Welcome. I'm here with Tom Bruggeman, and we're here to talk about his experience in working, dealing with OAuth, OIDC, and overall authentication and how he tackled the challenges his organization is facing here. Welcome, Tom. Maybe you introduce quickly yourself, then your role, the organization, and the use cases.
Yeah, thanks, Martin. Nice to be here. I'm Tom. I'm what we call an area manager with DPG Media within IT. I'm responsible for a number of teams. One of them is the Alexa team, and this is the team on our side who are responsible for building our identity platform, which is an identity platform focused specifically on customers. Customers, users, anyone who logs into one of our apps, websites, who registers in accounts, who wants to take part in a voting, for example, on live TV. These are the things that the platform enables. And I do this with DPG Media. DPG Media is a large media group in the Dutch language space of Belgium and the Netherlands. We do have a small part in Denmark. So that's a different, different, slightly different language space. But my team works across these two countries; we do this for both the Netherlands and Belgium.
Okay. And so what you're doing as a media crew is you're providing digital services, apps to your consumers. So which types of apps are we talking about? Is this typical sort of access to news and stuff like that? And maybe you can give a bit of an insight about the size and scale of this.
Yeah, we started off, the group started off quite traditionally in publishing. So these would be newspapers and magazines. But the group grew across over the last really 10-ish years. So now we build everything. We build apps, the typical iOS and Android apps to consume news. be sort of deep dives, could be very popular news. We also do streaming, so we have quite a sizable streaming application that we run, that we provide. And this is interesting because it also has to work on TVs, a whole cluster of TV devices, which are often hard to support. We also do radios, which also again has its own specific needs, you know, there's lots of interaction in radio shows. So these apps, the apps that we make for the radio brands, typically have lots of interaction. Many of these interactions require people to log in. And then we also do linear TV, which you may not expect has much to do with identity. Like the example I gave before, we also do things like Dancing with the Stars or other voting type linear TV, big TV shows where we ask our audience to vote.
So at the end of the day, you have quite a number of users. You need a seamless access from a very wide range of devices when we look at this. So TV being very different to whatever mobile phone, being different to someone accessing via the web. As usual with these services, it really must be seamless. There might be, I could envision there might be some additional challenges. So when I look at some of the things on TV, then sometimes also this aspect of children versus parents becomes a quite interesting challenge. Maybe you can provide a bit more insight into the concrete things you need to do here and how you see this world of authentication and why you finally adopted a solution, in this case, the one of Authlete, to address these challenges.
We have an active user image, which is about 10 million identities. So these are a lot of people, especially within our language space. The most important part for us was the ability to respond to a rapidly changing business. So we're in media and media is rapidly changing, our traditional models are very quickly being consumed less by people. You know, there's this big move from analog to digital, is very obvious, but this is very disruptive for us. So our main focus was being able to address business challenges. One of these are what you mentioned, how do we differentiate between, how do we protect children, which may be consumers, they would not be consumers, but they would be users of our platforms. Adults, the relationship between these two. That's really why we opted to go for this approach, which is we want to build our own platform. We don't want to rely on one single party to do everything for us because this is not flexible enough. We cannot address the business challenges that lie before us effectively. So this is why we chose to build our own platform and use specific partners, which is very, very hard, specific things. But we want to be the glue between all of these platforms and partners that we use so that we can really move quickly and build exactly what it is that we need to put our business forward.
And I think it stands for what we see in the digital business that, you know, in the early days of computing, computing was a differentiating factor between companies. Then we moved a lot to whatever standards of there and so on. But over the past, probably almost two decades, at least, especially in the past decade, we really saw this shift to that most businesses, not every, but most businesses are in some sort of digital business. And then, again, the technology, the way you solve these problems becomes a differentiating factor. And you need the agility in that, which means you need to be able to quickly adapt to these changes. And I think we all know that we are still, so to speak, on the path of this evolution. We are not yet done with where the digital age will lead us. So I fully get us. Looking at authentication, I believe authentication is something which is where really digital identity becomes essential for the digital business because authentication is where people come in the first time, so you might lose them directly. Where they come back again and again, where they might say, okay, too annoying, I do something different. So authentication at the end of the day is something which is essential to make and a seamless authentication. Which still is strong enough as essential for making digital business a success. Which standards did you decide for using? Why? And how did you implement this then?
We very consciously chose to adopt open standards. So we very consciously decided to go for OpenID Connect and OAuth, partly because there was not really that much choice. The other alternative was any number of proprietary technologies. But we really thought this set us free because it's an open standard, because it's widely available, because it's hugely supported by the community. It really helped us to roll this out because there are other cases for different TV platforms, for example, which may be sort of slightly obscure niche. It is an open standard. It is secure if we keep up because this is constantly changing. So we do need to keep up with this. We don't implement this once. We continuously have to look at new features. New changes to current improvements. So open standards was really something that set us free. I always say using the open standards set us free, it solved for us the integration problem. We had no or very little discussion with internal teams or external teams about integrations. We use OpenID Connect, very well known. Maybe a small downside is that it's still not the easiest specification. We've noticed that it still requires quite intensive coaching from our side towards an integrator to have them do the right thing because there's so many options, so many different ways you can integrate, so many different parts of the specification. We still, it still requires coaching. The way we cycle this anyway is we try to coach our integrator. So we have technical people talk to technical people in very intense pressure cooker-ish session.
And I think this is a very important point. I think we need to be aware of OpenID Connect. are not in that sense, single specification. They are a set of specifications. They are continuously growing. So we see the next things like OpenID Connect for verifiable credentials emerging. So there's a sort of a constant innovation and it's not that this is something which is sort of put in stone and then it remains the same for years but it's really something which continues to evolve. And you touched the integration, the challenges here. So which solution did you finally pick to sort of simplify this challenge?
I don't think there's one... The integration challenge. You mean?
Yeah, from what I understand, you for instance opted for Authlete as a provider in that space. So the question was why and what does it serve that you don't get directly, so to speak, from using the open standards.
Yes. Yeah. Okay, an interesting, what we mentioned before is the constant change. We were quite, when we started this journey four or five years ago, we were quite surprised how quickly even these pretty long standing, well known standards changed. I remember very clearly in the beginning of our journey, we had, when we started with Authlete we had, at the same time, the team had to solve a challenge in streaming, which is how do we authenticate and identify users on a TV device where using a remote is extremely difficult. Well, extremely difficult, but for some users it's least cumbersome. And that's exactly when sort of device flow was being launched and maturing. And so this is an example where using the open standard, they solved the problem for us. All we had to do was be the glue between these things. We just had to build a little bit of UI on the TV, roll it out, which was easy enough to do, and then relied on Authlete to do the hard work syncing these codes and verifying that these are indeed the users that we want them to be. So that was very easy. It took us, I think, two sprints to roll this out to TVs, for example. So that's a great example of where we're using it, part of my project.
Okay. So basically it allows you to focus on the UX, the business service, while, so to speak, Authlete does the heavy lifting in the backend around the standards.
Yep. Yep. Gave us the flexibility to do what we want to do, make it look like we want it to look. Obviously, within some limitations that we have within the standard, you know we can magically identify you to still have to have this back and forth. This will have to properly identify users. Do it in a secure way. Most of the security and the heavy lifting we just got for free. We didn't have to think about that much. We didn't have to be worried about it at any point. It just works. We had to understand what it is and then implement it the way we think our users, it works for our users. Speed is absolutely one of the things that we constantly look for and in this case we very much managed to achieve.
Mm-hmm. So what do you have in mind? Which plans do you have for foreseeable future and further evolving this? Anything you could speak about?
Yeah, so we're typically not a leader in these types of technologies. We prefer to wait a little bit and then see where things go. But what we're seeing is wallets is a big one. You know, data wallets. We're kind of thinking about how should we tackle this? We look at the wallet idea. We really look at it as a way for our users to have more control over their privacy, which also requires them to identify themselves. So this ties in very nicely with the privacy initiatives that we do. So wallet is definitely a big one. And I think other than that, we're in a pretty stable place concerning our identity platform and the way we roll it out. And so we don't really see any particular big challenge or big things. We always like to say we're not a bank. We have very little regulatory overview or control over what we do with our entities. Obviously, we want to keep them safe, but we feel like we've done pretty much everything we can to keep these entities safe and we don't see any big new initiatives on that front.
Tom, great. Thank you for sharing all these insights. I think this is very helpful and provides a view on how to tackle the challenges of authentication in a fast moving digital world and why also it's, I think, important to choose the right standards, the right solutions to provide the agility to the business. Thank you.
Yes. My pleasure. It was a great talk today. Thank you, Martin.