I gave the closing keynote at the 2021 Fido Authenticate conference. Annotated slides are attached below.
It’s been received wisdom in the cybersecurity industry that the Internet is “missing an identity” layer — as if that’s enough to explain why authentication is hard and digital identity so elusive. But this is a case of being careful what you wish for in case you get it. Now we’re on the cusp of the Internet of Things, with calls for an “Identity of Things”.
We need a bigger idea. Digital Identity hasn’t worked for the subjects that actually have identities: people! So what do we really need to solve for in the world of smart connected but inanimate objects?
We must avoid over-identifying users and associates of smart devices, and over-collecting personal data about them, lest the IoT become “informatic grey goo”. The IoT is about to make authentication vastly more complex. Of course we need precise and reliable authentication of devices, and the many and varied users of devices. Interconnectivity means authentication subjects will expand enormously, to include owners, renters, affiliates, patients, passengers, researchers, certifiers, regulators, investigators, service personnel, sellers, agents and brokers. And the inanimate credentials and properties we need to verify will include certifications, performance figures, test results, component lifecycles, supply chain details, warranties, service histories, location histories … to name just a few.
So let’s focus on authentication carefully and with fresh eyes while we have the chance. What will we really need to know about the different actors in the Internet of Things, and how will we verify the many different signals?
Fortunately the identity industry has delivered a set of cryptographic patterns and sub-systems for verifiable credentials which can carry over into automated authentication of things and actors.
This closing keynote speech examined the importance of cryptographic key stores and data wallets ― functionality that lies adjacent to FIDO standards today ― and how these will become embedded into smart devices through IoT microcontrollers. APIs, cloud services and data sharing models will support the installation and verification of important attribute information across the IoT.