My second son arrived a few weeks ago, six days late but at the same time somewhat early, in slightly haphazard circumstances. This article is a chance for me to ponder what changes I expect to see happen across a number of topics in the digital identity industry between now and when both my kids are teenagers, and reflect on some of my experiences.
If you’re reading this kid – however many years later it may be – love ya :-)
Growing up, my first experience of a computer was playing with the tape-loaded ZX spectrum that sits behind me in my office. I didn’t log in to it. My concept of authorisation was to ask my mum and dad for permission to plug it into the television. It didn’t have accounts.
My first experience of authentication caused me mild anxiety. In the first week of secondary school, and before my first IT class, my best friend and I went to the “computer room”, where he showed me how to log in to use the machines. After typing my username, it asked me to set a password. On my friend’s advice, as it was simple to remember, I used “password”.
That night, I vividly remember lying in bed, worrying that the next day when our teacher asked us to log in for the first time he would tell us exactly what password to use, and that I’d be spotted having already set mine. Yes, I was a nervous child. I’m a fairly nervous adult. Suffice to say the next day came, and the teacher instructed us to log in and set whatever password we’d like. Outside of video game high score tables, this was the first time I had a digital identity that was mine – all mine! I quickly changed the password so my friend didn’t know it, and that small lesson on individuality has stuck strongly in my mind ever since.
My first son is shortly to turn three. His first experience of authentication was to notice when our iPad locked itself, and to ask his mummy or me to “put in the numbers” to unlock it. Similar to my naivety in setting my own password, he hasn’t yet reached the level of understanding of free will to consider that, when the profile select screen shows on iPlayer, he doesn’t have to press the icon that corresponds to the child account. Like any parent, I fear the day he does. It will likely be a little over a year before my second son no doubt attempts the same.
I want my children’s experiences with computers, the internet and applications, and the friends they chat with and meet online to be as varied as mine have been. While the recent announcement of Apple’s Vision Pro implies a continuation of the trend of growing AR and VR tech, I hope that these are not the main mediums that my kids use to interact – at least, not while in their teenage years!
The majority of my experiences with computers have been controlled through keyboard and mouse. While I like video calls, the time to think that typing gives, and the comfort that something once written is retractable before being sent, are incredibly valuable. With voice and video, that luxury is lost.
Often, it can feel like the whole world is video-focused. YouTube, TikTok, and FaceTime are everywhere in our media. Tablets and phones seem to have replaced laptops and desktops, and even basic skills like the use of operating systems to manipulate and store files seem to be falling out of favour in place of web-focused everything.
I hope to prepare my kids with the skills to not rely entirely on Google Drive to locate every file they write. I fear that if I don’t, then they will have some harsh lessons in losing access to their work, their photos, their creative pieces, to anything that they may have generated using a computer, should access to the account associated with that data be rescinded, or that service disappear.
I’ve been online for about thirty years. I have forgotten the details of hundreds of online accounts. I frequently use hundreds more. Almost all of these hold siloed stores of data about me. I hope that this is not the experience my children have. I fear, however, that things are not changing quickly enough, and they will have similar digital detritus left in their wake.
Federated login has reduced that number somewhat, but at the cost of giving those login providers unrestricted access to the services that I use. I hope that this sacrifice isn’t one that my kids have to make. My hope is that the improvements in authentication are strongly tied to improvements in personal identity management as a whole. I sincerely hope for the widespread adoption of user-centric tech like wallet-based credentials.
While I expect to see a number of changes in how pervasive the current crop of emerging technologies are, I don’t expect there to be many significant new advancements around authentication beyond what is already being developed. That isn’t to say that authentication is “solved”, but the advancements in the last decade certainly feel like enough to see us through until my kids are teenagers. Federated, social login, the continued use of de facto IdPs like Google and Apple, the passwordless world, and digital wallets will likely set the tone for typical authentication processes for the next decade.
On the death of the password
As most requests for authorisation boil down to an exercise in authentication, it makes sense to start with what seems more likely to change by the time my children are teenagers and managing their own digital identities. Though the death of the password has been announced almost every month in the last two decades, the increasing adoption of passwordless solutions – be they magic links, passkeys, or others – gives me hope that the tide is turning.
The growing adoption of passkeys means that by the time my kids are teenagers passwords won’t be quite as ubiquitous as they are today. Many major sites already implement passkeys alongside passwords, and that number should only grow.
The major hurdles left for passkeys other than rollout are to standardise the user experience across platforms, browsers, and authenticators; and to develop suitable methods of managing the passkeys themselves. The former of these issues will be solved over time by the various powers that be at Google, Apple, Microsoft, and the browser vendors. The latter is a trickier issue.
Ideally – eventually – a user will only have to manage a single key for each service (similar to only a single password for each service) regardless of the device they’re using. This means more co-operation between Microsoft, Google, and Apple including better sync fabric, and/or the emergence of higher-tier “passkey providers”. Creating secondary and tertiary passkeys on different devices via QR codes already feels clunky and old-fashioned in 2023. If my kids are still doing this in 2035, something will have gone seriously wrong!
Well, as I’m writing this, things are moving quickly, and hopefully in the right direction. Apple has just updated their Passkeys page to reflect that “Passkeys can now be synced using external providers”, specifying that “Password manager apps can save and offer passkeys on iOS, iPadOS, and macOS”, and 1Password have announced the beta of their first external passkey provider. Though it’s currently limited to feeding via browser extensions only, and doesn’t seem to store the passkey in the device’s secure storage layer or sync across the ecosystem fabric, it’s certainly a good step forward.
The rise and adoption of wallet-based credentials has the possibility to stop WebAuthn (and therefore passkeys) in its tracks. While the storing of passkeys in a wallet could be considered “wallet-based credentials”, passkeys are only authentication credentials. They are not identity credentials. That is, they can be used to make a claim about who the user is and to verify that the user still controls the factor to authenticate them, but they don’t make claims about the person. A passkey cannot attest to a third party my ownership of a bank account, or my capabilities in a video game.
If the drivers of wallet-based credentials – social, technical, and regulatory – continue to grow in influence, it’s a possibility my children will be the first generation to grow up with the majority of their everyday credentials not stored in discrete, centralised silos. Rather, they will be stored and managed in cloud-based and mobile-based wallet applications.
It’s possible that by the time my boys are grown, logins will change from simply requiring authentication credentials to requiring more useful identity credentials.
Personal Identity Management
A wallet full of identity credentials also enables the choice of the presentation of persona. These are constructs that I’ve had to manage myself, often carefully, over the years.
I’ve chosen to present myself in a number of ways online. To my friends, my family, my work colleagues, my gaming companions, to strangers on forums and services, and anywhere else there’s interaction to be had. Each situation is an opportunity for a re-use of an existing persona, or a re-imagining – a new presentation. All of us act in different ways, use different vernacular, have various levels of authority, share different stories and types of humour… all of these things are part of who we are, but no single presentation of ourself is by itself ourselves. This is true both on and offline.
Many of the aspects of my personas overlap, but some are kept entirely discrete. A lot of the variety in personas is not controlled by claims or credentials, but rather by mannerisms. However, for those aspects that are presented by claims, I’ve had to go out of my way to ensure separation where I want it. Multiple email addresses, new online handles, different accounts to be used on different services – sometimes even multiple accounts for the same service!
All of this identity management has an overhead, and takes its toll. Personally, I’m not at much risk if my personas happen to overlap. I have no great secrets, and while I may be embarrassed if some aspects of my life intersect, it’s not likely to do me significant harm, either reputationally, mentally, or physically. That’s not true for everyone. It may not be true for my children.
There are no “identity provider” companies that simply help individuals manage their online personas. Perhaps there should be. Perhaps, by the time my children are grown, there will be. Wallet-based credentials could certainly help move this vision along, as the wallet and cloud-based interfaces are great interaction points for the management of personas.
Relationships and Reputation
By the time my kids are grown, AI will have touched and changed almost every industry we know. The threat to our day-to-day understanding of digital identity here is hard to overstate.
When it’s possible to easily fake the exact sound of a voice, writing style, and recorded look of an individual, forming trust with a new party will be a daunting task. The current underlying presumption, “this party I’m interacting with is represented by a human”, will hold no water in the brave new world that the rapid pace of AI developments is set to deliver.
This is true for both personal (person to person) and corporate trust (person to service). Though they differ in a number of ways, there are some core elements that are shared between these two types of trust if that trust is to grow:
- reciprocity – trusting, and being trusted;
- repeated interaction – growing numbers of interactions without trust breaches between parties;
- explicit and implicit cues – being open about intents and following through, and not using “dark pattern” techniques to disguise untrustworthy acts:
  - transparency – be open about what you’re doing,
  - consistency – do what you said you would,
  - integrity – don’t change on a whim the things that you’re doing;
- transference of trust between parties – having a reputation.
I think it’s the last of these that has the opportunity for the most growth in the next decade. While I believe firmly in the need for reciprocal trust relationships between users and services, the transference of trust will be paramount in personal relationships. New techniques will need to be developed to aid in the assurance of humanity when communicating over digital services – text, video, and voice.
I believe that methods relating to the reputation of the identifier, alongside strong authentication associated with that identifier, will be needed if folks are ever to be able to trust interaction mediums that aren’t face-to-face. Currently, social-reputation patterns (having mutual friends, or proven family members, attest to the “real” humanness of an individual) aren’t much explored.
While I hope that the Chinese Social Credit Rating is not the model that is followed elsewhere, sincere thought must be placed into solving the challenges that will be posed by AI. I hope that development on this front will be well underway by the time my kids are grown enough to use their own smartphones, laptops, and desktops.
I want my kids to be able to trust their interactions online, in the same way that I’ve been able to – without really thinking too much about it. I want concerns about trust and identity to fade into the background, leaving them to focus on the experiences, knowing that they’re safe and will be rightly alerted to anything suspicious.
Part II, Section 4, Trust and Sharing, Ari Ezra Waldman