Episode 13 - Digital identities and identity access management

Show notes

**Digital Identities and Identity Access Management - Episode 13 - Rock the Prototype Podcast**

Security and trust at the heart of digital identity management

Digital identities and the way they are managed form the backbone of our connected society and enable us to navigate the digital space securely and efficiently.

In this podcast episode, we start with the basics: ❇️ What exactly is a digital identity and why does it play such a crucial role in our online lives? ❇️ What does identity and access management mean and how does it contribute to the security and smooth functioning of digital services?

00:00:00 Digital identities and identity access management – Security and trust at the heart of digital identity management
00:01:33 Rock the Prototype Song
00:03:35 Digital identities — and the way they are managed
00:03:55 Across Europe, the EUDI Wallet and the Architecture Reference Framework are reshaping how digital identity is designed
00:04:24 How often do we use digital identities, and do we use them every day?
00:05:01 What is a digital identity?
00:05:38 A digital identity typically includes elements such as:
00:07:31 Data sovereignty within your digital identity
00:07:48 Why blockchain technology is a controversial method for managing digital identities or artifacts
00:08:32 Managing and securing digital identities is essential to prevent identity theft, fraud, and misuse
00:09:02 Digital identities require agreements that operate above national boundaries
00:09:34 Shared technical standards for interoperability, security, and cross-border identity verification for digital identities
00:09:56 State-sponsored cyber operations — including espionage, infrastructure attacks, and identity-related intrusions
00:10:48 Countries both cooperate on technical standards and simultaneously compete in intelligence, cyber capabilities, economic interests, and even in satellite orbit and space
00:11:28 Digital sovereignty as a strategic necessity
00:12:08 eIDAS Regulation and the EUDI Wallet as a digital identity ecosystem
00:12:43 Role and function of Germany’s Federal Office for Information Security — the BSI
00:13:12 Now let’s ground this in a clear example
00:13:32 Identity assertion is backed by strong device-based security
00:14:38 Government services or highly sensitive data — such as health information or legally binding digital credentials
00:15:03 But what would an anonymous digital identity need to look like to protect both you and your personal data?
00:15:29 TOR – The Onion Router
00:16:24 Zero-Knowledge Proofs – identity validity without disclosure
00:16:59 A well-designed ZKP must fulfill three properties
00:17:45 Common Zero-Knowledge Proofs authentication structure
00:18:30 Unlocking your smartphone with Face ID
00:19:13 Fundamental security principle first formulated by Auguste Kerckhoffs in 1883
00:19:47 Standards & Protocols of digital identities
00:20:30 Kerberos
00:22:45 X.509, PKI, TLS within digital identity infrastructure
00:24:05 The eIDAS Regulation aims to harmonize electronic identification and trust services across member states
00:26:00 ISO/IEC 27001 as a governance framework for managing information security risks
00:26:10 Certificate revocation – a critical operational challenge in any certificate-based system
00:27:05 Key takeaway

Join us on this journey to understand how digital identities affect our online lives and how IAM systems help secure and shape our digital existence.

Support us: If you enjoyed our episode, please leave us a rating.💕

🙋‍♂️I'm Sascha Block, IT architect and your guide and moderator, and I'll give you an insight into what you can expect in the coming episodes.

👉Subscribe to the Rock the Prototype podcast now👈 so you don't miss a single episode. So, let's rock software development and prototyping together!🚀

Show transcript

00:00:00: RTP#13 – Digital identities and identity access management.

00:00:04: Security and trust at the heart of digital identity management.

00:00:10: Moin Moin — that’s our northern-German way of saying hello and offering exchange — and welcome to a new episode of the Rock the Prototype Podcast.

00:00:24: I’m Sascha Block, an IT architect based in Hamburg.

00:00:29: Today we’re taking a closer look at one of the foundational topics shaping our digital society: digital identities and Identity and Access Management.

00:00:44: As more of our interactions and transactions move into the digital realm, understanding the invisible architectures that support our online world has become essential.

00:00:57: In this episode, we’ll start with the fundamentals: What exactly is a digital identity, and why does it play such a crucial role in our online lives?

00:01:10: What does Identity and Access Management really mean — and how does it contribute to the security and reliability of digital services?

00:01:22: We’ll also explore the difference between authentication and authorization, and why this distinction is essential for protecting our digital identities.

00:01:33: Music: Rock the Prototype Song.

00:03:35: Digital identities — and the way they are managed — form the backbone of modern digital ecosystems.

00:03:42: They enable us to move securely and efficiently through an increasingly interconnected environment.

00:03:50: And today, this topic is more relevant than ever.

00:03:55: Across Europe, the EUDI Wallet and the Architecture Reference Framework are reshaping how digital identity, trust services, and cross-border interoperability are designed.

00:04:08: These frameworks are defining how citizens, companies, and public authorities will authenticate, authorize, and exchange verified information in the coming years.

00:04:24: Before we dive into today’s core topic, let’s take a moment to reflect on how often we use digital services throughout a single day.

00:04:36: From logging into our email accounts to sharing a post on social media — behind each of these actions lies an invisible yet essential component: our digital identity.

00:04:52: Today, we’ll uncover this hidden facet of our digital lives and understand why it plays such a crucial role in our online interactions.

00:05:01: What is a digital identity?

00:05:04: A digital identity refers to the virtual representation of a person, an organization, or an object within digital systems or their networks.

00:05:14: It consists of a set of information and characteristics used to recognize and verify an entity online.

00:05:22: Digital identities allow users to sign into various online services, conduct transactions, exchange information, and participate in digital interactions in general.

00:05:38: A digital identity typically includes elements such as:

00:05:42: Username and password: Traditional authentication methods commonly used to access online services.

00:05:52: Biometric data: Fingerprints, facial recognition, or iris scans — unique physical attributes used to identify a person.

00:06:05: These are often described as convenience features because they spare us from manually entering secrets like usernames or passwords.

00:06:18: Two-factor authentication (2FA) and multi-factor authentication (MFA): Additional layers of security beyond passwords.

00:06:29: For example, one-time codes sent via SMS or, ideally, generated through authentication apps.

00:06:42: Digital certificates: Cryptographic keys and certificates that confirm the identity of a user or entity in encrypted communications.

00:06:55: Social profiles: Information collected by social networks and online platforms to represent the online presence of a person or organization.

00:07:10: It is important, however, to be aware of the challenges this poses for data sovereignty.

00:07:18: In a world where our digital footprints can have far-reaching and long-lasting effects, the right to be forgotten — the ability to control and delete our online history — is a crucial principle for protecting our digital identities and safeguarding our privacy.

00:07:31: While the right to be forgotten and data sovereignty are central aspects when dealing with social profiles, there are other areas of digital identity management that require careful consideration as well.

00:07:48: One such area is blockchain technology.

00:07:53: While some experts view blockchain as a promising future-oriented solution for managing digital identities or artifacts — due to its decentralized and secure nature — we also face several challenges in this space.

00:08:13: Criticisms such as disproportionate resource consumption and potential security risks cannot be ignored.

00:08:20: For this reason, our discussion will focus on established and less controversial methods of identity management.

00:08:32: Managing and securing digital identities is essential to prevent identity theft, fraud, and misuse.

00:08:40: At the same time, digital identities can use biometric methods to provide convenient and efficient online experiences by enabling access to various services.

00:08:52: However, even biometric procedures are not considered unconditionally secure.

00:09:02: As we move from individual authentication methods towards the broader security ecosystem and compliance, it’s important to recognize that many of today’s identity and cybersecurity challenges cannot be addressed by single nations alone.

00:09:18: They require agreements that operate above national boundaries — what we often call supranational agreements and international IT standards.

00:09:34: In practice, this means that multiple countries must align on shared rules, shared trust models, and — most importantly — shared technical standards.

00:09:47: Without them, interoperability, security, and cross-border identity verification simply would not work.

00:09:56: This shared layer of security has become increasingly important in a world where digital threats are not limited to criminal actors.

00:10:07: State-sponsored cyber operations — including espionage, infrastructure attacks, and identity-related intrusions — are attributed to countries like China, Russia, and, in some contexts, even the United States.

00:10:27: It’s important to be clear: every nation operates intelligence services — the United States included, just like European countries, China, or Russia.

00:10:39: This is not surprising; it is simply how modern states protect their national interests.

00:10:48: But in the digital realm, this reality creates a structural tension:

00:10:53: Countries both cooperate on technical standards and simultaneously compete in intelligence, cyber capabilities, economic interests, and even in satellite orbit and space.

00:11:09: That’s why digital identity systems and cybersecurity standards must be designed in a way that remains trustworthy even when different geopolitical actors have conflicting incentives.

00:11:28: These realities have made digital sovereignty a strategic necessity, not just a political vision.

00:11:36: Standards bodies such as NIST, ISO, ETSI, and the OpenID Foundation play a crucial role here.

00:11:48: They define the cryptographic foundations, identity protocols, and interoperability models that allow countries and organizations to defend themselves effectively — and to build secure digital infrastructures that can withstand global-scale threats.

00:12:08: Within Europe, the eIDAS Regulation, the EUDI Wallet, and the Network Two Directive represent a coordinated effort to establish a sovereign, rights-based cybersecurity posture.

00:12:26: These initiatives aim to protect European infrastructures from external dependencies and geopolitical vulnerabilities while remaining fully compatible with long-standing international standards.

00:12:43: Germany’s Federal Office for Information Security — the BSI — operates within this context.

00:12:51: It is Germany’s national authority responsible for implementing and enforcing these supranational requirements, translating them into technical guidelines, cryptographic expectations, and operational security controls.

00:13:12: Now let’s ground this in a clear example.

00:13:16: Consider how you authenticate when making a digital payment by presenting a digital artefact of your banking card through a modern wallet — and today, this space is largely dominated by the Apple or Google Wallet.

00:13:32: In such cases, your identity assertion is backed by strong device-based security: protected hardware elements, biometric authentication, and standardized tokenization protocols.

00:13:49: These flows operate at significantly higher assurance levels than traditional login mechanisms and provide a controlled, verifiable link between the user, the device, and the service being accessed.

00:14:08: This stands in extreme contrast to older technologies such as traditional email systems, which were never designed for high-assurance interactions and do not provide end-to-end security by default.

00:14:24: Wallet-based transactions, by comparison, demonstrate how modern identity assurance can be implemented when cryptographic controls, device security, and standardized protocols align.

00:14:38: And when we shift to government services or highly sensitive data — such as health information or legally binding digital credentials — the required assurance level increases even further.

00:14:55: Here, strong identity verification becomes mandatory before any form of authorization is granted.

00:15:03: But what would an anonymous digital identity need to look like to protect both you and your personal data?

00:15:12: When it comes to privacy-preserving identity verification, technical foundations like the TOR network and Zero-Knowledge Proofs (ZKPs) offer contrasting approaches, each solving a different part of the puzzle.

00:15:29: TOR, short for The Onion Router, is a decentralized network of relay nodes designed to anonymize internet traffic.

00:15:41: Instead of sending data directly from A to B, TOR routes encrypted packets through multiple independent relays, so no single node knows both the origin and the destination.

00:15:57: It follows the onion principle: data layers are encrypted and peeled by each relay — revealing only what’s needed for the next hop.

00:16:13: This method protects where a request comes from, not necessarily what’s inside it — but it remains one of the most widely recognized technologies for digital anonymity.

00:16:24: Zero-Knowledge Proofs – identity validity without disclosure.

00:16:29: A different model is provided by Zero-Knowledge authentication protocols, where the goal is not to hide traffic paths, but to hide the secret itself.

00:16:42: A Zero-Knowledge Proof allows a Prover to convince a Verifier that a statement is true — without revealing the underlying information that proves it.

00:16:59: A well-designed ZKP must fulfill three properties:

00:17:03: Completeness → if the statement is true, an honest verifier will be convinced.

00:17:09: Soundness → false statements cannot be proven successfully.

00:17:15: Zero-Knowledge → nothing is revealed beyond the statement's validity itself.

00:17:31: This makes ZKP-based identities especially valuable in situations where verification is needed, but data exposure must be minimized.

00:17:45: Common Zero-Knowledge Proofs authentication structure:

00:17:49: Two parties interact: Prover (who wants to prove something) and Verifier (who checks the proof).

00:17:58: The verifier sends a random challenge (like a nonce or query value).

00:18:05: The prover responds with a mathematically valid transformation of that challenge.

00:18:12: The verifier checks correctness using a public reference (e.g., a proof commitment, digital identity claim, or key binding).

00:18:22: At no point is the underlying secret transmitted.

00:18:30: Imagine unlocking your smartphone with Face ID.

00:18:35: The device checks something internally that only you and your personal device have.

00:18:42: But your digital face representation or password never leaves the system.

00:18:49: Only the response is checked — and results in access for a service.

00:18:58: This is quite comparable: in Zero-Knowledge identity proofs, your secret remains private, but a correct response still demonstrates proven trust and ownership — without ever revealing the secret itself.

00:19:13: This idea reflects a fundamental security principle first formulated by Auguste Kerckhoffs in 1883:

00:19:25: A system should remain secure even when everything about it is public — except the key itself.

00:19:34: In other words: security cannot depend on secrecy of the method — only on secrecy of the secret itself.

00:19:47: Standards & Protocols.

00:19:52: Let’s now turn to standards and protocols in the context of digital identities.

00:20:00: When we talk about digital identity systems, we’re not talking about a single technology — we’re talking about an ecosystem of standards and protocols that enable authentication, authorization, and identity management at scale.

00:20:16: Especially in modern cloud-based IAM systems, these standards form the backbone of how access is granted, controlled, and secured.

00:20:29: Let’s take a closer look at some of the most relevant ones — and why they still matter today.

00:20:40: Kerberos.

00:20:43: Kerberos is one of the older, yet still widely used authentication protocols — particularly in enterprise environments.

00:20:54: It was originally designed for closed networks and on-premise infrastructures, but it continues to play an important transitional role in hybrid environments, where on-premise systems are connected to cloud services.

00:21:12: In many organizations, Kerberos acts as a bridge between legacy identity infrastructures — such as Active Directory — and modern cloud-based applications, enabling single sign-on across both worlds.

00:21:30: However, it’s important to be clear about its limitations.

00:21:36: Kerberos was not designed for cloud-native architectures, zero-trust models, or passwordless authentication.

00:21:47: As organizations move toward cloud-first or cloud-only strategies, Kerberos is increasingly being replaced by modern identity protocols such as OpenID Connect, OAuth 2.0, and device-bound credentials.

00:22:07: So while Kerberos remains relevant in certain enterprise contexts, it is no longer considered a future-proof foundation for digital identity on its own.

00:22:22: X.509, PKI, TLS.

00:22:26: Another foundational standard is X.509 — the basis for public key certificates and public key infrastructures.

00:22:37: X.509 plays a critical role in securing the internet, particularly through TLS — Transport Layer Security — which protects data in transit between clients and servers.

00:22:56: When you see the lock icon in your browser, you’re relying on X.509 certificates, certificate authorities, and PKI to verify that you’re communicating with the intended service — and not an attacker.

00:23:16: It’s important to understand the scope here:

00:23:20: TLS secures the transport layer — it does not provide end-to-end encryption between two human communication partners.

00:23:32: Nevertheless, X.509-based PKI remains one of the most important trust mechanisms we have today, enabling authentication, encryption, and protection against man-in-the-middle attacks at internet scale.

00:23:52: eIDAS, Trust Services & Critique.

00:23:56: Within the European Union, the eIDAS Regulation aims to harmonize electronic identification and trust services across member states.

00:24:10: Trust Service Providers issue qualified certificates and signatures that enable legally binding digital transactions — especially in regulated and governmental contexts.

00:24:25: At the same time, eIDAS has not been without criticism.

00:24:31: One recurring concern relates to trust anchor management — particularly the interaction between regulatory requirements and browser root certificate stores.

00:24:47: While interoperability is a key goal, it also highlights the importance of maintaining strict security standards, transparency, and operational rigor — especially when trust is enforced at scale.

00:25:05: With eIDAS 2.0 and the EUDI Wallet, the focus is shifting:

00:25:12: Away from browser-centric trust models.

00:25:16: Towards wallet-based identity architectures.

00:25:20: Selective disclosure.

00:25:24: And cryptographically verifiable credentials.

00:25:32: Certificate Revocation.

00:25:36: A critical operational challenge in any certificate-based system is revocation.

00:25:44: In small setups, certificate lifecycle management can be straightforward.

00:25:52: But in large organizations — involving multiple teams, vendors, and support chains — revoking certificates quickly and reliably can become surprisingly complex.

00:26:08: This makes clear policies, ownership, automation, and incident readiness absolutely essential.

00:26:24: ISO/IEC 27001.

00:26:28: Finally, standards like ISO/IEC 27001 provide a governance framework for managing information security risks.

00:26:39: While ISO 27001 is not an identity protocol, it plays a vital role in ensuring that identity systems are operated, monitored, and improved in a structured and auditable way.

00:26:54: Ultimately, certificates and standards are only as effective as their real-world implementation.

00:27:07: The key takeaway is this:

00:27:10: There is no single digital identity.

00:27:14: Instead, digital identity is shaped by a complex combination of standards, protocols, regulations, and technologies — each optimized for different contexts, risks, and trust requirements.

00:27:32: Building interoperable, secure, and privacy-preserving identity systems is an ongoing process — and one that continues to evolve with technology, regulation, and geopolitical realities.

00:27:52: I hope this episode gave you valuable insights into the complex world of digital identities — their standards, protocols, and the realities behind secure identity management.

00:28:05: Stay tuned, because we’ll continue this journey in the next episode of our Rock the Prototype podcast series on digital identities.

00:28:16: In part two of this series about digital identities, we’ll take a closer look at OpenID — one of the most important modern identity protocols.

00:28:29: We’ll explore OpenID Federation, its motivation, and how OpenID Connect builds on OAuth to enable secure authentication and identity verification across web applications, APIs, and apps.

00:28:48: If you’d like to go deeper into these topics, you’ll also find additional content on the Rock the Prototype YouTube channel.

00:28:59: You’ll find us on YouTube — or use the link in the show notes directly to follow our Rock the Prototype YouTube Channel.

00:29:12: If you have questions or would like to continue the conversation, feel free to reach out.

00:29:20: And if you enjoy the podcast, please consider subscribing, leaving a rating, or sharing your feedback — it really helps.

00:29:33: Thank you for listening, and see you in the next episode of the Rock the Prototype Podcast.

00:29:41: Yours, Sascha Block.
