Industry Ideas

What is the W3C WICG Digital Identities Project?

In a digital age where the management of identity wallets and credentials is becoming increasingly complex, the W3C's Web Incubator Community Group (WICG) has initiated a pivotal work item called Digital Identities. As co-chair of the newly formed Federated Identity Working Group alongside Wendy Seltzer, I delve into why this project may (or may not!) soon find a permanent home within our group. This post explores the dance between digital identity, browser behavior, and the broader ecosystem, including privacy advocates and tech developers.

Deep Thoughts

The Evolving Landscape of Non-Human Identity

This blog entry explores the insane world of non-human identity, a subject as complicated as the world’s many cloud computing environments. My journey from the early days of digital identity management to the revelations at IETF 119 serves as the backdrop, and I share what I’m learning based on those experiences. The post zips through the labyrinth of authorization challenges that processes and APIs face, highlighting the contributions of DevOps and IT teams (but not so much IAM teams). I also introduce some of the efforts from IETF 119 aimed at standardizing the non-human identity space and urge you to broaden your horizons and deepen your comprehension of this evolving field. Ready to read more?

Industry Ideas

A Cookieless Horizon: Navigating Browser Changes

Browser vendors are replacing third-party cookies for authentication services on the web. Learn more about what that means in this latest transcript of my YouTube channel! The post elaborates on the W3C's role in standardizing web functionality, introduces the Federated Credential Manager (FedCM) as a privacy-enhancing API, and mentions other initiatives by major tech companies. Organizations need to be proactive in shaping the future of web privacy so we can collectively create a more secure and private web experience.

Hot Takes

Understanding Browser Tracking & Logins: The Invisible Trail

Step into the arena where web tools double as privacy foes and friends. From cookies to link decorations, we unveil how tracking morphs under the web's surface. Discover the challenge browsers face in shielding you without stripping the web's soul. Excited for a cookieless future? We're laying the groundwork in our series' next chapter!

Hot Takes · Industry Ideas

The Evolution of MFA: Beyond SMS and Email 

Multi-factor authentication (MFA) has evolved since the 1980s and now requires two out of three options: something you have, are, or know. However, phishing poses a significant threat to MFA's security, emphasizing the need for better options. Biometrics, app-based authenticators, and FIDO-based authenticators offer more secure alternatives. FIDO2 stands out as it includes phishing resistance in its core design. Passkeys and strong MFA are essential for personal and organizational security. Users without MFA options should prioritize implementing a secure system. Ultimately, understanding the risks and choosing appropriate MFA is crucial for safeguarding data and systems.

Industry Ideas · Tips and Tricks

Navigating the Passwordless Future: Enhancing Digital Security

Moving towards a passwordless future is crucial for cybersecurity. So many high-profile breaches highlight the vulnerability of relying on passwords. Embracing passkeys, digital credentials tied to user accounts and applications, offers a more secure and user-friendly alternative. Organizations should advocate for enhanced security, cost savings, and smoother user experience. In the meantime, implementing multi-factor authentication (MFA) can mitigate risks associated with passwords. Transition strategies should involve pilot programs and user feedback. Despite the challenges, staying informed about emerging technologies and advocating for advanced security solutions will pave the way for a passwordless future.

Deep Thoughts · Hot Takes

More on the Options and Diversity of Verifiable Credentials

The blog post delves further into the complexity of verifiable credentials, addressing the challenges of understanding the landscape. It covers digital credentials, issuance and presentation formats, protocols, data serialization formats, and digital signatures. I emphasize the ongoing evolution and fragmentation in the field, advocating for constructive engagement. The post aims to aid readers in comprehending the interconnected components of this complex domain.

Hot Takes · Industry Ideas

Verifiable Credentials and mdocs – a tale of two protocols

Ready to get a start on understanding the latest digital identity credential standards? Two influential standards, ISO/IEC 18013 and W3C's Verifiable Credentials, offer different solutions for digital identity. Is one clearly better than the other? Well, no. Whether one is better than the other depends on your use case. Choosing among these standards depends on your users' needs, the browsers you primarily support, and geographic location. Let's dive in!

Industry Ideas

SSI: More than just Blockchain

Self-Sovereign Identity (SSI) is a system architecture guiding tech choices, not a software or service. It prioritizes the individual, allowing them to control their own information. Blockchain technology, as a decentralized database with data spread across nodes, seems a fit for SSI as it ensures accuracy and security. However, it has limitations like being computationally expensive and complex. Various alternatives like Decentralized Identifiers (DIDs) and OpenID for Verifiable Credentials exist. SSI is about control over digital identities, which is not solely dependent on blockchain technology.