Identity on the Web
Heather Flanagan
AC 2024
Hiroshima, Japan
hybrid meeting
8–9 APRIL 2024
Play List
- Introducing Digital Identity
- Understanding Digital Identity
- Current Landscape and Challenges
- W3C's Role and Opportunities
- Future Directions
- Wrap Up
Digital Identity on the Web - By The Numbers
- 66% of the world’s population have access to the Internet (Statista)
- Global retail e-commerce sales = approx. USD $5.8 trillion in 2023 (Statista)
- 26 million+ e-commerce sites in the world (Digital Commerce 360)
- Identity and Access Management (IAM) as a market is expected to grow to USD $43 billion by 2029 (Statista)
- Cybercrime, including identity theft and fraud, is expected to grow to USD $10.5 trillion (CyberCrime Magazine)
The W3C’s (Potential) Role
- Accessibility
- Usability
- Security & Privacy
- Interoperability
Identity is a foundational aspect of that vision.
Understanding Digital Identity
Defining Digital Identity
- “An attribute or set of attributes that uniquely describes a subject within a given context.” (IDPro Terminology)
- “[D]igital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known.” (NIST SP 800-63-3)
Identities and Identifiers are not the same thing (but we often treat them as if they are). (Internet Society)
Identity & the W3C
The W3C oversees best practices concerning user experience, safeguarding both users and the websites they engage with by facilitating the alignment of appropriate user identities with the requirements of each website.
Non-Human Identities
- “Any account not used by a person, such as accounts used for devices, services, and servers.” (IDPro Terminology)
- “Any unique combination of hardware and software firmware (e.g., device) that utilizes the capabilities of other programs, devices, or services to perform a function. Non-person entities (NPE) may act independently or on behalf of an authenticated individual or another NPE.” (IDPro Terminology)
- “Identity for workloads, software stacks, transactions, users, authorities, and other entities can all have a part to play in determining the rights associated with a request and its response.” (WIMSE)
Balancing Interests (examples)
- Of course the Identity Provider (IdP) needs to know which Relying Party is asking for an authentication request! Our IdPs don’t talk to just anyone!
- Of course the IdP shouldn’t know anything about the RP! The IdP might track the sites the user visits!
- There are only 5-7 IdPs that really matter in the world.
- There are 5000+ IdPs that really matter in the world.
All these statements are true. Browsers must support them all in the most privacy-preserving fashion possible.
Competing Standards
- Underlying assumptions, requirements, and use cases matter
- Firmly structured identity like a passport or driver’s license?
- Flexibly structured for transit cards, concert tickets, memberships?
Accessibility, Usability, Security & Privacy, Interoperability
Suggested Breakout Topics
- Envisioning the next 30 years: challenges and opportunities
- Potential actions for W3C: fostering common understanding, standards development, and ecosystem leadership
- Collaborative efforts and stakeholder engagement strategies