Episode 41: National ID Challenges
What are the priorities and tradeoffs of certain approaches to building a national identity infrastructure? How can you build a system that enables people to assert their identity and claims, and also protects their privacy?
What are the most pressing use cases? Voting? Healthcare? Opening a bank account? Other private-sector RPs?
How to balance the tradeoffs of privacy, fraud reduction, and poverty reduction presented by a system like Aadhaar?
Do Verifiable Credentials offer a “leapfrog opportunity”?
What to put on the blockchain (if anything)?
What did Singpass get right in Singapore?
Whether to engage with the 50-in-5 initiative, DPGA, or Govstack?
Sovereignty vs. availability?
Accessibility vs. progress?
Episode 40: You got the JWT… now what?
Once you have obtained a JSON Web Token (JWT), the next steps are understanding it, storing it securely, and using it correctly for authentication and API calls within your web application. A JWT has three parts: the header, the payload, and the signature. Where the client keeps the token matters: anything stored in local storage is readable by any script running on the page, so a single cross-site scripting (XSS) bug can exfiltrate it; an HttpOnly cookie keeps the token out of reach of page scripts, at the cost of needing CSRF defences such as SameSite cookies and anti-forgery tokens. For API requests, send the JWT in the Authorization header using the Bearer scheme. On the server side, verify the token’s signature against a pinned algorithm and key, check its expiration, and validate its claims (issuer, audience) before trusting anything in the payload; a JWT that is decoded but not verified is just attacker-controlled JSON. Handling token expiration through refresh tokens, reading user information from the verified claims, and protecting endpoints with role-based access control (RBAC) are the remaining pieces of a sound setup. Monitoring and logging JWT usage support auditing and troubleshooting. Handled this way, JWTs keep the authentication process both secure and efficient and guard the application against the usual token-handling mistakes.
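The server-side steps above (Bearer extraction, signature check with a pinned algorithm, expiry and claim validation, then an RBAC check on the verified claims), as an added example written for this page rather than code from the episode. It uses only the Python standard library and a constructed HS256 secret, issuer and audience; the `sign_hs256` helper exists only to produce test input, and the function and claim names are the example’s own assumptions.

```python
"""Minimal server-side JWT (HS256) validation with only the standard library.
Added illustration for this page; key, issuer, audience and role values are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"   # pinned server-side: never let the token's header choose the verifier
LEEWAY = 30             # seconds of clock skew tolerated on exp / nbf


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT (header.payload.signature). Used here only to build sample tokens."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Verify signature first, then exp/nbf, then iss/aud. Returns the now-trusted claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError as exc:                      # covers binascii.Error and JSONDecodeError
        raise TokenError("undecodable token") from exc
    if header.get("alg") != ALLOWED_ALG:           # rejects alg=none and RS256/HS256 confusion
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise TokenError("bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + LEEWAY:
        raise TokenError("expired or missing exp")
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"] - LEEWAY:
        raise TokenError("not yet valid")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims


def bearer_token(authorization_header: Optional[str]) -> str:
    """Extract the token from an 'Authorization: Bearer <jwt>' header value."""
    if not authorization_header:
        raise TokenError("missing Authorization header")
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("expected Bearer scheme")
    return token.strip()


def require_role(claims: dict, role: str) -> None:
    """Role-based access check; only ever call this with claims returned by verify_hs256."""
    if role not in claims.get("roles", []):
        raise TokenError(f"role {role!r} required")


if __name__ == "__main__":
    key = b"constructed-demo-secret-do-not-reuse"        # constructed sample secret
    tok = sign_hs256({"sub": "alice", "iss": "https://idp.example", "aud": "api.example",
                      "exp": 1_700_000_600, "roles": ["reader"]}, key)
    claims = verify_hs256(bearer_token(f"Bearer {tok}"), key,
                          "https://idp.example", "api.example", now=1_700_000_000)
    require_role(claims, "reader")
    print("accepted", claims["sub"])
```

The order of checks is deliberate: the signature is checked before any claim is read, the algorithm is compared against a server-side constant rather than trusted from the header, and `require_role` operates only on the dictionary that `verify_hs256` returned, so no code path can authorise on unverified payload data. With a production library the same points apply: pass an explicit `algorithms` list, an expected `issuer` and `audience`, and a clock-skew leeway.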
Episode 39: Blockchain vs. The Right To Be Forgotten – one Solution
1. Can a blockchain be made to support the many new regulations that require the “Right of Erasure”?
2. If so, how can it then remain an immutable source of truth?
3. Does a solution require a specialized blockchain or can it be applied to existing blockchains?
4. What are the issues that arise from incorporating the solution?
Episode 38: Immortal passwords versus vulnerable humans
Immortal Passwords refers to the concept of password practices and protocols that are designed to be incredibly secure and resistant to various forms of cyber-attacks, essentially making them ‘immortal’ in the face of evolving threats. These passwords typically adhere to stringent security standards, including long character lengths, a mix of symbols, numbers, and letters, and regular updates. Additionally, they are often managed through sophisticated password management systems or algorithms that can generate and store complex passwords securely.
Vulnerable Humans, on the other hand, highlight the inherent weaknesses in human behaviors and practices when it comes to password security. Despite the availability of strong password guidelines, many individuals still use weak passwords, reuse passwords across multiple sites, or fail to update them regularly. This makes them susceptible to common cyber threats such as phishing, brute force attacks, and credential stuffing.
Episode 37: The Rise of Browser Identity APIs
In the last few years, a number of new browser APIs have been proposed and implemented that help developers authenticate people or establish identity. This talk discusses a few of them: WebAuthn, WebOTP, FedCM, DBSC (Device Bound Session Credentials) and the Digital Credentials API.
Episode 36: Deepfakes II: BioID’s Combat Strategy
The applications for Deepfake Detection are numerous, especially as generative AI has advanced significantly. The question arises: can online media and identity verification processes still be deemed reliable? Discover methods to protect your identity and systems against impersonation and learn how to identify deepfakes on your own – or is that even possible?
Episode 35: Next Gen Open Banking and Bank ID is beginning
The increased mobility of users and their demand for personalized, unified omnichannel access experiences has stretched federated IAM beyond its limits. Meanwhile, the need for organizations to collaborate more to compete, and build communities of trust and value for those same users affordably and securely, cannot be met by existing federated IAM solutions. Learn how banks are embracing the new paradigm of decentralized identity (DCI) to improve existing experiences and create the opportunity for new, valuable user experiences and increased levels of engagement and collaboration with business partners across multiple jurisdictions, without the need to replace their infrastructure. Simultaneously, understand why starting their journey now, enables banks to future-proof their ecosystem to rapidly support the EUDI and official digital credentials that will become available. Get a glimpse into the solution architecture being deployed at banks and an understanding of the benefits and how they can be communicated to executive leadership and business partners. Learn how DCI can also solve today’s problems in a practical way, including fighting fraud from adversarial and generative AI, and work in harmony with existing IAM systems enhancing existing federation platforms, and still set the banks up for the art of the possible tomorrow.
Episode 34: Fear not the rise of the machines, for we have standards
Machine identities have been proliferating and now outnumber human identities by a considerable margin. Despite often holding far more privilege than humans, they remain under-governed relative to user identities. In this episode we discuss the drivers behind this rise in machine identities and the work happening in standards working groups such as Workload Identity in Multi-System Environments (WIMSE) and OAuth that will help make these environments safer and more secure.
Episode 33: Consent Is Dead: How Bad Is It Really?
At EIC24, Eve laid out a case that digital consent is a fiction. How bad is the situation? How does it impact identity, security, and privacy? And do identitarians need to start getting their heads around the identity resolution industry?
Episode 32: No things in IGA: Considering non-human account management
Vendors often suggest that our customers manage things (robotic process automation (RPA) bots, service accounts, etc.) in an IGA system. Naaahh, that’s not how you manage those types of accounts!