Ceremonies

Look, I'm, I'm keenly aware. I'm keenly aware of where we are in terms of in the day. So I will be prompt. I want to thank everyone. I want to thank the whole KuppingerCole family. Thank you for having me back. It is great to be yet again. Just a few miles outside of Central Munich. So I wanna thank a couple other people. They're not in the room. The first is my good friend and mentor, Bob Blakely. He gave a talk now many years ago about recognition and it continues to be, inspires me today. And it was just an amazing talk and I hope to just get a fraction of that. Awesome.

The second I want to thank our dear friend Kim Cameron, in a quiet moment, an EIC in Munich. He talked to me about this concept of ceremonies and identity and I was like, what are you talking about? Which is pretty much every conversation with Kim, but it was so meaningful to me. So ceremony.

Well, let's, let's go with the basic like definitional thing. Like I like this first definition, a formal act or series of acts that are prescribed by ritual or protocol or convention. We do a lot of these like, but we notice there's an interesting disconnect.

You see, the ceremonies that we do in the analog world are often really different than what we do in the digital world. For example, in the analog world, we do introduction. I introduce flat to someone, but online it's registration, which just has a horrible name to begin with. But the other thing is, in the analog world, we have a process of recognition how one party recognizes another in the digital world, we have authentication. And I wanna spend some time mostly on authentication because I believe that our existing ceremonies for authentication do two things simultaneously.

First, they set a bar too high for all people, all people about whom we want to interact with at high assurance. And second, it sets a bar too low to prevent adversaries from clearing it. This is simultaneously horrible.

Okay, so what are these authentication ceremonies? Let's take a quick tour. It begins here.

Yes, I know my slide making skills have gotten so much better through covid. Thank you. Thank you for noticing. So what you don't see is a box. In this scenario, which I'm calling zero box authentication, the individual presents themselves in front of a service and through some means of browser fingerprinting or IP or G O I P, they are very loosely authenticated.

Now, we needed to do more. We needed to actually have a little bit more high assurance or higher assurance. And so we invented the box in the one box style of authentication. Typically, we find these on marketing microsites, and the individual goes and presents an identifier, email address, phone number, and they are used again, very loosely. Subsequently. Now we will both, we will all agree that both of these techniques are incredibly low assurance at best, but they exist.

We actually know them, we're familiar with them, but the need to have higher assurance was actually, well pretty darn strong. So we took what was already good and made it better. Two boxes.

All right, what do we got? This is the classic right identifier here, password there. This is older than some many, maybe not George, but many in the room. And it feels like it's been here for eternity, but it has changed, right? If we just do this out of convention, we all do it. But there've been changes. There's been growth. For example, there's this variant, right? Two box, got it. Plus another box. Get some numbers, give 'em. To me. This isn't a ceremony. Why? Because the means by which I get those numbers is kind of well inconsistent. There's no actual convention about it.

We had other innovations. This is actually one of my personal favorites. The widget, right? The thing that tells you your password's gonna be wrong cuz your caps lock key is down kind of important.

Or, Hey, thank you for having a really long password, but you screwed it up in the 18th character. Go fix it.

Or, and this one actually is really important. Sum your password manager. That's powerful.

This too, however, is not a ceremony. Why? Because these things fight when you try to put them all together. It's a technique at best, but we could do better. We knew it. So in an act of inspired thinking, our friends in Google gave us this. This is a big deal. This is one box plus one box authentication. Does anybody remember when this came out?

No, not George. Shout it out, sir. Kind sir. In the audience who? I don't know Justin when, Yes, but when did they do it? They did it in May of 2015.

It was, it's almost 10 years old. And when they rolled this out, you would have thought they harmed puppies in the creation of the solution. The internet went nuts. Why? Because they dared to change convention. And this is actually true innovation. Reason being is when the individual presents themselves, now this service has a freedom to respond as appropriate for the situation. It might mean I'm gonna redirect you to an enterprise SSO provider, or I want you to gimme some numbers or give me a hardware token or give me a good old password.

Or maybe I'm gonna do nothing because I can connect you to an existing session. And I have assurances about that. But the important point here, and my first point is they clearly separated front end ceremony that we all understand from their backend process. And this is hugely important because we often combine these two things that it actually makes harder to do innovation on either. And innovation continued on, right? We've seen recently mobile biometrics. I look at the phone, I'm in the app now that happens to be predicated on previously authenticating by another means, but I'll take it.

We also have this, right? Which is scan one of these could be an OAuth code flow. It could be present your verified credential. It could be, well frankly, anything but this brief tour, I think we really only have three ceremonies and the rest are techniques. They haven't sort of graduated to that level of protocol. Something we do by convention.

Now, so far we have only talked about when things go right, what happens when things go wrong? Well, in the analog world, and we have a failure to recognize someone, we actually have a very well established process for hinting where one party can send a hint to the other about who they are. For example, we met on a boat in Berlin. You confused me with your musician, David Graw, or I am your father.

You know, these are very common hints. But in the digital world, what happens when you fail to authenticate? We have a really well established pr. We have a kind of crappy process for setting a new static secret. It's a reset password. We go to the most nuclear option when we fail to authenticate more often than not, and certainly our customers do. And I would pause it that username and passwords success is not actually tied to the efficacy of when it goes right, but to the ubiquity of when it goes wrong, their success is in how they fail.

And the story gets even worse when we think about, what about non username password authentication techniques? Does it look the same in every browser on every mobile operating system? In every form factor? I would assert, and this is my second major point, is that we don't actually have ceremonies outside of username and password for when things go wrong. That's actually a really big deal. But it gets worse. Consider for example, this oddball thing, which is authentication. Ceremonies have to be done in private. But in the analog world, I could be recognized in public.

In fact, we do recognition ceremonies in public all the time. Why? Why this difference? These right? Most authentication is predicated on a static secret. And you have to by nature keep that a private ceremony.

Now, an exception to this is emergent mobile biometrics plus something like wbn, where now we actually remove the static secret or the potential to remove the static secret. And we rely on P K I to do some of this for us without all the ickiness of certificates. And that's actually really powerful because now I can perform authentication in public.

Also, authentication ceremonies are by their very nature solo ceremonies. But interestingly enough, recognition ceremonies are not, people can help other people be recognized by someone else. And this difference means that for children, for elderly parents, for those who cannot represent themselves, for those who are working on a shared device like in a public school or in a library, there is real challenge in the authentication process. We are not serving everyone everywhere. And so this lack of public and group or assisted ceremonies is actually a massive problem.

Okay, great. Fine. Let's say you buy into it. What do we do? So I actually think the answer is where we started. And I don't mean tracking and I don't mean identification. I mean actual recognition. We're an individual comes to a service and they are recognized. This is not as crazy as you might think. Consider in the anti-fraud space. So at the time of checkout, anti-fraud technology can at least give us a picture of whether it's plausible that this set of data is a person and that in fact this is gonna work. This is a less risky transaction.

Also, in the anti bot space, we have a lot of technology and investment to know whether the thing that is on your service is in fact a human or not. And even in the ad tech space, which let's face it, this is not a source of security identity stuff that we would recognize, but they're spending a lot of time and effort to ensure the people that see an ad and click on that ad are in fact people. It's a big deal in online advertising.

And so you can think about that these technologies are the beginning, at least through the process of elimination, that I have a human on a site and maybe I can start to build a low resolution picture of the person. Is it the complete solution?

No, of course not. But it's a step in the right direction. So what do we want to take? What's in that next step? I think we need three things. The first is we need what I'm calling a language of disclosure. A way to tell an individual, Hey, if you gimme this information, I will use it to recognize you and for no other purpose. And I'll throw it away when I'm done. Because we don't have a way to talk to an individual that isn't really username and password. And we are just in those emergent techniques for authentication, trying to establish other languages.

Number two, we need really strong hints. Now, in my mind, something like web Athen presents the strongest hint. It's a nice, interesting cryptographic use to say, Hey, this is the individual. But those two things alone are insufficient. We need a third thing, which is what I like to talk about is active clients. I talked about it last year and it continues to be on my mind. An active client is your mobile operating system, your browser, your password manager.

Heck, it can even be a wallet, I suppose. And they're going to this agent for you. This active client is going to broker the hinting process for you with the service. We need an agent that can actually do this for us.

Now look, not all of us build authentication technologies. Not all of us deploy those technologies, but all of us interact with those things. And so as identity practitioners, I think we actually have a a shared interest to make this better. And for those of you who do build authentication technologies or do deploy them, consider it this way. If we can make authentication safer and usable for all of these constituents, you have grown your addressable market, whether you're in public sector or private sector, that matters. Okay? So how do we make authentication be less horrible?

First off, clearly, clearly, clearly separate the front end ceremony from the back end process. If you tightly wed those things, you'll have a world of challenges when you try to innovate or you try to address a new use case in which you need a different kind of response or a different piece of information or a different factor. So clearly separate these things. Number two, fail consistently. What I mean by that is don't start with the happy path of, hey, look, someone logs in.

How's, ah, start with the ways it goes wrong. Are those consistent across your entire landscape? Is are those consistent across all the devices that you wanna reach? All of the browsers? If you can't have consistency, you've gotta drive towards it, right? If you haven't started with it, you've gotta drive towards it. And I think more than ever, we gotta start in the failure conditions and not the happy path. And three, and I fully recognize what this means, it's the hardest one.

But can you think of a world in which your authentication capabilities are actually have a path that can help someone be authenticated through assistance or through a group of people? We see concepts of it in some places, and I will acknowledge that this is not widespread at all. But what would it mean if you could give your call center a process and a script to take an individual through to securely keyword, actually go through some form of assisted authentication process? We have got to get to this one. Here's the reality folks.

That separation, right, that separation between what we do in the analog world and the digital world cannot continue to persist because it will at the very least, leave some constituencies out. Not acceptable. So we've gotta get to a place where we can do the things that we do in the real world. We do that online. And the reason why I'm so keen on focusing our transition from authentication ceremonies to recognition ceremonies is because, well, recognition ceremonies have three things I think are interesting and needed. First is they're usable by everybody. Everybody can be recognized.

It is possible to do. They are pretty darn high assurance, at least from the moment of recognition. And they're adversary resistant. We recognize one another all the time, regardless of the context. I could be filled with a plain full of adversaries. I could still be recognized. That doesn't change the experience. So I believe that this journey to recognition is when we actually have to go on.

If we all, we wanna reach everyone that we wanna reach. Now, I fully acknowledge that sitting in a keynote is a sort of ceremony and I deeply appreciate you coming along. But I also note that getting the hell out of the keynote room and to the party is an even bigger and more important ceremony. So with that, thank you everybody. Let me start is, is this where you asked the question that Martin made up Guys? Did I promise too much? Thank you again. Oh boy. Does it say who? Who? Who's it from? I'm gonna guess. Okay. Alright. What you got? Yeah.

Ooh, dang. Into the problem For changing it. So there's a moment in every talk when you realized, I have not considered all the eventualities here. You see a speaker in that moment. I actually think it's all in this sort of two box plus something bucket, right?

This, these are all techniques and they all leave someone out of the story, right? And our, our intent around like NASCAR and the and social sign on is, I wanna reach more people, right? That's why you put them on your sites. I wanna reach more people. But in the same act of doing that, it's already exclusionary. I'm gonna address this population or that population. So I think it's still sort of the same variant as two box plus one box. But thank you anonymous audience member who I will hunt down mercilessly for the next four months and oh, okay, good.

Awesome, awesome. Again, thanks. But that is, I think taking that lens of, from an inclusionary perspective, what Emma and Melissa were talking about is really powerful because we have left it out of the conversations oftentimes for just authentication. Not necessarily the full proofing story or we've gotten better there, but just in that moment of authentication, we can do better there. Minute left. Thank you everybody. Thank You. Very good.