🚀 The Future of Identity: Beyond “Oopsies” and Towards Agent-Centric Security ✨
Identity management. It’s the unsung hero of our digital lives, quietly working behind the scenes to keep our data safe. But as technology evolves at warp speed, so too must our approach to identity. Dick Hart’s recent presentation at [Conference Name - Assume a conference name here] offered a fascinating glimpse into the future of identity, tackling complex challenges and introducing some exciting new solutions. Let’s dive in!
🎯 The Core Problem: Complexity and the Risk of “Oopsies” 🛠️
Hart kicked off by highlighting a persistent issue in enterprise Identity and Access Management (IAM): overly complex deployments of established protocols like SAML and OpenID Connect (OIDC). While powerful, these systems often become tangled webs, leading to what Hart playfully termed “oopsies” – security breaches or unauthorized access. The root cause? A lack of standardized, testable specifications and a reluctance to update existing, albeit potentially insecure, setups. The need for more opinionated and rigorously testable specifications is clear.
🌐 Key Protocols: A Critical Look 🧐
Hart didn’t shy away from critiquing existing protocols, offering valuable insights:
- OAuth 2: A common misconception! Hart clarified that OAuth 2 is fundamentally for authorization, not authentication. He suggested simply calling it “O” to avoid confusion.
- SAML: While flexible, SAML suffers from a lack of conformance testing. This makes it difficult to verify proper implementation and leaves the door open to vulnerabilities.
- SCIM: This REST API for directory synchronization is powerful, but its manual configuration and lack of a specified authentication mechanism have limited its adoption to primarily Fortune 5000 companies.
- OpenID Provider Commands (OPC): A game-changer! Developed by Hart and Carl McInness, OPC standardizes commands from the OpenID Provider (OP) directly to applications. This eliminates intermediaries, simplifies account lifecycle management (especially offboarding), and supports the full ISO lifecycle (create, delete, archive).
- Interoperability Profile for Secure Identity in the Enterprise (IPSIE): IPSIE provides crisp, opinionated specifications for identity management, enabling conformance testing and certifications. It introduces maturity levels for session and account lifecycles, promoting a more robust and secure approach.
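To make the OPC idea concrete, here is an added example (it is not code from the talk, from the OPC draft, or from Hellō) of the application side: a receiver that accepts a signed command from the OP, verifies it, and applies it to a local account store. It is written with only the Python standard library. The claim names `command`, `sub` and `jti`, the command vocabulary (`delete`, `archive`, `activate`), the HS256 shared key, and the issuer and audience URLs are all assumptions made for illustration; a real deployment would use the OP's asymmetric signing keys and the claim names the specification defines.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for this example only: a shared HS256 key, the OP's issuer URL,
# this application's command endpoint as audience, and a small command vocabulary.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
EXPECTED_ISSUER = "https://op.example"
EXPECTED_AUDIENCE = "https://app.example/commands"
SUPPORTED_COMMANDS = {"delete", "archive", "activate"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_command(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT standing in for what the OP would send (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_command(token: str, key: bytes = SHARED_SECRET, now: Optional[float] = None) -> dict:
    """Check signature, algorithm, issuer, audience, expiry and required fields."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must never choose it (blocks alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("command") not in SUPPORTED_COMMANDS or "sub" not in claims or "jti" not in claims:
        raise ValueError("missing or unsupported command fields")
    return claims


class CommandReceiver:
    """Tiny account store that applies each verified command exactly once."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)   # sub -> "active" | "archived"
        self.seen_jti = set()            # replay defence: a command id is honoured once

    def apply(self, token: str, now: Optional[float] = None) -> str:
        claims = verify_command(token, now=now)
        if claims["jti"] in self.seen_jti:
            raise ValueError("replayed command")
        self.seen_jti.add(claims["jti"])
        sub, command = claims["sub"], claims["command"]
        if command == "delete":
            self.accounts.pop(sub, None)  # idempotent: an unknown sub is not an error
        elif command == "archive":
            if sub in self.accounts:
                self.accounts[sub] = "archived"
        elif command == "activate":
            self.accounts[sub] = "active"
        return command


def outcome(receiver: CommandReceiver, token: str, now: Optional[float] = None) -> str:
    """Return the applied command, or 'rejected: <reason>' when verification fails."""
    try:
        return receiver.apply(token, now=now)
    except Exception as exc:  # signature, claim, decoding or replay failures all land here
        return f"rejected: {exc}"


if __name__ == "__main__":
    t = time.time()
    token = mint_command({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": t + 60,
                          "jti": "cmd-1", "sub": "alice", "command": "delete"})
    receiver = CommandReceiver({"alice": "active", "bob": "active"})
    print(outcome(receiver, token, now=t), receiver.accounts)
    print(outcome(receiver, token, now=t))  # second delivery is rejected as a replay
```

The point worth noticing is that the offboarding path has no intermediary: the OP signs the command, the application checks it against pinned expectations (algorithm, issuer, audience, expiry, one-time `jti`) and acts on it directly, which is exactly the lifecycle step Hart identified as most of the value of enterprise IAM.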
🤖 The Rise of Agent Identity & New Solutions 🦾
The conversation then shifted to a rapidly growing area: agent identity – think AI chatbots and other automated entities. Hart argued that OAuth 2 isn’t a good fit here due to its reliance on pre-registration and limited dynamic client registration support outside of enterprise environments.
Here’s where things got really exciting:
- Agent OAuth: A brand new protocol specifically designed for agent identity! It leverages HTTP message signing for authentication, supports a gradient of identity verification (akin to authorization), and enables independent delegation.
- Email Verification Protocol (EVP): Hart is spearheading the development of EVP, aiming for a seamless email verification experience that eliminates app-switching and manual code entry. It’s currently live in Hello and undergoing testing in Chrome.
- Hello Interchange: Acting as a privacy-focused interchange layer, Hello allows users to choose their preferred login method, giving them more control over their data.
- GitHub Offboarding (Hello): A brilliant free service from Hello that automatically deprovisions users from GitHub upon directory removal, addressing a common and often overlooked security vulnerability.
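Since Agent OAuth authenticates the agent with HTTP message signing rather than a pre-registered client, the example below (added here; it is not code from the talk or from the Agent OAuth draft) shows what that primitive looks like on the wire using HTTP Message Signatures (RFC 9421) with the `hmac-sha256` algorithm and Content-Digest (RFC 9530), standard library only. The key id, the shared secret, the sample request and the 300-second freshness window are constructed assumptions; a real agent would hold an asymmetric key so the verifier never possesses signing capability.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed key table (keyid -> secret). An agent deployment would register a public key instead.
KEYS = {"agent-key-1": b"constructed-demo-secret-not-for-real-use"}
# Components the verifier insists on; a signer may not quietly leave these out.
REQUIRED = ("@method", "@authority", "@path", "content-digest")
MAX_SKEW = 300  # seconds a signature stays acceptable (assumption for this example)


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest with sha-256; the value is colon-delimited base64."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def _component(request: dict, name: str) -> str:
    derived = {"@method": request["method"], "@authority": request["authority"], "@path": request["path"]}
    return derived[name] if name in derived else request["headers"][name]


def signature_base(request: dict, covered, params: str) -> bytes:
    """RFC 9421 signature base: one '"name": value' line per component, then @signature-params."""
    lines = [f'"{name}": {_component(request, name)}' for name in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()


def sign_request(request: dict, keyid: str, created=None, label: str = "sig1") -> dict:
    """Agent side: add Content-Digest, Signature-Input and Signature headers."""
    created = int(time.time()) if created is None else created
    request["headers"]["content-digest"] = content_digest(request["body"])
    inner = " ".join(f'"{c}"' for c in REQUIRED)
    params = f'({inner});created={created};keyid="{keyid}";alg="hmac-sha256"'
    mac = hmac.new(KEYS[keyid], signature_base(request, REQUIRED, params), hashlib.sha256).digest()
    request["headers"]["signature-input"] = f"{label}={params}"
    request["headers"]["signature"] = f"{label}=:{base64.b64encode(mac).decode()}:"
    return request


def verify_request(request: dict, now=None, label: str = "sig1") -> bool:
    """Resource-server side: rebuild the signature base and check it, plus freshness and coverage."""
    now = int(time.time()) if now is None else now
    headers = request["headers"]
    m = re.fullmatch(rf'{label}=(\((.*?)\);created=(\d+);keyid="([^"]+)";alg="hmac-sha256")',
                     headers.get("signature-input", ""))
    s = re.fullmatch(rf'{label}=:([A-Za-z0-9+/=]+):', headers.get("signature", ""))
    if not m or not s:
        return False
    params, created, keyid = m.group(1), int(m.group(3)), m.group(4)
    covered = re.findall(r'"([^"]+)"', m.group(2))
    if keyid not in KEYS or abs(now - created) > MAX_SKEW:
        return False                      # unknown key, or a stale (replayable) signature
    if any(name not in covered for name in REQUIRED):
        return False                      # signer tried to drop a component we rely on
    if headers.get("content-digest") != content_digest(request["body"]):
        return False                      # body no longer matches the signed digest
    try:
        expected = hmac.new(KEYS[keyid], signature_base(request, covered, params), hashlib.sha256).digest()
    except KeyError:
        return False                      # a covered header is missing from the request
    return hmac.compare_digest(expected, base64.b64decode(s.group(1)))


def sample_request() -> dict:
    """Constructed agent request to a resource server (not a real endpoint)."""
    return {"method": "POST", "authority": "api.example", "path": "/v1/orders",
            "headers": {"content-type": "application/json"},
            "body": b'{"sku": "A-100", "qty": 2}'}


if __name__ == "__main__":
    req = sign_request(sample_request(), "agent-key-1")
    print(req["headers"]["signature-input"])
    print("verified:", verify_request(req))
```

Two checks matter beyond the MAC itself: the verifier enforces which components must be covered (otherwise a signer could leave the body digest out and the signature would still verify) and bounds `created`, because a signature over method, authority and path is otherwise replayable for as long as the key lives.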
🌍 The B2C Identity Landscape: Navigating Fragmentation 🧩
Hart also shared his perspective on the B2C identity landscape:
- Mobile Driver’s License (MDL): He expressed skepticism about widespread US adoption due to state-specific implementations.
- EU Digital Wallets & eIDAS: While the EU is leading the charge in digital wallet adoption, fragmentation across jurisdictions remains a challenge. He believes eIDAS might introduce another login method rather than unifying existing systems.
- Passkeys: Hart sees passkeys as “just another way to log in,” acknowledging user experience challenges and potential security concerns related to key syncing.
- Social Login: Remains a strong contender thanks to robust anomaly detection by major providers, but privacy and vendor lock-in are valid concerns.
💾 Key Takeaways & Quantifiable Insights 💡
Let’s recap some key points and numbers:
- 80% Value of IAM: Hart emphasized that offboarding accounts represents a significant 80% of the value in enterprise identity access management. This highlights the importance of robust deprovisioning processes.
- Limited SCIM Adoption: As mentioned earlier, SCIM’s adoption is largely confined to Fortune 5000 companies.
- Dynamic Client Registration: Dynamic client registration in OAuth 2 is rarely utilized outside of enterprise settings.
🛠️ Tools & Technologies to Watch 📡
Here’s a quick rundown of the technologies and protocols discussed:
- OpenID Connect (OIDC)
- SAML
- SCIM
- OpenID Provider Commands (OPC)
- IPSIE
- HTTP Message Signing
- GitHub
- Chrome
- Hello (Interchange)
- MCP (Machine-to-Machine Communication Protocol)
- Agent OAuth
The Bottom Line: Dick Hart’s presentation underscored the need for a more streamlined, secure, and adaptable approach to identity management. By embracing new protocols like OPC and Agent OAuth, and prioritizing account lifecycle management, we can move beyond the era of “oopsies” and build a more robust and user-friendly identity ecosystem for everyone. 🚀