Digital Identity (or something)

A range of papers, looking at how to make robust strategic decisions about digital identity and authentication technologies, especially in a "technology neutral" policy environment.

I have long called for a rethink of IDAM orthodoxy, its metaphors and patterns (especially "Federated Identity") in a string of articles and blogs. I have recently reached the conclusion that Digital Identity is a confusing and really terrible term for what should be a simpler concern: the attributes we need to know about parties online, and mechanisms for proving their provenance.


In the late 1990s, when critics said “Quality is Dead!” they didn’t mean quality doesn’t matter, but that the formalities, conventions and patterns of the Quality Movement had become counterproductive. That's what I mean about digital identity.

IEEE IoT Paper: A Digital Identity Stack

This is the first peer-reviewed paper to arise from my PhD studies, presented to the IEEE World Forum on the Internet of Things, Singapore, 2018.

The evolution and ecology of digital identity - PhD proposal

This is the abstract of my PhD proposal, recently confirmed, in the Australian Centre for Cyber Security, at the School of Engineering and IT, UNSW Canberra (ADFA).

PKI post blockchain

A presentation at the Cloud Identity Summit 2017 on new applications for digital certificates to convey provenance of attributes.

DHS "Cydentity" 2015, Rutgers University

Guest provocateur at the DHS Identity & Privacy planning workshop.

Rationing Identity on the Internet of Things

I made this presentation to the 2015 Cloud Identity Summit, on the risks to privacy of 'over identifying' the data that increasingly gushes from all our smart devices.

Conveying the pedigree of identifiers using digital certificates

A short one-page paper on how to "notarise" personal data in smartcards or similar personal chip devices.
There are ways of issuing personal data to a chip that prevent those data from being copied and claimed by anyone else.

The Authentication Family Tree

My presentation to the 2014 Cloud Identity Summit in Monterey, California.

Forget Identity!

I was selected in a call-for-papers to present my ecological theory of digital identity to the Australian Information Security Association 2013 annual conference. My talk was titled as a gentle provocation: "Forget identity!"

"The IdP is Dead! Hail the Relyingpartyrati"

I was honoured to be a speaker in the Iconoclasts stream on the final day of the Cloud Identity Summit in Napa (#cisNAPA), where I presented my ecological theory of identity.

Fractionating Identity

A presentation to the first MIT Legal Hackathon, in February 2013.

The Natural Limits to Federated Identity

An updated slide deck introducing the memetics of digital identity, and showing how business system ecology puts natural limits on Federated Identity.

An ecological theory of digital identity

Stephen presented a major new paper at the AusCERT 2011 security conference, on how identity evolves and why federated identity is easier said than done. This is a fresh and powerful explanation of the shortcomings of other contemporary identity theories. It provides an alternative way forward based on conserving the perfectly good identities we already have in the real world.

The False Allure of Federated Identity

A presentation to the Cyber Security Summit, Sydney, 2nd August 2012.

Identity Plurality

Orthodoxy in e-security holds that we must separate "authentication" of who someone is, from "authorisation" of what they can do. The distinction is actually arbitrary and unhelpful.

See also http://lockstep.com.au/blog/2011/01/22/forget-authentication.

A positive review of Identity Silos

It's not for nothing we call them "silos": they're strong, elegant, safe and under-appreciated!

Towards a uniform solution to identity theft

A high-level comparison of all major two-factor authentication solutions, with a close look at their vulnerability to phishing via the man-in-the-middle attack.

A Practical Guide to Authentication for ICT Executives

Lockstep Consulting holds interactive workshops aimed at providing non-technology managers and executives with 'everything they need to know' about authentication, and equipping them to engage better with technologists.

Two factor authentication and second class citizens

An unfortunate side-effect of user-pays security could be the creation of two classes of Internet banking customer.

Making Sense of your Authentication Options

A sophisticated, business-focused framework for analysing authentication requirements. First published in the Quarterly Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, October 2001. Reproduced with permission.

Current issues in the rollout of a National Authentication Framework

Early in the development of national authentication policy, and the struggle with PKI, this presentation to the 1998 Information Industry Outlook Conference provided an optimistic and innovative vision, involving communities of interest and digital credentials instead of a focus on personal identity.