Tag: Passwordless

  • Whisper Report: What are the latest advancements in decentralized identity and verifiable credentials?

    Published to clients: July 30, 2025

    ID: 2085

    Published to Readers: July 31, 2025

    Whisper Club: December 15, 2025

    Public: January 20, 2026

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    “Recent advancements in decentralized identity include passwordless authentication, time-bound credentials, and dynamic identity chaining. These innovations reduce risk, improve privacy, and enhance user control. Separation of authentication from authorization enables more precise access management. One-way functions protect biometric data in cloud environments. Emerging standards like SPIFFE and CSA’s agentic identity frameworks offer scalable, interoperable solutions. Together, these developments support secure, flexible identity ecosystems without relying on centralized authorities.”

    Computer Talk Radio coverage of document.

    Target Audience Titles:

    • Chief Information Security Officer, Chief Technology Officer, Chief Digital Officer, Chief Privacy Officer, Chief Product Officer, Chief Data Officer
    • Identity and Access Management Engineers, Security Architects, Cloud Infrastructure Engineers
    • Privacy Engineers, Standards and Compliance Analysts

    Key Takeaways

    • Passwordless authentication removes friction and improves security.
    • Time-bound credentials limit exposure from compromised access.
    • Identity chaining enables dynamic, temporary access provisioning.
    • Authentication and authorization are increasingly separated for clarity and control.

    What are the latest advancements in decentralized identity and verifiable credentials?


    We took the most frequently asked and most urgent technology questions straight to the Technologists gathering at Identiverse 2025 held at Mandalay Bay in Las Vegas. This Whisper Report addresses the question regarding the latest advancements in decentralized identity and verifiable credentials. But what is a decentralized identity? Panini’s Jim Harris explained, “identity – being able to capture that information using nearfield technology and then verifying that issue issuing information with the agency that issue it to certify that customer is legitimately who they say they are so we believe that’s one of the ways we can support authentication in a digital decentralized environment.” Let’s dive into six advancements in decentralized identity for you to add to your environment as depicted in Figure 1.

    Figure 1: Six advancements in decentralized identity: (1) passwordless, (2) time-bound credentials, (3) identity chaining, (4) separate authentication and authorization, (5) one-way functions for storage, (6) leverage standards.

    1. Passwordless

    Frequently involved in moving authentication from something you know to something you are, passwordless takes those pesky passwords out of the equation. As Simeio’s Octavio Lopez observed, “I’ve been seeing a lot of a lot of organizations are pushing towards passwordless.” For vendor examples that provide biometric identity options, see Conference Whispers: Identiverse 2025 and Conference Whispers: ISC West 2025.

    2. Time Bound Credentials

    A favorite tactic to limit any damage from stolen credentials is to time-bound them. As GitGuardian’s Dwayne McDaniel explained, “How do we not store a long-term credential but instead expose only the bit of the credential you need to verify that entity should be doing that thing and then issue a very short-lived JWT or 509 Cert (X.509 certificate) that will expire immediately.” A compromised short-lived credential becomes useless once it expires, thereby limiting the blast radius in the system.

    3. Identity Chaining

    Related to time-bound credentials is dynamic identity chaining. As Apono’s Ofir Stein revealed, the key to decentralization of identities is, “it’s the ability to create dynamic changes in the identity that exist in the environment. Meaning by that we keep what we call identity chaining while if I need access to some resources let’s say in cloud we create all the identities that needed for me to work and then we revoke them so dynamic approach to decentralized identity in a panel the dynamic approach is the decentralized identity when we create identity when needed and we work them when they when they don’t need them.”

    4. Separate Authentication and Authorization

    Although commonly associated together, as the name identity and access management implies, the decentralized identity world is seeing a separation. Authentication — the verification you are who you say you are — is being distinguished from authorization — the granting of some authority to some resource. As GitGuardian’s Dwayne McDaniel highlighted, “we’re going to see some major advancements with this idea of I can prove on me but that doesn’t automatically authorize me for things the authorization is starting to be separated from authentication in a way that should have probably done in the first place.”
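    The time-bound credentials of section 2 and the authentication/authorization split of section 4 can be seen together in the following added example, which is not from the report or any vendor quoted in it. It mints a short-lived HS256 JWT using only the Python standard library; the signing key, the `build-agent` subject and the `POLICY` table are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SIGNING_KEY = b"constructed-demo-key"         # assumption: demo-only secret
POLICY = {"build-agent": {"artifact:read"}}   # assumption: hypothetical policy table

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject: str, ttl_seconds: int = 60, now: Optional[float] = None) -> str:
    """Authentication result only: who the caller is, and until when."""
    issued = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps(
        {"sub": subject, "iat": issued, "exp": issued + ttl_seconds}).encode())
    return f"{header}.{claims}.{_b64(_sign(header + '.' + claims))}"

def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the signature verifies and the token is unexpired."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # refuse "none" or any unexpected algorithm
        if not hmac.compare_digest(_sign(header + "." + claims), _unb64(sig)):
            return None  # signature mismatch: tampered or foreign token
        payload = json.loads(_unb64(claims))
        subject, expires = payload["sub"], payload["exp"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return None      # malformed token
    current = time.time() if now is None else now
    return subject if current < expires else None  # a stolen token dies at exp

def authorize(subject: Optional[str], action: str) -> bool:
    """Separate decision: a proven identity gets nothing unless policy grants it."""
    return subject is not None and action in POLICY.get(subject, set())
```

    The token carries no permissions at all, so changing what `build-agent` may do means editing policy, not reissuing credentials.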

    5. One-way Functions for Storage

    As one might suspect, many identity solutions involve the cloud. The concern becomes how to store the data in such a way that even if the stored data is compromised, the identity information is not. Keyless’ Alex Jones elaborated on the use case. “when you’re talking about privacy in the biometric space it’s all about where your biometric data goes does it stay on the device does it stay on the cloud so within cloud-based biometrics which is what Keyless does, there’s different ways of making sure that the biometric data on the cloud is kept really safe and this is where a decentralized biometric system come in it’s basically transforming the biometric data when it goes on the cloud so that when it’s there it is completely unrecognizable so even if the cloud server is compromised the biometric data or the data that’s stored there is kept safe.” This is the same approach we saw leveraged during our coverage of ISC West. A hash of the data is stored, not the data itself. The same hash function can be applied to newly presented data to see whether the two results match. The hash function has no inverse, so the original data cannot be disclosed even if the stored hash is compromised.
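    The store-a-hash-and-compare pattern described above, as an added example that is not Keyless’s or any other vendor’s implementation. It assumes the presented data has already been reduced to a stable byte string (raw biometric captures vary between readings, which this example does not address), and it uses a salted, deliberately slow PBKDF2 rather than a bare hash so that low-entropy inputs are costly to guess from a leaked record; the sample values and the iteration count are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: work factor chosen for this example

def enroll(template: bytes) -> dict:
    """Build the server-side record: salt and digest, never the input itself."""
    salt = os.urandom(16)  # per-record salt, so equal inputs give unequal records
    digest = hashlib.pbkdf2_hmac("sha256", template, salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}

def matches(record: dict, presented: bytes) -> bool:
    """Re-run the one-way function on newly presented data and compare results."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented, bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))

# Constructed sample value standing in for a stable, device-derived template.
ENROLLED = b"constructed-template-0001"
RECORD = enroll(ENROLLED)
```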

    6. Leverage Standards

    Finally, when you are creating your roadmap or architecture, you do not have to reinvent the wheel. As GitGuardian’s Dwayne McDaniel noted, “we’re seeing the standards emerge right now about 7 years ago we saw SPIFFE the secure production identity framework for everyone emerge and that came out of what Google was doing internally. Number of working group that sprung up at Netflix and they wrote a beautiful book on it called Solving the Bottom Turtle. The CSA has just put out a new paper May 25th on how dissolve this multi-agent system problem and introducing concepts like agentic name spacing and a distributed ID like as name spaces and it’s just a fascinating time now.”

    Final note

    For those wishing to see a case study about how to bring a massive, decentralized identity solution to life, Identiverse had a keynote for you. Specifically, a case study of the UK mobile identity deployment featuring Hannah Rutter, Deputy Director, Digital Identity of the United Kingdom. If your organization is on the decentralized identity path, there is no reason to go alone. Reduce the risk and increase your chances of success by working with TBW Advisors LLC. Schedule an inquiry at the beginning of the process and each critical step to stop missteps.

    Analysis available only to clients at this time. Join the YouTube Whisper Club at the Whisper Club Level to get access to the video edition today.

    Related playlists & References

    1. Whisper Report: How can organizations implement zero-trust security without disrupting user experience?
    2. Conference Whispers: Identiverse 2025
    3. Conference Whispers: Identiverse
    4. UK Identity Case Study Keynote
    5. CSA’s Publication, “Agentic AI Identity and Access Management: A New Approach”
    6. Conference Whispers: ISC West 2025
    7. SPIFFE

    Corporate Headquarters

    2884 Grand Helios Way

    Henderson, NV 89052

    ©2019-2026 TBW Advisors LLC. All rights reserved. TBW, Technical Business Whispers, Fact-based research and Advisory, Conference Whispers, Industry Whispers, Email Whispers, Whisper Club, Whispers, The Answer is always in the Whispers, Whisper Reports, Whisper Studies, Whisper Ranking, The Answer is always in the Whispers, and One Change a Month, are trademarks or registered trademarks of TBW Advisors LLC. This publication may not be reproduced or distributed in any form without TBW’s prior written permission. It consists of the opinions of TBW’s research organization which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, TBW disclaims all warranties as to the accuracy, completeness or adequacy of such information. TBW does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by the TBW Usage Policy. TBW research is produced independently by its research organization without influence or input from a third party. For further information, see Fact-based research publications on our website for more details.

  • Conference Whispers: Identiverse 2024

    Analyst: Dr. Doreen Galli

    Photographer: Dr. Doreen Galli

    ABSTRACT

    After over 1500 minutes of recording and 14 escalator rides, and some 35 factchecks, our coverage of 2024 Identiverse comes to a close. Identiverse was at Aria Hotel in Las Vegas from May 28-31. It is the premier event for identity professionals. It spans 4 days, 250 speakers on over 100 topics, 150 exhibitors and 3000 onsite attendees. Attendees witnessed endless examples of identity and privacy solutions including many jokes about SAML (it is NOT dead), examples of passwordless as well as talks about the value of identity.

    Conference Vibe

    After over 1500 minutes of recording and 14 escalator rides, and some 35 factchecks, our coverage of 2024 Identiverse comes to a close. Registration for the four-day event kicked off after the long holiday weekend. The event featured 250 speakers on over 100 topics, 150 exhibitors and 3000 onsite attendees. There was so much packed in it was impossible to catch all of the exhibits. They had sessions in the Joshua rooms as well as Mariposa rooms. Opening day was then capped by a mighty keynote featuring John Whelan, President of the Cyber Risk Alliance and Andre Durand, CEO of Ping Identity and Founder of the Identiverse Conference. The event provided food for the attendees. We were able to capture breakfast Wednesday. The attendees did explicitly find me to let me know they were disappointed with the breakfast due to the lack of protein. I do understand the Microsoft Breakfast did feature sufficient protein. Many attendees complimented the lunch which was served Wednesday as well as on Thursday. The exhibits* were open on Wednesday after the opening keynote. They were spread between two large rooms across from each other.

    Our entire playlist of video research at Identiverse is available at our YouTube Channel. Save the list to capture related shorts when they are released.

    Digital Identities

    As one might expect, Identiverse is all about identity. Much to my delight, an entire panel was presented on confidential computing. Confidential computing’s strength lies in multiparty computations among untrusted parties – something that occurs in the identity space quite often. The session immediately following was on digital identity, where they pondered how one could achieve such an exchange – unfortunately those panelists did not attend the Confidential session. On the digital ID panel, it was exciting to see that California is live with a digital driver’s license. Many are still trying to get their REAL ID into their wallet! Australian Bank was on stage for a keynote making the case for the Bank ID. Admittedly this talk created a bit of déjà vu to the days in the bid to become primary certificate authorities. There is no shortage of information to make the business case to adopt passwordless for your organization.

    More than Passwords

    Thursday morning’s keynote concluded with the Power of Passwordless sign-on. This session included a number of guest speakers from the FIDO Alliance, Clarkson University, Bank of America and Amazon. The net result is that companies love it, their customers are more engaged, and the security posture is improved. Numerous examples of passwordless solutions were shown in the exhibits. AllAUthenticate shared their passwordless solution. Bringing blue collar workers who need to punch in and out into this century, Bio-Key displayed their product leveraging MFA Mellon RFID. If you would prefer your identity solution to eliminate any and all standing privileges, SGNL can get you there and help you stay in that security posture. Zluri is available to handle access control for all SaaS solutions. Aserto is an identity service that considers policy and relationship-based access control. If your service accounts are your pain point or you don’t even know how many you have of what – a start-up just out of stealth mode called Anetac may be someone you want to evaluate. If your organization’s problem is more of a non-human identity issue, Natoma can assist in provisioning, deprovisioning and maintenance of non-human IDs. The word of the conference was service, and non-human IDs is an exploding area, with reportedly over a dozen just announced at RSA.

    Google hosted an entire detailed workshop on Google Sign-On, Passkey and the use of FedCM to deal with 3rd party cookies. It was exciting to see they are working to push privacy forward with the browser.

    Identity in Practice

    An attention-grabbing keynote Thursday morning alerted attendees to the dark side of identity, reminding all that identity is the most common entrance point for the uninvited. Another keynote reminded all attempting to forge a path in identity that the most important thing is to just get going! Furthermore, pay attention to the point of no return. Identity and security are all about depth of defense; spend the effort when there is a big payout. Do not insist on 100% for each program, as the last percentages take resources without improving security posture. It is far better to find a new program that will affect the remaining identities with the remaining resources.

    One often too difficult aspect of identity is customer onboarding. To that end, Strivacity specializes in the end user aspect of identity. If your challenge is too many identity services and you are having difficulty getting a complete picture, TenableOne provides a unified dashboard to see the entire threat attack surface. If your difficulty is all about connecting identity platforms to other sources and targets, Aquera Platform provides identity connectors along with automation and governance in their solution. Saviynt provided a demonstration of their identity cloud with a visual display. RSA shared their Unified Identity platform that is available on prem or in cloud for SaaS apps as well as supporting SAML. Radiant Logic also provides an identity middleware heavily focusing on the data and metadata of identity. This point was also shared during John Pritchard of Radiant Logic’s keynote.

    There were options if one is seeking assistance with their identity solutions. AOH offers identity consulting spanning assessment, architecture, execution and maintenance. ProofID offers global managed identity services and are key partners with many of the top identity technology providers such as PING Identity.

    Cisco provided an in-depth workshop on defining and building an identity graph. It was very insightful, and the audience was glued to the screen. What caught our eye was the end when they said, “look at that picture – you know what that means. You know what that means you are supposed to do.” Even in 2019 when I was at Gartner, augmented intelligence was present, so hearing “look at the picture” was surprising. More commonly, generative AI is incorporated so that it suggests actions based upon what is seen. Fortunately, Microsoft was there to bring it all back to 2024. There was a Microsoft Entra deep-dive by Nichole Peterson as well as a Microsoft Entra with Co-pilot demo that allowed attendees to zoom back to 2024.

    Next Year’s Conference

    Next year’s Identiverse will be held June 3-6, 2025. Furthermore, next year’s conference will be at Mandalay Bay.

    *When vendors’ names are shared as examples in this document, it is to provide a concrete example of what was on display at the conference, not an evaluation or recommendation. Evaluation and recommendation of these vendors are beyond the scope of this specific research document. Other example products in the same category may have also been on display.
