Victoria the stage.
Sure, why not?
Let's, let's be the opener everybody And welcome. Are you being racist now?
Did you say unruly? Yes. Unruly. My name is Viri. I work as an architect for Okta, and I come from the route of developers. I spent all of my career in identity of intersection between identity and developers, and CIAM is the poster child of how this synergy is really, really important. Because if you go on the workforce side, you typically follow a script in which you have to use most of the same things.
You have to give emails, you have to deal with documents, you have to make sure that people don't breach. But in CIAM, if you're working for an airline or for a health organization or for a government, you have dramatically different requirements. And so of course, developers are the ones that help you to cross the last mile. And so we are very, very important.
Thank you. I'm Matt Brazinski. Hi. Nice to meet you guys here. I am a senior product manager from, for dr. I've been in identity management for long enough to have way too much gray hair that I like to admit.
So anyhow,
My background is all identity and biometrics. And when it comes to CIAM and being able to provide that great experience for, for end users, whether they're citizens, whether they're customers, whoever they are, it really comes down to being able to take all that data that we have on customers and being able to orchestrate journeys in ways that make them feel secure, make them feel that they can trust your organization. And as we've heard about earlier and all the other presentations make it easy as well.
So what I see is our customers' customers now demand absolute easy experience, but they, they must have ultimate security. And so that's the trick in the balance when it comes to CIAM.
Good. So my name is from tall. I'm working on the product strategy over there.
For us, the three main topics in that strategy to deal with consumer identity is all about making sure that you minimize data, so maximize the use of self-sovereign identity, that you focus more on the authorizations rather than on the identity of a user. And that you also orchestrate actually the journey of the end user. And combining these things, these three things actually brings us to a point where we can actually have a convenient security, security that consumers actually do not, do not see anymore. Very transparent.
Hi James. Lap Palm.
I'm the GM of the identity business unit at Interests. So interests has been in the identity game for about 50 years in the CIAM and workforce game for about 15 years. So I head up their, their business unit. Our view on CIAM, especially at a keynote, especially on the evolutionary side of CIAM, it's, we're really taking a look at securing the customer journey, which means from everything from ID proofing, onboarding account, opening credit, risking fraud assessment, all the way into issuance and all the way into transacting.
So, you know, step up, MFA, cert based MFA, risk-based MFA, and all the way into digital signatures and beyond. So, so our view of CIAM is kind of a bit broad. So
Rob Otto, CTO, Ping Identity. I'm a passionate European from South Africa who lives in the UK. I love all people, especially the Italians.
Most, most of all from a CIAM point of view, the wonderful thing about CIAM is that every single one of us uses it every day. Well, every single one of us uses a lot of services every day. Most of it sucks, let's be honest, right? We all have amazing ideas about what we could do to help organizations improve their experiences. And I don't know, maybe I just feel like being controversial today after too many drinks last night, but something is, something is not translating there, there are still way too many things that you do that are just difficult.
I mean, not to point fingers at anybody in the room here. Did, did anybody figure out how to actually like sign into the app for this conference? Somebody says, somebody sent me a pass, a password in clear text.
Yeah, we, we, we have a, we have a lot to do and, and we, we we're spending a lot of time here talking about almost like going over our skis, right, in terms of amazing things like decentralized and wallets and all of the rest of it. But there's still a massive getting up to speed with, with the stuff from five, 10 years ago that we, we need to help our customers with. I'll stop. You have all the
Answers, so Yeah, it's finally on me to be brief. The others did, the chief did.
So yeah, my name is Cedric, I'm CEO of CDAs. We are the leading European customer at Nexus management solution both in B2C and B2B use cases. And obviously we do the same as all the others and more
The same and more number
Of users.
The first question I have here is to you Victoria, but I'm sure Rob you're gonna jump in as well.
Victoria, in your view, is it possible today to converge user experience, security and privacy in a way that is seamless and obtrusive and secure? And if yes, what is the key enabler of this? And if not, what do you consider to be the remaining challenges?
It depends.
Classic.
I think that the, today more than any other time in the past, we have extraordinary tools for achieving all the things that you list you listed, but the, as William Gibson likes to say, the future is already here, it's just not uniformly distributed. I love
It.
So for example, I'm sure you heard talking a lot about passkeys. Passkeys are a fantastic technology and the support for it is not uniformly distributed. So if you are on iOS or Android, you have this wonderful public-key cryptography mechanism, which is largely rooted in biometric gesture. So it's very easy, it's very privacy-preserving, it's phishing-resistant, it's fantastic. And if your customer comes from Windows, it kind of not really work that way. That's to say that you can use this technology, but the passkey that you create will be limited to the local device.
And so a lot of the challenges which led to the creation of multi-device credentials, like the syncing passkeys, like for example, user loses the device, user has more than one device, they come rushing back. And so today as a, someone who uses a CIAM system that supports passkeys, you can have a solution which works really great for a subset of your potential users.
And this is just one example of a fractal complexity of these kind of things because like every situation will have a different constraints.
Like you mentioned privacy, privacy in itself is a nightmare because on one side of course you want to do the right thing and preserves your users on the other. Our customers expect to extract intelligence from the use of their products. They expect to be able to lubricate their funnel so that people can more easily do signups. They expect to be able to understand the sequence in which they needed to present things to people so that they will engage with their product and maybe buy more or whatever.
So we as the CIAM providers, we needed to walk with extremely fine line of not being patronizing because people needed to have tools that allow them to do their job while at the same time helping them to do the ethical right choices without becoming experts in identity because the lazy alternative for us is to just give people a huge dashboard of switches and for which you need to be a certified pilot to use it. Instead, a lot of people look at us to provide them with their knowledge about identity that helps them to use helpful defaults.
And so a lot of a burden is on us to try to give them a right default. And I stop here, otherwise a blah too long.
Does anyone else want to chip in a yard drop? Go for it.
Okay.
I will, I will say one thing quickly and then I'll then I'll keep going. I, I, I thought your answer to that was gonna be yes, of course. So the answer is to buy Okta and I would say no, the answer is to buy Ping, but in, in a way I almost feel like, look, everything, everything you said is, is completely right. I I almost wonder if we are looking at this from the wrong perspective, right?
We, we we're starting and we are coming, we're bubbling up terms that we, we understand as identity people, you know, what, what should we do with passwordless? What should we do with, you know, verification?
I, I found myself wondering, does does CIAM exist? Is is CIAM a thing, right, or is is the thing the way that businesses interact with their consumer users, right? And is CIAM really just a part of that? Something that empowers it and underpins it, but not actually a, a separate discipline? Because I get very worried and I've gone completely off topic, so I'm gonna stop talking in a second.
I get very worried that we get together in a room with a whole bunch of identity people and we talk about a whole bunch of cool stuff about CIAM and the people who are actually concerned with getting interactions with their customers, right? Aren't, aren't in that room.
So, oh, there we go. Here's a thought.
Oh
No, that's fair
Point. I'll say something that,
That's a fair point. And this morning one of my colleagues, Dr. Phillip Messerschmidt made that very point is that it's not just about the the technical side, the user experience is all Cedric, you wanted to add something?
Yeah, I think that's completely right. I think what we are missing from the vendor's side, partially, I think we all have great tools. We have cool features set all, and we're talking about passwordless privacy and all that. But what we need to help customers with is showing them the path, how to achieve the customer experience. So how to use the tools, passwordless, how is the transformation from password to passwordless, how the transparency in the privacy and all that can be achieved. So it's more about highlighting the use case that also brings into the game.
CIAM may be a different discipline, but we need to consider the complete story more.
Yeah, sure. But then it, it needs to be achieved in the background.
So I mean, over the past couple of days we've been talking a lot about decentralized identity and those kind of supporting technology. So I wanted to ask you, what is your perspective on, on for, you know, for this audience, the role of decentralized in the CIAM context?
Yeah, I think there are different things about decentralized identities. We decentralized in general, we have decentralized identities which can play a, a bigger role. So we have seen different concepts in that story. We also have decentralized architectures. Basically it's not only about our IDE identity, we, it'll be much more distributed around the world. So all the edges will be included. It might be identification. We are currently discussing a lot about identification in the digital world. You will have all the edges in the real world too.
So I think decentralization will be a big, a big thing. Not about only decentralized identities. Also about our decentralized architectures, what we'll have
And in terms of interacting, oh,
Sorry. And I still want to add on that the, for me, the big challenge is that it will change the way how, how we have to deal with consumer data. So decentralized identity means that the data will no longer live in our CIAM repository. So at the end we will not have a CIAM repository anymore.
We will only have data that actually passes by, but we will not be able to store, we will not be allowed to store it anymore. So sure you disagree.
Where did you hear that? That you will not be able to store with data?
Will we still be allowed to store data Yeah. From the consumers. Yeah. Will the consumer still allow you
From the decentral, decentralization
Means?
So, so so the storage, the storage of that identity data, is that something that we as a CIAM vendor should keep? Or is that data that actually belongs to the CRM platform?
Sure, that which, which is a true already today that's say vendor. The sheer fact that people now will be able to have a cached token on their device instead of having to ask for the token from a centralized place changes nothing from our side as a verifier, you just get this token, whether this token was just freshly signed and squeezed from an IdP or it's something that was in the wallet of a user. From our point of view, nothing changes.
What might change is that the regulator, once those things will be in the wallet of people, and once people will be able to do what they do today with dialogue, accept all cookies, but instead of cookies they'll be sharing verified information about themselves. Then maybe regulator will wake up and say, hmm, I mean it's a bit dangerous. Correct. And then there might be laws for which we will have to comply, which might mean now some of the functions that we do in CIAM, we will no longer be able to, but from a technical perspective until the regulator doesn't show up, nothing changes.
And it, it might change a little, the the customer experience, right? It might not change technically, but it might change the story. What we are telling users when they, when they onboard. So you might have different identity sources, you might have different ways how you get all the data, you might have different concepts, how you have privacy. So if you have a decentralized identity and the user's control of that identity, he might just trigger the deletion from any other ways or the, the technical level.
What we do on our, on the vendor side might be still the same or might change slightly.
Can you expand on that story? The thing about it you just said about there will be different like internal of experience, like the user gets the phone and they navigated to one website, which is protected by our stuff. And now instead of just sign in with your directory, sign in with Google, there will be sign in with your mobile driving license. Once we click that, how is their experience gonna be different and how is this privacy thing that you're saying is gonna change?
I'm like, so every time I look at this, people say this will change, but when, when you look at the sequence is exactly the same as before.
So it's, it's, so we were just having a side brief here. So it's really around consent management, right?
So, so, so privacy is a choice if, if I choose to be private or I don't choose to be private privacy is a choice. PII because an individual subscriber, like all of us can or cannot control it in a centralized manner. Verifiable credentials offers the ability with correct consent management so that people get to make a choice. If they choose to share their privacy, then has a, as a consumer of data, then that's, that's fine, but it adds a level of ability for people to do consent and consent management.
I'm sorry, but I disagree.
That's to say that from a point of view of the consumer, like the thing that you are mentioning is classic gospel from a people that talk about verifiable credentials. But the selective disclosure is an ability that we already have today.
In fact, the verifiable credentials needed to do cryptographic magic in order to bring it back. Because today when I go to the identity provider, OpenID Connect, SAML, all the protocols we have, have the ability to say exactly, I would like to have this list of claims. And the identity provider can give you just that list of claims in every single interaction. The problem we are now, but you talking about that you are caching the token and the token is signed so you cannot change it.
So we had to add the capability of doing new selective disclosure, but from the capability perspective and gentleman was talking about the user experience, the dialogue that you see whether this thing does a crypto magic for selecting these, the claims that you have or whether it asks for the claims for the IdP and gets only those claims. From the user perspective, it doesn't change. If we want, if there is a business reason for doing consent, nothing prevents us from doing it today. It's that the verifier doesn't do it because the more data we can get, the happier they are.
So they they have no business incentive to do it. It's not a technological problem. Sorry for my passion, but No, no. Every time we talk about this stuff, no,
But I think you, you're right on a technical level, but the story, what you tell the user changes, right? So I take the the l example, what you mentioned at the beginning, you obviously can tell them, okay, sign up for the airline, provide me your email, first name, last name, whatever password or passwordless.
If you, if you go one step ahead next you say later, okay, give me your, your whatever passport details and so on. If I have the, the decentralized credentials or decentralized identities later and other things I might, might already pass certain details. So the customer experience, the customer journey itself changes the technical level I'm on, on your side, we have OpenID, we have OAuth 2, we have different things how we can handle that.
But the customer journey and how I or the customer experience what I deliver can be completely different on the, on the communication level as well as on the, on the customer journey itself.
Yeah.
Sorry, can I just interject to say that we're kind out of time, you know, like you, you have zero seconds, you have zero seconds to summarize the
The last guy, the last guy went over by six minutes. So we there are
The 20, you were allocated 20 minutes. So
Basic Matts
Well yeah, basic Matthias. So we're 30, it's 1236. So we can
Start, should we move onto
Summarizing?
You know, kind of thing. But seeing it's just us and between you and lunch, I think you're the worst of all the unruly reallys. Yeah. So bearing in mind that, that we're, we are between everyone and lunch.
Yeah, your point was
Start are izing give your pitch.
Great. So I think that we are putting too much like now just launching to the decentralized thing, the decentralized thing has an enormous potential. But it is a cold start problem with multiple parts. And I'm sure that marketing wants to rush into capitalizing on the interest of this thing. But in practice right now, until we don't have powerful credentials issued from organic authorities, this thing is not particularly actionable.
And if you want to achieve things like selective disclosures, things like do not save and similar, we don't need to wait for that. We can do it already today. The problem is that usually there is no business incentive and there is no regulator incentive to do it. These will not change once we will have the technology widely adopted until the regulator doesn't step in, there will be no difference in term of the experience that we give to people other than we will have a powerful credentials which now are harder to get.
Instead then people will be able to do it with a tap, which is fantastic, but I don't think we should overstate what that will mean in practice for C.
So wow, that was a really great passionate debate. And the one thing I love about being up here and listening to all that is I got to learn a lot, but I also see the passion that all of us as vendors have for providing the right solutions to our customers. The trick though, and Rob pointed out to begin is our customers are five years behind us.
And I was talking to one of our customer, one of our customers yesterday, he said he feels bad when he leaves these shows because they talk about this is what I'm supposed to be doing and I get back to my system and I can't get there. So what we have to think about Yeah, yeah, yeah, exactly.
So, but what we have to think about as our, as vendors when we talk to our customers and we have to help our customers move from what they have to what we're talking about. And that's, that's the big key because Rob, as you said, most of the interactions suck because they're five years old and we have customers ourselves that are on five year old technology and we just constantly try to tell 'em they need to upgrade. So look for how do you move from old to new is the most important thing.
Yeah. But it's not only the customer that's also the consumer.
So there is, there is one word that I still wanted to add in this that is actually a word that comes from ai. It's explainability.
We, we, we do a bad job as an industry to explain to our consumers what we actually do and why we do certain things and boils down to consent, boils down to, to journey, boils down to all different things.
Yeah, I mean there's doing it for a while. There's a very long road to, to trek.
I mean, 15 years ago CIAM was a single factor MFA that was painful and password reset on 80% of occasions and et cetera, et cetera. So I mean, I think we've made great leaps and bounds, I'm a big advocate. I've decentralized as the great tsunami of our industry, right?
So, you know, verifiable credentials, proper consent management. We're years away, but it's coming. So yeah.
All right. All right. So I just have a few slides on user experience orchestration.
No, I'm kidding. So I mean, lesson learned from me is don't try to be the controversial one on a panel with, with Victoria on it. Cuz you're, you're never, you're never gonna, I think, I think it's just that the hair, the hair sets him apart immediately.
So for me, I think there are things that I, that I touched on here. I might, I might say this in a very blunt way. Let's stop wasting time with internal discussions amongst ourselves with stuff that our customers and their customers don't really care about. And to be honest with you, don't, don't see the difference. I love some of the things that I think decentralized identity, verifiable credentials and wallets will empower. User privacy is not one that anybody I know cares about. Gonna be honest.
And the last thing I will say one more thing is make first party great again.
Kind of cellers of the hair right
Say was even better
With who these multicolor
To summarize, yeah, I think some good statements, statements were done. I think we need to change perspective to support our customers in the journey to help them utilize really features also include the consumers of end users basically. We also need to get rid of the fear failure in that to just drawing out things might help in that perspective. And I think it was a good round, good emotional discussion. That's great.
Well, clearly we needed 40 minutes or more, but once again, thank you very much guys. A big hand.