SSOCircle

Going deep on Decentralized Identity (DID) and Artificial Intelligence, as they turned out to be the main topics of KuppingerCole European Identity Conference 2019 (EIC19), which was held in Munich from 14th-17th of May 2019. The leading Identity and Access Management event in Europe attracted almost 1.000 visitors and a growing exhibitors area expanding over two floors. Again KuppingerCole Analysts AG did a tremendous job of gathering the thought leaders and practitioners of the industry. And it is always a real roller coaster to be energized by visionary’s view and then be deflated by reality. For all students it is worth noticing: KupppingerCole introduced this year the Young Talents Program which offers all students to attend KC events free of charge.
The concept of the European Identity Conference is a well-established mixture of keynotes, workshops, breakout sessions and panel discussions. But the identity week itself already started on Monday with events like the half-day FIDO Authentication workshop and the AI Innovation night. On Tuesday morning pre-conferences were held on Blockchain ID, AI and meetings of the OpenID and Kantara initiatives.
Tuesday afternoon the conference is started as usual by Martin Kuppinger setting the tone for the conference with his opening keynote “Navigating IAM into the Digital Age: Connected Consumers, Connected Business, Connected Data & AI”. Connect consumers but leaving them in control of their identity by BYOD (bring your own identity). Having identity, payment, commerce going hand in hand and getting rid of the cumbersome KYC process. Sharing data to get artificial intelligence as the fuel of the business transformation which happens now. Rethinking the entire IAM and moving to a set of service which allows to connect everything “the identity fabric”

“We give people back their identity”

Evernym

Decentralized Identity (DID) or Self Sovereign Identity (SSI) is a solution approach in order to put users back into control of their identity. In general SSI/DI means that not a single company or organization owns the identities. Many speakers emphasized that for enterprises storing and owning identity data of consumers constitutes a risk which should be avoided. Most products and solutions for DID utilize blockchain technology. But in fact, that is not necessarily a must. There are some offers based on alternative technologies.
An intensively discussed topic at the conference was “Artificial Intelligence”. Ethical questions and the problem of liability as pointed out by Karsten Kinast by the need of a new legal framework for AI. Currently liability is only applicable to a person but not to AI, as no person can be attached to a real learning artificial intelligence machine an issue of liability arises. Ethics in AI also leaves many questions open, one example mentioned: Think of AI in autonomous cars, where the machine has to decide in a inevitable crash whether to kill the younger or the older person … a decision also not allowed in many jurisdictions.

The European Identity & Cloud award the ceremony hosted by Jennifer Haas, in which KuppingerCole honors outstanding IAM projects, is always the highlight of the conference. This year following winners in eight categories were presented:
 

• Best Enterprise IAM Project

BP and their IAM team for driving and supporting the company’s digital business initiatives.

• Best Consumer Identity and Access Management Project

Telia’s Identification Broker Service for the Finish trust network build on different modular services

• Best IoT Security Project

Rabobank for implementing a system for secure onboarding of customers by using the national ID card in combination with a smartphone and focusing on user experience

• Best Consumer Authentication Project

Allianz with IC Consult for building a central authentication API platform based on open standards supporting web and mobile clients.

• Best Blockchain ID in Self Sovereign Identity Project

Evernym was given the award for their trust platform based on blockchain. To quote them: “We give people their identity back”

• Best Identity Platform Project

The Economist for their one-click authentication platform helping them to meet GDPR requirements while still maintaining a good user experience. Technology based on Auth0.

• Best Blockchain ID in Consumer Identity Project

Traficom, the Finnish Transport and Communications Agency for their scalable personal data sharing MyData Wallet

• Best Future Technology / Standard Project

W3C’s WebAuthn as being most recognized and FIDO Alliance’s FIDO 2.0 standard for future development.

Some other conference picks worth mentioning:

Paul Fremantle from WSO2 introduced the OpenSource IAM Consortium with the members WSO2, Gluu and ZmartZone.

Ian Glazer gave a nice talk about such simple thing as the username: “the most forgotten thing in identity management”. Usernames are not secrets, are classified as public, should be memorable, unique and recoverable…

Mark Stephen Meadows, CEO of Botanic Technologies, introduced Seedtoken.io. Seed is providing an OpenSource economy for AI personalities, bot assistants and video bots. Blockchain enables seed to authenticate conversational user interfaces and compensate developers for their contributions.

Fooling machine learning systems was topic of another session. Frederic Stallaert gave this sample of a simple picture held in front of the body fooling a person recognition camera:

As a result of a recent formal security analysis of OAuth 2.0 it is recommended to not use implicit grant type and it is very likely it will become deprecated in the standard. Torsten Lodderstedt presented about OAuth security and introduced the upcoming OAuth 2.0 Security Best Current Practice RFC, a draft can be found: https://tools.ietf.org/id/draft-ietf-oauth-security-topics-10.html

Do not use the OAuth Implicit Grant any longer!

Torsten Lodderstedt

Last but not least, many thanks to the KuppingeCole team for putting such a conference together. And don’t forget to mark the date of EIC2020 in Munich from May 12th to 15th.