Identiverse, part of the SC Media and CyberRisk Alliance family of brands, takes place May 28-31 in Las Vegas. The following is an excerpt from the 2024 Identiverse Trends Report, informed by a review of hundreds of call-for-presentation responses and refined by discussions with members of the Identiverse Advisory Board and other industry luminaries. Key takeaways:
- Identity security: A significant proportion of proposals for talks centered around the security aspects of digital identity — specifically on the ways in which digital identity solutions are used as part of the overall cybersecurity design and response. In other words: architecting for identity as the security perimeter. MFA (and, increasingly, passkey) deployments, identity-based API protection with OAuth, and finer-grained access control with ABAC (and its cousins) generally take center stage here, with nods to zero-trust architectures. This year, however, we’re seeing an increase in the use of digital identity orchestration (including low-code/no-code orchestration) to help co-ordinate multiple systems; and in techniques like ITDR to better instrument monitoring of threats to these identity systems.
- Standards are still key: Modern digital identity is necessarily highly interoperable. Identity data is routinely exchanged between disparate systems within and across organizational boundaries; and, increasingly, between individual users and the online services they seek to use via digital wallets. Reassuringly, there’s a lot of activity in the identity standards world in support of this; and it’s crucial work. Foundational standards such as OAuth and OpenID Connect are being updated and advanced to respond to changing environments (particularly the deprecation of third-party cookies—and in this regard there’s consideration of SAML, too: a much older standard but on which a large volume of large-scale deployments still rely) and to take advantage of newer approaches like verifiable credentials. We’re also seeing advances in other infrastructure standards like SCIM and CTAP. Perhaps most notably, a raft of authorization specifications are being actively developed in order to allow vendors and practitioners alike to meet new requirements.
- Wallets on the rise: With the increasing adoption of user-held digital identity data such as Mobile Drivers’ License (mDL), and active progress on citizen-scale digital identity projects in Europe, Australia, and several others, it’s no surprise that we’re seeing more interest in supporting technologies such as verifiable credentials and digital wallets. The majority of proposals received, however, are still relatively theoretical in nature: large-scale deployments are still some way off, and for every proposal exploring the potential benefits of wallet approaches, there is another one discussing challenges to navigate and risks to mitigate. The impact both on existing systems and processes will be significant; but with the levels of interest and investment across the industry is high and the tangible progress at national scale in several regions around the world, it’s clear that practitioners need to start considering how to adapt to these new constructs.
- An expanding industry: Modern digital identity is necessarily highly interoperable. Identity data is routinely exchanged between disparate systems within and across organizational boundaries; and, increasingly, between individual users and the online services they seek to use via digital wallets. Reassuringly, there’s a lot of activity in the identity standards world in support of this; and it’s crucial work. Foundational standards such as OAuth and OpenID Connect are being updated and advanced to respond to changing environments (particularly the deprecation of third-party cookies—and in this regard there’s consideration of SAML, too: a much older standard but on which a large volume of large-scale deployments still rely) and to take advantage of newer approaches like verifiable credentials. We’re also seeing advances in other infrastructure standards like SCIM and CTAP. Perhaps most notably, a raft of authorization specifications are being actively developed in order to allow vendors and practitioners alike to meet new requirements.
Download the full report for the complete analysis.
