A range of papers looking at how to make robust strategic decisions about digital identity and authentication technologies, especially in a "technology neutral" policy environment.
Guest provocateur at the DHS Identity & Privacy planning workshop
I made this presentation to the 2015 Cloud Identity Summit, on the risks to privacy of 'over identifying' the data that increasingly gushes from all our smart devices.
A short one-page paper on how to "notarise" personal data in smartcards or similar personal chip devices.
There are ways of issuing personal data to a chip that prevent those data from being copied and claimed by anyone else.
My presentation to the 2014 Cloud Identity Summit in Monterey, California.
I was selected in a call-for-papers to present my ecological theory of digital identity to the Australian Information Security Association 2013 annual conference. My talk was titled as a gentle provocation: "Forget identity!"
I was honoured to be a speaker in the Iconoclasts stream on the final day of the Cloud Identity Summit in Napa (#cisNAPA), where I presented my ecological theory of identity.
A presentation to the first MIT Legal Hackathon, in February 2013.
An updated slide deck introducing the memetics of digital identity, and showing how business system ecology puts natural limits on Federated Identity.
Stephen presented a major new paper at the AusCERT 2011 security conference, on how identity evolves and why federated identity is easier said than done. This is a fresh and powerful explanation of the shortcomings of other contemporary identity theories. It provides an alternative way forward based on conserving the perfectly good identities we already have in the real world.
A presentation to the Cyber Security Summit, Sydney, 2nd August 2012.
Orthodoxy in e-security holds that we must separate "authentication" of who someone is, from "authorisation" of what they can do. The distinction is actually arbitrary and unhelpful.
See also http://lockstep.com.au/blog/2011/01/22/forget-authentication.
It's not for nothing we call them "silos": they're strong, elegant, safe and under-appreciated!
A high-level comparison of all major two-factor authentication solutions, with a close look at their vulnerability to phishing via the Man In The Middle attack.
Lockstep Consulting holds interactive workshops aimed at providing non-technology managers and executives with 'everything they need to know' about authentication, and equipping them to engage better with technologists.
An unfortunate side-effect of user-pays security could be the creation of two classes of Internet banking customer.
A sophisticated, business-focused framework for analysing authentication requirements. First published in the Quarterly Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, October 2001. Reproduced with permission.
Early in the development of national authentication policy, and the struggle with PKI, this presentation to the 1998 Information Industry Outlook Conference provided an optimistic and innovative vision, involving communities of interest and digital credentials instead of a focus on personal identity.