Identiverse 2018: Machine Learning and Progress Against Passwords

By Sean Deuby, Senior Architect

I’ve just spent a short but jam-packed few days at Identiverse 2018 in Boston. I’ve been fortunate enough to have attended this conference (known before this year as the Cloud Identity Summit) practically every year since its beginning in 2010. CIS started as a small gathering of about 100 identity and security focused professionals in the mountains of Colorado, hosted by Ping Identity and its visionary CEO, Andre Durand. Ping has always been its primary sponsor; a large number of its employees have pitched in over the years to help make it grow over the years as the recognition of identity’s importance in both personal and business life has itself grown.

Indeed, in his keynote Durand expressed the belief that the most explosive growth – a “Cambrian moment” in reference to the first explosion of life during the Cambrian Era on Earth – in identity security was just about to begin. Investment funding is up $650 million dollars in the last six months. There have been 28 merger and acquisition transactions in the last year, and the public market for identity solutions has grown have an estimated market size of $10B today.

Biometrics and Passwordless Identity

Durand also stated that biometric authentication has entered the mainstream, a remark that resonated with me: after 3 1/2 years on the road, my faithful Surface Pro 3 died peacefully in its sleep last week in Bellevue, Washington. (I figured it knew it was near its Microsoft home.) Thanks to some quick work by our IT guy, a new HP EliteBook showed up the morning of the day I had to fly to a class reunion in Detroit and then on to Boston.

As part of the new PC setup experience (Cortana actually talked me through it) I registered with the biometrics available on the EliteBook. The Hello for Business facial recognition setup was about as painless as it gets. It’s pretty slick; 90% of the time I don’t have to touch the keyboard to unlock my PC. For those few times when lighting is weird (backlit by a convention center window or on a Southwest flight), the fingerprint sensor I also registered authenticated me instantly. I haven’t had to unlock my PC with a password since I got it.

This also tied in with another big theme at Identiverse this year: passwordless identity. My friend John Fontana (Zdnet Identity Matters) moderated a panel on this subject, and naturally Brett McDowell, chairman of the FIDO (Fast Identity Online) Alliance. FIDO’s mission is simple, and should be welcome to anyone reading this post: supplant passwords on every internet-connected device with device-bound, cryptographic credentials. With the arrival of the FIDO2 web authentication protocol, device manufacturers are embracing this standard to authenticate without passwords.

Machine Learning and Artificial Intelligence

It’s been super interesting to watch trends evolve across successive conferences, and machine learning / artificial intelligence is a great example. I can go over my notes from previous years and see references to futures and emerging research…and in the 2018 conference machine learning was all over the place. Many of the keynote speakers – Durand, Andrew McAfee of MIT, Alex Weinert of Microsoft, Kriti Sharma of Sage – had their own perspective on how AI and machine learning are beginning to make a serious impact and the issues it raises. And it seemed like every third product on the expo floor used some kind of machine learning to help detect anomalous behavior.

Machine learning humor (courtesy of Microsoft’s Maria Puertas Calvo and XKCD)

To inject personal experience again, I got the full-on Azure AD risk-based conditional access MFA experience when I set up my EliteBook. As a good identity & security professional I have MFA on my work account, my personal Office 365 email, and my personal OneDrive account. Between new machine setup and data synchronization and traveling to a couple of places I rarely go to, I experienced probably the maximum number of security challenges I would ever get – and there were a lot. But I used push notifications on the Authenticator app –  so MFA challenges were actually a lot more convenient than password prompts. And that’s an interesting flip-flop, isn’t it?

Professional Skills

Finally, Ian Glazer gave a very different, personal – and I think relevant – keynote about the skills of an identity professional. He referenced survey data from the IDPro organization for identity professionals he leads in addition to his day job as a Salesforce identity leader. Almost all of the survey respondents reported moderate to strong experience in identity subjects, yet fully 27% stated they still don’t feel proficient in the field. Among other things, he recommended that everyone use this matrix to objectively evaluate where their strengths are – and how aware everyone else is about those strengths.

For its ninth year, Identiverse will be in Washington DC. Identity leaders from the technology companies shaping the way we work will be there to share their thoughts. Identity and security professionals from all types of industries will be there to learn and network with each other. Will I see you there?