Decentralized Identity and the IdP

Today, at the European Identity and Cloud Conference #eic2023 in #berlin I had some interesting talks about #decentralizedidentity vs. #accessmanagement and traditional #idp approaches. Is it that DID (Decentralized Identity) #did is disruptive to today's IdPs (Identity Providers) and Access Management solutions?

I don't think so. In the whiteboard scribble (admittedly, this is simplified), there is Access Management at the center. Users can authenticate with a range of different methods such as traditional username/password, #passwordless authentication (frequently utilizing #fido2 standards) or #oauth2 / #oidc.

The Access Management servers then connect to the backend services, again commonly supporting a range of different methods, from HTTP header injection to #saml, etc.

FIDO2 is already changing a lot. #webauthn allows for direct interaction between FIDO2 authenticators / tokens and the backend services, with various libraries (Java and others) available for implementing WebAuthn support. While this allows bypassing Access Management solutions, it also allows for extending Access Management solutions to support WebAuthn and then connecting to backends.

DID also allows for direct user/endpoint to backend communication. On the other hand, it also allows for user/endpoint to Access Management communication, for all the targets that don't come with support for the emerging DID standards.

While several digital services will come with built-in support for FIDO2 / WebAuthn and/or DID, many don't support these standards (yet). Legacy solutions tend to be very resilient against change.

Thus, looking at the benefits of an interplay between DID and Access Management solutions instead of being in fear of disruption is the better choice. The obvious benefit is the support for backends not supporting the emerging standards.

But there is more. DID, the wallets, and the proofs or verified credentials in the wallets can leverage #adaptiveauthentication. They provide additional context information. The verified credential that proves the identity of someone based on information derived from an #eid card, the additional proofs issued by an employer, the proof from LinkedIn and all the other potential proofs are in fact additional attributes for the authentication policies the Access Management system can implement. They are additional context for making better decisions.

This is one of several areas where DID can integrate seamlessly with existing IAM solutions and improve them. DID adds to today's IAM. It allows for fundamentally new solutions, but it also helps in improving what we use today.

When discussing the disruptive potential of DID, we should differentiate between disruption for today's IAM infrastructures and disruption from a conceptual perspective. DIDs can bypass and replace some of our IAM, but they can also help improve and add value to today's IdPs and Access Management architectures. Little disruption here.

From a conceptual perspective, DID is very disruptive. It allows for new architectures (as in the graphic), new types of solutions (handing control over identities back to the user, etc.), new business processes (efficient onboarding in the age of Work from Anywhere) and new business models (Web 3 etc.).

It is well worth spending time to fully understand the potential of DIDs.

ian S.

Sales | Identity Security

1 yr

Adaptive Authentication is a great way to describe the way forward.

Guy Huntington

Trailblazing Human and Entity Identity & Learning Visionary - Created a new legal identity architecture for humans/ AI systems/bots and leveraged this to create a new learning architecture

1 yr

Martin, my take is quite different than yours. This will be a long reply, because there's lots to explain...

1. At the centre of the diagram should be legal identities for humans, AI systems and bots. Upon this must be built trusted identity services.
2. My first point is today's existing legal identity sucks. To see why, skim problems 1 and 2 in "Legal Identity Problem Statements" - https://www.dhirubhai.net/pulse/legal-identity-problem-statements-guy-huntington/ .
3. Before leaving human legal identity I strongly suggest readers skim "AI Leveraged Smart Digital Identities of Us" - https://www.dhirubhai.net/pulse/ai-leveraged-smart-digital-identities-us-guy-huntington/. This is already starting to happen. Yet, there is no legal identity architecture being able to register a digital legal identity against the underlying legal physical identity of a person, which works locally and globally.

I'll continue on in the next message...

Stephan Engberg

Specialist in trustworthy identity, security and data sharing

1 yr

Except of course that the analysis is flawed and vastly overselling a mathematical property of ZKP (that in isolation is great but far from that easy to apply). There is a massive difference if you look at security as "identification" or "to establish identity-based security for multi-stakeholder transactions to work trustworthy". The latter would default - among all the other requirements - assume no personal data created as that involves transfer of control from citizen to system. An identity is never just one credential and you need to take the entire ecosystem into account according to the contextual problem - hic sunt dracones.

Aidan Herbert

Decentralized transactional ecosystem enabler

1 yr

DIDs & VCs (Verifiable claims) == BYOID, Bring your own identity, which we have all talked about forever. A clunky process:

1. User gets a DID and presents it to relying party
2. Relying party challenges user to prove possession of DID private key
3. User proves control of private key
4. Relying party requests VCs
5. User gets VCs, countersigns and presents VCs to relying party
6. Relying party verifies signatures of issuance authority and user

(There is a lot of hidden trust (Yikes) in this identity proofing sequence.) The relying party then must issue an access credential that they control and bind it to the user/DID. Note: industry framework / standards are not yet in place to support BYOA (Bring your own authentication ~NIST 800-63 AAL3). Europe is potentially heading in that direction with EIDAS X. A lot of great progress, but let's hold off on the high fives, just yet. The Gold standard has to be high-assurance "anonymous trust".
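
The challenge / proof-of-possession / credential-presentation sequence sketched in this comment, combined with the article's point that verified credentials become attributes for the Access Management system's adaptive authentication policy, as an added example that is not code from the post or from any commenter. It assumes hypothetical `did:example:` identifiers, an in-memory key registry standing in for DID resolution, Ed25519 signatures from the `cryptography` package, and a made-up issuer-to-assurance mapping as the policy data.

```python
import json, secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
# Constructed actors with hypothetical DIDs: two credential issuers and the user's wallet (holder).
KEYS = {did: Ed25519PrivateKey.generate()
        for did in ("did:example:eid-authority", "did:example:employer", "did:example:holder")}
# Policy data (assumed): the assurance the Access Management system grants to each trusted issuer.
TRUSTED_ISSUERS = {"did:example:eid-authority": "high", "did:example:employer": "substantial"}

def canon(obj):  # deterministic JSON so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def sign(did, body):
    return KEYS[did].sign(canon(body)).hex()
def verify(did, body, proof_hex):  # stand-in for DID resolution: public key from the local registry
    try:
        KEYS[did].public_key().verify(bytes.fromhex(proof_hex), canon(body))
        return True
    except (InvalidSignature, KeyError, ValueError):
        return False
def issue_vc(issuer, subject, claims):
    body = {"issuer": issuer, "subject": subject, "claims": claims}
    return {**body, "proof": sign(issuer, body)}
def present(holder, vcs, nonce):  # wallet: prove control of the DID key over the nonce, countersign VCs
    body = {"holder": holder, "nonce": nonce, "vcs": vcs}
    return {**body, "proof": sign(holder, body)}

def evaluate(presentation, nonce):
    """Relying party / Access Management: check holder and issuer proofs, then apply adaptive policy."""
    body = {k: v for k, v in presentation.items() if k != "proof"}
    if body.get("nonce") != nonce or not verify(body.get("holder"), body, presentation["proof"]):
        return {"decision": "deny", "assurance": None}  # replayed challenge or wrong key
    levels = set()
    for vc in body["vcs"]:
        vc_body = {k: v for k, v in vc.items() if k != "proof"}
        if (vc_body["subject"] == body["holder"] and vc_body["issuer"] in TRUSTED_ISSUERS
                and verify(vc_body["issuer"], vc_body, vc["proof"])):
            levels.add(TRUSTED_ISSUERS[vc_body["issuer"]])  # a verified claim becomes policy context
    if "high" in levels:
        return {"decision": "allow", "assurance": "high"}
    if "substantial" in levels:
        return {"decision": "step_up", "assurance": "substantial"}  # require a second factor
    return {"decision": "deny", "assurance": None}

def demo(tamper=False):  # run the flow once; tamper=True alters an issued claim in the wallet
    eid = issue_vc("did:example:eid-authority", "did:example:holder", {"legal_identity": "verified"})
    job = issue_vc("did:example:employer", "did:example:holder", {"role": "engineer"})
    if tamper:
        eid["claims"]["legal_identity"] = "forged"  # the eID issuer's signature no longer verifies
    nonce = secrets.token_hex(16)  # the relying party's challenge
    return evaluate(present("did:example:holder", [eid, job], nonce), nonce)
```

`demo()` yields an allow decision at high assurance; `demo(tamper=True)` drops to `step_up`, because the altered eID credential fails verification and only the employer's claim remains as policy context.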

Drummond Reed

Director, Trust Services at Gen Digital

1 yr

Martin, thanks for this very cogent analysis of how DIDs and SSI architecture enhances — not replaces — existing IAM architectures. It's very much like the Web itself — it didn't replace existing LAN architectures, but connected them and gave them new superpowers. It is gratifying to see that the seven years of my life spent developing and ultimately standardizing DIDs at W3C was worth the effort. I think we've only seen the very start of the real impact of DIDs — it will take a decade or so to see the full effects.
