Each of us perform countless ceremonies throughout our days. Those series of acts the perform with steps prescribed by ritual or convention. This is true in both the the analog and digital worlds. But when it comes to how we are known to others, the ceremonies that we do in in the digital world differ greatly from those in the analog world… and that leads to real problems.
I was introduced to the notion of ceremonies in the digital identity space by my good friend, Kim Cameron. In a quiet moment at the Europe Identity Conference many years ago, we talked about fundamental changes coming to how one identifies oneself to an online service. With loving remembrance, I pulled on threads from that memory combined with strong influences of my friend and mentor, Bob Blakley’s, foundational talk on recognition.
What follows is both the original text of the talk, including a variety of jokes and bits that ended up on the cutting room floor, as well as a video of me giving the talk at KuppingerCole’s European Identity and Cloud Conference. Additionally here is the version I gave at Identiverse as well! You’ll notice differences between the text and talks… I include these because I’ve received feedback that people like to see the process by which I write and deliver my keynotes. Enjoy and with that I bring you Ceremonies!
Thank you. It is an honor and a pleasure to be back at Identiverse, and this year we are in Las Vegas! It’s interesting to note that we are the same distance to downtown Denver, here in Vegas, as we would be if we were back at the Gaylord.
I’d like to thank Andi and the entire content review team for allowing me to speak on this topic. I have to also acknowledge two other people for this talk today. First, my good friend and mentor, Bob Blakley. He gave a talk from the then Cloud Identity Summit stage about recognition that continues to inspire me and this talk… and should inspire us all. Second, I want to thank Kim Cameron. Kim was the first person to introduce me to the concept of ceremonies in the context of identity.
And with that… ceremonies!
I thought I’d start with a grounding definition. And when I need to get a definition for a talk, I go where most of you go… the National Cancer Institute. Yes this definition comes from their website and I have no idea why they include the word “ceremonies” in their dictionary but there you go.
I guess for completeness sake here is the definition from Webster’s. I like the first definition the best: a formal act or series of acts prescribed by ritual, protocol, or convention.
The disconnect between our analog world ceremonies and our digital world ceremonies is profound. In the analog world, we perform introduction ceremonies; in the digital space we perform registration. In the analog world we perform recognition ceremonies; in the digital space, we perform authentication. I will be focusing on these authentication ceremonies and differences between them throughout this talk.
So what do authentication ceremonies look like? Let’s take a tour!
First up we have this [it’s a blank slide.] I know… deep. [click – reveals the title “0 Box”] This is a zero box authentication ceremony in which the user appears before a service and is authenticated… at least in a very loose sense. Through browser fingerprinting, IP, geoIP, and other methods the service recognizes the user to a limited degree of accuracy.
Next, we invented – the box! Behold! The One Box experience. In this case, the individual provides an email address or phone number on a, typically marketing, microsite. The service then can “authenticate” the individual based on that string.
The 0 and 1 Box ceremonies are very low assurance and basically the equivalent of seeing a crowd of people and recognizing one of them because they are wearing a funny hat. At best you can recognize the funny hat again, but you have really no idea if the same person is wearing it.
But the need to know if the same person is wearing the funny hat is strong, so we created… the 2 Box experience! This is the classic user experience in which the service asks for an identifier and a password. This experience is older than some, many?, of us. If there ever was a “convention” this is it. 2 box. Username here. Password there. And what felt like an eternity, it stayed the same.
Yes there were minor advancements such as Lotus Notes’ animated login screen which could only serve to either make you forget what you were doing or distract someone trying to shoulder surf.
But for the most part we were here for a long time.
We also started to see a bit of a strange variant appear. It was a 2 Box + 1 Box e.g username and password plus code. An alternative is 2 Box and 1 Checkbox which substitutes the code for a “Are you human? If so check this box please. ROBOTS BEWARE.”
And then we grew this innovation: 2 Box with Thingy. I have no idea what these icons are called. But for the purpose of this talk, they shall be called thingies. And the 2 Box experience grew thingies. Besides the MASSIVE innovation of the caps lock indicator thingy, a thingy to launch a password manager was a big deal.
And then Eric Sachs and the team at Google had a moment of inspired thinking. They created 1 Box + 1 Box. Any guess when GMail’s login went from 2 Box to 1 Box + 1 Box? Anyone? May 2015. TechCrunch said this. And given some of the reactions they saw, you’d have thought they harmed puppies to do this. There was a massive freak out. Why? Because they dared to change convention. They dared to change a ceremony so entrenched that it was like oxygen.
Now this truly was innovation because it gave services optionality on what to do. You collect an identifier, a username, and then the service has the freedom to do something… anything… even nothing. Kick off SSO. Prompt for OTP. Ask for good ole password. Reconnect you with a pre-existing session. Anything. And this is important… really important, because I believe this is the first time that we see a separation between the front end ceremony and the back end process. Each can serve different needs for different audiences. That is truly powerful.
And this is my first major point: The front-end ceremony needs to be thought of as distinct from what happens on the backend.
The separating of front-end ceremony from back-end processing lead to a fertile garden in which new flowers are blooming.
One such flower is the use of a mobile device and its onboard biometric capabilities. In this case, the person just looks at the app or device and is reconnected to the service. This is, however, predicated on successfully logging in previously using a traditional static secret.
And most recently, there’s become a new take on this and the 1 Box experience, in which the individual says who’s there (aka provides a username) and then something other than a classic static password is asked for. Most recently, and more excitingly, the service does some cryptography with the client and the device provides a secret which the service recognizes. This is WebAuthn. The ceremony is familiar, provide a “who’s there”, but the backend is different.
Another flower blooming in this garden is this one: the QR code. In this case the individual, assumed to have a mobile device, scans said code to begin a flow in which they prove they have some sort of credential. This could be an OAuth device flow or the presentation of a verified credential but it really could be anything.
When things go wrong
That brief tour only discussed when things go right; it only talked about the “happy path.” But what about when things don’t go so well? Maybe the individual entered the wrong username or a mismatching password or doesn’t have the security key. What happens then?
Let’s look at the analog world for a moment. In olden times, if you performed a rain ceremony and it didn’t rain, you were shunned… or thrown into a volcano. Although we may not spend any time thinking about it, when recognition fails, when a person fails to recognize someone else, there is an elaborate response system. It isn’t a full re-introduction but more like a hinting process whereby the person provides useful nudges, often in the form of contextual clues, to the other person as to who they are. “We met on a boat in Germany.” “You mistook me for David Grohl.” “I am your father.”
But what about the digital world? Up until recently, there was some degree of convention when things go wrong. These mostly directed the individual to reset their password, which is the most drastic of processes.
Furthermore, we’ve started to see that reset password processes don’t behave identically. Sometimes forgot password leads to a bootstrapping process from a previously authenticated device. Here I give great great thanks to Disney and what they have done to make my life better in setting up my father-in-law’s smart TVs.
Some failure ceremonies look a little like the analog ones in which the service attempts to nudge the user into remembering their username. But this is a very strange inversion of how things work in the analog world. The person who failed to recognize basically plays charades with the person who hasn’t been recognized until they recognize them.
And what do failure ceremonies look like for things other than username/password authentication? Are they consistent across all platforms and form factors? Increasingly these failure ceremonies are not under the control of the service but instead the mobile operating system or digital wallet. And arguably, the “success” of username and passwords is not in their efficacy but in the nearly ubiquitous consistency of the failure ceremonies.
Long way around, my second point: we do not have ceremonies for where things go wrong. At best we have localized techniques but nothing that has reached the definition of a ceremony for all of our new authentication mechanisms.
Performing in public
We do not have registration and authentication ceremonies that are designed to be performed in public. Inherently, we have to do these ceremonies in private to protect the static secret used to identify ourselves.
And this is completely the opposite to our analog world ceremonies of introduction and recognition.
Now it’s not all bad news, biometric logins can be done in public however older forms cannot… because they required you to previously successfully login using a static secret. WebAuthn, however, does not suffer the same problem.
Furthermore, the ceremonies that we have today are primarily meant as solo practices. I register, by myself, on a site. I log in to something by myself, in private. We do not have a ceremony purpose-built to facilitate someone else helping us perform it.
This leads to challenges when we consider different kinds of constituents like our parents, our children, and those who cannot represent themselves. This also leads to challenges when we consider trying to perform these ceremonies on public or shared devices such as those at a public library or in a school.
My third point: we lack wide-spread public ceremonies; we lack ceremonies that involve more than one person.
Where we must go
We need to get to ceremonies that look more like our analog world and less like our current digital versions. What would this look like?
Yes, we need to get back to a 0 Box experience in which I am recognized. Recognized. Not identified e.g. tracking cookies, geolocation, but instead truly recognized. And achieving this is not as far-fetched as you might initially think.
Observe that anti-fraud tools have a general sense of whether you are “you” at least within a specific domain. Observe that anti-bot tools have a sense for whether the actor roaming around your website is human or not. Meanwhile the massive AdTech industry is trying to ensure that the person clicking on an ad, or even seeing an ad, is in fact, a person.
The pieces are coming into place to actually perform recognition… or at least through the process of elimination we are winnowing down that the entity performing a ceremony isn’t a hostile actor. Said differently today’s ability to recognize may only generate a low fidelity picture of the person, but it is improving.
So what would be the next steps we need? I believe there are three:
- A means by which things like passkey and WebAuthn are more generally used as strong “hints” about the individual
- A language to describe disclosing more data for the purposes of generating a higher fidelity picture of the person for the purposes of recognition
- Both of those are facilitated by active clients such as mobile operating systems, browsers, password managers, and even potentially digital wallets. These active clients are what I like to think of as counselors.They are needed to broker the disclosure of hints on a person’s behalf to facilitate recognition
I fully recognize that not everyone in this room works on technologies and techniques to facilitate recognition. But everyone in this room, in one way or another, works with authentication ceremonies… even if it just in their personal lives… so we all have a vested interest in making things better. There are three things we can do to do that:
- Separate front-end ceremony from backend requirements in your mind and your implementations. Too often we jumble the two together and this limits both.
- Consistent failure ceremonies are needed. I would suggest you start with the unhappy paths, the places a person will be if things go wrong, and work to make them as straightforward, usable, and secure as possible… then move on to the happy paths where everything just works.
- Explicitly design for non-solo ceremonies if at all possible. People help people in all facets of their lives and performing authentication ceremonies should be no different. If you cannot find affordances in your technology to help assisted-authentication, at least give your call center scripts to help facilitate it securely.
These three will help but we must get to recognition. The journey is underway; we need to look to adjacent industries like fraud prevention for help; we need more active clients to push us forward. Through recognition we can and must shrink the gap between our analogue and digital ceremonies.
And with that I deeply thank you for allowing me to participate in this ceremony with you.