Episode 126 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Personas: The Next Security+UX Control We Need for Identity?

Channels

Description

Humans are inherently complex creatures. Eve and Jacob suggest that using login accounts in a traditional fashion to solve access challenges is failing to address the challenges of protecting, connecting, and respecting users of online systems. Purposeful alignment of account usage to the different “characters” people assume online — personas — must not just involve issuing a user new credentials for each one. Instead, they propose a way to define a persona construct that can meaningfully refine security and experiential requirements for each system and each human being. Is this a viable approach? Let’s discuss.

Homework

Takeaways

  • ⚡ “First-party fraud” and “credential abuse” are both names for what happens when people are successfully authenticated but are then able to do something that violates business intent or risk tolerance, even though it is technically permitted by current policy.

  • ⚡ Web and mobile UX developers should adapt user interfaces to make it easier for people to understand the capabilities of their current persona. For example, the UX of a bank website might disable transfers of more than 80% of funds and provide an alternate link, "Request Funds Transfer", that explains that a transaction of this size waits 24 hours for secondary account holders to approve it.

  • ⚡ Enterprises need to express policies that deny a capability if it violates a "separation-of-personas" policy, similar to how certain business roles require segregation of duties. Could Cedar policy analysis enable enterprises to prove these persona-based universal statements?

  • ⚡ Issuing people more credentials is not the answer. It wastes money, gives a terrible end-user experience, and makes us less secure. You also lose the ability to correlate the person with their other actions from an ITDR perspective: at the end of the day, it is actually one person.

  • ⚡ Mike thinks personas are an important new entity that we need to model. What infrastructure would issue a token to assert a Persona? What kind of token would that even be, e.g. is it an OAuth transaction token? What is the schema of that token, and how would industries extend the schema for their business-specific requirements? How would personas map to each other, to assets, and to other entities, like organizations, AI agents, or other software entities? What would the trust model be, e.g. how could front end applications know they can trust these persona tokens? Is the glue made out of Cedar? All these are outstanding questions.

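To make the two policy ideas in the takeaways concrete (the 80% transfer limit shown in the UX, and a "separation-of-personas" rule that keeps one human from approving under one persona what they initiated under another), here is an added Cedar policy set. It is illustrative code written for this page, not code from the episode or from Gluu, and it assumes a hypothetical entity model: `Persona` entities with a `human` attribute pointing at the person behind them, `Transfer` resources with `amount`, `initiatedBy` and `account` attributes, and `Account` entities with a `balance` and a set of `holders`. The `is` checks in the policy scope use Cedar 3 syntax.

```cedar
// Assumed (hypothetical) entity model, not part of the episode:
//   Persona  { human: Human }
//   Account  { balance: Long, holders: Set<Persona> }
//   Transfer { amount: Long, account: Account, initiatedBy: Persona }
// Actions: Action::"transfer", Action::"approveTransfer"

// Persona capability limit from the takeaways: a single persona may not move
// more than 80% of the account's funds in one transaction. Cedar arithmetic is
// integer-only, so "amount > 0.8 * balance" is written as 5*amount > 4*balance.
@id("persona-transfer-limit")
forbid(
  principal is Persona,
  action == Action::"transfer",
  resource is Transfer
)
when { resource.amount * 5 > resource.account.balance * 4 };

// Separation of personas: the human behind the approving persona must not be
// the same human who initiated the transfer, whichever persona they used.
@id("separation-of-personas")
forbid(
  principal is Persona,
  action == Action::"approveTransfer",
  resource is Transfer
)
when { resource.initiatedBy.human == principal.human };

// Ordinary approval path: a persona that is one of the account's holders may
// approve a pending transfer. The forbid rules above always win over this.
@id("holder-may-approve")
permit(
  principal is Persona,
  action == Action::"approveTransfer",
  resource is Transfer
)
when { principal in resource.account.holders };
```

Because Cedar's `forbid` overrides any `permit`, the two deny rules are the "universal statements" the takeaway asks about: an analyzer only has to show that no request reaching `approveTransfer` can satisfy the `permit` while the initiator and approver share a `human`, and the UX can surface the same limit before the user attempts the action.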
Livestream Audio Archive
