Where Identity Security Is Heading

Curity
3 min readOct 1, 2021

The original post was written by Jacob Ideskog and published in the Curity blog. You can read it here.

There’s a lot of activity in the identity community currently. Financial Grade APIs (FAPI), OAuth 2.1, WebAuthn, decentralized identity, and other facets are being actively maintained and updated. In addition, entirely new standards are being proposed to replace existing ones. This is the natural progression of Internet standards.

However, it’s easy to forget the stable toolset in place when blinded by shiny new things. Both OAuth 2.1 and FAPI primarily restrict the array of options introduced by OAuth and OpenID Connect to something secure and interoperable. Large standards such as OAuth can be properly implemented in high-security scenarios but can also be misused to provide a false sense of security.

I also see that some new initiatives are trying to solve already solved problems in a more modern way. Appealing (and sometimes handy) as this may be, it does not necessarily provide any useful new security. There are two main drivers for new standards. On one hand, there is a need for modernization and simplification, essentially adapting the standards to current use cases. On the other hand, there are advanced cases where novel problems are being addressed, such as generalizing out-of-band authentication, sharing identity information, and building large-scale interoperable identity networks. The latter is often driven by legislation.

The Evolution of Identity

The identity space has been through many iterations. In many respects, it is a very mature technical area where various problems have been solved many times over. However, we are at the crossroads of a bigger shift. For the first time, many governments have moved from indifference to having codified opinions about your digital identity and the data attached to it. There is a tension between the need for more oversight and the need for stronger privacy. Thankfully, we can accommodate both if done right. What needs to be done can be broken down into the following three areas:

1. Interoperability

Interoperability means that we need to heavily restrict, or profile, the usage of the standards. This ensures that the same baseline security is present across all regions.

2. Stronger identity assurance

Knowing who a user is matters, but for an online service, it is more important to know the particular claims associated with that user. Asserting these claims in a general way will lead to safer transactions on the Internet and leads us to the last point in this blog post.

3. Privacy

As we start building large-scale interoperable identity systems, the need for increased privacy is multiplied. The digital footprint left must be reduced to a minimum, and it needs to be controlled by the end-user.

Combining proper identity assurance with pseudonymous identity information is possible if we trust the issuer of the information.

Read the full article on our blog to learn more.

Curity is the leading supplier of API-driven identity management, providing unified security for digital services. Visit curity.io or contact info@curity.io