ve been a bit quiet on Tuesdaynight lately… sorry – it has been a bit crazy around here lately.
At any rate, we are 7 days away from Burton Group Catalyst EU! In the 7+ years that I’ve been involved in one way, shape, or form with Burton Group, I’ve never been to a Catalyst EU – so I am very excited. For those of you joining us, you are in for a treat – John Seely Brown will be delivering the keynote for us. Besides Mr. Brown, the IdPS team has got some great content waiting for you:
- Bob will kick things off with a look to the future identity architecture
- I’ll be talking about the IdM market as a whole
- Lori and I will have a serious conversation with our dear friend – provisioning
Fun for the whole family…
For those of you not heading to Prague, follow the conversation on Twitter. We’ll be using #cat10 for the conference and the identity conversation will be on #idps.
See you there either in person or virtually…
This does bring the number of analyst firms focused on identity, privacy, and relationships down to a very small number. It will be interesting to watch how the market responds.
What is with Tuesdays in my life? 9/11 – a Tuesday. IBM buys Access360 on a Tuesday. Gartner buys Burton Group on a Tuesday. In keeping with this odd streak of Tuesdays, I think I’ll be at Toledo Lounge tonight – see you there?
A friend in the industry recently asked me for my thoughts on OpenID, InfoCards, and the US federal government’s work to consume non-government issued credentials. Letting the question rattle around in my head for a while, here’s what I’ve got so far.
My hope is that the overall ICAM initiative is successful – not because I have been eagerly waiting to interact with the federal government using some form of authenticated credential – but because we (citizens, enterprises and government) are at a pivotal moment in the history of the web. With the US government working with both the OpenID and InfoCard Foundations, there exists an opportunity to change how individuals interact with large organizations, both public and private. For the first time, individuals would be able to (even encouraged to) interact with a large organization (such as the US federal government) using an identity asserted, not by the large organization, but by the individual. In this case, the State is no longer the sole provider of identity. This breaks the monopoly that the State has had on credentials and is indicative of the future to come.
But there is a long road to walk before getting there. There are numerous concerns with these plans. Among these are notable security concerns, especially with OpenID, that the identity community is not blind to. These are not my primary concerns.
My primary concern is with the establishment of standard user behavior that could prolong existing problems. Today, after decades of enterprise training and a decade of consumer training, people naturally expect to see two text boxes on web sites. One is for their username and the one with the little stars is for their password. This behavior is ingrained. Changing this behavior is no small feat – just ask the OpenID and InfoCard groups. But it is a change that must occur to normalize people using something stronger than usernames and passwords to authenticate themselves.
My concern is that the behavior that is being established as a norm – the use of either an identity selector or some other user interface means – will become the username/password for the next generation. This isn’t a hypothetical problem; the writing is already on the wall. Currently, OpenID will only be accepted for low-value transactions with the government known as Level of Assurance 1 (LOA1). Activities like filing tax returns require a far greater assurance that the person is who they claim to be and thus require a Level of Assurance 3 identifier. And there is the problem. The way people use an LOA3 credential may be very different than how they do so with an LOA1 credential.
If we, as an industry, normalize user behavior that meets LOA1 needs but not LOA3, we are training in behavior that has to get untrained in the near future. What the government and its partners are on the path to doing is effecting real cultural change. This kind of change doesn’t happen often and is hard to do, and especially hard to undo.
I definitely want a future in which I can assert my own identity without validation from the State, but I am very willing to wait for that future to assure that the behavior the industry normalizes is one that will work for generations to come.
(Cross-posted from Burton Group’s Identity blog.)