Shaking Up the Identity Space at the Internet Identity Workshop

At last week’s 14th Internet Identity Workshop in Mountain View, California, this workshop newbie was initiated into the dynamic world of Internet identity.  I was finally able to put a few faces to names from the various Internet specifications we consult with frequently while building the social web at Janrain.  And, who knew some of them could sing?

Interesting new technologies shaking up the identity world include the new OpenID Connect standard, which is currently “functionally complete” and now exists as an implementer’s draft.  OpenID Connect provides identity services on top of the successful OAuth2 protocol.  Several technology companies demonstrated prototypes of how distributed claims may be presented in one unified context.  This is an interesting development, moving forward from a paradigm in which one identity provider is the sole source of all claims in a particular session.  Attribute brokering was discussed at the last meeting six months ago, but at this workshop it was clear that the ecosystem was still growing steadily.

Several multi-factor authentication technology demos were presented, ranging from simple integration with a secondary device like your smartphone verifying your identity via a PIN to analyzing the blood vessel patterns in your hand with the phone’s camera.  There was a cool hardware device enabling on-the-fly configuration of different security standards to protect a set of resources.  Mozilla demonstrated their innovative “Persona” product based on BrowserID.  Rather than tip off the identity provider that you are logging into your favorite site, BrowserID embeds your credentials in the user agent.  One attendee expressed concern that BrowserID was “yet another identity protocol,” but new ideas were generally welcomed at this workshop.

And, of course, the attendees visited the contentious “privacy” space and what it means on today’s Internet.  Are we entitled to it, and how and when?  Who owns our data?  In one session, an interesting discussion ensued on how to balance an attribute provider’s responsibility to silo and secure user data while still having the flexibility to verify and assert some authority about the data.  In an era where we occasionally see large wholesale data breaches, balancing privacy, availability and trust is a big issue to get right.

I also found the engineering “best practices” sessions interesting.  One was a deep dive into the finer-grained details of the OAuth2 bearer token and the best approaches to securing this resource.  How does a trusted partner application refresh an access token when it doesn’t possess the refresh token or the client credentials?  How does this life-cycle flow work?  Questions like these are not addressed in the specifications and are intentionally left out of scope for various reasons.  Several interesting approaches were proposed, but to me the best part of the session was simply working through familiar problems with some very smart people.
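To make the life-cycle questions from that session concrete, here is an added example (mine, not code from the workshop, Janrain, or any of the projects mentioned) of the standard OAuth2 bearer-token lifecycle as RFC 6749 and RFC 6750 describe it: a confidential client authenticates to get an access token plus refresh token, the resource server rejects the bearer token once it expires, and the refresh grant requires both the refresh token and the client credentials, with the refresh token rotated on each use.  The client id, secret and lifetimes are constructed values, and the in-memory token store stands in for a real authorization server.  It shows why a partner holding only the access token cannot use the refresh grant, which is exactly the gap the specifications leave out of scope.

```python
"""Toy OAuth2 token lifecycle modelled on RFC 6749 (sections 4.4 and 6) and RFC 6750.
Constructed example: client ids, secrets and lifetimes below are made up."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACCESS_TTL = 3600             # one hour, an assumed policy
REFRESH_TTL = 30 * 24 * 3600  # thirty days, an assumed policy


@dataclass
class AccessRecord:
    client_id: str
    scope: str
    expires_at: float


class AuthorizationServer:
    """Issues tokens; a confidential client must authenticate to obtain or refresh them."""

    def __init__(self, clients: Dict[str, str]) -> None:
        self._clients = dict(clients)                           # client_id -> client_secret
        self._access: Dict[str, AccessRecord] = {}              # opaque access token -> record
        self._refresh: Dict[str, Tuple[str, str, float]] = {}   # refresh token -> (client_id, scope, expires_at)

    def _authenticate(self, client_id: str, client_secret: str) -> bool:
        expected = self._clients.get(client_id)
        # constant-time compare so the secret cannot be guessed byte by byte
        return expected is not None and secrets.compare_digest(expected, client_secret)

    def _mint(self, client_id: str, scope: str, now: float) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = AccessRecord(client_id, scope, now + ACCESS_TTL)
        self._refresh[refresh] = (client_id, scope, now + REFRESH_TTL)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def client_credentials_grant(self, client_id: str, client_secret: str, scope: str, now: float) -> dict:
        if not self._authenticate(client_id, client_secret):
            return {"error": "invalid_client"}
        return self._mint(client_id, scope, now)

    def refresh_grant(self, client_id: str, client_secret: str, refresh_token: str, now: float) -> dict:
        # RFC 6749 section 6: the refresh token alone is not enough for a
        # confidential client; it must also present its client credentials.
        if not self._authenticate(client_id, client_secret):
            return {"error": "invalid_client"}
        rec = self._refresh.pop(refresh_token, None)  # single use: rotated on success
        if rec is None or rec[0] != client_id or rec[2] <= now:
            return {"error": "invalid_grant"}
        return self._mint(client_id, rec[1], now)

    def introspect(self, token: str) -> Optional[AccessRecord]:
        return self._access.get(token)


class ResourceServer:
    """Validates 'Authorization: Bearer <token>' headers as in RFC 6750."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self._as = auth_server

    def handle(self, authorization: Optional[str], now: float) -> Tuple[int, str]:
        if not authorization:
            return 401, "missing_authorization"
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "invalid_request"
        rec = self._as.introspect(token)
        if rec is None or rec.expires_at <= now:
            return 401, "invalid_token"   # unknown or expired: the client must refresh
        return 200, "ok scope=" + rec.scope


def run_lifecycle() -> dict:
    """Walk the lifecycle, including the 'partner without refresh token or secret' case."""
    t0 = 1_000_000.0                        # constructed clock, seconds
    auth = AuthorizationServer({"app-client": "s3cret-constructed"})
    api = ResourceServer(auth)
    grant = auth.client_credentials_grant("app-client", "s3cret-constructed", "profile", t0)
    bearer = "Bearer " + grant["access_token"]
    later = t0 + ACCESS_TTL + 1
    out = {}
    out["fresh"] = api.handle(bearer, t0 + 10)[0]          # accepted before expiry
    out["expired"] = api.handle(bearer, later)[0]          # rejected after expiry
    # A partner handed only the access token has neither the refresh token nor the
    # client secret; even with the refresh token, a missing secret is refused.
    out["partner"] = auth.refresh_grant("app-client", "wrong-secret", grant["refresh_token"], later).get("error")
    # The original client holds both and can renew.
    renewed = auth.refresh_grant("app-client", "s3cret-constructed", grant["refresh_token"], later)
    out["renewed"] = api.handle("Bearer " + renewed["access_token"], later + 1)[0]
    # Rotation: the consumed refresh token is dead, and its reuse is worth alerting on.
    out["replay"] = auth.refresh_grant("app-client", "s3cret-constructed", grant["refresh_token"], later + 2).get("error")
    return out
```

The resource server only learns whether a token is live and what scope it carries; it never sees client secrets or refresh tokens, which is the separation that makes the partner question hard in the first place.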

Fellow Janrain engineer Johnny Bufu and I also presented two sessions on the new Backplane 2 protocol.  Vlad Skvortsov, Vice President of Engineering at Janrain partner Echo, joined us for the second session to help discuss the details of building an implementation of the new protocol, which Janrain released as open source software (https://github.com/janrain/janrain-backplane-2) the day before the workshop.  Backplane 2.0 is an exciting new secure messaging framework built on top of the OAuth2 protocol.  See http://backplanex.com for more details.

I left the conference feeling like the conversation was just starting.  There were so many new ideas to digest and many existing technologies to learn more about.  Stay tuned!