Government-issued verifiable digital credentials (mDLs, digital passports, etc) have the potential to transform our online (and even IRL) experiences dramatically, and for the better. But with any such technology, their power and ease-of-use also runs the risk of being used in ways that aren't optimal, intended, or even appropriate. That's why I love that the Better Identity Coalition is working on a voluntary Code of Conduct for verifiable digital credentials aimed at preventing overuse. They're looking for feedback and comments, so please take a look and help shape the VDC ecosystem.
#VDC #VerifiableDigitalCredentials #IdentityProofing #DigitalIdentity #Privacy #IdentityAsInfrastructure
https://www.centerforcybersecuritypolicy.org/insights-and-research/a-new-approach-to-address-concerns-about-overuse-of-digital-ids

That's also why the work that the OpenID Foundation DADE Community Group has been doing is so incredibly important. Their paper on 'The Unfinished Digital Estate' explores the cultural, legal, and technological complexities of digital life after death, and is open for comment right now. Please check it out and provide input on this vital topic. Kudos to Dean H. Saxe, @saxe @sphcow, and @mikekiser for leading the charge on this.

https://openid.net/open-for-comment-the-unfinished-digital-estate/

What happens to our digital estate after we pass is an increasingly important topic, as this WIRED article shows. This isn't just about the difficulties that family and heirs left behind grapple with. Services trying to do the right thing and create a path also risk creating #security vulnerabilities, just like the ones we see emerge with account recovery flows. Happy to see the thoughtful features that FIDO Alliance members have built into their offerings highlighted in this article.
#DigitalEstate #Death #Legacy
https://www.wired.com/story/how-to-use-a-password-manager-to-share-your-logins-after-you-die/

@falken No, but the work is ongoing on CXP and CXF.
https://fidoalliance.org/fido-alliance-publishes-new-specifications-to-promote-user-choice-and-enhanced-ux-for-passkeys/

Unexpected new use for AI: Hackers behind a phishing campaign appear to have used artificial intelligence-generated code to hide malware behind a wall of overly complex and useless code.
https://www.databreachtoday.com/hackers-obfuscated-malware-verbose-ai-code-a-29541

Passkeys and Verifiable Digital Credentials (VDCs) are not competing technologies. They’re complementary tools that, together, help form a stronger, privacy-first digital identity ecosystem. To help clarify this, the FIDO Alliance Government Deployment Working Group has published a white paper on "Passkeys and Verifiable Digital Credentials: A Harmonized Path to Secure Digital Identity", which lays out how organizations can start adopting these technologies today.
By combining VDCs and passkeys in a way that lets them do what they do best (VDCs = verifiable, selective disclosure of identity attributes to prove who you are; passkeys = seamless, phishing-resistant authentication for everyday logins), they enable a secure, interoperable model that balances trust, convenience, and privacy across use cases from onboarding to high-risk transactions.
Check out the excellent work of the many contributors, and join the conversation at this years Authenticate conference
https://fidoalliance.org/passkeys-and-verifiable-digital-credentials-a-harmonized-path-to-secure-digital-identity/
#passkeys #VDCs #VerifiableCredentials #UsePasskeys #Authenticate2025 #privacy

The words were hard to come by, but once they came, it was hard to stop. Andrew Nash did so much to advance #identity and #security, and (together with Pam) even more to help foster a real sense of belonging in everyone, old-timers and newcomers alike. He was an inspiration and mentor to many of us, in so many ways. And he was one of my dearest friends. Writing this remembrance is one way for me to grapple with this profound loss.
#IdentityFamily #Personal #Identity #Security #Identirati

https://blog.talkingidentity.com/2025/09/so-much-universe-and-so-little-time.html

In my first FIDO Alliance blog post, I cut through the noise around “passkeys being hacked” and clarify that the real issues lie in compromised environments, not in the technology. For product teams and leaders evaluating authentication strategies, the takeaway is straightforward: passkeys remain one of our strongest defenses against phishing and credential theft — when they’re implemented thoughtfully and paired with good security hygiene.

If you’ve been hesitant because of scary headlines, I hope this helps turn things back to reality: passkeys are here to stay, and they’re a major step forward.

Read the full thoughts here: https://fidoalliance.org/passkeys-are-not-broken-the-conversation-about-them-often-is

#Passkeys #Security #Passwordless #Authentication #UsePasskeys #Misinformation

I finally got around to writing a follow-up to my previous blog post that was triggered by Patrick Opet's open letter, regarding the tradeoff organizations make: sacrificing foundational security for business velocity.

In this post, fueled by conversations I had at Identiverse, I explore how we can change that, by trying to answer the real question: Why aren’t we building secure-by-design systems, even when we know how? Spoiler: It's about incentives.

Check it out and let me know your thoughts.

https://blog.talkingidentity.com/2025/06/secure-by-design-has-an-incentive-problem.html

#SecureByDesign #RSAC2025 #CyberSecurity #ZeroTrust #Identiverse2025 #IdentitySecurity #Incentives #SaaS #Compliance #RiskManagement

This, right here, is art!

Europol's Internet Organised Crime Threat Assessment for 2025 confirms: the cybercrime economy is being supercharged by LLMs and your data — "access to your systems, your identity, and your most sensitive information"
#Security #Privacy
https://www.europol.europa.eu/media-press/newsroom/news/steal-deal-repeat-cybercriminals-cash-in-your-data

As the last day of Identiverse kicks off, and I bask in the warmth of this incredible, incredible community I call family (not gonna tag all of you because you know who you are), I couldn’t ignore what tugged at my heart every time I ordered coffee in the morning.

Miss you my friend. All the time.
#Identiverse2025 #Community #Identity

Goodbye Margaret. 😢
https://apnews.com/article/loretta-swit-dead-mash-09a0a00b8076256b57b27baf231b2240

Just a few days to go till Identiverse, the largest gathering of identity professionals on earth - all packed into the Mandalay Bay in Vegas. What could go wrong? Stories will be shared, lessons learnt, fun will be had. Can’t wait to meet up with friends old and new and figure out new ways to avoid having to take a shot someone says “Agentic AI”.
So many great sessions on the agenda, it’s going to be a tough time choosing between them. I will be taking the stage twice myself.
On Wednesday, I will be giving a talk about the dangers of “build fast, break fast” in digital identity projects, and how we can responsibly balance innovation with societal needs, especially when it comes to citizen identity initiatives. [https://identiverse.com/idv25/session/?idvid=2812757]
Appropriately enough, I will follow that up on Thursday by joining Tina as she once again leads a workshop on overcoming obstacles to innovation in identity and security. It got an amazing reception last year, and I’m sure will be a ton of fun again. [https://identiverse.com/idv25/session/?idvid=2835460]
Hope to see you there.
#Identiverse #Identitypalooza #Identity #security #Identiverse2025

On the one hand, this is a fascinating read about good old fashioned investigative work. On the other hand, it is a dire illustration of the #privacy implications of our digital exhaust, and the vast troves of data about us that is already out there and that we generate each day.
https://www.wired.com/story/find-my-iphone-arson-case/

JPMorganChase CISO Patrick Opet’s open letter at #RSAC2025 called out the security debt in SaaS + cloud. The message: we’re trading foundational security for speed, and it’s catching up to us.
My take: It's not a standards problem. It’s a will problem.
#identity #Infosec #SaaS #ZeroTrust #Security
https://blog.talkingidentity.com/2025/05/the-innovation-we-need-is-strategic-not-technical.html

This feels like the first (of probably many) truly meaningful AI-powered solutions I've seen. Importantly, the article highlights something inclusion advocates say all the time: great ideas emerge when you make sure you have a diverse team. #AI #Inclusion #Accessibility #ForAllByAll
https://www.wired.com/story/silence-speaks-deaf-ai-signing/

@thorsheim There are definitely signs of adoption, and success stories at scale. They’re just too few and far between. But there could be a snowball effect if folks pay attention.

My #RSAC2025 headline: #AI is everywhere, but trust & control haven’t caught up.
- Agent memory is a new attack surface.
- #Identity is fragmenting.
- #Security budgets aren't ready for AI costs.
We’re not securing users anymore - we’re securing decisions.
Check out my full thoughts below.
https://blog.talkingidentity.com/2025/05/rsac-2025-ai-is-everywhere-trust-not-so-much.html

As RSA Conference kicks off, it’s cool to see #identity management get highlighted in this CSO Online article as a topic that will “dominate” the agenda, as well as a callout that the #passwordless (re)evolution is finally here. Attendees should definitely check out the talks in the Identity track because there’s a little bit of everything in there: from best practices, technical solutions, and top concerns for those tackling today’s problems, to interesting developments that could shape tomorrow’s digital experiences.
#IAM #RSAC2025
https://www.csoonline.com/article/3965415/10-key-questions-security-leaders-must-ask-at-rsa-2025.html