What does a world without passwords and usernames look like? What would a truly secure single sign-on system mean for your customer and employee experiences? What if multi-factor authentication was consistent and interoperable across the Internet? On our July 9th webinar, we were joined by our partners at Condatis to dive into these very questions around the future of authentication, covering: ◙ The four types of authentication supported by Evernym today ◙ The flaws in today’s password-based, security question, and social login models ◙ The benefits of using verifiable portable credentials for authentication ◙ Using self-sovereign identity for multi-factor authentication ◙ A showcase of live SSI-enabled authentication projects Presenters: ◙ Andy Tobin, EMEA Managing Director, Evernym ◙ Chris Eckl, Chief Technology Officer, Condatis ◙ James Monaghan, VP Product, Evernym

1. @evernym | @CondatisUK | July 2020
The Future of
Authentication
How portable credentials improve security and
reduce friction in authentication processes.

2. On the agenda
The problems with authentication today
A self-sovereign identity (SSI) refresher
Getting rid of passwords AND usernames
Four types of SSI-enabled authentication
Integrating the old and the new
Partner showcases: SSI-enabled authentication in action
Q&A

3. Andrew Tobin
Managing Director, Europe,
Evernym
Today’s presenters
Chris Eckl
Chief Technology Officer,
Condatis
James Monaghan
VP Product,
Evernym

4. If you have questions….
Please enter them in the Zoom Q&A, and
we’ll cover them after the presentation.
Please note, this webinar is being recorded and will be
available at www.evernym.com/webinars.

5. Before we go on, we have two very exciting announcements
Request access at www.evernym.com/plans
Register at www.evernym.com/webinars

6. The problems with
authentication today
Traditionally, authentication has revolved around
usernames and “secret” things only you should know
● Passwords
● Security questions (e.g., “What is your mother’s
maiden name?” “What was the name of your
first pet?”)
Yet, this knowledge-based method of authentication
is not only all-too-easy for a malicious party to guess,
it’s also a pain for all parties involved.

7. A step in the right direction?
Fortunately, the practice of relying on shared secrets
alone is becoming less common.
With federated approaches to single-sign on,
individuals are able to ditch many of those 191
username/password combinations by logging in
through a third party, like Facebook, Twitter, or
Apple.
And, with multi-factor authentication, organizations
can ensure greater security by matching that
“something you have” (a device) with “something
you know” (a password) and/or “something you are”
(a biometric). Peer-to-Peer
Trust
Intermediary
Trust

8. Yet… this all begs the question:
Why do we have to “log-in” at all?

9. A quick recap of the fundamentals of
self-sovereign identity

10. The 3 Pillars of Self-Sovereign Identity
1. secure
connections
2. digital data
watermarking
3. trusted, tamper-proof
public key directory
self-sovereign
identity
verifiable
data
verifiable
connections
private data
exchange
“The ability for people,
organisations and things to ,
manage and control their own
digital identity and relationships
without needing intermediaries.”

11. Technical Trust Tunnel
The Internet

12. Verifiers Can Do 4 Checks:
1. Who created it?
2. Has it been changed?
3. Was it given only to the
presenter?
4. Has it been revoked?
✅
Technical Trust Tunnel
The InternetThe Internet

13. Verifiers Can Do 4 Checks:
1. Who created it?
2. Has it been changed?
3. Was it given only to the
presenter?
4. Has it been revoked?
✅
Technical Trust Tunnel
The Internet
? The Internet

14. Codifying a Digital Trust Ecosystem
trustoverip.org

15. What does this mean for
authentication?

16. SSI: The true username and password killer
Username
✗ Short, memorable, human readable
✗ Often assigned by service provider
✗ Often reused across accounts
Password
✗ Guessable, breakable
✗ Hard to manage
✗ Often reused across accounts
Decentralized identifier (DID)
✓ Opaque, managed by wallet
✓ Generated & controlled by the user
✓ Globally unique for every account
Private key
✓ Prohibitively hard to crack
✓ Managed by wallet
✓ Globally unique for every account

17. Beyond two-factor
Self-sovereign digital wallet combines:
● Connected device
→ Possession, control & consent
● Cryptographic keys
→ Ownership of a given account
● Verifiable credentials
→ 3rd party assertion of identity
● Real-time biometrics
→ Likeness & liveness
Result: security + convenience

18. The four types of SSI-enabled
authentication

19. 1. DID authentication
Prove control over a relationship DID by signing
a challenge using the private key.
User initiates with their mobile wallet by:
⭑ Scanning a QR code
⭑ Clicking a link in mobile app or web page
⭑ Clicking a link via email or SMS
Similar to other passwordless schemes (e.g.
FIDO UAF), except:
✓ Identifier is decoupled from authenticator
✓ User can rotate their own keys
Placeholder
Are you logging in to
Faber College?
Faber College

20. 2. OpenID Connect SIOP
DID authentication over OpenID Connect, using
“self issued” OpenID Provider, which could be:
⭑ Browser plugin
⭑ Mobile wallet
Benefits include:
✓ Alignment with popular OIDC standard
✓ Backwards compatible with existing SIOP
implementations
✓ Avoids intermediary “identity providers”

21. 3. Structured messaging
Simple authentication using DID messaging:
⭑ Out of band (e.g. call centre)
⭑ Second factor (e.g. website)
Benefits include:
✓ Real-time challenge & response
✓ Ability to gather additional information
(e.g. for knowledge-based challenge)

22. 4. Proof presentation
Authenticate anyone, anywhere using
attributes from verifiable credentials
Enables authentication across domains with an
appropriate trust framework:
✓ Truly decentralized single sign-on
✓ No need for central repository of DIDs
✓ Can encapsulate authorization rules
✓ Can include biographical & biometric data

23. Safe credentials
Single sign-on without a single username
✓ Avoids unintended correlation
Selective & progressive disclosure of attributes
✓ Supports context-appropriate
authentication
Result: flexibility + privacy

24. How can we bridge the
old and the new?

25. Trust
Federation
condatis.com/ssi

26. Trust
Federation
Bilateral trust!
condatis.com/ssi

27. Trust
Federation SSI
condatis.com/ssi

28. Trust
Federation SSI
condatis.com/ssi
Who can i
trust?

29. How it looks integrated
condatis.com/ssi

30. How it looks integrated
condatis.com/ssi

31. Integrating SSI into today’s workflows and processes
condatis.com/ssi

32. Sequence
condatis.com/ssi

33. Staff Passporting
✔ Define organisations’ Trust Framework
✔ Directory service authentication (e.g., AAD)
✔ SSO between services and organisations
✔ Work with existing OIDC services
condatis.com/ssi

34. CULedger: Touchless credit union auth
Walk in, call in, log in
“Our members are already embracing this new
method of authentication and sharing their
excitement with our team. We’ve been told that
the enrollment process is simple and quick,
and that they feel more secure when calling
into the call center.”
Gordon Howe, President and CEO of UNIFY Financial Credit Union

35. Thank you
Questions?
Please drop them in the chat!
Connect with us via Twitter or Email
@evernym | info@evernym.com
@CondatisUK | info@condatis.com