1 00:00:04,760 --> 00:00:11,120 This is identity at the center. Welcome to the Identity of the 2 00:00:11,120 --> 00:00:12,800 Center podcast. I'm Jeff, and that's Jim. 3 00:00:12,800 --> 00:00:14,920 Hey, Jim. Hey, Jeff, how are you? 4 00:00:15,520 --> 00:00:18,160 Not so bad yourself. Doing great, man. 5 00:00:18,240 --> 00:00:22,240 Other than the fact that I've been working on writing identity 6 00:00:22,240 --> 00:00:24,160 access management policies all day. 7 00:00:24,480 --> 00:00:28,760 But I mean, hey, what thing can you do this more important than 8 00:00:28,760 --> 00:00:33,200 that to having a successful IAM program and having a good 9 00:00:33,560 --> 00:00:38,880 bedrock of solid IAM policies? Rules of the road are important. 10 00:00:38,880 --> 00:00:41,240 Got to know which side you're driving on, what speed limits 11 00:00:41,240 --> 00:00:43,120 you can go, you know all that good stuff. 12 00:00:43,360 --> 00:00:45,840 Prevents accidents. That's right. 13 00:00:45,840 --> 00:00:47,840 I mean, it's at least a good starting point. 14 00:00:49,000 --> 00:00:52,440 And then you kind of you build your automation on top, you 15 00:00:52,440 --> 00:00:58,240 build your controls, but it's a good, it's a good approach to 16 00:00:58,240 --> 00:01:02,000 have that is like your foundation rather than starting 17 00:01:02,000 --> 00:01:04,959 with the technology. And then I'm trying to retrofit 18 00:01:04,959 --> 00:01:08,480 policies to fit the the technical capabilities that you 19 00:01:08,480 --> 00:01:10,600 have. See, I don't know if I would 20 00:01:10,600 --> 00:01:12,120 agree with that. I think you should write a 21 00:01:12,120 --> 00:01:15,600 policy is the way it should be, and not with your technology 22 00:01:15,600 --> 00:01:18,800 limitations in mind. Those would be treated as either 23 00:01:18,800 --> 00:01:22,000 exceptions to the policy or some other kind of mechanism. 24 00:01:22,800 --> 00:01:25,000 So in other words, you agree with me completely because 25 00:01:25,000 --> 00:01:27,040 that's what I that's what I meant to say. 26 00:01:27,240 --> 00:01:30,080 However, it came out exactly what you said. 27 00:01:30,440 --> 00:01:35,040 OK, then yes, we're on the same page and I and I concur Dr. All 28 00:01:35,040 --> 00:01:36,360 right, Doctor. Yeah. 29 00:01:36,720 --> 00:01:39,960 You know, the tough thing is sometimes taking some of the 30 00:01:39,960 --> 00:01:45,760 newer standards, like the newer standards around 863 B with the 31 00:01:46,960 --> 00:01:50,880 authentication insurance levels. I'm just trying to apply them 32 00:01:50,880 --> 00:01:56,040 because essentially what I think what they say is if your, if 33 00:01:56,040 --> 00:02:00,440 your data or your systems require this level of assurance, 34 00:02:00,440 --> 00:02:02,560 then you should apply these controls. 35 00:02:03,000 --> 00:02:06,440 But you have to kind of come up with a framework for the, you 36 00:02:06,440 --> 00:02:10,520 know, how the organization decides what level of assurance 37 00:02:10,520 --> 00:02:12,760 is required for that data, right? 38 00:02:12,760 --> 00:02:16,960 Is it top secret systems or what is the classification or what 39 00:02:16,960 --> 00:02:21,840 are the those rules of the road that your organization, you 40 00:02:21,840 --> 00:02:24,200 know, maps to those assurance level? 41 00:02:24,200 --> 00:02:29,000 So I won't say that I won't use the word fun, but important 42 00:02:29,000 --> 00:02:35,600 work. Yeah, important, interesting, a 43 00:02:35,600 --> 00:02:38,360 thinking game, fun. I don't know about that one. 44 00:02:38,360 --> 00:02:41,600 But good news is once you've got it down, you know, you kind of 45 00:02:42,240 --> 00:02:44,680 get your, you know, get your, your framework in place, get 46 00:02:44,680 --> 00:02:46,880 your templates in place and just start filling in blanks of what 47 00:02:46,880 --> 00:02:48,720 you want it to look like and, and stuff like that. 48 00:02:48,720 --> 00:02:51,200 This should not be like a very difficult exercise. 49 00:02:51,480 --> 00:02:53,600 Technically this is more of a political exercise. 50 00:02:54,000 --> 00:02:55,240 What can the organization tolerate? 51 00:02:56,720 --> 00:02:58,640 Yeah, you're right. I mean, often times it's 52 00:02:58,640 --> 00:03:02,000 political because they, I think you and agree, you and I agreed 53 00:03:02,160 --> 00:03:05,440 in theory that you want to write your policies for the way things 54 00:03:05,440 --> 00:03:07,320 should be, not for the way they are. 55 00:03:07,960 --> 00:03:12,400 There's not many senior executives that want to put out 56 00:03:12,400 --> 00:03:15,200 a set of policies and immediately be out of compliance 57 00:03:15,200 --> 00:03:18,960 with their own policies and have no hope of getting there within 58 00:03:18,960 --> 00:03:23,120 the the near term. So the reality is, is it's 59 00:03:23,320 --> 00:03:26,920 probably you're designing your policies somewhat based on where 60 00:03:26,920 --> 00:03:31,080 you are with the goal of hardening them over. 61 00:03:31,080 --> 00:03:33,520 Time. See, that's the catch 22 that 62 00:03:33,520 --> 00:03:36,480 comes up is as soon as you write a good policy, you're 63 00:03:36,480 --> 00:03:40,080 automatically out of compliance. And so like, you know, how do 64 00:03:40,080 --> 00:03:42,320 you how do you demonstrate that to auditors or whoever you got 65 00:03:42,320 --> 00:03:44,160 to show these to you is like, yeah, by the way, this policy, 66 00:03:44,160 --> 00:03:46,200 are you compliant? No, but it sure is. 67 00:03:46,280 --> 00:03:47,480 You know, this is where we want to be. 68 00:03:47,480 --> 00:03:50,360 So you need to have a conversation with internal 69 00:03:50,360 --> 00:03:52,480 audit. You know, you know, there's 70 00:03:52,480 --> 00:03:54,800 C-Suite, etcetera, say, OK, how do we want to approach this? 71 00:03:54,800 --> 00:03:57,720 Because if you don't have a good policy, then that just means 72 00:03:57,720 --> 00:04:00,360 your security is weak. If you don't have the technology 73 00:04:00,360 --> 00:04:03,400 to support the policy or the people or the processes that 74 00:04:03,480 --> 00:04:06,640 those are also deficiencies. So it really is a little bit of 75 00:04:06,640 --> 00:04:10,040 a political game and trying to make sure that everyone 76 00:04:10,040 --> 00:04:13,760 understands, you know, where you are today, where you should be 77 00:04:14,080 --> 00:04:16,920 and what is the approach to explain that, you know, policy 78 00:04:16,920 --> 00:04:18,800 wise. And then obviously getting make 79 00:04:18,800 --> 00:04:20,760 sure your auditors are on board as well so you can defend it. 80 00:04:21,680 --> 00:04:24,880 I mean, that's, that's ultimately what, you know, 81 00:04:24,880 --> 00:04:27,720 that's one of the real challenges for the practitioner 82 00:04:27,720 --> 00:04:31,080 is dealing with. We all philosophically know the 83 00:04:31,080 --> 00:04:35,640 right way to do things and at the same time we have to apply 84 00:04:35,640 --> 00:04:38,920 pragmatism. I think you've got to find 85 00:04:38,920 --> 00:04:41,640 strike the right balance. I mean, if you only go for the 86 00:04:41,640 --> 00:04:45,880 lowest common denominator every time, it's just going to be the 87 00:04:45,880 --> 00:04:49,920 definition of that term laggard. I think what's cool about being 88 00:04:49,920 --> 00:04:53,480 a consultant is that you get to work with a lot of different 89 00:04:53,480 --> 00:04:58,760 organizations and you have to kind of help your clients find 90 00:04:58,760 --> 00:05:04,000 that that right pragmatic level between the reality and the 91 00:05:04,000 --> 00:05:08,040 goals. And so, you know, obviously, 92 00:05:08,040 --> 00:05:10,920 like we agreed, there's something about fun. 93 00:05:11,160 --> 00:05:15,360 But I'll tell you one thing that I do find fun is conferences. 94 00:05:15,960 --> 00:05:20,840 I think it's just fun to be there with our fellow identity 95 00:05:20,840 --> 00:05:23,840 practitioners and get to know them, for them to get to know 96 00:05:23,840 --> 00:05:25,920 us. We've got a bunch of discount 97 00:05:25,920 --> 00:05:27,600 codes. What do you think? 98 00:05:27,600 --> 00:05:29,720 I mean, we haven't been reading them off for the last few 99 00:05:29,760 --> 00:05:32,680 episodes, even saying go to the website. 100 00:05:33,360 --> 00:05:36,680 But maybe we ought to at least give the rundown of what 101 00:05:36,680 --> 00:05:38,600 conferences we're actually going to. 102 00:05:38,600 --> 00:05:41,080 And we have count I have discount codes for. 103 00:05:41,680 --> 00:05:43,520 Yeah. Jim, would you say we have a 104 00:05:43,560 --> 00:05:46,480 plethora of discount codes for conferences? 105 00:05:47,240 --> 00:05:49,680 Yeah, and we have a guest, so we don't want to go through all of 106 00:05:49,680 --> 00:05:53,400 them and then we'll have to end the episode, right? 107 00:05:53,640 --> 00:05:56,520 This is a, a treatise on all of our conference discount codes, 108 00:05:56,520 --> 00:06:00,680 Part 1A of, you know, 48. Let's just run through them real 109 00:06:00,680 --> 00:06:01,920 quick. So we've got the official 110 00:06:01,920 --> 00:06:03,840 Cybersecurity Summit. I think by the time people 111 00:06:03,840 --> 00:06:07,280 listen to this, the IT will be probably too late maybe for the 112 00:06:07,280 --> 00:06:10,040 one in Chicago that I'll be at, but Philadelphia should still be 113 00:06:10,040 --> 00:06:12,680 available September 25th. I will be there as well. 114 00:06:13,240 --> 00:06:15,960 So by the way, all these codes are on our website, 115 00:06:15,960 --> 00:06:18,640 idacpodcast.com. Just Scroll down a little bit, 116 00:06:18,840 --> 00:06:20,120 you'll see everything we've got listed there. 117 00:06:20,120 --> 00:06:23,680 And I'm constantly adding new ones as we as we get those in 118 00:06:23,680 --> 00:06:26,800 partnership with those folks. So that's Cybersecurity Summit. 119 00:06:27,120 --> 00:06:29,560 Then we've got Authenticate 2025, which we're actually going 120 00:06:29,560 --> 00:06:31,600 to talk a little bit more about here today. 121 00:06:31,600 --> 00:06:34,880 That's coming up as well. So that's in October in the 122 00:06:34,880 --> 00:06:37,160 lovely Carlsbad, CA. I just got back from Monterey, 123 00:06:37,160 --> 00:06:41,280 CA like literally yesterday. So I'm heading back in a couple 124 00:06:41,280 --> 00:06:43,480 weeks to enjoy coastal California weather. 125 00:06:43,720 --> 00:06:46,520 You poor thing. I know, poor thing, I did come 126 00:06:46,520 --> 00:06:49,600 back to find 2 nails in my tire at the airport. 127 00:06:49,600 --> 00:06:51,480 So that was good times at about 1:00 AM. 128 00:06:52,000 --> 00:06:54,000 But first of all problems, we're fine. 129 00:06:54,760 --> 00:06:56,280 So that's the Authenticate conference. 130 00:06:56,640 --> 00:06:59,160 Then we've got Infosec World, that's a new conference for both 131 00:06:59,160 --> 00:07:01,280 you and I, Jim, that we've never been to, but we're happy to 132 00:07:01,280 --> 00:07:03,000 partner with our friend, friends over at Sierra. 133 00:07:03,040 --> 00:07:07,120 So shout out to Shirley. That is in Lake Buena Vista, FL 134 00:07:07,160 --> 00:07:11,120 October 2728 and 29 discount code for that as well. 135 00:07:11,120 --> 00:07:13,080 We got a couple special codes as well because they have like 136 00:07:13,080 --> 00:07:14,560 government discounts and things like that. 137 00:07:15,520 --> 00:07:18,760 And then we've got Ideniverse in DC in November. 138 00:07:19,080 --> 00:07:21,640 And then I think what will be the last conference of the year, 139 00:07:21,640 --> 00:07:25,840 which is the Gartner IM Summit in Grapevine, TX in December 8th 140 00:07:25,840 --> 00:07:28,560 through the 10th. So we have a discount code for 141 00:07:28,560 --> 00:07:30,440 Gartner coming soon. It's not up on the website yet, 142 00:07:30,440 --> 00:07:32,800 but it will be coming. I think in October is when we're 143 00:07:32,800 --> 00:07:35,160 we're able to post that. So keep an eye out for that. 144 00:07:35,160 --> 00:07:38,120 IDC, podcast.com, Scroll down, everything's there. 145 00:07:38,640 --> 00:07:42,200 Did I miss anything, Jim? No, no, I mean, I'm excited for 146 00:07:42,200 --> 00:07:45,880 all of them, but special shout out for Infosec world. 147 00:07:46,280 --> 00:07:48,720 You have a little bit of Disney while we're there, right? 148 00:07:48,720 --> 00:07:53,160 And you know, I'm thinking if you're looking for a work 149 00:07:53,160 --> 00:07:57,240 vacation where it maybe you bring some family members, roll 150 00:07:57,240 --> 00:08:00,840 it all into one, why not? OK, So why don't we get to our 151 00:08:00,840 --> 00:08:03,800 guest today? He is Nishant Kaushik. 152 00:08:03,840 --> 00:08:07,000 He is the new CTO at Fido Alliance. 153 00:08:07,000 --> 00:08:08,960 He's been with us before. But welcome back to the show, 154 00:08:08,960 --> 00:08:11,800 Nishant. Thanks, Great to be back. 155 00:08:12,960 --> 00:08:15,360 Yeah, so I was kind of shocked that it's been so long. 156 00:08:15,360 --> 00:08:17,280 This is actually your third appearance with us. 157 00:08:17,640 --> 00:08:22,520 You were way back on episode #73 and then episode 171. 158 00:08:22,520 --> 00:08:24,920 So we've got to cut your origin story back then. 159 00:08:24,920 --> 00:08:26,680 We'll ask people to go back and check that out. 160 00:08:27,080 --> 00:08:30,520 And then I think this is going to be episode #373 if my math 161 00:08:30,520 --> 00:08:33,200 lines up. So welcome back again. 162 00:08:33,240 --> 00:08:35,760 And I did introduce you as the new CTO. 163 00:08:35,760 --> 00:08:39,720 That is relatively new role. So within the last month or so, 164 00:08:39,720 --> 00:08:41,880 I can't even write 2 weeks. OK, so, so there you go. 165 00:08:42,720 --> 00:08:46,160 So what have you been up to now? You're with Fido Alliance as the 166 00:08:46,160 --> 00:08:48,560 CTO. I thought we had solved 167 00:08:48,560 --> 00:08:50,120 everything, you know, with pass keys. 168 00:08:50,120 --> 00:08:51,840 And now we're done. Like what do you have left to 169 00:08:51,840 --> 00:08:56,440 work on now? Well, I think. 170 00:08:56,840 --> 00:09:02,120 It's interesting, when I was interviewing for this role, it 171 00:09:02,120 --> 00:09:05,440 was one of the same, same thoughts was like, what's next? 172 00:09:05,440 --> 00:09:08,480 Like why, why do why would I want to take this job? 173 00:09:09,080 --> 00:09:15,160 And I think part of the challenge is digital identity is 174 00:09:15,160 --> 00:09:19,320 getting so much broader that you kind of have to look at it in 175 00:09:19,320 --> 00:09:23,760 the full picture and passkey is, is a important, but a part of 176 00:09:23,760 --> 00:09:26,800 that picture. And I think we still have a long 177 00:09:26,800 --> 00:09:31,200 way to go from having the right solution to actually having that 178 00:09:31,200 --> 00:09:35,520 solution making a difference. And when I, when we were 179 00:09:35,520 --> 00:09:39,480 discussing this role, one of the key things that I kept coming 180 00:09:39,480 --> 00:09:44,640 back to is my own frustration that, you know, we've been in 181 00:09:44,640 --> 00:09:47,400 this industry for so long, all of us, you know, on the vendor 182 00:09:47,400 --> 00:09:50,960 side, practitioner side and so on, and standards bodies, 183 00:09:50,960 --> 00:09:54,080 etcetera. And some of the smartest people 184 00:09:54,080 --> 00:09:57,040 I know, the best people I've done were doing great work. 185 00:09:57,600 --> 00:10:00,520 And yet everyday you're still seeing stories about breaches 186 00:10:00,520 --> 00:10:04,520 and continuous, you know, stories about identities being 187 00:10:04,520 --> 00:10:07,240 stolen. It's like, why haven't we gotten 188 00:10:07,240 --> 00:10:10,040 there yet, right? Everyone says, are we there yet? 189 00:10:10,160 --> 00:10:14,160 No, we're not. And a big part of that is coming 190 00:10:14,160 --> 00:10:17,040 up with the solution isn't really the only thing. 191 00:10:17,040 --> 00:10:21,280 It now has to scale. It has to be deployed and it has 192 00:10:21,280 --> 00:10:24,800 to work for everybody. And I think there are still ways 193 00:10:24,800 --> 00:10:28,240 for us to go before we solve all of the problems required to 194 00:10:28,240 --> 00:10:32,520 achieve that There there's. So it sounds like there's still 195 00:10:32,520 --> 00:10:36,800 ways to go here. And the really the reason that 196 00:10:36,800 --> 00:10:38,880 we wanted to have you on, and this is kind of fortuitous 197 00:10:38,880 --> 00:10:42,760 timing, is there was an article that was on the ID Pro 198 00:10:43,680 --> 00:10:47,200 newsletter that just came out recently talking about Black Hat 199 00:10:47,200 --> 00:10:50,360 and RSA and some of the concerns that were popping up around 200 00:10:50,360 --> 00:10:51,240 past. He's on there. 201 00:10:51,240 --> 00:10:55,080 So shout out to Rusty Deaton. He's the author of the article. 202 00:10:55,480 --> 00:10:57,680 So I'll link in our show notes where people can kind of check 203 00:10:57,680 --> 00:10:59,200 out what we're going to be talking about here and kind of 204 00:10:59,200 --> 00:11:01,880 follow around. But have you read that article? 205 00:11:01,920 --> 00:11:04,200 And if So, what are your sort of your initial thoughts on it? 206 00:11:04,600 --> 00:11:09,080 Yeah, you know, as a, as a founding member of ID Pro, I 207 00:11:09,080 --> 00:11:11,520 always pay attention to the ID Pro newsletters. 208 00:11:11,960 --> 00:11:15,400 So it was not surprising to see that article. 209 00:11:15,440 --> 00:11:20,080 You know, it's, there's been a few actually, right. 210 00:11:20,120 --> 00:11:24,280 Not just Rusty's, but there's been a number of things in the 211 00:11:24,280 --> 00:11:28,520 press where they people, journalists are going to the 212 00:11:28,520 --> 00:11:30,520 same conferences, Black Hat, etcetera. 213 00:11:30,960 --> 00:11:34,080 And they're attending these sessions and just walking away 214 00:11:34,080 --> 00:11:39,040 with takeaways that are half the picture or are, you know, sort 215 00:11:39,040 --> 00:11:43,320 of not really examining in things in a full in a full way. 216 00:11:43,320 --> 00:11:47,080 And I think Rusty did a great job of sort of laying it out in 217 00:11:47,080 --> 00:11:51,280 terms of, well, it's A1 sided story being presented on stage. 218 00:11:51,280 --> 00:11:53,400 It's not looking at the entirety of the thing. 219 00:11:53,840 --> 00:11:57,480 And I think one of the important things to take away from Rusty's 220 00:11:57,480 --> 00:12:01,520 article, and there's a really good article on our Technica as 221 00:12:01,520 --> 00:12:04,560 well. And I just wrote a blog post for 222 00:12:04,560 --> 00:12:08,120 the Fighter Alliance blog, official official blog, which is 223 00:12:08,120 --> 00:12:11,840 to understand that pass keys doesn't exist on its own. 224 00:12:11,840 --> 00:12:15,000 It exists as part of a broader authentication framework, 225 00:12:15,000 --> 00:12:18,520 digital identity framework. And so when you're looking at 226 00:12:20,240 --> 00:12:23,320 the threat models that you have to account for, you have to 227 00:12:23,320 --> 00:12:25,880 understand that pass keys operate within the threat model 228 00:12:25,880 --> 00:12:27,600 that your organization operates with. 229 00:12:28,040 --> 00:12:30,480 And you have to put in place supporting infrastructure for 230 00:12:30,480 --> 00:12:32,480 any authentication framework, not just pass keys. 231 00:12:32,960 --> 00:12:35,400 Maybe you're rolling out, you know, username, password, and 232 00:12:35,400 --> 00:12:38,280 SMSOTPXOMER images still are doing. 233 00:12:38,600 --> 00:12:40,360 Maybe you've gone to authenticator apps, so you're 234 00:12:40,360 --> 00:12:43,600 using Microsoft Authenticator. Maybe you're using hardware 235 00:12:43,600 --> 00:12:45,480 tokens. It doesn't really matter what 236 00:12:45,480 --> 00:12:47,120 your authentication framework is. 237 00:12:47,520 --> 00:12:50,360 It doesn't exist in silo. It still relies on the 238 00:12:50,360 --> 00:12:52,720 environment within which the user is going to be operating. 239 00:12:52,960 --> 00:12:56,080 And you still need to do the work to ensure that the 240 00:12:56,080 --> 00:13:00,400 operating environment can support the Security benefits of 241 00:13:00,400 --> 00:13:02,040 the authentication framework you're putting in. 242 00:13:02,040 --> 00:13:03,680 And Passkey is no different in that sense. 243 00:13:03,920 --> 00:13:07,920 So, yeah, it's great that it we have a technology that is 244 00:13:08,240 --> 00:13:11,400 phishing resistant, that is based on cryptography as opposed 245 00:13:11,400 --> 00:13:14,280 to shared secrets. But you're still operating with 246 00:13:14,280 --> 00:13:17,080 browsers, you're still operating on a myriad of desktops and 247 00:13:17,080 --> 00:13:19,720 platforms and phones all over the world. 248 00:13:20,120 --> 00:13:24,560 And you have to account for the differences those bring in and 249 00:13:24,560 --> 00:13:27,600 map those back to sort of your threat model. 250 00:13:27,600 --> 00:13:29,520 It's it's what you were discussing earlier, right? 251 00:13:29,800 --> 00:13:31,760 Policy. You don't define policy in a 252 00:13:31,760 --> 00:13:34,640 vacuum. Policy has to work for the 253 00:13:34,640 --> 00:13:38,200 organization, but it also has to work for the people that you're 254 00:13:38,200 --> 00:13:40,840 going to be applying those policies to. 255 00:13:41,360 --> 00:13:44,800 And you can't treat every end user as if they're the president 256 00:13:44,800 --> 00:13:49,520 of the United States or, you know, the CEO of a Fortune 5 257 00:13:49,520 --> 00:13:53,760 company, right? You have to, you know, talk with 258 00:13:53,760 --> 00:13:56,000 the correct health model and therefore apply policies based 259 00:13:56,000 --> 00:13:57,960 on that. And PASI is going to solve all 260 00:13:57,960 --> 00:13:59,600 of that. Like, you know, PASI is not a 261 00:13:59,600 --> 00:14:04,760 silver bullet. It is in a pretty cool solution 262 00:14:04,920 --> 00:14:08,920 for a very specific problem, but it has to work beyond that. 263 00:14:09,640 --> 00:14:13,360 Yeah, it seems to me kind of the take away I got from the article 264 00:14:13,360 --> 00:14:18,400 was I think where you're going with this is that passkey is one 265 00:14:18,400 --> 00:14:21,880 of the solutions you can use. And I guess what I'd want to 266 00:14:21,880 --> 00:14:26,200 know as a practitioner is like where is it meant to be used? 267 00:14:26,600 --> 00:14:31,360 Or maybe alternatively, it's looked at as where does it not 268 00:14:31,360 --> 00:14:36,960 make sense to use it because it could potentially fall prey to 269 00:14:37,200 --> 00:14:40,040 some of these things that Rusty brought up. 270 00:14:40,880 --> 00:14:45,080 Yeah. So I think if you look at what 271 00:14:45,080 --> 00:14:47,640 Rusty was commenting on with respect to the some of those 272 00:14:49,040 --> 00:14:51,200 presentations and all those presentations were talking about 273 00:14:51,200 --> 00:14:54,800 how pass keys can be hacked or pass keys can be stolen. 274 00:14:55,520 --> 00:14:58,040 The fact of the matter is that pass key cannot be stolen. 275 00:14:58,640 --> 00:15:03,320 What you can do is work around the pass key and attack the 276 00:15:03,320 --> 00:15:04,640 authentication framework around it. 277 00:15:04,640 --> 00:15:10,080 So for example, you know, if you can trick the user into going 278 00:15:10,080 --> 00:15:14,000 through an account recovery flow, you know this is not new, 279 00:15:14,000 --> 00:15:15,240 right? We've talked about this as 280 00:15:15,240 --> 00:15:19,000 practitioners and for a long time, which is the stronger you 281 00:15:19,000 --> 00:15:22,040 make the front door, the more likely the attacker is going to 282 00:15:22,040 --> 00:15:25,560 go look for the back door or the windows and so on and so forth. 283 00:15:25,920 --> 00:15:30,640 So a long time ago I wrote one of one of the body of knowledge 284 00:15:30,640 --> 00:15:33,720 articles for the I for ID Pro called, you know, MFA for 285 00:15:33,720 --> 00:15:36,240 humans. And our key part of that is that 286 00:15:36,240 --> 00:15:40,000 when you implement MFA, you are making your authentication 287 00:15:40,000 --> 00:15:45,000 stronger, which means you are create creating more incentive 288 00:15:45,000 --> 00:15:47,640 for attackers to now start testing other parts of your 289 00:15:47,640 --> 00:15:49,960 authentication framework, including especially your 290 00:15:49,960 --> 00:15:53,400 account recovery flows. So anything that any 291 00:15:53,400 --> 00:15:58,480 organization that is implementing pass keys is going 292 00:15:58,480 --> 00:16:01,480 to get really good authentication characteristics 293 00:16:01,480 --> 00:16:05,360 from that really good security. But now that means, OK, now 294 00:16:05,360 --> 00:16:08,600 let's make take a look at all these other aspects, right? 295 00:16:08,600 --> 00:16:11,040 So let's look at your account recovery post with look at look 296 00:16:11,040 --> 00:16:13,160 at things like your notifications are banned. 297 00:16:13,480 --> 00:16:16,040 Let's look at things like browser or hygiene, especially 298 00:16:16,040 --> 00:16:18,640 if you're in an enterprise environment, you can see some of 299 00:16:18,640 --> 00:16:21,560 the higher, higher risk enterprises going towards things 300 00:16:21,560 --> 00:16:23,320 like hardened browser. Why? 301 00:16:23,600 --> 00:16:26,520 Because they want to eliminate the threat of malicious 302 00:16:26,520 --> 00:16:30,440 extensions that people can just deploy on their browsers if 303 00:16:30,440 --> 00:16:32,280 they're using their own devices, right? 304 00:16:32,280 --> 00:16:34,280 So stuff like that has to be accounted. 305 00:16:34,280 --> 00:16:39,920 For yeah, it kind of feels to me like you're not here just 306 00:16:39,920 --> 00:16:44,120 saying, OK, these aren't valid concerns, but you're saying, OK, 307 00:16:44,120 --> 00:16:47,680 yes, these, but these are things that are understood. 308 00:16:47,680 --> 00:16:52,360 They are shortcomings to how authentication is done today, 309 00:16:52,360 --> 00:16:57,920 right until you truly solve how authentication was done, I mean, 310 00:16:58,560 --> 00:17:01,320 you know, yes, these these problems were going to continue 311 00:17:01,320 --> 00:17:04,440 to exhaust. Is that am I hearing it right? 312 00:17:06,119 --> 00:17:10,960 In in a nutshell, yeah, like we talk about identity programs for 313 00:17:10,960 --> 00:17:13,520 a reason, right? It's not deploy a product and 314 00:17:13,520 --> 00:17:15,240 you're done. You have to have identity 315 00:17:15,240 --> 00:17:17,480 programs. So you're right, you know, as as 316 00:17:17,880 --> 00:17:21,760 more work is put into making passkey stronger, better, more 317 00:17:21,760 --> 00:17:25,599 easy to use, it means you're going to get better security. 318 00:17:25,880 --> 00:17:28,000 But it also means you now have to start looking at other 319 00:17:28,000 --> 00:17:29,560 aspects of your security program. 320 00:17:29,680 --> 00:17:32,360 Like, you know, there's such amazing work happening with 321 00:17:32,360 --> 00:17:37,840 things like shared signals as well as continuous identity 322 00:17:37,840 --> 00:17:41,880 continues to unintended, continues to evolve. 323 00:17:42,480 --> 00:17:45,880 One of the reasons why for example, Fighter Alliance 324 00:17:46,200 --> 00:17:50,080 started working on identity verification and binding is 325 00:17:50,080 --> 00:17:54,360 because of the fact that you can't really rely on a strong 326 00:17:54,360 --> 00:17:57,640 credential if you don't secure the way in which the credential 327 00:17:57,640 --> 00:18:01,920 is created and bound to the identity in the 1st place as 328 00:18:01,920 --> 00:18:04,560 well as how you go through recovery rules for for re 329 00:18:04,560 --> 00:18:06,600 establishing a lost credential and so on. 330 00:18:06,840 --> 00:18:10,200 So that's the reason why Fido Alliance went in and with the 331 00:18:10,200 --> 00:18:12,400 members worked on the identity verification and binding working 332 00:18:12,400 --> 00:18:14,800 group. So you have to continue to look 333 00:18:14,800 --> 00:18:19,800 at the full picture, absolutely. And all these, any technology 334 00:18:19,800 --> 00:18:24,000 never ends, right? So obviously we have to continue 335 00:18:24,680 --> 00:18:28,680 to listen to security researchers who work with, you 336 00:18:28,680 --> 00:18:31,600 know, the technology as it is today and can you to help 337 00:18:31,600 --> 00:18:36,680 identify ways novel, novel attack methods or different 338 00:18:36,680 --> 00:18:38,200 things that are being brought up. 339 00:18:38,200 --> 00:18:41,720 We're always receptive to that. We have to be just because 340 00:18:41,720 --> 00:18:45,880 technology evolving means protocols, standards, solutions 341 00:18:45,880 --> 00:18:48,840 have to evolve. So it's a never ending cycle in 342 00:18:48,840 --> 00:18:51,480 that sense. And that's part of the one of 343 00:18:51,480 --> 00:18:54,360 the reasons why I I joined the fighter analysis. 344 00:18:54,920 --> 00:18:59,160 There is still a lot to be done and it has to continue to evolve 345 00:18:59,160 --> 00:19:03,720 as we continue to move in this, you know, increasingly digital 346 00:19:03,720 --> 00:19:06,160 world. You know, one of the things I 347 00:19:06,160 --> 00:19:09,720 remember Rusty brought up in this article was if you're kind 348 00:19:09,720 --> 00:19:13,000 of, I mean, some of these attacks, I I think admittedly 349 00:19:13,000 --> 00:19:18,480 are kind of sophisticated, but it was around if you are, let's 350 00:19:18,480 --> 00:19:21,240 just say you're a journalist or human rights activist, right? 351 00:19:21,240 --> 00:19:25,920 And you might be somebody who is the target of a state sponsored 352 00:19:25,920 --> 00:19:31,040 actor, whatever your role might be in society and maybe pass 353 00:19:31,040 --> 00:19:34,360 keys aren't for you. And I kind of thought to myself, 354 00:19:34,560 --> 00:19:37,000 you know, with the sophistication of these attacks 355 00:19:37,320 --> 00:19:43,440 is it was, I think tied to a lot of the, the fishing of sync pass 356 00:19:43,440 --> 00:19:46,080 keys, right? And I thought to myself, well, 357 00:19:46,440 --> 00:19:51,000 if you're in that kind of space, hopefully you, you're not as 358 00:19:52,040 --> 00:19:57,000 susceptible to being fish as the the common human being is. 359 00:19:58,040 --> 00:19:59,440 I don't know if that makes sense. 360 00:19:59,440 --> 00:20:03,320 But in other words, it's like I'm a human rights journalist, 361 00:20:03,320 --> 00:20:05,960 right? I shouldn't be sending money to 362 00:20:05,960 --> 00:20:12,280 the Nigerian print scam. I think I think you're spot on 363 00:20:12,320 --> 00:20:14,360 in that. As I said earlier, threat models 364 00:20:14,360 --> 00:20:18,560 matter a lot, right? So as anybody who's deploying 365 00:20:18,560 --> 00:20:23,040 pass keys for their audience, for their user base needs to 366 00:20:23,040 --> 00:20:27,880 understand that it's one thing for you to be a retail 367 00:20:27,880 --> 00:20:32,200 organization that is selling online, you know, charge keys. 368 00:20:32,640 --> 00:20:35,320 It's a very different thing if you're, as you said, you're a 369 00:20:35,320 --> 00:20:40,480 journalist who may be going into areas where you have to worry 370 00:20:40,480 --> 00:20:42,920 about your security, you have to worry about phones. 371 00:20:42,920 --> 00:20:46,120 A lot of the, one of the, I think one, if I remember 372 00:20:46,120 --> 00:20:50,120 correctly, one of the demonstrations that Rusty talked 373 00:20:50,120 --> 00:20:53,000 about requires proximity. So it's not a remote attack. 374 00:20:53,000 --> 00:20:56,440 You have to be near somebody to be able to launch that attack. 375 00:20:56,920 --> 00:21:00,960 And so proximity based attacks have add a whole different 376 00:21:00,960 --> 00:21:03,320 dimension. Do this equation right. 377 00:21:03,320 --> 00:21:06,760 So all those things matter. The, the platform providers, the 378 00:21:06,760 --> 00:21:09,560 credential providers, they're all getting, you know, much, 379 00:21:09,560 --> 00:21:12,840 much better at securing your credentials, including your pass 380 00:21:12,840 --> 00:21:14,720 keys. If you're a journalist and 381 00:21:14,720 --> 00:21:17,840 you're using, you know, for I think it's advanced protection 382 00:21:17,840 --> 00:21:21,840 mode or something like that on, on, on app on iPhones that you 383 00:21:21,840 --> 00:21:26,440 can deploy that can help, you know, even secure your phone at 384 00:21:26,440 --> 00:21:31,200 a much in a much better way. A a journalist who knows that 385 00:21:31,200 --> 00:21:33,800 they're likely to get targeted understands that and is probably 386 00:21:33,800 --> 00:21:36,640 taking those kinds of security measures anyway, comes back to 387 00:21:36,640 --> 00:21:39,480 environmental concerns. So absolutely sync passkey is 388 00:21:39,480 --> 00:21:43,120 aren't necessarily a bad thing, even if you're a targeted user. 389 00:21:43,120 --> 00:21:46,680 It just means that you have to understand you're in your 390 00:21:46,680 --> 00:21:50,640 environment more accurately. And you know, it's going to be 391 00:21:50,640 --> 00:21:53,280 coming increasingly common, for example, for people who are 392 00:21:53,280 --> 00:21:55,800 going to be targeted to work, work with burner phones. 393 00:21:56,720 --> 00:21:59,080 You're not going to log in with the same credential provider on 394 00:21:59,080 --> 00:22:00,960 your burner phone that you are on your regular phone. 395 00:22:01,440 --> 00:22:05,160 And in that case, if you're making that decision, sync 396 00:22:05,160 --> 00:22:09,400 passing is it can still be a good solution for you on your 397 00:22:09,400 --> 00:22:10,880 regular phone as opposed to your burner phone. 398 00:22:12,600 --> 00:22:15,880 Yeah, and hopefully you're avoiding installing potential 399 00:22:15,880 --> 00:22:20,880 malware and browser extensions and AD blockers and stuff like 400 00:22:20,880 --> 00:22:24,320 that. Well, I, I think I wanted to 401 00:22:24,320 --> 00:22:28,040 kind of wrap this up by thanking Rossi for putting that 402 00:22:28,040 --> 00:22:31,280 information out there. Thank you for coming on to the 403 00:22:31,280 --> 00:22:33,160 podcast to kind of talk about it. 404 00:22:33,560 --> 00:22:38,400 And the way I'd like to wrap all this up would be surely folks 405 00:22:38,400 --> 00:22:41,040 out there, I mean, look, passkey's has been deployed in 406 00:22:41,040 --> 00:22:45,280 some of the largest tech and even financial environments 407 00:22:45,280 --> 00:22:49,800 that, you know, I've been pleasantly surprised with how 408 00:22:50,080 --> 00:22:53,440 quickly this has taken off. But they're probably 409 00:22:53,800 --> 00:22:59,520 practitioners out there who are like this close to implementing 410 00:22:59,520 --> 00:23:05,200 pass keys for their organization who are now taking a pause. 411 00:23:05,480 --> 00:23:10,640 And I want to know what are the tips or tricks that you would, 412 00:23:10,960 --> 00:23:14,320 you know, maybe key takeaways that you would have for them on 413 00:23:14,320 --> 00:23:17,720 this topic so they can get smarter and, and feel more 414 00:23:17,720 --> 00:23:20,200 confident in them in their decision. 415 00:23:21,600 --> 00:23:26,080 I think start by understanding how Passkeys fits into your 416 00:23:26,080 --> 00:23:28,680 authentication framework and what you're comparing it to. 417 00:23:28,680 --> 00:23:32,880 I think a lot of the concerns that people have at Passkeys 418 00:23:32,880 --> 00:23:35,040 tends to be because they're looking at in isolation as 419 00:23:35,040 --> 00:23:38,680 opposed to looking at it within the context of their overall 420 00:23:39,480 --> 00:23:42,920 solution. This is a very simplistic 421 00:23:42,920 --> 00:23:47,360 example, but one of the key, one of the issues that folks bring 422 00:23:47,360 --> 00:23:51,560 up is, well, if I'm using a sync passkey now it's getting synced 423 00:23:51,560 --> 00:23:56,480 from one phone to another phone that the user has. 424 00:23:56,840 --> 00:23:58,640 How do I know that I've lost control of them? 425 00:23:58,640 --> 00:24:01,280 And my answer would be, well, what were you doing for 426 00:24:01,280 --> 00:24:04,800 passwords before that, right? If you, if they were using a 427 00:24:04,800 --> 00:24:08,240 password manager, that password manager may be on both phones. 428 00:24:08,480 --> 00:24:10,800 If they were using Google Authenticator, they may have 429 00:24:10,800 --> 00:24:13,320 Google Authenticator deployed on both phones. 430 00:24:14,320 --> 00:24:18,560 They may be receiving their SMSODP on a virtual app on a so 431 00:24:18,560 --> 00:24:21,360 one of those communicator apps which is also on both phones. 432 00:24:21,680 --> 00:24:27,200 So actually understand within the context of what are you 433 00:24:27,200 --> 00:24:30,080 comparing it to and what are your alternatives? 434 00:24:30,920 --> 00:24:34,320 Understand your threat model and then figure out how it fits into 435 00:24:34,320 --> 00:24:35,600 that. You're still looking at 436 00:24:35,600 --> 00:24:39,440 something that's far better than anything else that is out there 437 00:24:39,440 --> 00:24:43,160 because of the cryptographic, by nature of it, because of the 438 00:24:43,440 --> 00:24:46,200 phishing resistance of that that it brings to the table. 439 00:24:46,200 --> 00:24:50,560 And the platforms, you know, all of all of these are getting way, 440 00:24:50,560 --> 00:24:54,520 way better. So it's not like you're losing 441 00:24:54,680 --> 00:24:58,160 anything by going to that. In fact, you're gaining, but it 442 00:24:58,160 --> 00:25:01,040 needs to be looked at within comes back to threat models, 443 00:25:01,040 --> 00:25:05,560 larger, larger identity program. It's no different than what I'm 444 00:25:05,560 --> 00:25:08,440 sure you both of you have done in the past where you've gone in 445 00:25:08,440 --> 00:25:12,200 and somebody's doing the what is it the the proverbial digital 446 00:25:12,200 --> 00:25:15,600 transformation project. And you have to show them, look, 447 00:25:15,920 --> 00:25:20,200 this is how you go from post it notes to a single sign on 448 00:25:20,200 --> 00:25:22,080 solution. And here's the benefits and so 449 00:25:22,080 --> 00:25:24,360 on and so forth. It's the same same thought 450 00:25:24,360 --> 00:25:28,040 process effectively. So really, it's a sliding scale, 451 00:25:28,040 --> 00:25:30,240 right? It's passwords are bad, we can 452 00:25:30,240 --> 00:25:33,320 all agree on that. Pass keys are better, but 453 00:25:33,320 --> 00:25:35,240 they're not perfect, just like anything else in this space. 454 00:25:35,240 --> 00:25:40,000 So if you're worried about a pass key synchronization attack, 455 00:25:40,000 --> 00:25:43,400 a man in the middle attack, a phishing attack, those same 456 00:25:43,400 --> 00:25:46,080 attacks can happen whether or not you have a pass key. 457 00:25:46,120 --> 00:25:49,920 It's also true for passwords. It's also true for API 458 00:25:49,920 --> 00:25:52,000 credentials. It's also true for literally 459 00:25:52,000 --> 00:25:53,240 anything that could be intercepted. 460 00:25:53,240 --> 00:25:57,520 So I still fall on the side of look, pass keys are still better 461 00:25:57,920 --> 00:25:59,840 than a password. It's one less thing I have to 462 00:25:59,840 --> 00:26:03,160 remember if someone's going to go to the the effort of, you 463 00:26:03,160 --> 00:26:07,400 know, trying to intercept my synced pass key from, you know, 464 00:26:07,600 --> 00:26:09,800 a wallet on one device into another. 465 00:26:10,440 --> 00:26:13,080 OK, I accept that risk because what's the alternative? 466 00:26:13,400 --> 00:26:15,640 A post it note on the back of my keyboard with a password. 467 00:26:16,320 --> 00:26:19,040 Yeah. I mean, I'm not going to 468 00:26:19,040 --> 00:26:21,440 denigrate that because there are certain people who certain model 469 00:26:21,440 --> 00:26:26,760 means, you know, what is the the old lattice, the password diary 470 00:26:26,760 --> 00:26:30,000 that is sitting in somebody's desk is still valid for certain 471 00:26:30,000 --> 00:26:31,480 folks. I'm not going to say that that's 472 00:26:31,480 --> 00:26:33,880 a bad idea. It goes back to what are you 473 00:26:33,960 --> 00:26:35,800 trying to get it? What is your actual 474 00:26:35,800 --> 00:26:37,640 requirements? Yeah. 475 00:26:38,400 --> 00:26:40,200 You know, I've seen scenarios where you like you, you know, 476 00:26:40,200 --> 00:26:42,880 you write out the password and you lock it in a safe somewhere, 477 00:26:42,880 --> 00:26:44,280 right? It's like a break, a truly a 478 00:26:44,280 --> 00:26:47,600 break glass account where you know, there are certainly needs 479 00:26:47,600 --> 00:26:48,880 for all that. But I think for the vast 480 00:26:48,880 --> 00:26:53,240 majority of consumers, when it comes to normal people doing 481 00:26:53,240 --> 00:26:58,760 normal identity account things, passwords, pass keys are still 482 00:26:58,760 --> 00:27:02,960 way better, way more convenient and just a better solution. 483 00:27:03,880 --> 00:27:06,880 I'm curious, you know, I, I, it's kind of a good, good segue 484 00:27:06,880 --> 00:27:10,040 into the authenticate conference because authenticate conference 485 00:27:10,040 --> 00:27:12,600 tends to be the more technical group of people in this space 486 00:27:12,600 --> 00:27:14,280 really focused on authentication. 487 00:27:15,120 --> 00:27:17,560 And I know you've been there, you know, for many years at this 488 00:27:17,560 --> 00:27:20,320 point, and now you're the CTO. Are these the types of 489 00:27:20,320 --> 00:27:23,480 conversations that are already taking place either behind doors 490 00:27:23,480 --> 00:27:25,600 or in the hallways at places like authenticate? 491 00:27:26,280 --> 00:27:28,600 Because I remember when passkeys first came out and said, well, 492 00:27:28,600 --> 00:27:30,880 that's cool. But now my pass key lives on my 493 00:27:30,880 --> 00:27:33,720 Windows device and I have no way to get it to my phone and my Mac 494 00:27:33,720 --> 00:27:35,960 and all those other things. And I was like, give me a way to 495 00:27:35,960 --> 00:27:37,560 sync it. Because until then it's just 496 00:27:37,560 --> 00:27:40,680 another, you know, another thing on my account that I, I can't 497 00:27:40,680 --> 00:27:42,800 really use. It's like, it's not, it doesn't. 498 00:27:43,120 --> 00:27:45,480 It wouldn't surprise me that these types of issues all have 499 00:27:45,480 --> 00:27:48,120 already been thought about and are in the works of trying to 500 00:27:48,120 --> 00:27:51,520 figure out OK, how do we how do we solve for these, you know, 501 00:27:51,520 --> 00:27:55,120 criticisms or concerns around it, whether they are, you know, 502 00:27:55,120 --> 00:27:59,040 a specific attack nation state directed or if it's just a spray 503 00:27:59,040 --> 00:28:02,080 and pray and hope that you know, you get the point 1% to click on 504 00:28:02,080 --> 00:28:03,400 the thing to give you their account. 505 00:28:04,520 --> 00:28:06,320 Yeah, no, they're definitely happening. 506 00:28:06,320 --> 00:28:11,520 And I think I'll actually give you a two-part answer, if you 507 00:28:11,520 --> 00:28:14,160 will, right. One is absolutely this 508 00:28:14,160 --> 00:28:16,280 conversation are happening at authenticate. 509 00:28:16,320 --> 00:28:20,640 There's there's the, there's the meetings that are for the the 510 00:28:20,640 --> 00:28:23,520 techiest of the tech folks who want to go in and really 511 00:28:23,520 --> 00:28:28,320 understand how things are working in at the lowest levels. 512 00:28:28,640 --> 00:28:31,760 And then there's some there are case studies and presentations 513 00:28:31,760 --> 00:28:35,480 about how folks are rolling it out, whether it's Wells Fargo 514 00:28:35,480 --> 00:28:39,000 deploying pass keys and bringing it, bringing it to the market 515 00:28:39,320 --> 00:28:45,960 are really cool solutions for from Fido members who are 516 00:28:46,200 --> 00:28:49,240 solving things like how do folks who are working on the factory 517 00:28:49,240 --> 00:28:54,920 floor using Fido to authenticate and get access or be able to do 518 00:28:55,640 --> 00:28:58,480 specific tasks but not other tasks and so on and so forth. 519 00:28:58,880 --> 00:29:01,840 And you get to see sort of the broad range within which Fido 520 00:29:01,840 --> 00:29:06,640 operates and you, you might and you also will discover things 521 00:29:06,640 --> 00:29:10,560 that maybe you didn't understand that Fido could help with, 522 00:29:10,600 --> 00:29:13,720 whether as Fido members providing solutions. 523 00:29:13,720 --> 00:29:16,760 So one of the coolest things that I've been learning about is 524 00:29:16,760 --> 00:29:21,280 this thing called Fido device on boarding, which you know, on at 525 00:29:21,280 --> 00:29:25,360 first blush, I was like, well, why do we have a standard called 526 00:29:25,360 --> 00:29:29,240 FDO, which is about IoT devices? There's no people whatever. 527 00:29:29,240 --> 00:29:32,360 This is about device on boarding, edge computing, IoT 528 00:29:32,360 --> 00:29:34,480 devices. But it comes back to that. 529 00:29:34,480 --> 00:29:36,520 It's in supply. It's in support of the core 530 00:29:36,520 --> 00:29:38,120 mission of getting rid of passwords. 531 00:29:38,440 --> 00:29:41,960 And if you look at supply chain attacks and if you look at how 532 00:29:42,320 --> 00:29:46,200 those things are being deployed today, you always end up with 533 00:29:46,200 --> 00:29:49,240 the human involved in the process at a certain point 534 00:29:50,200 --> 00:29:53,680 providing A credential, which can be stolen and can be fished. 535 00:29:53,920 --> 00:29:56,360 And when you start looking at the broader bigger picture of 536 00:29:56,360 --> 00:30:00,320 things like the Cyber Resiliency Act in Europe or supply chain 537 00:30:00,320 --> 00:30:03,960 attacks that have become been in the news, there's a lot of 538 00:30:03,960 --> 00:30:08,000 really cool, you know, Fido members like Intel, Dell, Red 539 00:30:08,000 --> 00:30:11,520 Hat, who are all working, had built a standard and now working 540 00:30:11,520 --> 00:30:14,960 action version too. And these might be applicable to 541 00:30:14,960 --> 00:30:19,600 you or might give you ideas as you start looking at things like 542 00:30:19,840 --> 00:30:21,920 you're running your data center, are you looking at the cloud? 543 00:30:21,920 --> 00:30:27,840 Are you looking at NHI oriented stuff, things like that, that 544 00:30:27,920 --> 00:30:31,080 you know, it's really, really cool to find all these members 545 00:30:31,280 --> 00:30:34,280 working on these really cool projects and you get to learn 546 00:30:34,280 --> 00:30:37,400 about them, discover them at conference, like authenticate. 547 00:30:37,400 --> 00:30:40,000 So I really love that part. And the second part is just get 548 00:30:40,000 --> 00:30:42,760 the second part of that is and then you can figure out where to 549 00:30:42,760 --> 00:30:44,880 get involved, right? Some of the best conversations 550 00:30:44,880 --> 00:30:46,200 are happening in the working groups. 551 00:30:46,640 --> 00:30:51,680 So as if you join as a final member, I'm sitting and I'm 552 00:30:51,680 --> 00:30:54,880 sitting in the UX working group for the enterprise deployment 553 00:30:54,880 --> 00:30:56,680 piece. A lot of the conversation that 554 00:30:56,720 --> 00:30:59,640 we just had where you're asking all these questions, the folks 555 00:30:59,640 --> 00:31:02,200 in the enterprise deployment working group are asking the 556 00:31:02,200 --> 00:31:08,320 same questions and saying, well, we have to cater to, to our to 557 00:31:08,320 --> 00:31:13,080 our enterprise users who maybe bringing their own device and 558 00:31:13,080 --> 00:31:18,040 somehow they're both a individual consumer user and an 559 00:31:18,040 --> 00:31:21,720 employee on the same device. How do I handle that? 560 00:31:21,760 --> 00:31:24,640 How do I manage, how do I manage their credentials without 561 00:31:24,640 --> 00:31:29,120 interfering with what they're doing on their personal side or, 562 00:31:30,200 --> 00:31:31,920 and what are the security considerations, the US 563 00:31:31,920 --> 00:31:33,920 considerations? So they're having these really 564 00:31:33,920 --> 00:31:36,240 cool conversations and they're always looking for input. 565 00:31:36,240 --> 00:31:38,080 They're looking for requirements, they're running 566 00:31:38,080 --> 00:31:41,000 surveys to get feedback and understand these things. 567 00:31:41,200 --> 00:31:45,720 So just getting involved, even if just to participate as a 568 00:31:45,720 --> 00:31:48,760 lurker sometimes can. I mean, I've been a lurker for 569 00:31:48,760 --> 00:31:52,200 two weeks now in all these calls and I'm just hearing the sheer 570 00:31:52,200 --> 00:31:55,800 volume of, you know, work that is happening in all of these. 571 00:31:55,800 --> 00:31:57,720 It's it's kind of amazing to see that. 572 00:31:58,200 --> 00:32:00,880 The workers have a very good description of, of how I attend 573 00:32:00,880 --> 00:32:03,520 the Authenticate conference because there are way smarter 574 00:32:03,520 --> 00:32:06,520 people that are doing, you know, really the yeoman's work of 575 00:32:06,640 --> 00:32:10,120 getting these big behemoths from an IDP perspective to kind of 576 00:32:10,120 --> 00:32:11,800 play together and agree on standards. 577 00:32:12,320 --> 00:32:15,480 And so I learned a lot just being in the room and listening 578 00:32:15,560 --> 00:32:17,640 to stuff. So I think that's great advice 579 00:32:17,640 --> 00:32:21,200 to just kind of go and, and, and, you know, learn by osmosis 580 00:32:21,880 --> 00:32:25,720 if that works for you. Historically, Authenticate has 581 00:32:25,720 --> 00:32:28,680 been more focused on authentication, right? 582 00:32:29,200 --> 00:32:32,040 Is that still the focus for the conference as you see it as it 583 00:32:32,040 --> 00:32:33,680 comes up? Is it looking to expand into 584 00:32:33,680 --> 00:32:36,160 other areas around identity? Like how do you see the 585 00:32:36,160 --> 00:32:39,120 evolution of the conference itself and sort of the topics 586 00:32:39,120 --> 00:32:41,760 that are going in front of the in front of the numbers now? 587 00:32:43,120 --> 00:32:47,000 It's definitely evolving because identity is evolving and 588 00:32:47,000 --> 00:32:50,880 authentication by its nature has to be playing in part in in 589 00:32:50,880 --> 00:32:53,000 different parts of it. I mentioned for example, earlier 590 00:32:53,000 --> 00:32:57,480 that identity verification and binding was identified very 591 00:32:57,480 --> 00:33:00,680 early on as a very critical piece that Fido had to get 592 00:33:00,680 --> 00:33:04,800 involved in because it was so crucial to the supply chain of 593 00:33:04,800 --> 00:33:06,480 authentication and identity, right? 594 00:33:06,480 --> 00:33:08,760 So they had to get involved in that. 595 00:33:08,880 --> 00:33:12,760 You know, there's some really, like I mentioned FDO, there's an 596 00:33:12,760 --> 00:33:14,440 automotive special interest group. 597 00:33:14,440 --> 00:33:16,880 Like if you think about automotive and your computer on 598 00:33:16,880 --> 00:33:19,200 wheels, right? It's so many services, so many 599 00:33:19,200 --> 00:33:22,200 systems, but at the end there is a human in there that is a 600 00:33:22,200 --> 00:33:25,840 driver who has to authenticate to the car, authenticate to the 601 00:33:25,840 --> 00:33:28,560 services within it. And we're moving to an increase 602 00:33:28,560 --> 00:33:30,720 in digital world. And you don't want that to be 603 00:33:30,720 --> 00:33:33,360 left a chance. You want that to be secured as 604 00:33:33,360 --> 00:33:34,760 well. So whether you're looking at 605 00:33:34,760 --> 00:33:38,280 things like the automotive, say in service, obviously been there 606 00:33:38,280 --> 00:33:42,240 for a long time, but you're looking at, you know, the 607 00:33:42,240 --> 00:33:44,920 biometrics working group, right? The biometrics working group is 608 00:33:44,920 --> 00:33:47,760 hard at work and figuring out how biometrics as it 609 00:33:47,760 --> 00:33:51,040 increasingly becomes part of the equation of our identity lives, 610 00:33:51,640 --> 00:33:56,800 How does that have to be there from a, from a assurance 611 00:33:56,800 --> 00:34:00,000 perspective? So those kind of things sort of 612 00:34:00,000 --> 00:34:04,720 are all there being discussed and a lot, you know, some of 613 00:34:04,720 --> 00:34:08,360 these groups emerge from conversations that happen at 614 00:34:08,360 --> 00:34:10,760 authenticate, right? You come there and people start 615 00:34:10,760 --> 00:34:13,000 talking about their challenges and the next thing you know, 616 00:34:13,000 --> 00:34:15,840 they're like, well, we should create a study group. 617 00:34:16,600 --> 00:34:18,760 And then the next thing you know that's become a special interest 618 00:34:18,760 --> 00:34:20,280 group and the next thing is now a working group. 619 00:34:21,000 --> 00:34:24,000 And so authenticate is a great place to kick start something. 620 00:34:24,000 --> 00:34:27,480 If you see your what you're working on not getting addressed 621 00:34:27,480 --> 00:34:32,960 somewhere, come be a catalyst. So how does that work? 622 00:34:33,000 --> 00:34:36,320 So let me let me pick on the automotive side of things 623 00:34:36,320 --> 00:34:40,719 because I know digital key for automobiles is sort of like the 624 00:34:40,719 --> 00:34:42,560 big thing and for good reason, right? 625 00:34:42,560 --> 00:34:43,920 It's it's a great convenient thing. 626 00:34:44,520 --> 00:34:47,880 But for whatever reason, and I'm not going to name manufacturers, 627 00:34:47,960 --> 00:34:53,360 a lot of them still struggle with phone as a key or watch as 628 00:34:53,360 --> 00:34:55,600 a key. I have to assume there that 629 00:34:55,600 --> 00:34:59,000 there is some level of authentication hopefully being 630 00:34:59,240 --> 00:35:01,600 being done there, right to make sure that's the right device to 631 00:35:01,600 --> 00:35:04,440 the right thing. Is this an area where you know 632 00:35:05,040 --> 00:35:07,360 for for instance, it's the automotive side of things can 633 00:35:07,360 --> 00:35:08,880 say, hey, look, this is a problem. 634 00:35:08,880 --> 00:35:11,520 Is this something to do with the way that people are 635 00:35:11,520 --> 00:35:13,360 authenticating and it's rejecting it, or is it, you 636 00:35:13,360 --> 00:35:14,600 know, something else in the software? 637 00:35:14,960 --> 00:35:17,480 I point on those the Apple and only as an example because I 638 00:35:17,480 --> 00:35:19,800 know that's a a common frustration point for a lot of 639 00:35:19,800 --> 00:35:21,280 the newer vehicles that struggle with it. 640 00:35:22,080 --> 00:35:24,320 Fortunately, it's about the only thing that works right on my 641 00:35:24,320 --> 00:35:26,080 car, so I've never had that problem. 642 00:35:26,600 --> 00:35:30,840 I have other software issues, but I'm just curious if, you 643 00:35:30,840 --> 00:35:33,920 know, when you're having conversations with those types 644 00:35:33,920 --> 00:35:35,760 of folks, are those the type of things? 645 00:35:35,760 --> 00:35:37,480 Because it's like, OK, yeah, here's a problem. 646 00:35:37,480 --> 00:35:39,680 And a lot of people like, well, what am I going to do about it? 647 00:35:39,680 --> 00:35:41,000 I'm going to go on Reddit and complain. 648 00:35:41,160 --> 00:35:44,640 Well, how about instead, why don't we go to like the source 649 00:35:44,640 --> 00:35:46,520 of where the things might be happening and start to like, 650 00:35:46,720 --> 00:35:49,280 yeah, build these, you know, special interest groups or 651 00:35:49,280 --> 00:35:51,560 working groups or whatever we want to call them. 652 00:35:51,600 --> 00:35:55,360 Walk me through like how that actually happens because I think 653 00:35:55,360 --> 00:35:57,200 there's a lot of really great keyboard worries out there. 654 00:35:57,200 --> 00:36:00,000 And here's like an opportunity to say, OK, let's, let's 655 00:36:00,000 --> 00:36:02,200 actually solve the problem instead of just complaining 656 00:36:02,200 --> 00:36:03,280 about it. Does that make sense? 657 00:36:04,240 --> 00:36:07,560 Yeah. So to be clear, I'm not 658 00:36:07,560 --> 00:36:10,000 advocating that people come there and start using it as a 659 00:36:10,000 --> 00:36:12,600 support channel to say, hey, Micron is not working. 660 00:36:12,880 --> 00:36:14,040 But. Yeah, please don't do that. 661 00:36:15,360 --> 00:36:19,520 But that said, if you're in the industry, obviously if you're 662 00:36:19,520 --> 00:36:22,920 working with with these and you're trying to build solutions 663 00:36:22,920 --> 00:36:25,520 for this or you're trying to solve this problem, right, this 664 00:36:25,520 --> 00:36:28,120 is the right place to come and have those conversations. 665 00:36:28,120 --> 00:36:32,040 So like I said, a lot of these things sort of emerge from 666 00:36:32,040 --> 00:36:34,760 conversations that starts and start in the hallways. 667 00:36:35,120 --> 00:36:38,360 Maybe you go and have a have a discussion about it in a plenary 668 00:36:38,360 --> 00:36:41,200 room. And then you discover that, hey, 669 00:36:41,240 --> 00:36:44,400 there's a critical mass of issues here. 670 00:36:44,960 --> 00:36:46,920 There's a critical mass of requirements here. 671 00:36:47,680 --> 00:36:50,240 We can actually put something together and have multiple 672 00:36:50,240 --> 00:36:52,360 people solving it because at the end of the day, the power of the 673 00:36:52,360 --> 00:36:56,400 alliance is like anything else. It comes from the membership and 674 00:36:56,400 --> 00:36:58,800 the collective wisdom and intelligence that they have. 675 00:36:59,200 --> 00:37:06,320 So being in the room allows you to find those commonalities and 676 00:37:06,320 --> 00:37:09,600 allows you to understand and define, hey, we have a common 677 00:37:09,600 --> 00:37:11,920 set of requirements. I'm not the only one struggling 678 00:37:11,920 --> 00:37:13,640 with this. I don't have to keep doing this 679 00:37:13,640 --> 00:37:17,360 on my own or building my own proprietary solutions. 680 00:37:19,720 --> 00:37:25,960 There is a way for me to find my community, my cohort, who I can 681 00:37:25,960 --> 00:37:31,640 work with on solving this problem, and by virtue of that, 682 00:37:32,080 --> 00:37:35,200 get access to the folks I can't directly interact with. 683 00:37:35,200 --> 00:37:36,560 Right? You're not going to be able to 684 00:37:36,560 --> 00:37:42,200 go in and talk with the head of identity and name your large 685 00:37:42,240 --> 00:37:45,400 automotive manufacturer by finding the coffee shop that 686 00:37:45,400 --> 00:37:47,640 they're frequent. Not recommending that. 687 00:37:48,840 --> 00:37:52,560 But not that it didn't happen in ideniverse over sushi with 688 00:37:52,560 --> 00:37:54,680 someone that I know me complaining about all the EV 689 00:37:54,720 --> 00:37:56,560 problems. Not that would never happen. 690 00:37:56,960 --> 00:38:00,560 Exactly, but it can happen at authenticate and Idiverse and 691 00:38:00,560 --> 00:38:03,680 all these conferences because people are looking for their 692 00:38:03,680 --> 00:38:07,160 community to have these conversations and often times 693 00:38:07,160 --> 00:38:10,520 you find what you'll find is it's not like they don't know 694 00:38:10,520 --> 00:38:12,840 these problems exist, right? It's not like the folks at The 695 00:38:13,080 --> 00:38:17,760 Who are running identity at these at these at automotive or 696 00:38:17,760 --> 00:38:21,000 hardware or industry or don't know these problems. 697 00:38:21,000 --> 00:38:24,600 Just often times they need enough people to help them make 698 00:38:24,600 --> 00:38:27,160 the business case to their own management that this is 699 00:38:27,160 --> 00:38:28,600 something we need to tackle, right. 700 00:38:28,960 --> 00:38:31,760 So there is a community project. It is working together as 701 00:38:31,760 --> 00:38:33,360 community to build that solution. 702 00:38:33,880 --> 00:38:36,640 So, Nishan, I'm going to bring up kind of the heavy topic. 703 00:38:36,760 --> 00:38:40,600 We lost another great one in the identity industry recently. 704 00:38:41,000 --> 00:38:44,200 Internash, I know you're close with Andrew. 705 00:38:44,840 --> 00:38:46,400 What should people know about him? 706 00:38:47,320 --> 00:38:54,240 So, yeah, this is a hard one. I was just using the word 707 00:38:54,240 --> 00:38:57,080 community a lot, right? That's not a mistake. 708 00:38:57,080 --> 00:39:00,680 Like that's really something that that's really something 709 00:39:00,680 --> 00:39:03,800 that came to me from him. Like I really understood that 710 00:39:03,800 --> 00:39:08,920 from him because he, as you said, he was one of the he's 711 00:39:08,920 --> 00:39:10,600 been one of the O GS for a long time. 712 00:39:10,600 --> 00:39:14,520 I was, I was lucky enough to be his partner on the program 713 00:39:14,520 --> 00:39:17,520 committee for the identity track at the RSA Conference for many, 714 00:39:17,520 --> 00:39:23,800 many years now running. And you know, he had this kindly 715 00:39:23,800 --> 00:39:30,120 and he had this convergently, you know, persona to him that 716 00:39:30,280 --> 00:39:33,160 hit one of the most generous people I knew, right. 717 00:39:33,160 --> 00:39:36,800 He, whether he was, you know, sitting down and explaining the 718 00:39:36,800 --> 00:39:41,480 most obtuse topics and identity or taking you down to his 719 00:39:41,480 --> 00:39:45,600 basement to show you the machinery was machining work 720 00:39:45,600 --> 00:39:49,560 that he was doing. And, you know, they opened their 721 00:39:49,560 --> 00:39:52,320 home for so many years. Him and Pam opened their home 722 00:39:52,320 --> 00:39:55,400 for so many years for the annual Bootstrap party before the RSA 723 00:39:55,400 --> 00:39:58,720 Conference as a way of building community, as a way of making 724 00:39:58,720 --> 00:40:01,640 connections, right? You know, a lot of us, I 725 00:40:01,640 --> 00:40:04,760 wouldn't have this job if I didn't have connections that 726 00:40:04,760 --> 00:40:08,320 exist because Andrew brought people together, right? 727 00:40:08,320 --> 00:40:12,920 That was what he understood. And so when, when you, when you 728 00:40:13,200 --> 00:40:16,280 when I was thinking about, you know, what did I want to do next 729 00:40:16,480 --> 00:40:20,920 before I took the final role, it came a lot, a lot of it came 730 00:40:20,920 --> 00:40:23,320 back to I want to make a difference. 731 00:40:23,320 --> 00:40:27,280 And I learned that idea. I learned that that's what I 732 00:40:27,280 --> 00:40:30,520 wanted to do because I saw how he went about his business, 733 00:40:30,520 --> 00:40:32,080 right? He worked at some of the largest 734 00:40:32,080 --> 00:40:34,960 organizations and build start-ups. 735 00:40:35,320 --> 00:40:39,080 But he did it in such a generous, quiet manner. 736 00:40:39,280 --> 00:40:42,920 You know, those of us who knew him knew him, but he wasn't out 737 00:40:42,920 --> 00:40:48,640 there, like as the face of a company or, you know, doing all 738 00:40:48,680 --> 00:40:52,000 the doing, sort of a national tour, if you will. 739 00:40:52,000 --> 00:40:54,520 But he could have. He would have drawn crowds 740 00:40:54,520 --> 00:40:58,480 because he was amazing. He knew everything and he shared 741 00:40:58,480 --> 00:41:01,840 it generously. I loved it. 742 00:41:03,040 --> 00:41:06,120 This was coincidental. I was having you on at this 743 00:41:06,120 --> 00:41:09,600 time, but for you to be able to pay homage to him like that 744 00:41:09,920 --> 00:41:13,240 means a lot. He's another one of these great 745 00:41:13,240 --> 00:41:17,200 people within our industry who's now no longer with us. 746 00:41:17,200 --> 00:41:21,520 But I do want to now lighten things up a little bit. 747 00:41:23,160 --> 00:41:26,080 You know, we don't have a whole lot of time, so let's kind of do 748 00:41:26,080 --> 00:41:29,240 this like a lightning round. If I could bring up a few 749 00:41:29,240 --> 00:41:32,560 different topics, and a lot of times I bring up these topics 750 00:41:32,560 --> 00:41:35,400 like talk about the future of this side or the other thing, 751 00:41:35,400 --> 00:41:38,800 talk about AI in the future. Actually, what I'd like to do is 752 00:41:39,200 --> 00:41:41,960 challenge you a little bit differently, which is let's take 753 00:41:41,960 --> 00:41:44,880 two minutes on each one of these topics to talk about where 754 00:41:44,880 --> 00:41:49,800 things are right now. And I will use AI, but AI is 755 00:41:49,800 --> 00:41:54,520 creeping into everything and everywhere, including identity. 756 00:41:54,680 --> 00:41:57,640 What is the state of AI and identity now? 757 00:41:59,880 --> 00:42:02,480 It is, as you said, it's creeping into everything. 758 00:42:02,600 --> 00:42:06,840 Everybody's trying to add AI to their products or say this, you 759 00:42:06,840 --> 00:42:09,920 know, whether they're doing it or not, right? 760 00:42:10,200 --> 00:42:12,280 On the other hand, there's people who have been using AI 761 00:42:12,280 --> 00:42:15,000 for a very long time in their products without ever calling it 762 00:42:15,000 --> 00:42:17,680 AI. So I think it's here to stay, 763 00:42:17,920 --> 00:42:19,400 right? I think there is still a 764 00:42:19,400 --> 00:42:24,000 reckoning coming in terms of just the cost of adding AI to 765 00:42:24,000 --> 00:42:26,240 everything. Some people don't quite 766 00:42:26,240 --> 00:42:28,800 understand that. As you've seen before, a lot of 767 00:42:28,800 --> 00:42:31,800 the stuff is VC subsidized and a certain point. 768 00:42:32,280 --> 00:42:36,480 This idea that you can continue to leverage that is going to 769 00:42:37,280 --> 00:42:39,760 become an issue. But the technology is going to 770 00:42:39,760 --> 00:42:42,480 continue to get better and it is going to stretch the boundaries 771 00:42:42,480 --> 00:42:45,880 and break things, you know, along the way. 772 00:42:45,880 --> 00:42:51,400 Like we see, you know, it just taking pass keys and an example, 773 00:42:52,280 --> 00:42:56,040 pass keys means you don't have a password that you can share with 774 00:42:56,040 --> 00:42:59,920 an agent for it to work to log in as you. 775 00:43:00,320 --> 00:43:03,120 So what does that mean from an authentication flow standpoint? 776 00:43:03,120 --> 00:43:06,320 What does it mean when you're building agentic processes where 777 00:43:06,320 --> 00:43:10,040 you wanted to be able to operate on your behalf across services? 778 00:43:10,400 --> 00:43:13,400 How does that factor in? What is that equation looking 779 00:43:13,400 --> 00:43:14,960 like? So you see work happening 780 00:43:15,120 --> 00:43:18,000 feverishly across the board, whether it's in the Fighter 781 00:43:18,000 --> 00:43:21,600 Alliance, whether it's in the Open ID Foundation, whether it's 782 00:43:21,600 --> 00:43:25,040 in W3C and other other standards organizations. 783 00:43:25,400 --> 00:43:27,160 There's a lot that's going to be happening. 784 00:43:29,400 --> 00:43:33,040 And as usual, the tech is going to outpace standards, the tech 785 00:43:33,040 --> 00:43:35,480 is going to outpace best practices and guidance. 786 00:43:35,840 --> 00:43:39,000 So we kind of have to be prepared for things to break a 787 00:43:39,000 --> 00:43:42,440 little bit, but there are a lot of folks who are working really 788 00:43:42,440 --> 00:43:45,280 hard on it. Yeah, something I've thought 789 00:43:45,280 --> 00:43:49,160 about a lot about as well as what's going to happen with the 790 00:43:49,160 --> 00:43:53,200 intellectual property, it just seemed like the lines could blur 791 00:43:53,200 --> 00:43:56,680 where intellectual property, thoughts, things like that can 792 00:43:56,680 --> 00:44:01,480 be put into an AI and then what becomes to them they are you 793 00:44:01,480 --> 00:44:08,000 training a model that doesn't really keep track of what is 794 00:44:08,000 --> 00:44:12,000 intellectual property where, where the thoughts belong? 795 00:44:12,160 --> 00:44:15,920 Do they belong to some person or some entity or are they in the 796 00:44:15,920 --> 00:44:19,280 public domain? So it's just a little thought 797 00:44:19,280 --> 00:44:23,160 that I've been having lately. Next topic Decentralized 798 00:44:23,160 --> 00:44:28,480 identity. I think it's a very loaded term 799 00:44:28,600 --> 00:44:33,480 because it's been bandied about and used and misused many times 800 00:44:33,480 --> 00:44:35,840 over. But we're definitely moving 801 00:44:35,840 --> 00:44:42,400 towards a place where decentralized or Federated 802 00:44:42,560 --> 00:44:45,360 models are going to start to become practical, especially as 803 00:44:45,360 --> 00:44:49,120 we start seeing how wallets are becoming more, more and more 804 00:44:49,920 --> 00:44:51,960 common. As people start building warrant 805 00:44:51,960 --> 00:44:56,040 infrastructure, people start building out the standards for 806 00:44:56,440 --> 00:45:00,800 being able to present credentials across 807 00:45:00,800 --> 00:45:03,880 organizational boundaries, across jurisdictional boundaries 808 00:45:03,880 --> 00:45:07,720 in a way that can be accepted and certified without, in a 809 00:45:07,720 --> 00:45:09,880 privacy preserving manner. So they think there's a lot of 810 00:45:09,880 --> 00:45:13,400 work happening there. I am very hopeful about that 811 00:45:13,400 --> 00:45:17,040 aspect of what would have been called decentralized during the 812 00:45:17,040 --> 00:45:23,720 past that that is actually going to be really driving utility and 813 00:45:23,720 --> 00:45:30,080 value and creating a world where we can actually present an 814 00:45:30,080 --> 00:45:35,480 aspect of our identity in a privacy preserving manner much 815 00:45:35,480 --> 00:45:38,920 more seamlessly and easily than we used to be able to do before. 816 00:45:40,720 --> 00:45:43,000 We've been here about decentralized identity for years 817 00:45:43,000 --> 00:45:47,880 now and we're just, we're we're, I don't feel like we're anywhere 818 00:45:47,880 --> 00:45:51,120 close to it in the US, at least Europe seems to be much further 819 00:45:51,120 --> 00:45:53,480 along with their plans on it. Just based on what I saw at the 820 00:45:53,480 --> 00:45:55,040 EIC conference earlier this year. 821 00:45:55,640 --> 00:45:57,720 What I've also noticed is nobody's calling it blockchain 822 00:45:57,720 --> 00:45:59,880 anymore. It's decentralized identity. 823 00:46:00,360 --> 00:46:03,000 And so is this a, is this a branding shift? 824 00:46:03,000 --> 00:46:06,600 Is this a marketing strategy to kind of get away from, you know, 825 00:46:06,600 --> 00:46:10,760 the maybe the crypto sort of camp and more towards the 826 00:46:10,760 --> 00:46:12,640 broader technology as a solution? 827 00:46:12,640 --> 00:46:15,240 Because I can certainly see the benefit of it. 828 00:46:15,640 --> 00:46:19,320 I just don't see it happen anytime soon in the US because 829 00:46:19,320 --> 00:46:23,160 of either government, right, you know, and, and, and people not 830 00:46:23,160 --> 00:46:25,520 trusting if the government runs it or maybe if it's healthcare 831 00:46:25,840 --> 00:46:27,840 or if it's finance or if it's education. 832 00:46:27,840 --> 00:46:33,000 Like who's going to run these giant rings of being able to, 833 00:46:33,040 --> 00:46:34,480 you know, have a decentralized identity? 834 00:46:34,480 --> 00:46:37,520 Because it's not like, you know, some the normal human being is 835 00:46:37,520 --> 00:46:41,000 going to say, well, yeah, just connect to my, you know, to, to 836 00:46:41,000 --> 00:46:42,960 my Ledger. Like that doesn't make sense for 837 00:46:42,960 --> 00:46:44,680 most people. How do you see this happening in 838 00:46:44,680 --> 00:46:47,200 the US, you know, going forward? Yeah. 839 00:46:47,200 --> 00:46:51,480 So you know, as Jim said, I'm not, I'm not one to 840 00:46:51,480 --> 00:46:56,160 prognosticate the future, but I will say this and I I think the 841 00:46:56,160 --> 00:46:59,480 term decentralized, like I said, becomes overloaded. 842 00:46:59,480 --> 00:47:04,240 And therefore, I'm not, I try not to get too hung up on the 843 00:47:04,240 --> 00:47:07,480 word, especially not on the technology behind it. 844 00:47:07,600 --> 00:47:10,600 You know, there's, there's companies that are using 845 00:47:10,640 --> 00:47:12,880 permission blockchains, there are companies that are using 846 00:47:13,120 --> 00:47:16,600 other stuff a lot. I think one of the shifts that 847 00:47:16,600 --> 00:47:21,160 we're seeing is people are starting to focus more on the 848 00:47:21,160 --> 00:47:24,800 use cases, which is always good. They're starting to focus on the 849 00:47:24,800 --> 00:47:31,880 utility, which is always good. And so I think wallets is, you 850 00:47:31,880 --> 00:47:36,000 know, and Heather Flanagan has an amazing post about should we 851 00:47:36,000 --> 00:47:38,480 still be calling it wallets? And I highly encourage folks to 852 00:47:38,480 --> 00:47:41,160 check that out and check out everything Heather Flanagan 853 00:47:41,160 --> 00:47:42,280 says, because that's always good. 854 00:47:42,560 --> 00:47:45,800 But leaving that as sticking with the wallet term for a 855 00:47:45,800 --> 00:47:47,560 while, I do think that will help. 856 00:47:47,560 --> 00:47:50,520 Like in the US, for example. Yeah, we're not going to have a 857 00:47:50,520 --> 00:47:53,600 national identity that's going to be doing anything like that. 858 00:47:53,600 --> 00:47:58,160 But you have MDLS. And MDLS, our driver's licenses 859 00:47:58,160 --> 00:48:01,920 have been our de facto identity for a long time for many 860 00:48:01,920 --> 00:48:07,000 different use cases. So can the MDLS become the way 861 00:48:07,000 --> 00:48:11,240 we do this in a decentralized manner, especially if you take 862 00:48:11,240 --> 00:48:13,440 into account some of the work that's happening on phone home 863 00:48:13,440 --> 00:48:15,760 versus no phone home and all these kind of things that are 864 00:48:15,760 --> 00:48:20,040 being discussed and you add in privacy considerations. 865 00:48:20,040 --> 00:48:22,200 Yeah, that could be a way to get there. 866 00:48:23,760 --> 00:48:26,240 And then it'll evolve from it. Like the minute somebody sees 867 00:48:26,240 --> 00:48:29,600 something working, 500 other things are going to show up 868 00:48:29,600 --> 00:48:31,920 saying, oh, we can do that but better, or we can do that but 869 00:48:31,920 --> 00:48:34,920 slightly different and it'll mushroom from there. 870 00:48:34,920 --> 00:48:39,160 So I do think utility will drive it. 871 00:48:39,200 --> 00:48:43,840 And I think part of what will drive the US is seeing it happen 872 00:48:43,880 --> 00:48:47,240 everywhere else. Like Europe is obviously very 873 00:48:47,240 --> 00:48:49,320 visible in what they're doing on wallets. 874 00:48:49,680 --> 00:48:52,640 But actually this is happening all over the world now, right? 875 00:48:52,680 --> 00:48:55,960 Every place, whether it's Southeast Asia, I saw a lot of 876 00:48:55,960 --> 00:48:59,880 work happening and the Middle East and Asia and in Africa, 877 00:49:00,080 --> 00:49:03,920 what people want this because they see how it unlocks the 878 00:49:03,920 --> 00:49:06,680 economic engine, right? Like they see the value of it. 879 00:49:07,120 --> 00:49:09,000 So there's a lot of efforts that are going to be happening. 880 00:49:09,000 --> 00:49:13,640 And I think in parallel, there's a lot of work happening at the 881 00:49:13,640 --> 00:49:17,240 standards bodies to try and enable it to happen in a good 882 00:49:17,240 --> 00:49:20,920 way, right? So that'll take some time, but I 883 00:49:20,920 --> 00:49:24,320 think it'll happen. I was going to mention the MDL 884 00:49:24,320 --> 00:49:30,720 as well, but you know Jeff, with Jeff's entry, we definitely 885 00:49:30,720 --> 00:49:34,680 violated the two-minute answer in the Lightning realm. 886 00:49:34,840 --> 00:49:37,520 I'm going to allow it. As as the judge, I'll allow it. 887 00:49:39,040 --> 00:49:41,080 You're happy to judge I'm the jury, right? 888 00:49:41,080 --> 00:49:45,600 Sure I can. Anyway, we'll just do one more. 889 00:49:45,640 --> 00:49:49,440 It's 2025. Somebody's listening to this 800 890 00:49:49,440 --> 00:49:52,000 years from now that there's a context. 891 00:49:52,000 --> 00:49:54,120 We're talking about non human identity. 892 00:49:55,000 --> 00:49:56,800 What do you think of non human identity? 893 00:49:56,800 --> 00:50:02,280 Is it even a good term? Well, 800 years from now, 894 00:50:02,480 --> 00:50:05,200 nobody's going to care about human versus non human identity. 895 00:50:05,200 --> 00:50:08,520 It's all going to be just identity and hopefully it's 896 00:50:08,520 --> 00:50:12,880 going to be invisible because it's just going to happen and 897 00:50:12,880 --> 00:50:14,640 people won't have to do anything for it. 898 00:50:15,280 --> 00:50:20,520 But that's 800 years from now. I think the NHI wave that's 899 00:50:20,520 --> 00:50:25,160 happening right now, there's a, again, it's the same thing. 900 00:50:25,160 --> 00:50:27,840 There's a lot of old technology that's being rebranded NHI. 901 00:50:27,840 --> 00:50:29,920 There's a lot of new work happening. 902 00:50:29,920 --> 00:50:33,400 I think the AI stuff is going to trigger a lot of interesting 903 00:50:33,400 --> 00:50:39,560 work in that same same vein. But yeah, I'm not a, I'm not 904 00:50:39,560 --> 00:50:43,240 sold on the term because I think it encapsulates too many 905 00:50:43,240 --> 00:50:45,920 different things and, and blurs the boundaries a little bit too 906 00:50:45,920 --> 00:50:47,200 much. Trying to put everything under 907 00:50:47,200 --> 00:50:49,840 one umbrella can make things confusing. 908 00:50:50,280 --> 00:50:54,160 And I think a little bit, just a little bit of precision can go a 909 00:50:54,160 --> 00:51:00,360 long way in making sure that people don't overestimate what 910 00:51:00,360 --> 00:51:04,840 something can do or miss misidentify what some, what 911 00:51:04,840 --> 00:51:07,640 value something can bring. And we've suffered from that a 912 00:51:07,640 --> 00:51:11,120 lot in our, in our, in our identity space, if you will. 913 00:51:11,480 --> 00:51:14,000 So I think a little bit more precision would be valuable. 914 00:51:15,320 --> 00:51:17,840 But hey, you know, if nothing else, it's it's putting 915 00:51:17,840 --> 00:51:19,680 attention on the problem, and that's always a good thing. 916 00:51:21,280 --> 00:51:23,680 Like like all things, I think it comes down to context and 917 00:51:23,680 --> 00:51:26,600 context matters whenever you're having a conversation, whether 918 00:51:26,600 --> 00:51:30,360 it's NHI, whether it's machine identity, whether it's, you 919 00:51:30,360 --> 00:51:32,440 know, whatever term we want to use. 920 00:51:32,880 --> 00:51:34,280 Again, these are not new concepts. 921 00:51:34,280 --> 00:51:36,920 They've been around forever. There's always been, you know, 922 00:51:36,920 --> 00:51:40,120 some sort of machine or non human identity operating behind 923 00:51:40,120 --> 00:51:41,760 the scenes, service accounts, etcetera. 924 00:51:42,120 --> 00:51:46,000 I just wish you would settle sort of like on a standard just 925 00:51:46,000 --> 00:51:49,680 way to call it because we are awesome as a as an industry of 926 00:51:49,680 --> 00:51:52,200 coming up with new acronyms and having like 8 different ways to 927 00:51:52,200 --> 00:51:54,440 call the same thing. And so this is just an area that 928 00:51:54,560 --> 00:51:57,560 again, creates it creates unnecessary confusion if we 929 00:51:57,560 --> 00:52:02,480 can't agree to have the same at least, you know, vocabulary for 930 00:52:02,480 --> 00:52:04,240 things like that. It just it bugs me. 931 00:52:05,760 --> 00:52:09,560 Yes, that is unfortunately a problem with being, you know, 932 00:52:10,000 --> 00:52:13,280 struggling with since ever since I started working and itinerary. 933 00:52:13,280 --> 00:52:16,840 And that's been a long time. Well, let's wrap up this 934 00:52:16,840 --> 00:52:21,400 conversation on your background. So I noticed for people who are 935 00:52:21,400 --> 00:52:23,840 listening to this and you're, if you're not seeing us on YouTube, 936 00:52:23,840 --> 00:52:25,200 come over, give us a like and subscribe. 937 00:52:25,200 --> 00:52:28,320 That helps us out a lot. You've got a couple pictures of 938 00:52:28,440 --> 00:52:31,800 New York stuff. I think I see Mariano Rivera 939 00:52:31,800 --> 00:52:34,240 behind you. I think I see the Giants behind 940 00:52:34,240 --> 00:52:36,760 you. Is this just you as a, as a New 941 00:52:36,760 --> 00:52:39,760 York sports fan, or is there some deeper significance? 942 00:52:40,000 --> 00:52:42,360 Or is this like a Taylor Swift thing where there's like hidden 943 00:52:42,360 --> 00:52:45,920 meaning between these, you know, pictures like what is what is 944 00:52:45,920 --> 00:52:49,800 the the play here? Nishant The play here is to suck 945 00:52:49,800 --> 00:52:50,760 up the. Gym, right? 946 00:52:52,160 --> 00:52:54,440 Well, Jim is a is a Yankees fan, unfortunately. 947 00:52:54,960 --> 00:52:58,480 Yeah, the New York thing is just, I am a New Yorker at 948 00:52:58,480 --> 00:53:01,240 heart. Like growing up, I, you know, 949 00:53:01,240 --> 00:53:03,760 coming and being in New York was always my dream. 950 00:53:03,800 --> 00:53:05,640 It was like, that's where I want to be. 951 00:53:05,640 --> 00:53:08,080 That's where I that's where I want to go to succeed. 952 00:53:08,080 --> 00:53:12,040 So, and then I have a lot of family and, you know, that just 953 00:53:12,040 --> 00:53:14,120 meant adopting the New York sports teams. 954 00:53:14,120 --> 00:53:19,520 And I don't do anything halfway. So if I'm in it, I'm in it all 955 00:53:19,520 --> 00:53:23,520 the way. So that meant the good stuff 956 00:53:23,520 --> 00:53:26,840 with the Yankees, the bad years with the Giants, then they'll 957 00:53:26,840 --> 00:53:31,080 make those two improbable runs with the Giants and what Jim and 958 00:53:31,080 --> 00:53:33,840 I are dealing with this year with the Yankees, which is not 959 00:53:33,840 --> 00:53:38,320 good for my heart rate. So is it an all New York sports 960 00:53:38,320 --> 00:53:40,640 or do you focus on just the Yankees and the Giants and you 961 00:53:40,640 --> 00:53:42,880 say forget about The Jets and the Mets? 962 00:53:44,360 --> 00:53:48,360 You cannot do both at the same time. 963 00:53:48,360 --> 00:53:51,360 You have to choose, OK, Anybody who says they can, anybody who 964 00:53:51,360 --> 00:53:53,800 says they can do both is not a New Yorker, let's put it that 965 00:53:53,800 --> 00:53:54,000 way. And. 966 00:53:54,520 --> 00:53:57,960 I feel the same way as a as a recovering Chicago and you had 967 00:53:57,960 --> 00:53:59,320 the White Sox and you have the Cubs. 968 00:53:59,840 --> 00:54:01,880 And it will always bug me. And people say, well, I'm a fan 969 00:54:01,880 --> 00:54:03,400 of both teams. No, pick one. 970 00:54:03,400 --> 00:54:06,000 You have to pick one. And the right answer is always 971 00:54:06,000 --> 00:54:07,840 the Cubs. You, you definitely should not 972 00:54:07,840 --> 00:54:10,440 be a Sox fan. It's just dirty, dirty, dirty. 973 00:54:10,440 --> 00:54:13,760 So. Any any Sox fan if the name has 974 00:54:13,760 --> 00:54:14,760 the Sox. You cannot be there. 975 00:54:14,760 --> 00:54:17,800 White Sox, Red Sox, whatever it may be, they're all, they're all 976 00:54:17,800 --> 00:54:19,440 the enemy. So sorry. 977 00:54:19,480 --> 00:54:21,520 You know Boston and the South Side of Chicago. 978 00:54:22,920 --> 00:54:24,960 Yeah, we just lost a whole bunch of listeners. 979 00:54:25,000 --> 00:54:26,760 Thanks chef. You know what worth it. 980 00:54:26,760 --> 00:54:27,720 That's fine. That's like hell. 981 00:54:27,720 --> 00:54:30,520 I'm ready to dive on it and I'll start taking people as they try 982 00:54:30,520 --> 00:54:34,600 to come up it. Deshot, thank you so much for 983 00:54:34,600 --> 00:54:36,640 taking the time with us. Really excited to see you in 984 00:54:36,640 --> 00:54:39,480 your new role and seeing you here in a couple weeks here at 985 00:54:39,760 --> 00:54:41,880 the Authenticate conference. So I have. 986 00:54:43,120 --> 00:54:44,920 Yeah, I was going to say I'm going to be looking forward to 987 00:54:44,920 --> 00:54:48,200 seeing you at Authenticate and having Megan kick your ass at 988 00:54:48,240 --> 00:54:50,640 again on stage. No way. 989 00:54:50,840 --> 00:54:53,360 No way not. Mine, it'll be Jim's because I'm 990 00:54:53,440 --> 00:54:56,640 I'm the Steve Harvey here. But yes, Fido feud Round 2 is 991 00:54:56,640 --> 00:54:59,200 underway. I am working feverishly on the 992 00:54:59,200 --> 00:55:02,840 questions that we're going to answer with Adrian 1 to 1. 993 00:55:02,840 --> 00:55:05,200 So only she and I know the questions and we'll have the 994 00:55:05,200 --> 00:55:07,000 answers. And so we'll be surprised if 995 00:55:07,000 --> 00:55:08,400 we're already involved when it comes up to it. 996 00:55:08,400 --> 00:55:11,520 But last year was a lot of fun and the goal is to make it even 997 00:55:11,520 --> 00:55:15,760 bigger, better and maybe even more tequila or than it was last 998 00:55:15,760 --> 00:55:17,160 year on stage. We'll see. 999 00:55:17,160 --> 00:55:18,240 I don't know if we can do that again. 1000 00:55:18,240 --> 00:55:20,840 That might have been a problem that we just didn't ask for 1001 00:55:20,840 --> 00:55:24,280 permission last time. You know what though, I'm 1002 00:55:24,360 --> 00:55:27,600 thinking now, maybe I should have Mishawn on my team. 1003 00:55:28,200 --> 00:55:32,400 So hey, if they kick our ass, they kick our. 1004 00:55:32,400 --> 00:55:38,720 Ass the Royal, Ass the. Royal yeah gets kicked. 1005 00:55:39,880 --> 00:55:42,200 All right, let's leave it there. Nishant, thanks so much. 1006 00:55:42,200 --> 00:55:44,480 I'm going to have links in our show notes for people to connect 1007 00:55:44,480 --> 00:55:47,080 with you on LinkedIn, link to Fido Alliance. 1008 00:55:47,520 --> 00:55:50,120 Don't forget the conference discounts on our website for 1009 00:55:50,120 --> 00:55:53,120 things like authenticate as well as cybersecurity summits as well 1010 00:55:53,120 --> 00:55:55,840 as ideniverse and Gartner coming soon. 1011 00:55:55,840 --> 00:55:59,600 So check those out. Also have link to the article by 1012 00:55:59,600 --> 00:56:01,800 Rusty Deaton. So again, great article by 1013 00:56:01,800 --> 00:56:03,480 Rusty. Glad to see it out there. 1014 00:56:03,920 --> 00:56:05,720 We need to have conversations like that kind of put out into 1015 00:56:05,720 --> 00:56:07,320 the forum where we're going to have discussions around it. 1016 00:56:07,600 --> 00:56:10,320 And then let's see, Nishant, you mentioned Heather's wallet 1017 00:56:10,320 --> 00:56:13,560 article, so Kill the Wallet, Rethinking the Metaphors Behind 1018 00:56:13,560 --> 00:56:15,320 Digital Identity by Heather Flanagan. 1019 00:56:15,320 --> 00:56:16,840 We'll have that link in her show as well. 1020 00:56:16,840 --> 00:56:17,960 So encourage people to check that out. 1021 00:56:18,080 --> 00:56:20,120 And she's got a very cool podcast that she does where she 1022 00:56:20,120 --> 00:56:23,800 kind of talks through her blog as she's kind of written it, 1023 00:56:23,800 --> 00:56:26,200 which is very neat. So yeah. 1024 00:56:26,440 --> 00:56:28,960 Yeah, I keep driving around having the soothing voice of 1025 00:56:28,960 --> 00:56:31,160 Heather reading out Identity Toss to you. 1026 00:56:31,360 --> 00:56:34,640 It's a good way to go. See, the only thing missing is 1027 00:56:34,640 --> 00:56:38,320 like the cat in the background and she just can't get on, you 1028 00:56:38,320 --> 00:56:39,760 know, without the video component of it. 1029 00:56:39,760 --> 00:56:42,480 But maybe maybe there's an editing tip there to like put 1030 00:56:42,480 --> 00:56:46,320 maybe a a slow soft, you know, purr behind is like, you know, a 1031 00:56:46,320 --> 00:56:50,440 little bit of what's the, you know, what's the voice thing 1032 00:56:50,440 --> 00:56:52,960 that you do with like, you know, people like soothing ASMR, like 1033 00:56:52,960 --> 00:56:55,440 something like that, right? For for the podcast. 1034 00:56:55,480 --> 00:56:58,000 Maybe we'll do that on ours. Maybe we'll do it for next the 1035 00:56:58,000 --> 00:57:03,320 next April Fool's joke. Sounds good like and subscribe, 1036 00:57:03,480 --> 00:57:06,000 share with friends, share with enemies doesn't matter as long 1037 00:57:06,000 --> 00:57:08,920 as they hit like and subscribe idacpodcast.com. 1038 00:57:09,320 --> 00:57:10,840 And with that, we'll leave it there for this week. 1039 00:57:10,960 --> 00:57:13,560 Thank you everybody for watching and or listening and we'll talk 1040 00:57:13,560 --> 00:57:18,360 with y'all in the next one. You've been listening to 1041 00:57:18,400 --> 00:57:22,280 Identity at the Center. We hope you've enjoyed the show. 1042 00:57:22,520 --> 00:57:26,600 Make sure to like, rate and review, and we'll be back soon. 1043 00:57:26,880 --> 00:57:29,120 But in the meantime, hit the website at 1044 00:57:29,120 --> 00:57:35,520 identity@thecenter.com. See you next time on Identity at 1045 00:57:35,520 --> 00:57:36,400 the Center.