A Few Thoughts About Identiverse 2023
Identiverse 2023 has come and gone. For one week the Identerati descended on the Aria Hotel in Las Vegas for a week-long exploration of all things related to digital identity. For over a decade, Identiverse has been the preeminent conference to learn the latest information on digital identity for the consumer, workforce, or citizen. If you have anything to do with digital identity in your organization you should never miss this event.
There were numerous informative sessions this year. So what did I learn? Well, frankly, a lot. Here are my top three takeaways for Identiverse 2023:
Passkeys are Ready for Prime Time
I've written about Passkeys in a previous post. I'm very bullish on this technology and so were many speakers at Identiverse. The FIDO Alliance has managed to advance the standard to the point of wide industry adoption. The talks this year focused more on practical advice for implementation rather than tutorials on how Passkeys work. I believe the consensus that Passkey is ready for customer authentication applications alongside traditional username/password login methods. This means integrating invitations to users to set up Passkeys during login and password recovery flows, as well as when users view their profile screens, specifically their security settings.
Not convinced? Use your browser to navigate to g.co/passkey, sign-in with your personal Google Account and set up Passkey as your authentication for your Google account. Google Workspaces will be enabled with Passkey in the near future. Apple has released the ability to share Passkeys via iCloud Keychain across your devices and if you watched the WWDC 2023 Keynote they announced Passkey Sharing in MacOS, iPadOS, and iOS 17.
Verifiable Credentials and SSI are not yet ready for prime-time
Verifiable Credentials(VCs) and Self-Sovereign Identity(SSI) have been slowly making strides with standards and initial implementations but these new conventions of digital identity are not quite ready for practical applications yet. I'd say we are closer today to achieving initial use cases for Verifiable Credentials over full SSI.
Personally, I'm relieved to see these technologies decoupled from blockchain which I view as an unnecessary complication. Two sessions in particular seemed to sum up the state of things best. Jeremy Grant's titled "The Four Horsemen of the SSI Apocalypse" raised (surprise!) four problems with VCs and SSI that will need to be overcome. The majority of his points were centered on separating the hype from the reality. E.g. With respect to privacy, what's to stop Relying Parties (RPs) from collecting the VCs of anyone that uses them on their site. RPs have an incentive to collect as much data on you as possible. There is nothing special about VCs that will stop that type of harvesting.
The second talk was by Vittorio Bertocci titled "Verifiable Credentials for the Identity Practitioner". Vittorio's talk was focused on the practical technical issues related to implementing VC securely at scale. He laid out three major technical problems that will need to be solved. To be clear, these technologies are necessary and have a lot of power to enhance privacy. They put users back in control of key aspects of their digital identities. We need them. There is just more work to be done.
The Identity Community is Thriving
Identiverse 2023 was possibly the largest Identiverse in terms of attendance. It's clear this is the conference for a growing and very passionate group within the larger cybersecurity community. Most of us never chose to be identity professionals. We sort of stumbled into the field because no one was doing the job. However, once we rolled up our sleeves and dove into the work we realized we care deeply about seeing digital identity done right. We keep coming back to Identiverse year after year to connect with the community, to learn from each other, and to re-ignite that passion.
Take a look at Lance Peterman's talk titled "Lessons Learned from Lessons Taught". Lance and I, like so many others, share a genuine desire to teach and encourage a new generation of practitioners to take up the field. We need to grow our community and to see it re-invigorated with new faces and fresh ideas. Identiverse is one of the largest gatherings where that can happen. I'll be back next year. I can't wait to learn new things and see the continued growth of our community.