Phil Windley is an Enterprise Architect in the Office of the CIO at Brigham Young University. He is also the co-founder and organizer of the Internet Identity Workshop (IIW), serves as an Adjunct Professor of Computer Science at BYU, writes the popular Technometria blog, and is the author of the books “The Live Web” (Course Technology, 2011) and “Digital Identity” (O’Reilly Media, 2005).
UnboundID: What were the hot areas of discussion at the latest IIW event?
Windley: Generally, it’s a mix of topics, those that have been part of IIW for a long time, like OAuth and multi-factor authentication. We also had a lot of discussions on block chain technology, the distributed decentralized ledger system for Bitcoin. The key idea of block chain is that it allows you to create an identity system that is not controlled by any single entity. Today, if I log into a website and I have the option of using Google or Facebook credentials to do that, it’s very convenient. It saves people a lot of headaches and also allows for some security wins because Google and Facebook put a lot of effort into building identity systems. Yet the identity is still controlled by those big companies. Not everyone likes that idea. They might be worried about privacy or maybe they don’t have an account at one of those sites and they don’t want to create one. Distributed ledger technology creates a system where everyone can join. It’s not controlled by a single entity, but rather by code written by a group of people. It completely decentralizes the identity management system.
UnboundID: How will block chain technology evolve?
Windley: It will go mainstream I think, because the idea is compelling for identity providers and identity owners. There won’t be one system, and it won’t undo other identity systems either. There are companies building these systems today, including Evernym, Blockstream, Blockstack and Hyperledger.
UnboundID: How are identity systems and practices changing with connected devices or IoT?
Windley: The Internet of Things is providing identity systems with a number of interesting challenges. It’s not a crisis, but new use cases are driving identity systems to do new things. As a consequence, this will increase the scope of identity systems and require new kinds of interactions and protocols. For example, OAuth assumes there is a person involved in the interaction, to get an access token and refresh token to access their account somewhere else. Once the initial connection is set up this process can occur without the user, but there are times when the refresh token fails. In that case, a window will pop up and ask the user to reauthorize access.
In an IoT scenario, the user is not there to help. We will see more automation, with policy-driven access control that users have available to them as a matter of course. There could be a policy that says: I want these accounts to be created, so always approve this request unless I have specifically cut off access. An agent can work on behalf of the user when the user’s things are interacting with each other.
UnboundID: What are the unique challenges for identity management at BYU?
Windley: We have tens of thousands of users and hundreds of thousands of identifiers because we give them to not just students and staff but people who sign up for a special course or camp. That is not unusual for a large institution. However, we are also working very hard to move a lot of our systems to the cloud. That causes changes for how we deal with identity.
We are also very interested in allowing more social logins and external identifiers to be used than in the past. We are to the point where as an organization we are happy for a student to use another identifier. We still have to give them an account but a student may come to a soccer camp in high school and use their Facebook account to register. Then a few years later they apply to school and use the same Facebook login to register.
We also just rolled out two-factor authentication on campus. It’s still optional, but I can see that as more and more problems occur with passwords, we might push that more. We have a tiered strategy. For most people, using a code is good enough, but for some people, we want to give them a hard token because they deal with finances or mission-critical information.
UnboundID: Large companies especially in consumer-facing businesses are interested in developing a single identity for individual customers. But could this create trust issues with customers? Is there a balance here to consider?
Windley: Right now most people aren’t even aware of it. The ad blocking trend that we have seen recently showed that literally millions of people want to block ads due to a growing fear that they are being tracked. This is a warning to companies that are consolidating lots of personal data. When people become aware of that they may not be happy. It’s a potential PR issue. And lots of data in one place presents an attractive target for someone who wants to steal it. Yet the other side of the argument is we can protect data better when it’s in one place. People might be more comfortable with this concept of a unified data set if they knew the companies were doing a good job managing and protecting it. For example, Apple has built a reputation that they are on the consumers’ side. They are a trusted brand. So companies really have to work at getting people to believe that they have customer interests at the heart of everything they are doing.