Internet Identity Workshop XXVIII and Me being part of it.

Almost travelling halfway around the world from home, the last couple of days has been “first time” for several of my journal events; the first time travel crossing the IDT, the first time in Silicone Valley and most importantly the first time at Internet Identity Workshop(IIW) which eventually ended up bringing much more first-hand first-time experiences.

As much as excited I was to be in @idworkshop, not even a fraction of time at IIW spent without amazement there. Starting from the breakfast with a random set of people at the table, who turn out to be pillars of the identity domain, everything that I experienced @IIW during last three days was eye-opening.

“Unconference” is not that much of a familiar word or a practice back home. Everybody sitting in a circle as peers, bringing ideas into the arena, creating an instant agenda to discuss them through the day and executing it collaboratively regardless of being an oldie or a newbie was a totally new experience for me.


As IIWXXVIII #28 wraps, I spent quality three days in following sessions where I got to be in multiple discussions convened by the resource persons where they root to the very core of the relevant parts of the identity domain.

WebAuthn - An Introduction to the Specification

WebAuthn Level 1 is a freshly published W3C Recommendation that guides to go authenticate passwordless and towards hardware security model. This protocol defines an API that uses cryptographic key-pair to provide strong authentication for your application using a hardware device. The support for webAuthn is now built into most of the leading browsers and platforms.

Later, I came across webauthn.guide by @codekaiju, the convener himself, which sum-up webAuthn.

Introduction to Open ID Connect

Having read the OpenID Connect for a good many times and being part of the WSO2 IAM team who implemented it, it was a great pleasure to be in a room where one of the spec author himself explained the concept. And hey, WSO2 is listed as OpenID Connect certified Identity Provider; check-out https://openid.net/certification/.

JWT Profile for Access Tokens

OAuth specification does not state anything of the nature of the access token and authorization server has the freedom to decide the format of the access token that it is issuing. However, it is trendy that Authorization Servers issue a JWT as an access token for the use of the resource server. This form of JWT which represents an access token needn’t have all the claims that are represented in ID token and now is a good time to define a standard profile as drafted in https://tools.ietf.org/id/draft-bertocci-oauth-access-token-jwt-00.html

Introduction to FIDO

FIDO showcases webAuthen in action and during the session we discussed how to prevent phishing attacks using FIDO device for authentication. Even when you enable two-factor authentication such as OTP based authentication factor, there are possibilities that an attacker might intercept these flows and make a successful login to a system. However, when you place FIDO device-based authentication in place, as long as you don’t lose to the device to an attacker, the system remains safe.

OpenID Connect for Identity Assurance

Work in progress OpenID Connect extension on how to share verified personal data with relying parties. Most of the personal data are now stored in digital format mostly relies on authorization servers and verified by the user. Hence, rather than obtaining a physical form of verification on user’s information now the relying parties can directly obtain this information from the authorization server directly. These verified data can be requested in the suggested format for multiple cases such as during user-info request or id-token request. Then the AS will include the identity information of a person in the response in defined format for the observing parties to validate the information in compliance with a certain law. Draft of the spect can be read at https://openid.net/specs/openid-connect-4-identity-assurance.html

XYZ Transactional Authorization

OAuth has its own grace as well as limitations. With OAuth, too much information flow through the browser, protocol depends on multiple redirections and the list can go on. Oauth.XYZ is ongoing construction and proposed as an alternative protocol for OAuth. This new protocol is based on a transactional model and transactions are interacted as JSON documents.

OAuth 2.0 on single page Applications

Redirections become a pain for single page applications. Still these applications need to authenticate, obtain access tokens, invoke APIs and do all the magic that any other application is supposed to do. During this session, a hidden iFrame based mechanism is proposed where a hidden iframe to do the authorization request and instead of in-browser redirect use a different pop-up window to complete the authentication flow and once completed then push the responsibility to parent window or application. During the session, there were many suggestions from the community to shape this up and standardize to meet security and other aspects of the flow.

Women In Identity @womeninID *Plans for 2019 * How do we create success? (Allies & Supporters Welcome!)

This is where I got to meet and greet with all the cool female brains engaged in the Identity business. Having met at the breakfast table earlier in the day, and to hear their great achievements, it was a great privilege to be seating with these pillars in the domain.

By being at IIW I realized, not only back home, but also everywhere in the world participation of women in the Identity Domain is significantly less. Though the number is gradually increasing, only there were about 10% of female participants were at IIW 28. Women in Identity is a group where women in the domain and allies get together and help each other to upscale and leverage, share and care for each other. Follow them on twitter @womeninid.

Why “Specific & Informed Consent” is Nonsense (or Not)

It is inevitable that we humans increasingly feed personal information into digital form in day to day basis. As these (personally identifiable information)PIIs are fed to various digital devices, applications and storages, it is important that a particular user is informed what information is obtained for what purpose and consented for particulars. We discussed whether the Specific and Informed Consent will scale, how the norms and rules need to be generated around the PIIs to protect the user, the objective of obtaining user consents should not make the user responsible rather it should provoke the responsibility to the party whoever to consume this PIIs. Conclusion of the gathering is that there should be government enforced rules and regulations to protect personal data and its flow as well as specific and informed consent to be applied whenever this information is obtained from the user.

Me2B — Have YOU Changed Activity Because of Unethical Data Company?

Discussion on “What are the behavioural changes that we have taken while interacting with the internet during recent times, knowing that the bad things happen on the internet.”

Let’s Make a Map! Of OAUTH Specs

OAuth specification is broad in terms of pages, so are the extensions and extensions on top of OAuth are everywhere. It is hard to figure out which questions to ask when you start to implement something related to Oauth and which exact sections to refer relating to your work. This discussion was based on an approach to build a portal where all the related specifications and extensions are accessible. Anyone can narrow down their search to find what exactly they need to read in order to implement a client or a server.

Formal Security Analysis of Web Protocols

The traditional methods of security analysis may have loopholes. They are built to detect known threats and attacks. Day by day the web become complex, hackers get smarter and finding vulnerabilities get harder. @dfett42 presented an innovative way of finding security vulnerabilities using a model-based approach, which can unveil new attacks on top of known threats and guarantee strong security aspects. Later I found out his work published in https://danielfett.de/publications/2018-10-19-an-expressive-formal-web-model/

Above is just a glance at the IIWXXVIII #28 proceeding. There was so much in action during these three days and I haven’t even mentioned anything on DID, SSI or Blockchain related sessions, which were hot topics and occupied most of the space in the billboard.

IIW is not only a gathering of the community who shape up the digital identity world. It is a place to bring ideas into action, knowledge into the table, work in progress into work done and most importantly individuals to network. My colleague @mpsiriwardena and I enjoyed these couple of days a lot, met people, saw work in action and extended the friend-list around the globe.


IIW is a place where it brings food for thoughts as well as for the stomach. WSO2 had sponsored the IIW28 to cater both. Thank you so much Prabath Siriwardena, WSO2, Inc and the IAM team for sending me off this eye-opening journey.


“It is not that you cannot do something that you wish you could, it is just that you haven’t found out how yet” — random, but powerful phrase I picked up at IIW-XXVIII.