Musings on Digital Identity

Month: April 2026

OpenID Presentations at April 2026 OpenID Workshop and IIW

I gave the following presentation on behalf of the OpenID Connect Working Group at the Monday, April 27, 2026 OpenID Workshop at Cisco:

And as has become traditional, I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 28, 2026:

Once again, there was an engaged and informed set of participants who brought their own perspectives and questions to the session, making it more useful for everyone.

Presentation on the OpenID Federation Journey at TDI 2026

I gave the presentation “The Journey to OpenID Federation 1.0 and the Road Ahead” at the 4th International Workshop on Trends in Digital Identity (TDI 2026) in Verona, Italy. My talk abstract was:

The OpenID Federation 1.0 specification was completed in February 2026 after a 9½ year journey, starting with the challenge from Lucy Lynch to Roland Hedberg at the TNC 2016 conference “If there is someone who should be able to bring the eduGAIN identity federation into the new world of OpenID Connect, it is you.” It enables establishing trust among parties in a federation without them having to have a bilateral relationship. It establishes a protocol-independent framework for trust establishment that can be employed with any protocol and ecosystem.

Along the road, there have been 9 interop events, from which the authors used feedback from developers and deployers to improve the specification. Early deployments, especially in Italy, provided real-world experience. A security analysis identified an actionable vulnerability not just in OpenID Federation, but also in OAuth, OpenID Connect, and FAPI.

The road ahead includes continued adoption and developing extensions needed for particular use cases and protocols. Those include extensions used by the Italian EUDI Wallet deployment and open finance deployments in Australia. I am confident that the inherent benefits of the scalable and modular OpenID Federation framework will continue to win adherents the world over.
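The trust establishment the abstract describes rests on a relying party verifying a trust chain of signed entity statements back to a trust anchor whose keys it holds. The Go program below is an added illustration written for this page, not code from the OpenID Federation specification or from any of its implementations. It assumes a three-entity federation with placeholder identifiers (https://ta.example, https://inter.example, https://rp.example), signs statements as compact JWS with Ed25519 (JOSE alg EdDSA), and checks only the claims needed to link the chain (iss, sub, exp, jwks); metadata, metadata policies, authority_hints, kid-based key selection and fetching statements from federation endpoints are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK is a JSON Web Key as a flat map; only Ed25519 public keys (kty OKP) are used here.
type JWK map[string]string

// Statement holds the entity statement claims checked here; real statements carry more.
type Statement struct {
	Iss  string           `json:"iss"`
	Sub  string           `json:"sub"`
	Exp  int64            `json:"exp"`
	Jwks map[string][]JWK `json:"jwks"`
}

type Entity struct {
	ID   string // placeholder entity identifier
	priv ed25519.PrivateKey
	Key  JWK
}

func NewEntity(id string) Entity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Entity{id, priv, JWK{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(pub)}}
}

// Issue signs a statement about sub (an entity configuration when sub == e.ID) as a compact JWS, alg EdDSA.
func (e Entity) Issue(sub string, subKeys []JWK) string {
	st := Statement{Iss: e.ID, Sub: sub, Exp: time.Now().Unix() + 3600, Jwks: map[string][]JWK{"keys": subKeys}}
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "entity-statement+jwt"})
	body, _ := json.Marshal(st)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(e.priv, []byte(input)))
}

// Verify checks a compact JWS against every key in the set and returns its claims on success.
func Verify(jws string, keys []JWK) (st Statement, err error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return st, fmt.Errorf("malformed JWS")
	}
	var hdr struct{ Alg string } // base64 errors are not checked separately: they end as a bad header or a failed signature
	if raw, _ := b64.DecodeString(parts[0]); json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return st, fmt.Errorf("unsupported or missing alg")
	}
	sig, _ := b64.DecodeString(parts[2])
	for _, k := range keys {
		if pub, _ := b64.DecodeString(k["x"]); k["kty"] == "OKP" && len(pub) == ed25519.PublicKeySize &&
			ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
			body, _ := b64.DecodeString(parts[1])
			return st, json.Unmarshal(body, &st)
		}
	}
	return st, fmt.Errorf("no key in the set verifies the signature")
}

// ValidateChain checks a leaf-first chain [leaf EC, SS about leaf, ..., trust anchor EC]; only the anchor's keys come from configuration.
func ValidateChain(chain []string, taID string, taKeys []JWK, now int64) (leaf Statement, err error) {
	// Walk downward: each statement is verified with the keys the one above asserts for its subject and must be issued by that subject.
	keys, issuer := taKeys, taID
	for j := len(chain) - 1; j >= 0; j-- {
		if leaf, err = Verify(chain[j], keys); err != nil {
			return Statement{}, fmt.Errorf("statement %d: %w", j, err)
		}
		if leaf.Iss != issuer || now >= leaf.Exp {
			return Statement{}, fmt.Errorf("statement %d: issuer %q is not %q, or it has expired", j, leaf.Iss, issuer)
		}
		if j == len(chain)-1 && leaf.Sub != taID {
			return Statement{}, fmt.Errorf("last statement is not the trust anchor's entity configuration")
		}
		keys, issuer = leaf.Jwks["keys"], leaf.Sub
	}
	if leaf.Sub == "" || leaf.Sub != leaf.Iss {
		return Statement{}, fmt.Errorf("first statement is not a self-issued entity configuration")
	}
	return leaf, nil
}

// DemoChain builds a constructed anchor -> intermediate -> relying party federation and returns its leaf-first chain.
func DemoChain() (chain []string, taID string, taKeys []JWK) {
	ta, inter, leaf := NewEntity("https://ta.example"), NewEntity("https://inter.example"), NewEntity("https://rp.example")
	chain = []string{leaf.Issue(leaf.ID, []JWK{leaf.Key}), inter.Issue(leaf.ID, []JWK{leaf.Key}), ta.Issue(inter.ID, []JWK{inter.Key}), ta.Issue(ta.ID, []JWK{ta.Key})}
	return chain, ta.ID, []JWK{ta.Key}
}

func main() {
	chain, taID, taKeys := DemoChain()
	fmt.Println(ValidateChain(chain, taID, taKeys, time.Now().Unix()))
}
```

The property to notice is that the relying party and the trust anchor never exchange anything directly: the only key configured out of band is the anchor's, and every other key is vouched for by the statement one hop above it. A statement that is not issued by the subject of the statement above it, for instance one from an entity the anchor never vouched for, fails to link, as does a chain with a missing hop or an expired statement.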

It was an honor to discuss this topic in Italy and with researchers from FBK, who were among the first to deploy OpenID Federation in production and at scale.

See the presentation deck I used (pptx) (pdf).

Thanks to the FBK Center for Cybersecurity for the dynamic and enjoyable conference!

OpenID Federation Journey at TDI 2026

Post-Quantum Presentation at TDI 2026

I gave the presentation “The Post-Quantum Apocalypse Is Already Upon Us” at the 4th International Workshop on Trends in Digital Identity (TDI 2026) in Verona, Italy. My talk abstract was:

“The future is already here — it’s just not evenly distributed” is an apt description of the impact of quantum computers on cryptography and its use in our identity systems. We all know that quantum computers are predicted to be able to break the cryptographic algorithms used in today’s identity systems (RSA, Elliptic Curve, etc.) at some unknown point in the future. But this possibility has huge implications right now. “Disruptive” is an understatement. Every piece of software using cryptography has to be updated before Cryptographically Relevant Quantum Computers (CRQCs) are created (and we don’t know when that will be). “Store now — decrypt later” attacks require action now, not later. Are you using software and protocols that may never be updated for the post-quantum world (such as SAML)? Are you comfortable with your migration path to fully quantum-safe software? This presentation will help you evaluate what you need to do when and how and why to avoid being a victim of the Post-Quantum Apocalypse.

This resulted in an active and useful discussion on what the practical barriers are to updating our computing environments to be secure with the advent of Cryptographically Relevant Quantum Computers (CRQCs), and why it’s critical to start now. Topics included cryptographic algorithms, standards, updating software, and possibly the most difficult thing of all – acting in the presence of uncertainty.
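Working out what has to be updated, and in what order, starts with an inventory of which algorithms identity systems actually use. The Go program below is an added example written for this page, not material from the talk. It classifies the keys in a JWK Set and the alg of JWT headers by whether a CRQC would break them (Shor for RSA and elliptic curves; roughly halved strength under Grover for symmetric keys, so 256-bit keys hold). The JWK Set is constructed with placeholder key material; the AKP key type and ML-DSA-65 algorithm identifiers for post-quantum keys follow the JOSE/COSE ML-DSA draft registrations and are an assumption here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Verdict is one inventory line; Status is "quantum-vulnerable", "quantum-safe" or "review".
type Verdict struct{ ID, Status, Note string }

// jwk carries only the JWK members the classifier looks at.
type jwk struct{ Kty, Alg, Crv, Kid, N, K string }

// bitLen is the length in bits of a base64url value (a value that does not decode counts as 0 bits).
func bitLen(s string) int {
	raw, _ := b64.DecodeString(s)
	return len(raw) * 8
}

// ClassifyKey applies the Shor/Grover rule of thumb: factoring- and discrete-log-based public keys
// (RSA, EC, OKP) fall to a CRQC whatever their size; symmetric keys lose about half their strength to
// Grover, so 256-bit ones stay safe; ML-DSA keys (kty "AKP" with an ML-DSA alg, identifiers taken
// from the JOSE/COSE ML-DSA draft and an assumption here) are post-quantum.
func ClassifyKey(k jwk) Verdict {
	v := Verdict{ID: k.Kid}
	switch {
	case k.Kty == "RSA":
		v.Status, v.Note = "quantum-vulnerable", fmt.Sprintf("RSA %d-bit: Shor factors it whatever the size", bitLen(k.N))
	case k.Kty == "EC" || k.Kty == "OKP":
		v.Status, v.Note = "quantum-vulnerable", k.Kty+"/"+k.Crv+": EC discrete log broken by Shor; if used for key agreement, recorded traffic is exposed to store-now-decrypt-later"
	case k.Kty == "oct" && bitLen(k.K) >= 256:
		v.Status, v.Note = "quantum-safe", fmt.Sprintf("symmetric %d-bit: about %d bits under Grover", bitLen(k.K), bitLen(k.K)/2)
	case k.Kty == "oct":
		v.Status, v.Note = "review", fmt.Sprintf("symmetric %d-bit: Grover leaves about %d bits; rotate to 256", bitLen(k.K), bitLen(k.K)/2)
	case k.Kty == "AKP" && strings.HasPrefix(k.Alg, "ML-DSA-"):
		v.Status, v.Note = "quantum-safe", k.Alg+": lattice-based signature (FIPS 204)"
	default:
		v.Status, v.Note = "review", "unrecognised key type "+k.Kty
	}
	return v
}

// ClassifyJWTAlg reads the alg of a compact JWS/JWT header (no signature check) and reports whether a CRQC would let a forger mint tokens under it.
func ClassifyJWTAlg(token string) Verdict {
	var hdr struct{ Alg string }
	raw, _ := b64.DecodeString(strings.SplitN(token, ".", 2)[0])
	if json.Unmarshal(raw, &hdr) != nil {
		return Verdict{Status: "review", Note: "first segment is not a JOSE header"}
	}
	v := Verdict{ID: "alg=" + hdr.Alg}
	switch a := hdr.Alg; {
	case a == "none":
		v.Status, v.Note = "review", "unsigned token: insecure today, quantum or not"
	case strings.HasPrefix(a, "HS"):
		v.Status, v.Note = "quantum-safe", "HMAC: symmetric, Grover only, given a key of at least 256 bits"
	case strings.HasPrefix(a, "RS") || strings.HasPrefix(a, "PS") || strings.HasPrefix(a, "ES") || a == "EdDSA":
		v.Status, v.Note = "quantum-vulnerable", "RSA or elliptic-curve signature: forgeable with a CRQC"
	case strings.HasPrefix(a, "ML-DSA-"):
		v.Status, v.Note = "quantum-safe", "ML-DSA signature"
	default:
		v.Status, v.Note = "review", "unrecognised alg"
	}
	return v
}

// ScanJWKS inventories every key in a JWK Set document.
func ScanJWKS(doc string) ([]Verdict, error) {
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal([]byte(doc), &set); err != nil {
		return nil, err
	}
	var out []Verdict
	for _, k := range set.Keys {
		out = append(out, ClassifyKey(k))
	}
	return out, nil
}

// sampleJWKS is a constructed JWK Set with placeholder (all-zero) key material, not real keys.
var sampleJWKS = `{"keys":[
 {"kty":"RSA","kid":"idp-rsa","alg":"RS256","e":"AQAB","n":"` + strings.Repeat("A", 342) + `"},
 {"kty":"EC","kid":"idp-p256","crv":"P-256","alg":"ES256"},
 {"kty":"OKP","kid":"kex-x25519","crv":"X25519","use":"enc"},
 {"kty":"oct","kid":"hmac-256","k":"` + strings.Repeat("A", 43) + `"},
 {"kty":"AKP","kid":"idp-mldsa","alg":"ML-DSA-65"}]}`

func main() {
	vs, _ := ScanJWKS(sampleJWKS)
	for _, v := range vs {
		fmt.Printf("%-12s %-20s %s\n", v.ID, v.Status, v.Note)
	}
	fmt.Println(ClassifyJWTAlg(b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + ".e30.sig"))
}
```

Run over the constructed set, three of the five keys come back quantum-vulnerable, which is the realistic picture for an OpenID Provider today: the signing keys (RSA, P-256) can be swapped once verifiers accept a post-quantum alg, while the X25519 key-agreement key is the one "store now, decrypt later" makes urgent, because traffic captured before the migration stays exposed.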

See the presentation deck I used (pptx) (pdf).

Thanks to the FBK Center for Cybersecurity for the great event!


FIDO2 CTAP 2.3 standard and Server Requirements published

The FIDO Alliance has published the CTAP 2.3 Specification. No breaking changes were introduced between CTAP 2.2 and CTAP 2.3, so implementations of CTAP 2.2 are conformant to CTAP 2.3; the Alliance therefore decided to certify CTAP 2.3 implementations rather than create a separate certification category for CTAP 2.2 implementations.

These are the features added and refined in CTAP 2.3:

  • Multiple Data Transfer Channels for Hybrid Interactions: CTAP 2.3 adds support for multiple data transfer channels for Hybrid interactions. Specifically, QR-Initiated transactions can now specify the data transfer channel to use. The default is Websockets (which was supported by CTAP 2.2). The new data transfer channel that can be specified is Bluetooth Low Energy.
  • Long Touch for Reset: CTAP 2.3 adds support for Long Touch for Reset. This feature allows the authenticator to communicate to the platform that the authenticator reset ceremony requires a long touch.
  • Added “FIDO_2_3” to Supported Versions List: The value “FIDO_2_3” was added to the list of supported versions in authenticatorGetInfo to indicate support for CTAP 2.3. Note that no value was created to indicate support for CTAP 2.2.
  • ISO7816 (NFC) Evidence of User Interaction: Clarified intended behaviors providing Evidence of User Interaction for authenticators supporting the ISO7816 contact interface or the ISO14443 contactless interface (NFC) without a method to collect a user gesture inside the authenticator boundary other than through a power on gesture.
  • setMinPINLength: Clarified in authenticatorGetInfo that setMinPINLength may be used when the Authenticator supports PIN entry via built-in User Verification.
  • authenticatorReset: Stated that either authenticatorReset SHOULD be supported or the authenticator MUST provide an alternate way to reset the device back to a factory default state.
  • pinComplexityPolicy and setMinPINLength: The description of the interactions between pinComplexityPolicy and setMinPINLength was refined.
  • smart-card: smart-card was added to the list of FIDO Interfaces.
  • FIDO Applet Selection: Prohibited the authenticator from allowing the FIDO Applets to be implicitly selected or enabled.
  • NFCCTAP_GETRESPONSE: Refined NFCCTAP_GETRESPONSE timeout behaviors.

A corresponding version of the Server Requirements document was also published: Server Requirements (WebAuthn Level 3 and CTAP2.3). Recent server requirements additions are:

More good work moving passkeys forward!
