Event Recording

EU Wallet – eIDAS 2.0: The New European Identity Framework is a Gamechanger

Show description
Speakers
Dr. Dominik Deimel
Founder and CEO
comuny
Dr. Dominik Deimel
As an entrepreneur and expert in digital change management, Dominik Deimel has many years of experience in accompanying change processes in companies and their transformation into digital technologies. With comuny, he also demonstrates how new digital business models are translated into concrete...
View profile
Sven Schreyer
Director in the Cybersecurity & Privacy
PwC
Sven Schreyer
Sven Schreyer is Director in the Cybersecurity & Privacy practice at PwC Germany and leads a team of experts in the area of Identity & Access Management (IAM) and IT Security. He has over 22 years of experience in planning and managing of projects and programs in the field of...
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
Best and Worst Practices of Digital Wallets User Experience
May 10, 2023

Digital identity wallets are central components for Decentralized and Self-Sovereign Identity (SSI) approaches. They are the interface for users to manage their identities and gain access to services. Hence, the usability and user experience of these wallets is pivotal for the adoption of those popular and privacy friendly identity management concepts.  This talk will summarize research findings into naming some of the Best and Worst Practices to be considered in the further development of the user experience of Digital Wallets.

This talk would highlight multiple studies, publications, and projects that I have done on this topic.  However, if you would prefer another topic, I could propose another talk idea that would be related to other identity topics in either the Digital Wallets, mGov/eGov Services, or Trust Management.

Event Recording
Utilizing Verifiable Credentials for Vendors and Contractor Access
May 10, 2023

The W3C Verifiable Credential standard is getting traction in many circles. How can you use this today to help contractors and partners access your systems? It's easier than you think. See how this is an amazing alternative to federated authentication.

Event Recording
eIDAS 2.0 & EU Digital Identity Wallet - Potential, Challenges, Use Cases
May 12, 2023
Event Recording
Opening Session
May 09, 2023
Event Recording
Policy Based Authorization Architecture Considerations
May 10, 2023

Policy Based Authorization is becoming the new normal when it comes to identity-centric access controls. However, there is no standard approach to PBAC deployment that fits all use cases. In this session we will look at PBAC requirements for common use cases such as microservices, cloud, API, data & analytics.

Event Recording
Together. Stronger. Why Community is Important
May 10, 2023

There are many benefits when we cross over the silos of vendors, clients and service providers

In this panel discussion, we will talk with community leaders in our industry about the benefits of community, how the power of community extends beyond peer-to-peer support, and accelerates business innovation, grows market share, and increases customer retention. 

We will also talk about how they work to foster and engage the greater community,  and why you should get envolved.

Event Recording
Graph-Based Access Control: What, Why and How ?
May 11, 2023

“Graph-Based Access Control'' (GBAC) is a generic term that refers to the use of graphs and networked data to solve Identity and Access Control problems. You may have seen this before through the disguise of acronyms such as ReBAC (relationship-based), KBAC (knowledge-based), PBAC (policy-based), NGAC (Next-Generation), FGA (fine-grained), and even some implementations of ABAC (attribute-based). All of these terms refer to techniques that use graphs to enforce access-control for any level of coarseness.

In this session you will learn why all the latest Dynamic Authorization offerings on the market use GBAC in a way or another, and how you can successfully adopt the technique yourself. Graphs are becoming ubiquitous - one can just look at the rise of the GraphQL API model to witness their popularity first-hand. Through concrete, real-life examples we will showcase the use of graphs to solve common access problems using the same modern and future-proof techniques that you see in the current authorization market.

As a result, storing all identity data in graphs truly unlocks its full potential. Graphs are data-science and analytics enablers, and have the potential to transform the IAM practice from a cost centre to a true revenue generator. We’ll explore how this can happen for you too…

Event Recording
Fallacy of Decentralisation
May 10, 2023

Common Web3 narratives go like this: Web1 was decentralised. Web2 is centralised and dominated by GAFAM/BigTechs. Web3 will be decentralised.

Is this real?

Let us look back. Web1 was about publishing web pages that were linked to other pages. The publishing sites were decentralised all over and were connected by links. Schematics resembled spider webs. Thus, the name “web”. 

Web2 was the read-write web. In other words, API Economy. Was it a centralised architecture? Definitely not. What we imagined as Web 2.0 back in 2004 was that instead of monolithic systems, each site provides a function as REST API, and new services quickly emerge by combining these APIs like LEGO. APIs were decentralised and distributed all over the internet. API calling relationships connected those sites; the schematics resembled a spider web. Thus, the name Web 2.0.

Note, in 2004, none of Google, Amazon, Facebook/Meta, or Apple resembled what we have now.
Google just acquired Double Click, but it still had the banner word “Do not do evil.” The size of the company was 1/10 of Hitachi. Amazon still was an internet merchant. Facebook was just founded, but it still was primarily confined to Harvard and other American university students. Apple was an iPod and Mac company. Were they BigTechs? No! Big guys were IBM, Hitachi, etc., and Google, Facebook etc. were carrying the liberation torch!

Then, how come we end up here, despite the fact that the architecture was completely decentralised?

It was the combination of free market competition and technology that exhibited increasing returns. Any IT technology has decreasing cost/increasing return on investment. Under the circumstances, it will end up in Cournot equilibrium in a fashionable vocabulary - in a common word; winner takes all - monopoly/oligopoly. That’s how we ended up.

What about web3 and decentralised identity? Would the decentralisation dream finally come true?

Well, they still are IT. They still exhibit increasing return necessarily. Then, how can you believe that it will not be dominated by large players just like it happened to Web 2.0? If you let the free market play, it will certainly be. Unlike in the case of Web 2.0 where there still were 100s of thousands of IdPs, we may end up with two Wallets where the wallet provider can come in and decide to delete your verified credentials or ban your account. How decentralised!

Wait, there is more.

How can you believe that code that runs on your phone adheres to what it says?
The data stored on your wallet that runs on your phone may be extracting your data and sending it to criminals. We have seen many times that the initially benign code turns malicious with an update.

According to the Devil's Dictionary of Linguistic Dark Patterns compiled at IIW 2022b, “Decentralised” means “We run our code on your machine at your own risk”. Yes, at your own risk. If it is completely “decentralised” and there is no “provider”, then there is nobody to go after from the point of view of a regulator. Having a “centralised” provider is much better from a consumer protection point of view in this respect.

Is there no light? Are we going to live in the darkness of decentralisation?

Let us briefly think about what web3 was supposed to be. Forget about something that is found between A and Z. I am not talking about that. I am talking about cypher-punks' idealistic dreams.
Many people believe that blockchain is just an immutable ledger. No, it is not! That’s not the innovation of blockchain. Chained immutable records were there long before Satoshi’s invention. It is called Hysteresis signature and was invented in 1999.
Then, what was the innovation? it was the committing of the code into the it to make it immutable and executing it by multiple machines to exclude the result from changed code. In other words, it was the establishment of trust in the running code.
The light could be diminishingly small, but it still is light. That’s the light that I see in web3 that’s not between A and Z.

Event Recording
A Sovereign Cloud for the German Government
May 11, 2023

You will learn about the Sovereign Cloud for the German Government, this solution is based on Azure and operated by Delos Cloud Gmbh

Event Recording
EUDI Wallet - Critical Success factors for Digital Single Market and Private Sector Use
May 10, 2023

Why the private sector is the major milestone for the European Identity Wallet to succeed ? Let’s discuss:
• Will the current EUDI-wallet enable or hamper eg the banking sector in future (in relation to KYC, Strong Customer Authentication, Payments, ….)?
• Which standards are the right ones to enable eg the travel / mobility sector (mdoc, icao, verifiable credentials)? Which give the most added value?
• How will current private sector wallets at large --like those used in ecommerce-- interact with the EUDI whilst ensuring citizen privacy-by-design?
• Which technologies are at hand to keep our wallets secure and combat identity theft/fraud/threats when Europe has no control over those mobile devices?

Event Recording
Street Cred: Increasing Trust in Passwordless Authentication
May 10, 2023

Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication? 

The industry needs to trust passwordless authentication (FIDO2). Adversaries and then criminals have circumvented our authentication controls for decades. From the very first theft of cleartext passwords to the very latest bypass of a second-factor, time and again improvements in defenses are met with improved attacks.

What holds us back from getting rid of passwords? Trust. In this session, we will propose a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor, and to reassess based on shared signals (CAEP). We will share a path forward for increasing trust in passwordless authentication.

Event Recording
Modern Authorization Panel - Going Beyond RBAC
May 10, 2023

Every cloud-native application needs some form of access control. Most applications provide role-based access control (RBAC), which has limitations when it comes to enterprise scale and fine-grained access control. 
Zero trust architectures require us to go further. Following the principle of least privilege, modern cloud apps can implement just in time authorization with fine-grained controls. With a fine-grained model, access rules can be defined on the application’s resources, often down to individual items. And a just-in-time model helps ensure the user has access to what they need, when they need it.

Two ecosystems are emerging around modern authorization: Policy-as-code and policy-as-data. Open Policy Agent (OPA) brings a policy-as-code approach to fine-grained authorization, and Google’s Zanzibar is the most known representative of the policy-as-data camp.
Join the panelists to discuss new developments in modern authorization, and compare the strengths and weaknesses of policy-as-code and policy-as-data as foundational models for a robust access control system.