Looking Back at Identiverse 2025

Identiverse took place last month and I had the opportunity to speak on identity standards (more on that below). It is always a great opportunity to see friends and colleagues, old and new, as well as hear the latest from the global breadth of identity practitioners and organizations. Key topics of the conference as a whole were agility, trust, and continuous identity. As with any conference, each year has its own buzzword bingo. Among this year’s candidates are verifiable digital credentials, mDLs, passkeys, Agentic AI, and non-human identities.

While I have issues with Las Vegas as a destination, the Mandalay Bay served as a great home base for this year’s conference. The biggest issue, and common to most conferences in Vegas, was the length of the walk from the hotel core to the conference center (about 15 minutes). The other usual complaint for Vegas is the weather; in this respect, we couldn’t have had a better week — warm, but not oppressive. I definitely have to commend the conference on the refreshment and meal package this year. Breakfasts were standard fare (breads, fruits, and beverages), but lunches and afternoon snacks were some of the best I’ve had, especially for a conference of this size.

After an uneventful flight from IND, I arrived to the unmistakable sensory overload of LAS. Whoever thought that air gates surrounding a core of slot machines was both a certified genius and should be prosecuted for crimes against good taste. Gladly, LAS generally runs pretty efficiently and the wait for my checked bags and a taxi was brief. The same was true for both the taxi ride and hotel check-in.

After getting settled in, my first task was running over to the conference center to square away registration. The badge ribbon station was brimming with flair to highlight your badge as a speaker, prior attendance, and the like. My collection of flair wasn’t extreme, but still drew some attention throughout the conference from newer attendees wondering how often I had attended the conference. I’ll admit the first couple of times it happened, there was definitely a feeling of impostor syndrome knowing that many of my friends have been attending for several years before I started coming. It didn’t take long, however, to realize that I’m now truly in the old guard of attendees.

I had planned to have a quiet night and give my deck another run through, just to be prepped for Wednesday’s session. Luckily, I ran into a couple of friends who encouraged me to attend the IdentiBeer event a couple hours later. I’m very glad I took their suggestion, as it was heavily attended and was a great way to touch base with friends and meet some new people as well. If you have a chapter near you, or are attending a conference where a meetup is scheduled, I would highly recommend going and continue building our community.

Tuesday was a split day between paid workshops in the morning and the kick-off of the general conference. While I would have liked digging in to Continuous Identity with Andrew Cameron and Sean O’Dell, I took the morning to catch up on my prep and explore a little bit.

After a quick lunch, my first general conference session was a panel on IPSIE. While I participate in the working group, it was good to hear what questions were coming from the audience. If you aren’t aware, IPSIE is a work in progress to build out a profile of standards to ensure interoperability for single sign-on and user lifecycle. While the work is in its early stage, the reception from the audience provides some confirmation that there is a definite opportunity to improve how enterprises interact with identity technologies.

Next up, another panel covering the latest in verifiable digital credentials. There are a lot of moving parts in this space, including use cases for citizen identity (think mobile drivers licenses) and business use cases as well. While VCs have been gaining traction in the past few years, we are definitely going to see them used more and more outside of tech-heavy scenarios.

Keynotes rounded out the day before the expo hall and various receptions started up. I was incredibly impressed by the number of first-time attendees this year. The main thrust of the first day of keynotes was trust — who or what is granted trust, how is trust determined, and any number of other considerations. Of course, non-human identities were a huge part of that discussion. There are definitely challenges in this space, but I believe there are huge opportunities as well.

The expo hall was sizable and well setup. The highlight of the hall on Day 1 was the “Identiquibble” hosted by the Identity at the Center podcast. Congrats to Team IDPro — Heather Flanagan, Mike Kiser, and Tina Srivastava — on their win!

Keynotes led off Wednesday. John Prichard from Radiant Logic started the morning discussing his concept of “Multiplayer AI” where AI is leveraged to enhance human capabilities in cybersecurity. I find this model for using AI to be a generally viable and the most desirable approach. There a definitely challenges on the identity side of this approach, but NHI is one of the opportunities for our community as we keep moving forward. Hannah Rutter followed with a discussion of the UK’s approach for digital IDs. With the multiple discussions of VDCs at this year’s conference, I definitely need to spend time digging more into those technologies. The last keynote was a discussion of collaboration and creativity to achieve success by adventure racer Robyn Benincasa. This last discussion was interesting, and some of the examples inspiring, but it did feel a bit of a stretch to find the immediate relevance within the identity community. This, of course, could just be my general thick-headedness…

I took some time in the first part of the day to explore the expo hall and make a few contacts. In doing so, I missed some great sessions: Allan Foster using his experience as a pilot to explain planning for failure; Jon Lehtinen’s discussion on how IGA programs fail; and Brian Campbell’s bravura revisit of a 2013 presentation on how OpenID Connect and OAuth were the next generation of identity standards and, in doing so, revisiting moments in the history of Identiverse and remembering friends no longer present. I had the pleasure of hearing an earlier version of Brian’s presentation at OAuth Security Workshop in February, and I can’t wait to hear this version of it once it is published.

My afternoon was dedicated to standards. Aaron Parecki led the afternoon capturing the current state of OAuth. As I talked about in my presentation, OAuth is a collection of many specs and many moving parts. Getting the right combination of parts is essential to doing OAuth correctly and securely. Workload identity standards, featuring WIMSE and SPIFFE, was next up presented by Pieter Kasselman and Joseph Salowey. There are a lot of innovations in the hopper here, with more on the way like proof-of-possession tokens and transaction tokens. This was followed by a deep dive on OpenID for Verified Credentials by Joseph Heenan. These are key technologies to interoperable VDCs, and I need to dig in a bit more here.

I kicked off the late afternoon with a presentation on dealing with how standards in identity change over time. The feedback I received was that the presentation was well-received and well-done. I have a separate post on the full presentation. Andy Barlow capped off the day with an excellent personal take on the complexities on learning standards like OAuth. There was a definite thread among Aaron, Andy, and I discussing the changes in OAuth and the complexities in getting it right.

I took the night off from social events and decided to visit the Battlebots arena — when in Vegas… I had a great time at the show and loved watching the fights in person. I also got to meet David Rush of Team Malice and Ray Billings of Tombstone infamy. Both David and Ray, along with all the technical team behind the scenes, were incredibly giving with their time and stories when I took the tour after the show. The combat robotics community seems to align with the identity community in their welcoming and friendly nature.

Keynotes led the day again on Thursday. While the first two were interesting, they were eclipsed by an emotional keynote from Alex Weinert, formerly at Microsoft and now at Semperis. He discussed the importance of taking care of one’s own mental health. By extension, this also means ensuring your team is taking care of themselves at the same time. This is hugely important, and often missed in organizations. I also commend Alex in recognizing the team that he built at Microsoft for what they’ve accomplished after he left.

After the keynotes were a selection of panel discussions. First on my list was an “innovation workshop” from Alex Weinert, Tina Srivastava, Lance Peterman, and Nishant Kaushik. There was quite a bit of discussion of what I called “big-I” innovation, driving toward new products and patentable ideas, but I appreciated that everyone agreed that “little-I” innovations that support operations or enhance an offering without being a dramatic change can be found using similar approaches. This was followed by “The Recovery Session” covering challenges with account recovery and verifying user identities. A great selection of resources was posted on GitHub for future reference.

After lunch, Arynn Crow detailed AWS’s push to require MFA for all users. This is an insanely important development, and Arynn’s story is inspiring in how successful the push was. This was followed by Heather Flanagan’s overview of FedCM and how the browser has become an active participant in the authentication process. You’ve seen FedCM in action via login with Google flows, among others. This was one of three talks by Heather, on top of her other duties as chief of staff to Identiverse’s conference chair Andi Hindle.

After the break, Libby Brown gave an Alice in Wonderland themed overview of VDCs and their various standards and interop challenges. Again, even more to learn in this space (curiouser and curiouser…). I followed this with a discussion of approaching a more business-centric product mindset in the enterprise identity space, rather than a project or program approach. Lance Peterman makes a compelling case here, but it is a huge shift and would require significant buy-in from leadership over the identity function. Finishing up the day was George Fletcher presenting a framework for evaluating authentication transactions for risk equivalence. This is a huge challenge, as often account recovery scenarios (which are treated as an authentication transaction) are demonstrably weaker than strong login scenarios. George’s approach is to simplify the assessment to math and set a minimum value for any transaction. While his presentation used a simplified algorithm for demonstration purposes, I believe the overall approach is sound and more work is needed in this vein.

Probably the biggest value to me in attending Identiverse is getting to spend time with friends. We are generally spread across the country and world and don’t often get to see each other in real life. Getting time to have a gathering, a drink or two, and telling stories is a breath of fresh air. Thursday night was one such gathering — not driven by any vendors, away from the conference itself, and just having the ability to relax. It was definitely needed and refreshing.

The last day of the conference is a morning-only affair. Attendance on this last day is historically pretty low as people deal with hotel checkout and logistics for outbound travel. I took a little bit of a longer breakfast before catching a final few sessions.

I started with learning a bit more about authentication and authorization for GraphQL deployments with George Fletcher and Alex Babeanu. This session will be helpful as I work on a project related to learning more about identity standards. This is work that I’m doing with help from Alex and Andy Barlow and will have a post on shortly. This was followed by another presentation by Heather Flanagan, in her role as Executive Director of IDPro, discussing the IDPro Job Specifications Library. This is a template library of various identity-related job roles that are meant to provide a starting point for building an identity management team. It can also be used by those seeking a role to refine their resume around the position they would like to seek out.

The final keynotes closed the show. First, Sean and Andrew discussed the principles of Continuous Identity. This included visibility into the near-term where signals from across the enterprise can be used to drive zero standing privilege and assist with continuous governance. Lastly, Berthold Kerl of KuppingerCole Analysts discussed his view that the identity fabric of 2040 really starts with developments made today. This takes into consideration the time developing the standards, implementing products and solutions, and then planning and executing on deployments. On reflection, this makes so much sense as change in any aspect of identity is somewhat like turning the Titanic.

Finally, Andi closed the show thanking everyone involved with the conference including the advisory committee, content track leads, and all the technical staff assisting with AV needs. These individuals put in quite a lot of work to make the conference what it is. That said, Andi and Heather put so much of themselves into the show both ahead of it in prep and so much during it. I’m amazed at their dedication and cannot thank them enough for their work.