¶ Introduction and Greetings
This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad, yourself? Doing great, man.
¶ Importance of IAM Policies
Other than the fact that I've been working on writing identity and access management policies all day. But I mean, hey, what can you do that's more important than that to having a successful IAM program than having a good bedrock of solid IAM policies? Rules of the road are important. Got to know which side you're driving on, what speed limits you can go, you know, all that good stuff. Prevents accidents. That's right. I mean, it's at least a good starting point.
And then you build your automation on top, you build your controls, but it's a good approach to have that as your foundation rather than starting with the technology and then trying to retrofit policies to fit the technical capabilities that you have. See, I don't know if I would agree with that. I think you should write a policy the way it should be, and not with your technology
limitations in mind. Those would be treated as either exceptions to the policy or some other kind of mechanism. So in other words, you agree with me completely, because that's what I meant to say. However, it came out exactly what you said. OK, then yes, we're on the same page and I concur, Dr. All right, Doctor. Yeah.
¶ Challenges in Policy Implementation
You know, the tough thing is sometimes taking some of the newer standards, like the newer standards around 800-63B with the authentication assurance levels. I'm just trying to apply them, because essentially what I think they say is, if your data or your systems require this level of assurance, then you should apply these controls.
But you have to kind of come up with a framework for how the organization decides what level of assurance is required for that data, right? Is it top secret systems, or what is the classification, or what are those rules of the road that your organization maps to those assurance levels? So I won't use the word fun, but important work. Yeah, important, interesting, a thinking game. Fun? I don't know about that one.
But the good news is, once you've got it down, you know, you get your framework in place, get your templates in place and just start filling in the blanks of what you want it to look like and stuff like that. This should not be a very difficult exercise. Technically, this is more of a political exercise. What can the organization tolerate?
Yeah, you're right. I mean, oftentimes it's political because, I think you and I agree in theory that you want to write your policies for the way things should be, not for the way they are. There are not many senior executives that want to put out a set of policies and immediately be out of compliance with their own policies and have no hope of getting there within
the near term. So the reality is, you're probably designing your policies somewhat based on where you are, with the goal of hardening them over time. See, that's the Catch-22 that comes up: as soon as you write a good policy, you're automatically out of compliance. And so, like, how do you demonstrate that to auditors or whoever you've got to show these to? It's like, yeah, by the way, this policy, are you compliant? No, but it sure is
where we want to be. So you need to have a conversation with internal audit, the C-suite, etcetera, and say, OK, how do we want to approach this? Because if you don't have a good policy, then that just means your security is weak. If you don't have the technology to support the policy, or the people or the processes,
those are also deficiencies. So it really is a little bit of a political game, trying to make sure that everyone understands where you are today, where you should be, and what is the approach to explain that, you know, policy-wise. And then obviously making sure your auditors are on board as well so you can defend it. I mean, that's ultimately one of the real challenges the practitioner
is dealing with. We all philosophically know the right way to do things, and at the same time we have to apply pragmatism. I think you've got to strike the right balance. I mean, if you only go for the lowest common denominator every time, it's just going to be the
definition of that term, laggard. I think what's cool about being a consultant is that you get to work with a lot of different organizations, and you have to kind of help your clients find that right pragmatic level between the reality and the goals. And so, you know, obviously, like we agreed, there's something about fun.
¶ Conferences and Discount Codes
But I'll tell you one thing that I do find fun is conferences. I think it's just fun to be there with our fellow identity practitioners and get to know them, and for them to get to know us. We've got a bunch of discount codes. What do you think? I mean, we haven't been reading them off for the last few episodes, just saying go to the website. But maybe we ought to at least give the rundown of what conferences we're actually going to and that we have discount codes for.
Yeah. Jim, would you say we have a plethora of discount codes for conferences? Yeah, and we have a guest, so we don't want to go through all of them and then have to end the episode, right? This is a treatise on all of our conference discount codes, Part 1A of, you know, 48. Let's just run through them real
quick. So we've got the official Cybersecurity Summit. I think by the time people listen to this, it will probably be too late for the one in Chicago that I'll be at, but Philadelphia should still be available, September 25th. I will be there as well. So by the way, all these codes are on our website, idacpodcast.com. Just scroll down a little bit, you'll see everything we've got listed there. And I'm constantly adding new ones as we get those in
partnership with those folks. So that's Cybersecurity Summit. Then we've got Authenticate 2025, which we're actually going to talk a little bit more about here today. That's coming up as well. That's in October in the lovely Carlsbad, CA. I just got back from Monterey, CA, like literally yesterday. So I'm heading back in a couple weeks to enjoy coastal California weather. You poor thing. I know, poor thing, I did come back to find two nails in my tire at the airport.
So that was good times at about 1:00 AM. But first world problems, we're fine. So that's the Authenticate conference. Then we've got Infosec World, that's a new conference for both you and I, Jim, that we've never been to, but we're happy to partner with our friends over at Sierra. So shout out to Shirley. That is in Lake Buena Vista, FL, October 27, 28 and 29. Discount code for that as well.
We've got a couple of special codes as well, because they have government discounts and things like that. And then we've got Identiverse in DC in November. And then I think what will be the last conference of the year, which is the Gartner IAM Summit in Grapevine, TX, December 8th through the 10th. So we have a discount code for Gartner coming soon. It's not up on the website yet, but it will be coming. I think October is when we're able to post that. So keep an eye out for that.
idacpodcast.com, scroll down, everything's there. Did I miss anything, Jim? No, no, I mean, I'm excited for all of them, but special shout out for Infosec World. You have a little bit of Disney while we're there, right? And you know, I'm thinking if you're looking for a work vacation where maybe you bring some family members and roll it all into one, why not?
¶ Introducing the Guest: Nishant Kaushik
OK, so why don't we get to our guest today? He is Nishant Kaushik. He is the new CTO at the FIDO Alliance. He's been with us before. But welcome back to the show, Nishant. Thanks, great to be back. Yeah, so I was kind of shocked that it's been so long. This is actually your third appearance with us. You were way back on episode #73 and then episode 171. So we got your origin story back then. We'll ask people to go back and check that out.
And then I think this is going to be episode #373 if my math lines up. So welcome back again. And I did introduce you as the new CTO. That is a relatively new role. So within the last month or so? I can't even write two weeks. OK, so there you go.
¶ The Role of the FIDO Alliance and Digital Identity
So what have you been up to now? You're with the FIDO Alliance as the CTO. I thought we had solved everything, you know, with passkeys, and now we're done. Like, what do you have left to work on now? Well, I think it's interesting. When I was interviewing for this role, it was one of the same thoughts: what's next? Like, why would I want to take this job?
And I think part of the challenge is digital identity is getting so much broader that you kind of have to look at it in the full picture, and passkeys are an important, but a part, of that picture. And I think we still have a long way to go from having the right solution to actually having that
solution making a difference. And when we were discussing this role, one of the key things that I kept coming back to is my own frustration that, you know, we've been in this industry for so long, all of us, on the vendor side, practitioner side and so on, and standards bodies, etcetera. And some of the smartest people I know, the best people I've known, were doing great work.
And yet every day you're still seeing stories about breaches and continuous stories about identities being stolen. It's like, why haven't we gotten there yet, right? Everyone says, are we there yet? No, we're not. And a big part of that is that coming up with the solution isn't really the only thing. It now has to scale. It has to be deployed, and it has to work for everybody. And I think there are still ways for us to go before we solve all of the problems required to
achieve that. So it sounds like there's still a ways to go here.
¶ Concerns and Solutions for Passkeys
And really the reason that we wanted to have you on, and this is kind of fortuitous timing, is there was an article in the IDPro newsletter that just came out recently talking about Black Hat and RSA and some of the concerns that were popping up around passkeys on there. So shout out to Rusty Deaton. He's the author of the article. So I'll link in our show notes where people can kind of check out what we're going to be talking about here and kind of follow along. But have you read that article?
And if so, what are your initial thoughts on it? Yeah, you know, as a founding member of IDPro, I always pay attention to the IDPro newsletters. So it was not surprising to see that article. You know, there have been a few, actually, right? Not just Rusty's, but there have been a number of things in the press where people, journalists, are going to the same conferences, Black Hat, etcetera.
And they're attending these sessions and just walking away with takeaways that are half the picture, or are, you know, sort of not really examining things in a full way. And I think Rusty did a great job of laying it out in terms of, well, it's a one-sided story being presented on stage. It's not looking at the entirety of the thing. And I think one of the important things to take away from Rusty's article, and there's a really good article on Ars Technica as
well, and I just wrote a blog post for the FIDO Alliance official blog, is to understand that passkeys don't exist on their own. They exist as part of a broader authentication framework, digital identity framework. And so when you're looking at the threat models that you have to account for, you have to understand that passkeys operate within the threat model that your organization operates with.
And you have to put in place supporting infrastructure for any authentication framework, not just passkeys. Maybe you're rolling out, you know, username, password, and SMS OTP, which some are still doing. Maybe you've gone to authenticator apps, so you're using Microsoft Authenticator. Maybe you're using hardware tokens. It doesn't really matter what your authentication framework is.
It doesn't exist in a silo. It still relies on the environment within which the user is going to be operating. And you still need to do the work to ensure that the operating environment can support the security benefits of the authentication framework you're putting in. And passkeys are no different in that sense. So, yeah, it's great that we have a technology that is phishing resistant, that is based on cryptography as opposed
to shared secrets. But you're still operating with browsers, you're still operating on a myriad of desktops and platforms and phones all over the world. And you have to account for the differences those bring in and map those back to your threat model. It's what you were discussing earlier, right? Policy. You don't define policy in a vacuum. Policy has to work for the organization, but it also has to work for the people that you're going to be applying those policies to.
And you can't treat every end user as if they're the president of the United States or, you know, the CEO of a Fortune 5 company, right? You have to, you know, work with the correct threat model and therefore apply policies based on that. And passkeys aren't going to solve all of that. Like, you know, passkeys are not a silver bullet. It is a pretty cool solution for a very specific problem, but it has to work beyond that.
Yeah, it seems to me the takeaway I got from the article, and I think where you're going with this, is that passkeys are one of the solutions you can use. And I guess what I'd want to know as a practitioner is, where is it meant to be used? Or maybe alternatively, where does it not make sense to use it, because it could potentially fall prey to some of these things that Rusty brought up?
Yeah. So I think if you look at what Rusty was commenting on with respect to some of those presentations, all those presentations were talking about how passkeys can be hacked or passkeys can be stolen. The fact of the matter is that a passkey cannot be stolen. What you can do is work around the passkey and attack the authentication framework around it. So for example, you know, if you can trick the user into going through an account recovery flow. You know, this is not new,
right? We've talked about this as practitioners for a long time, which is, the stronger you make the front door, the more likely the attacker is going to go look for the back door or the windows and so on and so forth. So a long time ago I wrote one of the body of knowledge articles for IDPro called, you know, MFA for
Humans. And a key part of that is that when you implement MFA, you are making your authentication stronger, which means you are creating more incentive for attackers to now start testing other parts of your authentication framework, including, especially, your account recovery flows. So any organization that is implementing passkeys is going to get really good authentication characteristics
from that, really good security. But now that means, OK, now let's take a look at all these other aspects, right? So let's look at your account recovery flows, let's look at things like your notifications. Let's look at things like browser hygiene, especially if you're in an enterprise environment. You can see some of the higher-risk enterprises going towards things like hardened browsers. Why?
Because they want to eliminate the threat of malicious extensions that people can just deploy on their browsers if they're using their own devices, right? So stuff like that has to be accounted for. Yeah, it kind of feels to me like you're not here just saying, OK, these aren't valid concerns, but you're saying, OK, yes, these are things that are understood.
They are shortcomings to how authentication is done today, right? Until you truly solve how authentication is done, I mean, yes, these problems are going to continue to exist. Am I hearing it right? In a nutshell, yeah. Like, we talk about identity programs for a reason, right? It's not deploy a product and you're done. You have to have identity
programs. So you're right, you know, as more work is put into making passkeys stronger, better, more easy to use, it means you're going to get better security. But it also means you now have to start looking at other aspects of your security program. Like, you know, there's such amazing work happening with things like shared signals, as well as continuous identity, which continues, pun unintended, to evolve.
One of the reasons why, for example, the FIDO Alliance started working on identity verification and binding is because of the fact that you can't really rely on a strong credential if you don't secure the way in which the credential is created and bound to the identity in the first place, as well as how you go through recovery rules for re-establishing a lost credential and so on.
So that's the reason why the FIDO Alliance went in and, with the members, worked on the identity verification and binding working group. So you have to continue to look at the full picture, absolutely. And with any technology, it never ends, right? So obviously we have to continue to listen to security researchers who work with the technology as it is today and can help identify novel attack methods or different things that are being brought up.
We're always receptive to that. We have to be, just because technology evolving means protocols, standards, solutions have to evolve. So it's a never-ending cycle in that sense. And that's one of the reasons why I joined the FIDO Alliance. There is still a lot to be done, and it has to continue to evolve as we continue to move in this, you know, increasingly digital
world. You know, one of the things I remember Rusty brought up in this article, and I think some of these attacks admittedly are kind of sophisticated, was if you are, let's just say, a journalist or human rights activist, right? And you might be somebody who is the target of a state-sponsored actor, whatever your role might be in society, and maybe
passkeys aren't for you. And I kind of thought to myself, you know, the sophistication of these attacks was, I think, tied to a lot of the phishing of synced passkeys, right? And I thought to myself, well, if you're in that kind of space, hopefully you're not as susceptible to being phished as the common human being is. I don't know if that makes sense. But in other words, it's like, I'm a human rights journalist, right? I shouldn't be sending money to
the Nigerian prince scam. I think you're spot on in that. As I said earlier, threat models matter a lot, right? So anybody who's deploying passkeys for their audience, for their user base, needs to understand that it's one thing for you to be a retail organization that is selling, you know, tchotchkes online.
It's a very different thing if you're, as you said, a journalist who may be going into areas where you have to worry about your security, you have to worry about phones. If I remember correctly, one of the demonstrations that Rusty talked about requires proximity. So it's not a remote attack. You have to be near somebody to be able to launch that attack. And so proximity-based attacks add a whole different
dimension to this equation, right? So all those things matter. The platform providers, the credential providers, they're all getting much, much better at securing your credentials, including your passkeys. If you're a journalist and you're using, I think it's advanced protection mode or something like that on iPhones, that you can deploy, that can help secure your phone in
a much better way. A journalist who knows that they're likely to get targeted understands that and is probably taking those kinds of security measures anyway. It comes back to environmental concerns. So absolutely, synced passkeys aren't necessarily a bad thing, even if you're a targeted user. It just means that you have to understand your
environment more accurately. And you know, it's going to become increasingly common, for example, for people who are going to be targeted to work with burner phones. You're not going to log in with the same credential provider on your burner phone that you are on your regular phone. And in that case, if you're making that decision, synced passkeys can still be a good solution for you on your regular phone as opposed to your burner phone.
Yeah, and hopefully you're avoiding installing potential malware and browser extensions and ad blockers and stuff like that.
¶ Final Thoughts on Passkeys and Authentication
Well, I think I wanted to kind of wrap this up by thanking Rusty for putting that information out there. Thank you for coming on to the podcast to kind of talk about it. And the way I'd like to wrap all this up would be, surely, folks out there, I mean, look, passkeys have been deployed in some of the largest tech and even financial environments. You know, I've been pleasantly surprised with how
quickly this has taken off. But there are probably practitioners out there who are this close to implementing passkeys for their organization who are now taking a pause. And I want to know what the tips or tricks are that you would have, maybe key takeaways that you would have for them on this topic, so they can get smarter and feel more confident in their decision.
I think start by understanding how passkeys fit into your authentication framework and what you're comparing it to. I think a lot of the concerns that people have with passkeys tend to be because they're looking at it in isolation as opposed to looking at it within the context of their overall
solution. This is a very simplistic example, but one of the issues that folks bring up is, well, if I'm using a synced passkey, now it's getting synced from one phone to another phone that the user has. How do I know that I haven't lost control of them? And my answer would be, well, what were you doing for passwords before that, right? If they were using a password manager, that password manager may be on both phones.
If they were using Google Authenticator, they may have Google Authenticator deployed on both phones. They may be receiving their SMS OTP on a virtual app, one of those communicator apps, which is also on both phones. So actually understand, within the context, what are you comparing it to and what are your alternatives? Understand your threat model and then figure out how it fits into
that. You're still looking at something that's far better than anything else that is out there because of the cryptographic nature of it, because of the phishing resistance that it brings to the table. And the platforms, you know, all of these are getting way, way better. So it's not like you're losing anything by going to that. In fact, you're gaining, but it needs to be looked at within, it comes back to threat models,
the larger identity program. It's no different than what I'm sure both of you have done in the past, where you've gone in and somebody's doing the proverbial digital transformation project. And you have to show them, look, this is how you go from Post-it notes to a single sign-on solution. And here are the benefits and so on and so forth. It's the same thought process, effectively. So really, it's a sliding scale, right? Passwords are bad, we can
all agree on that. Passkeys are better, but they're not perfect, just like anything else in this space. So if you're worried about a passkey synchronization attack, a man-in-the-middle attack, a phishing attack, those same attacks can happen whether or not you have a passkey. It's also true for passwords. It's also true for API credentials. It's also true for literally anything that could be intercepted. So I still fall on the side of, look, passkeys are still better
than a password. It's one less thing I have to remember. If someone's going to go to the effort of, you know, trying to intercept my synced passkey from a wallet on one device into another, OK, I accept that risk, because what's the alternative? A Post-it note on the back of my keyboard with a password.
Yeah. I mean, I'm not going to denigrate that, because there are certain people whose threat model means, you know, the old lattice, the password diary that is sitting in somebody's desk, is still valid for certain folks. I'm not going to say that that's a bad idea. It goes back to, what are you trying to get at? What are your actual requirements? Yeah. You know, I've seen scenarios where you write out the password and you lock it in a safe somewhere,
right? It's like a break-glass account, truly a break-glass account, where there are certainly needs for all that. But I think for the vast majority of consumers, when it comes to normal people doing normal identity account things, passwords... passkeys are still way better, way more convenient and just a better solution.
I'm curious, you know, it's kind of a good segue into the Authenticate conference, because the Authenticate conference tends to be the more technical group of people in this space, really focused on authentication. And I know you've been there for many years at this point, and now you're the CTO. Are these the types of conversations that are already taking place, either behind doors or in the hallways, at places like Authenticate?
Because I remember when passkeys first came out, I said, well, that's cool. But now my passkey lives on my Windows device and I have no way to get it to my phone and my Mac and all those other things. And I was like, give me a way to sync it, because until then it's just another thing on my account that I can't really use.
It wouldn't surprise me that these types of issues have already been thought about and are in the works of trying to figure out, OK, how do we solve for these criticisms or concerns around it, whether they are a specific attack, nation-state directed, or if it's just a spray-and-pray and hope that you get the 0.1% to click on the thing to give you their account. Yeah, no, they're definitely happening.
And I think I'll actually give you a two-part answer, if you will, right? One is, absolutely, these conversations are happening at Authenticate. There are the meetings that are for the techiest of the tech folks who want to go in and really understand how things are working at the lowest levels.
And then there are case studies and presentations about how folks are rolling it out, whether it's Wells Fargo deploying passkeys and bringing it to the market, or really cool solutions from FIDO members who are solving things like how folks who are working on the factory floor use FIDO to authenticate and get access, or be able to do specific tasks but not other tasks, and so on and so forth.
And you get to see the broad range within which FIDO operates, and you also will discover things that maybe you didn't understand that FIDO could help with, or FIDO members providing solutions. So one of the coolest things that I've been learning about is this thing called FIDO Device Onboarding, which, at first blush, I was like, well, why do we have a standard called FDO which is about IoT devices? There's no people, whatever.
This is about device onboarding, edge computing, IoT devices. But it comes back to that. It's in support of the core mission of getting rid of passwords.
¶ Credential Security Concerns
And if you look at supply chain attacks, and if you look at how those things are being deployed today, you always end up with a human involved in the process at a certain point providing a credential, which can be stolen and can be phished.
¶ FIDO Members and Their Contributions
And when you start looking at the broader, bigger picture of things like the Cyber Resilience Act in Europe, or supply chain attacks that have been in the news, there are a lot of really cool FIDO members like Intel, Dell, Red Hat, who had all built a standard and are now working on version two. And these might be applicable to you or might give you ideas as you start looking at things like, you're running your data center, are you looking at the cloud?
Are you looking at NHI-oriented stuff, things like that? It's really, really cool to find all these members working on these really cool projects, and you get to learn about them, discover them, at conferences like Authenticate. So I really love that part.
¶ Getting Involved in Working Groups
And the second part of that is, then you can figure out where to get involved, right? Some of the best conversations are happening in the working groups. So if you join as a FIDO member, I'm sitting in the UX working group for the enterprise deployment
piece. A lot of the conversation that we just had, where you're asking all these questions, the folks in the enterprise deployment working group are asking the same questions and saying, well, we have to cater to our enterprise users who may be bringing their own device, and somehow they're both an individual consumer user and an employee on the same device. How do I handle that?
How do I manage their credentials without interfering with what they're doing on their personal side, and what are the security considerations, the UX considerations? So they're having these really cool conversations, and they're always looking for input. They're looking for requirements, they're running surveys to get feedback and understand these things. So just getting involved, even if just to participate as a
lurker, sometimes can help. I mean, I've been a lurker for two weeks now in all these calls, and I'm just hearing the sheer volume of work that is happening in all of these. It's kind of amazing to see that.
¶ Conversations at Authenticate Conference
Lurker is a very good description of how I attend the Authenticate conference, because there are way smarter people that are doing really the yeoman's work of getting these big behemoths from an IdP perspective to kind of play together and agree on standards. And so I learned a lot just being in the room and listening to stuff. So I think that's great advice to just kind of go and, you know, learn by osmosis
if that works for you. Historically, Authenticate has been more focused on authentication, right?
¶ Evolution of the Authenticate Conference
Is that still the focus for the conference as you see it as it comes up? Is it looking to expand into other areas around identity? Like how do you see the evolution of the conference itself and sort of the topics that are going in front of the in front of the numbers now?
It's definitely evolving because identity is evolving, and authentication by its nature has to be playing a part in different parts of it. I mentioned, for example, earlier that identity verification and binding was identified very early on as a very critical piece that FIDO had to get involved in because it was so crucial to the supply chain of authentication and identity, right? So they had to get involved in that.
You know, there's some really, like I mentioned FDO, there's an automotive special interest group. Like if you think about automotive and your computer on wheels, right? It's so many services, so many systems, but at the end there is a human in there that is a driver who has to authenticate to the car, authenticate to the services within it. And we're moving to an increasingly digital world. And you don't want that to be left to chance. You want that to be secured as
well. So whether you're looking at things like the automotive, say in service, obviously been there for a long time, but you're looking at, you know, the biometrics working group, right? The biometrics working group is hard at work figuring out how biometrics, as it increasingly becomes part of the equation of our identity lives, how does that have to be there from an assurance
perspective? So those kinds of things sort of are all there being discussed, and a lot, you know, some of these groups emerge from conversations that happen at Authenticate, right? You come there and people start talking about their challenges and the next thing you know, they're like, well, we should create a study group. And then the next thing you know that's become a special interest group, and the next thing is now a working group.
And so Authenticate is a great place to kick start something. If you see what you're working on not getting addressed somewhere, come be a catalyst. So how does that work?
¶ Automotive Authentication Challenges
So let me pick on the automotive side of things because I know digital key for automobiles is sort of like the big thing, and for good reason, right? It's a great convenient thing. But for whatever reason, and I'm not going to name manufacturers, a lot of them still struggle with phone as a key or watch as a key. I have to assume there that there is some level of authentication hopefully being done there, right, to make sure that's the right device to
the right thing. Is this an area where, you know, for instance, the automotive side of things can say, hey, look, this is a problem. Is this something to do with the way that people are authenticating and it's rejecting it, or is it, you know, something else in the software? I point to the Apple one only as an example because I know that's a common frustration point for a lot of the newer vehicles that struggle with it.
Fortunately, it's about the only thing that works right on my car, so I've never had that problem. I have other software issues, but I'm just curious if, you know, when you're having conversations with those types of folks, are those the type of things? Because it's like, OK, yeah, here's a problem. And a lot of people are like, well, what am I going to do about it? I'm going to go on Reddit and complain.
Well, how about instead, why don't we go to like the source of where the things might be happening and start to like, yeah, build these, you know, special interest groups or working groups or whatever we want to call them. Walk me through like how that actually happens, because I think there's a lot of really great keyboard warriors out there. And here's like an opportunity to say, OK, let's actually solve the problem instead of just complaining about it. Does that make sense?
¶ Community and Collaboration
Yeah. So to be clear, I'm not advocating that people come there and start using it as a support channel to say, hey, my car is not working. But. Yeah, please don't do that. But that said, if you're in the industry, obviously if you're working with these and you're trying to build solutions for this or you're trying to solve this problem, right, this is the right place to come and have those conversations.
So like I said, a lot of these things sort of emerge from conversations that start in the hallways. Maybe you go and have a discussion about it in a plenary room. And then you discover that, hey, there's a critical mass of issues here. There's a critical mass of requirements here. We can actually put something together and have multiple people solving it, because at the end of the day, the power of the
alliance is like anything else. It comes from the membership and the collective wisdom and intelligence that they have. So being in the room allows you to find those commonalities and allows you to understand and define, hey, we have a common set of requirements. I'm not the only one struggling with this. I don't have to keep doing this on my own or building my own proprietary solutions.
There is a way for me to find my community, my cohort, who I can work with on solving this problem, and by virtue of that, get access to the folks I can't directly interact with. Right? You're not going to be able to go in and talk with the head of identity at, name your large automotive manufacturer, by finding the coffee shop that they frequent. Not recommending that. But not that it didn't happen at Identiverse over sushi with someone that I know, me complaining about all the EV
problems. No, that would never happen. Exactly, but it can happen at Authenticate and Identiverse and all these conferences because people are looking for their community to have these conversations, and oftentimes what you'll find is it's not like they don't know these problems exist, right? It's not like the folks who are running identity at automotive or hardware or industry don't know these problems.
Just oftentimes they need enough people to help them make the business case to their own management that this is something we need to tackle, right. So there is a community project. It is working together as a community to build that solution.
¶ Remembering Andrew Nash
So, Nishant, I'm going to bring up kind of the heavy topic. We lost another great one in the identity industry recently, Andrew Nash. I know you were close with Andrew. What should people know about him? So, yeah, this is a hard one. I was just using the word community a lot, right? That's not a mistake. Like that's really something
that came to me from him. Like I really understood that from him because he, as you said, he's been one of the OGs for a long time. I was lucky enough to be his partner on the program committee for the identity track at the RSA Conference for many, many years now running. And you know, he had this kindly and he had this convergently, you know, persona to him that he was one of the most generous people I knew, right.
He, whether he was, you know, sitting down and explaining the most obtuse topics in identity or taking you down to his basement to show you the machinery, the machining work that he was doing. And, you know, they opened their home for so many years. Him and Pam opened their home for so many years for the annual Bootstrap party before the RSA Conference as a way of building community, as a way of making
connections, right? You know, a lot of us, I wouldn't have this job if I didn't have connections that exist because Andrew brought people together, right? That was what he understood. And so when I was thinking about, you know, what did I want to do next before I took the FIDO role, a lot of it came back to I want to make a difference. And I learned that idea. I learned that that's what I wanted to do because I saw how he went about his business,
right? He worked at some of the largest organizations and built start-ups. But he did it in such a generous, quiet manner. You know, those of us who knew him knew him, but he wasn't out there, like as the face of a company or, you know, doing sort of a national tour, if you will. But he could have. He would have drawn crowds because he was amazing. He knew everything and he shared it generously. I loved it.
This was coincidental. I was having you on at this time, but for you to be able to pay homage to him like that means a lot. He's another one of these great people within our industry who's now no longer with us. But I do want to now lighten things up a little bit. You know, we don't have a whole lot of time, so let's kind of do
this like a lightning round. If I could bring up a few different topics, and a lot of times I bring up these topics like talk about the future of this side or the other thing, talk about AI in the future. Actually, what I'd like to do is challenge you a little bit differently, which is let's take two minutes on each one of these topics to talk about where things are right now.
¶ Lightning Round: Current State of AI and Identity
And I will use AI, but AI is creeping into everything and everywhere, including identity. What is the state of AI and identity now? It is, as you said, it's creeping into everything. Everybody's trying to add AI to their products or say this, you know, whether they're doing it or not, right?
On the other hand, there's people who have been using AI for a very long time in their products without ever calling it AI. So I think it's here to stay, right? I think there is still a reckoning coming in terms of just the cost of adding AI to everything. Some people don't quite understand that. As you've seen before, a lot of the stuff is VC subsidized, and at a certain point this idea that you can continue to leverage that is going to
become an issue. But the technology is going to continue to get better and it is going to stretch the boundaries and break things, you know, along the way. Like we see, you know, just taking passkeys as an example, passkeys means you don't have a password that you can share with an agent for it to log in as you. So what does that mean from an authentication flow standpoint?
What does it mean when you're building agentic processes where you want it to be able to operate on your behalf across services? How does that factor in? What is that equation looking like? So you see work happening feverishly across the board, whether it's in the FIDO Alliance, whether it's in the OpenID Foundation, whether it's in W3C and other standards organizations. There's a lot that's going to be happening.
And as usual, the tech is going to outpace standards, the tech is going to outpace best practices and guidance.
So we kind of have to be prepared for things to break a little bit, but there are a lot of folks who are working really hard on it. Yeah, something I've thought about a lot as well is what's going to happen with the intellectual property. It just seems like the lines could blur where intellectual property, thoughts, things like that can be put into an AI, and then what becomes of them? Are you training a model that doesn't really keep track of what is
intellectual property, where the thoughts belong? Do they belong to some person or some entity, or are they in the public domain? So it's just a little thought that I've been having lately. Next topic.
¶ Decentralized Identity: Current Trends
Decentralized identity. I think it's a very loaded term because it's been bandied about and used and misused many times over. But we're definitely moving towards a place where decentralized or federated models are going to start to become practical, especially as we start seeing how wallets are becoming more and more
common. As people start building wallet infrastructure, people start building out the standards for being able to present credentials across organizational boundaries, across jurisdictional boundaries in a way that can be accepted and certified in a privacy-preserving manner. So I think there's a lot of
work happening there. I am very hopeful about that aspect of what would have been called decentralized in the past, that it is actually going to be really driving utility and value and creating a world where we can actually present an aspect of our identity in a privacy-preserving manner much more seamlessly and easily than we used to be able to do before.
We've been hearing about decentralized identity for years now, and I don't feel like we're anywhere close to it in the US at least. Europe seems to be much further along with their plans on it, just based on what I saw at the EIC conference earlier this year. What I've also noticed is nobody's calling it blockchain anymore. It's decentralized identity. And so is this a branding shift?
Is this a marketing strategy to kind of get away from, you know, maybe the crypto sort of camp and more towards the broader technology as a solution? Because I can certainly see the benefit of it. I just don't see it happening anytime soon in the US because of either government, right, you know, and people not trusting if the government runs it, or maybe if it's healthcare or if it's finance or if it's education.
Like who's going to run these giant rings of being able to, you know, have a decentralized identity? Because it's not like, you know, the normal human being is going to say, well, yeah, just connect to my ledger. Like that doesn't make sense for most people. How do you see this happening in the US, you know, going forward? Yeah.
So you know, as Jim said, I'm not one to prognosticate the future, but I will say this, and I think the term decentralized, like I said, becomes overloaded. And therefore I try not to get too hung up on the word, especially not on the technology behind it. You know, there's companies that are using permissioned blockchains, there are companies that are using
other stuff a lot. I think one of the shifts that we're seeing is people are starting to focus more on the use cases, which is always good. They're starting to focus on the utility, which is always good. And so I think wallets is, you know, and Heather Flanagan has an amazing post about should we still be calling it wallets? And I highly encourage folks to check that out and check out everything Heather Flanagan says, because that's always good.
But leaving that aside, sticking with the wallet term for a while, I do think that will help. Like in the US, for example. Yeah, we're not going to have a national identity that's going to be doing anything like that. But you have mDLs. And mDLs, our driver's licenses have been our de facto identity for a long time for many
different use cases. So can the mDLs become the way we do this in a decentralized manner, especially if you take into account some of the work that's happening on phone home versus no phone home and all these kinds of things that are being discussed, and you add in privacy considerations? Yeah, that could be a way to get there.
And then it'll evolve from it. Like the minute somebody sees something working, 500 other things are going to show up saying, oh, we can do that but better, or we can do that but slightly different, and it'll mushroom from there. So I do think utility will drive it. And I think part of what will drive the US is seeing it happen everywhere else. Like Europe is obviously very visible in what they're doing on wallets. But actually this is happening all over the world now, right?
Every place, whether it's Southeast Asia, I saw a lot of work happening, and the Middle East and Asia and in Africa, people want this because they see how it unlocks the economic engine, right? Like they see the value of it. So there's a lot of efforts that are going to be happening. And I think in parallel, there's a lot of work happening at the standards bodies to try and enable it to happen in a good way, right? So that'll take some time, but I
think it'll happen. I was going to mention the mDL as well, but you know Jeff, with Jeff's entry, we definitely violated the two-minute answer in the lightning round. I'm going to allow it. As the judge, I'll allow it. You're happy to judge, I'm the jury, right? Sure I can.
¶ Non-Human Identity: Future Perspectives
Anyway, we'll just do one more. It's 2025. Somebody's listening to this 800 years from now, so that there's a context. We're talking about non-human identity. What do you think of non-human identity? Is it even a good term? Well, 800 years from now, nobody's going to care about human versus non-human identity. It's all going to be just identity, and hopefully it's going to be invisible because it's just going to happen and people won't have to do anything for it.
But that's 800 years from now. I think the NHI wave that's happening right now, there's a, again, it's the same thing. There's a lot of old technology that's being rebranded NHI. There's a lot of new work happening. I think the AI stuff is going to trigger a lot of interesting work in that same vein. But yeah, I'm not sold on the term because I think it encapsulates too many different things and blurs the boundaries a little bit too
much. Trying to put everything under one umbrella can make things confusing. And I think just a little bit of precision can go a long way in making sure that people don't overestimate what something can do or misidentify what value something can bring. And we've suffered from that a lot in our identity space, if you will. So I think a little bit more precision would be valuable.
But hey, you know, if nothing else, it's putting attention on the problem, and that's always a good thing. Like all things, I think it comes down to context, and context matters whenever you're having a conversation, whether it's NHI, whether it's machine identity, whether it's, you know, whatever term we want to use. Again, these are not new concepts.
They've been around forever. There's always been, you know, some sort of machine or non-human identity operating behind the scenes, service accounts, etcetera. I just wish we would settle sort of like on a standard way to call it, because we are awesome as an industry at coming up with new acronyms and having like 8 different ways to
call the same thing. And so this is just an area that again creates unnecessary confusion if we can't agree to have at least, you know, the same vocabulary for things like that. It just bugs me. Yes, that is unfortunately a problem we've been struggling with ever since I started working in identity. And that's been a long time.
¶ New York Sports Fandom
Well, let's wrap up this conversation on your background. So I noticed, for people who are listening to this and if you're not seeing us on YouTube, come over, give us a like and subscribe. That helps us out a lot. You've got a couple pictures of New York stuff. I think I see Mariano Rivera behind you. I think I see the Giants behind you. Is this just you as a New York sports fan, or is there some deeper significance? Or is this like a Taylor Swift thing where there's like hidden meaning between these, you know, pictures? Like what is
the play here? Nishant, the play here is to suck up to Jim, right? Well, Jim is a Yankees fan, unfortunately. Yeah, the New York thing is just, I am a New Yorker at heart. Like growing up, I, you know, coming and being in New York was always my dream. It was like, that's where I want to be. That's where I want to go to succeed. So, and then I have a lot of family, and, you know, that just meant adopting the New York sports teams.
And I don't do anything halfway. So if I'm in it, I'm in it all the way. So that meant the good stuff with the Yankees, the bad years with the Giants, then those two improbable runs with the Giants, and what Jim and I are dealing with this year with the Yankees, which is not good for my heart rate. So is it all New York sports, or do you focus on just the Yankees and the Giants and you say forget about the Jets and the Mets? You cannot do both at the same time.
You have to choose, OK. Anybody who says they can do both is not a New Yorker, let's put it that way. And. I feel the same way as a recovering Chicagoan. You had the White Sox and you have the Cubs. And it will always bug me. And people say, well, I'm a fan of both teams. No, pick one. You have to pick one. And the right answer is always the Cubs. You definitely should not be a Sox fan. It's just dirty, dirty, dirty.
So. Any Sox fan, if the name has the Sox, you cannot be there. White Sox, Red Sox, whatever it may be, they're all the enemy. So sorry. You know, Boston and the South Side of Chicago. Yeah, we just lost a whole bunch of listeners. Thanks, Jeff. You know what, worth it. That's fine. That's like a hill I'm ready to die on, and I'll start taking people as they try to come up it.
¶ Conclusion and Upcoming Events
Nishant, thank you so much for taking the time with us. Really excited to see you in your new role and seeing you here in a couple weeks at the Authenticate conference. So I have. Yeah, I was going to say I'm looking forward to seeing you at Authenticate and having Megan kick your ass again on stage. No way. No way not. Mine, it'll be Jim's because I'm the Steve Harvey here. But yes, FIDO Feud Round 2 is
underway. I am working feverishly on the questions that we're going to answer with Adrian 1 to 1. So only she and I know the questions and we'll have the answers. And so we'll be surprised if we're already involved when it comes up to it. But last year was a lot of fun, and the goal is to make it even bigger, better and maybe even more tequila than it was last year on stage. We'll see. I don't know if we can do that again. That might have been a problem that we just didn't ask for
permission last time. You know what though, I'm thinking now, maybe I should have Nishant on my team. So hey, if they kick our ass, they kick our. Ass, the royal. Ass, the royal, yeah, gets kicked. All right, let's leave it there. Nishant, thanks so much. I'm going to have links in our show notes for people to connect with you on LinkedIn, link to FIDO Alliance.
Don't forget the conference discounts on our website for things like Authenticate as well as cybersecurity summits as well as Identiverse and Gartner coming soon. So check those out. Also have a link to the article by Rusty Deaton. So again, great article by Rusty. Glad to see it out there. We need to have conversations like that kind of put out into the forum where we're going to have discussions around it.
And then let's see, Nishant, you mentioned Heather's wallet article, so Kill the Wallet, Rethinking the Metaphors Behind Digital Identity by Heather Flanagan. We'll have that link in our show notes as well. So encourage people to check that out. And she's got a very cool podcast that she does where she kind of talks through her blog as she's kind of written it, which is very neat. So yeah. Yeah, I keep driving around having the soothing voice of Heather reading out Identity Toss to you.
It's a good way to go. See, the only thing missing is like the cat in the background and she just can't get on, you know, without the video component of it. But maybe maybe there's an editing tip there to like put maybe a a slow soft, you know, purr behind is like, you know, a little bit of what's the, you know, what's the voice thing that you do with like, you know, people like soothing ASMR, like something like that, right? For for the podcast.
Maybe we'll do that on ours. Maybe we'll do it for next the next April Fool's joke. Sounds good like and subscribe, share with friends, share with enemies doesn't matter as long as they hit like and subscribe idacpodcast.com. And with that, we'll leave it there for this week. Thank you everybody for watching and or listening and we'll talk with y'all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.
Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
