Identity Evolution: Navigating the Digital Landscape with Andrew Hindle

Christine Owen:
Hi, good morning, afternoon or evening whenever you end up seeing this. My name's Christine Owen. I'm the host of Identiholics. Today, I have a very lovely guest all the way from across the pond, Andi Hindle. Andi, would you like to tell us a little bit about yourself and what you're drinking?

Andi Hindle:
I would be happy to do that. Let me start by saying two things. Firstly, I love the name of this thing. Identiholics is just awesome. And the second thing is usually I start, whenever I do podcasts and things, I always start with, good morning, good afternoon, good evening, and you stole my line. So now I can't say anything and it's very difficult and I don't know what to do. What am I drinking? Well, it is afternoon-


Andi Hindle:
So yes, what am I drinking? It's the afternoon here in the UK where I am. And so I did, when we spoke about this a few weeks ago, I promised that I would consider bringing a small glass of whiskey, which as many people, many of my friends know, is my drink of choice. But two o'clock in the afternoon is a little bit challenging for whiskey and I'm looking at what I have to do for the rest of the day and thinking that would not be very professional. So I apologize to everyone for not having brought a lovely glass of whiskey, but instead I have this very fine artisanal mug of, I don't know if everyone can see that, of green tea, which I made for myself, which is something I tend to drink in the afternoon. So there we go. Green tea is my drink of choice today.

Christine Owen:
I think that's great for you, in honor of you. I'm actually not drinking this week, which is very unlike me as well. So I made iced tea, so I made it more Southern American, but I used English breakfast tea from Lidl.

Andi Hindle:
Very good.

Christine Owen:
I like Lidl.

Andi Hindle:
Yeah.

Christine Owen:
Actually quite good. It's almost as good as Lipton.

Andi Hindle:
There you go.

Christine Owen:
So anywho. So Andi, you do a lot of things. A lot of people probably know you as the guy who runs Identiverse because you've been doing that for about a decade. You also have a consulting firm and you've done all these things before you even started doing Identiverse and consulting. So I'd like to start off by understanding a little bit about how you got to where you are, what it is that you're doing now, and yeah.

Andi Hindle:
I'm wondering how long we have.

Christine Owen:
We're here for as long as you want.

Andi Hindle:
Okay, this is very bad. This could go wrong. So let's see, where's the best place to start? You are absolutely right that I've been variously involved in the digital identity space for probably 15 years or so now, maybe a little more than that actually. I fell into identity as many people seem to have done from actually elsewhere in the software industry. And I fell into the software industry almost entirely by accident after university. So I studied Japanese at university, hence the mug and the green tea, and you get to the end of your course at university, unless you've done something very vocational, which for some of my contemporaries, Japanese was, but for me it wasn't that. It was always about learning the language and experiencing the culture and those things. I had no clue what I was going to do. And this opportunity came up with a software company to go and look after their website, essentially here in the UK.
Started there, moved on to do some pre-sales technical consulting and subsequently some, what we used to call field product marketing, field product management for a software company that got acquired by Acro Media, that got acquired by Adobe. And then I left Adobe and started work for Ping Identity. Now lots of people recognize the Ping Identity name. I worked for them for about seven years very early on. So I was the first feet on the ground here in Europe, helped develop the business here, helped develop the business in Asia Pacific. Evidently, based on all of that, you can tell that I have a fairly mixed, fairly broad business technical background. And then I left Ping, having pretty much done the things that I wanted to do at the end of, I want to say 2013, and that was probably about five years into the early years of what was then Cloud Identity Summit, which became Identiverse.
So I'd attended those obviously as part of my role at Ping, having left, Andre Durand who's still the CEO over at Ping, founder of Ping, founded Cloud Identity Summit, which became Identiverse, phoned me up and said, "Look, if you're not otherwise occupied, would you like to come and help pick up some of the content responsibilities at the conference." At the time, a member of the CTO office, then at Ping, Mark Diodati, who went on to become an analyst at Gartner, he was running it, was just about to leave. And so it was essentially a case of pick up what Mark had built and then start to develop it from there. So yeah, that's the history of me picking up the Identiverse side of things and we can talk some more about what happened after that. At the same time, obviously I left Ping, I didn't really know what I was going to do next, and so I did the thing that lots of people do, which is I started consulting.
And so I've done and continue to do a variety of engagements with a variety of organizations ranging from go-to-market, strategic planning for startups in the space, right the way through to market landscape briefings or specific technical area briefings for much larger global scale enterprises. Obviously do less of that at certain times of the year given the amount of work that goes into Identiverse these days. But it's still a really important part of where I'm engaged in the industry. And now I'm involved in a number of the industry associations. So I was very closely involved with IDPro when we originally set that up a few years ago. I now sit on the emeritus board there. I'm involved with Kantara and have been in a variety of ways for some years now. Currently sit on the board at Kantara.
I also have a board seat with a well established startup out of Sweden. I'm involved with them. And there's a few other things that I get stuck into. So yeah, that's the overview. There's all sorts of threads we can pick up from there, but I should stop talking for a second.

Christine Owen:
I love it because first off, I think when you talk to anyone in identity, like you said, generally people don't come out of college and go, "Boy, I want to get into identity." Maybe they do now, but they definitely didn't then. People just end up accidentally in identity somehow. I liked the fact that you were a Japanese major because I was a German major, so I definitely had a lot of options when I got out of college as well. So I ended up figuring out my path that eventually got me here. But the one thing that I think, obviously the reason why we're talking a lot about Identiverse right now is because this will be airing right before Identiverse, and this is actually my first year where I get to see how Identiverse works on the inside because I was very graciously picked to be on the advisory board, and boy is it a lot of work. It is really quite amazing, and I don't know how you have done all of this for the past 10 years because it's so much work and I love it.

Andi Hindle:
The answer is, I have wonderful people like you on the content committee to do all the stuff.

Christine Owen:
Yeah. But still you see everything. So the one thing that I, this year when I got to see all of the submissions and then we whittled it down and then now I'm seeing all of the decks coming in, what's really interesting is, is that in this year's theme, I think of people who submitted things, it was all ABAC related. And what I found really interesting on our thread was that a lot of people said, "You guys haven't done ABAC in a long time, and we don't think there's enough ABAC." And so it just seemed like everyone got together and decided to throw some ABAC into the ring, which is good because I think we're finally at a spot where ABAC might actually work out. And I'm really excited about this piece. But I think, I then started thinking about this when I started preparing for this that there must always be every year people start thinking about a particular topic and there's just a larger submission of topics each year. So how are the trends, in your mind, how are they chosen by people who organically are making this decision?

Andi Hindle:
That's a really interesting, it's more than a question. It's a whole area that we can dig into. And you are right. It's been fascinating over the, you said decade earlier, and that sounds way longer than 10 years. I'm going to go with 10 years, it sounds better. So over that period of time, i`t's really interesting to see how things have evolved. And on the one hand, it's a little bit artificial because clearly as the event, as the conference gets bigger, better attended, more well-known by necessity, you end up with a lot more proposals from a much wider group of people. So that the selection criteria changes over time, which makes it hard to do that longitudinal analysis. But I think macro trend is that we very much see things come and go.
So my favorite example of this is the whole area of, and I'm hesitating only because in a minute you'll understand why. People call this thing by all sorts of different names and it evokes different responses from different people depending on which name you use. So the whole area of personal identity, self-sovereign identity, blockchain, distributor, all of that whole thing. In the last, let's say six years, we had, and I might be out plus or minus one, we had a whole track essentially, not that we really do tracks at the conference, but essentially a whole track specifically on distributed ledger blockchain, how we were going to do with identity, pretty technical, pretty early heartfelt opinions and deep discussion and all of that. And then there was nothing to talk about for two or three years after that. Why? Because people were off trying to figure stuff out.
And then to be fair, I think there was a little bit of extra delay on account of the whole pandemic situation, which kind of got in the way of some of the flow of all of this. But you look at last year and suddenly we've got all sorts of much more practical things happening. So we see topics arrive, drift off, not that nothing's happening in industry, it is. Not that we didn't cover it, because we did, but instead of having eight or 10 things, we had one or two, and then suddenly last year we had, again, a whole track, but much what does this look like in practice? How do we deploy it? How do things like trust frameworks work, which lots of our downy professionals haven't gotten anywhere near yet, and many won't, but a lot will, I suspect more than realize it.
Identity for internet connected things is another area that's like that. We had a lot of material on that maybe eight years ago, and then frankly, not much has happened. Suddenly and a little bit to your authorization point, we're starting to see some things emerge in that area. Some of it cross-pollinates with robotic processes, that kind of thing. So how do you authorize a software process to carry out an action on behalf of somebody and how do you monitor that. Kind of niche, except not because increasingly people are impacted by both those sorts of things in their routine, kind of I'm just a digital identity professional doing my job, and suddenly I have to think about how do I authorize these processes? And if you happen to work in the industrial sector or an industrial sector, then things are likely to be something that matters. So you've got sensors, you've got machinery and plant, you've got all of those things. Or if you're on the consumer side, you might be looking at it as well.
So you are right. This year there has been, and I'm kind of pleased about this, we sort of predicted it coming out of Identiverse at the end of 2023. There's a lot happening in the authorization space, and I'm pleased that we're able to cover that. I think that one's going to run for a while. There's a lot of work to do there. Some of it is, calling it long tail is maybe wrong, but it's kind of bringing everybody up to the current state of the art. But the current art needs to evolve a lot in my view, and I don't think I'm alone in expressing that view. That work is ongoing, so that's very positive. As a result, I suspect that we're going to be covering that in much more depth probably for another year or two even.
One of the things that has been really interesting and exciting and fun to be able to do over the last couple of years is that, so Identiverse, as most people will now be aware, Ping Identity sold the conference essentially to CyberRisk Alliance. And so with CRA's help, we've been able to do some things at the conference that we've not been able to do before. And one of those things is to start analyzing all of the responses that we get from the CFP, looking at that as a set essentially, and then saying, okay, well what trends and pull out of that. Is it rigorous and academic? No, but it's also more than just a nice piece of marketing. There's actually some really interesting nuggets in there and it's top of mind for me. I just finished writing a little introduction to it this morning. And there are some really interesting things that we start to see during the course of the year, not only in terms of I guess technical topics like authorization or personal identity or wallets or whatever it might be.
Like last year there was an awful lot of passkey as you might expect, but we also start to see some differences in who is putting proposals in. And so we get an increasing, and I'm really pleased about proposals from large enterprises, small enterprises, enterprises of all sizes and other organizations. So I don't want to exclude public sector and government from that. We get plenty of proposals from there as well. But really specific, I went out, I tried to solve this business problem by deploying passkey or externalized authorization or whatever it might be. Here's how I went about it. Here are the problems I ran into doing it. Here are the integration things I had to do. That's really valuable. It's as valuable as having somebody who works on a standard come in and explain this is how the standard works. You kind of need both of those things. So the more of that we get the happier I am.

Christine Owen:
Yeah, we have some pretty cool ones that are like that, and I've been working on those and I'm really excited about seeing some of them. The more I see them, the more excited I am. I think there's some really good lessons learned from large scale implementations. There's one in particular that's a migration, and I mean I can't wait to see the talk because the migration looks quite challenging, but it happened, so they got through it. So they have some good lessons learned from that as well. So I want to talk a little bit about the way that... This is Chauncey by the way. The way that the conference has changed, because my first conference was right before the pandemic when it was in D.C., and the conference used to go from city to city. Then we had the pandemic and it went to virtual, and then it was in Denver for a couple of years.
And that first one after the pandemic was really teeny tiny, but it was amazing. I went to that one and I am so glad I did because it was kind of like this intimate gathering of identity professionals, and that's where you got to really meet a lot of the people in the profession. Actually, I'm wearing my shirt from that year. I got an Auth0 shirt that Vittorio, they were doing a printing pass and he did it for us. So that was really exciting. But last year you had quite a few attendees, and I know this year there's going to be even more in Vegas, and I think this is my theory, maybe it's because I'm biased, but I feel like the industry is primed to have more and more attendees in the future just because people are starting to wake up and realize how important identity is. And you, Identiverse of course, covers everything, not just one sliver of identity. So what have you seen from the early days to now?

Andi Hindle:
Yeah, so I think that's interesting, right? I think the demographic has maybe changed a little bit, and I think this speaks to your observation about the understanding of the recognition of the importance of identity in the context of an overall business. And again, I'm using business as a catch-all term here, but I think for most practitioners, for most professionals in the space, it's probably not exclusively, but probably still the case that they sit within overall cybersecurity part of the organization, which generally speaking, and again, I want to make clear that there are exceptions that prove the rule, but by and large, that tends to be from a business standpoint, a risk mitigation function. It's about how do you protect customers, consumers, the workforce, the assets of the organization from cyber attack. And we all know that those intrusions are becoming more rapid, more numerous, more widespread, increasingly automated and increasingly targeting identity since we all know, and this is going back years now, but identity is well established as the new perimeter.
And so that's where most organizations tend to put identity. And that's very important and that's wonderful, and that needs to continue to be the case. But we also know that there's lots of overlap with the privacy side of the house, and I have some experience there, as you know. And increasingly, the more technically minded individuals within the privacy sector are starting to say, hey, actually there's a whole bunch of things happening in digital identity that can really help us make sure that we're doing things the right way, that we've got privacy built in by default, by design from the very start of a project. It's the identity people who are going to help us make sure that that happens. The third piece of this is... And so that process I think is underway. We've started to see, I guess the privacy voice being heard better at the executive level.
Again, it's patchy still. There's a lot of organizations for whom it's a very important and rigorously executed box-checking exercise rather than saying, and we see examples of this and increasing examples of, okay, how can privacy help my business as opposed to what do I need to do to make sure I'm behaving properly? And so we're now starting to see that happen in the business. So those organizations that are really thinking hard about what does their, and I hate buzzwords and buzzphrases, but digital-first strategy, what does that look like? And the answer is, the first thing that a customer is going to do, whether they're a consumer or a business customer, the first thing they're going to do when they interact with your system is log in. They're going to authenticate by some mechanism. That's your front door. So if you think about this in really traditional kind of, I have a shop and I have a front door, you want to make it as easy as possible, as pleasant as possible for people to come into that front door.
But most businesses don't do that or haven't done that. And we're just now starting to see this recognition that, oh, wait, that authentication stuff that sits with the, maybe those people know how to do this better. To which the answer is yes. And we've got some really good answers now in the form of passkeys, but we've known how to do that well for a while. We've known how to do authorization that's a smooth, sensible, upfront, proactive process. We've known how to do that for a while. But finally the business is starting to hear that and go, okay, right now we probably ought to come and have a conversation about how you can help with these top line objectives that we have in terms of things like customer acquisition, customer retention, reducing churn, driving top line revenue. Those are not conversations that the cybersecurity group gets involved in generally speaking, but they are things that the identity teams need to be involved in.
So that's the big thing, I think that is starting slowly starting to change, which is we're starting to see people come to the conference now who have that perspective, who've been working on that angle. And these really sort of the early stage of the companies that, the organizations that are starting to understand this coming along and sharing their experiences and saying, "Look, this is what we've been doing and this is how we've been explaining it to the business." That conversation for me is as important as understanding how SAML works or how XACML works or how OpenID Connect works. As important is how can I go and make the case to my organization to invest in this thing that's actually going to help the business, because really frustrating to be sat on a bunch of technology that could really help and not have the opportunity to use it.

Christine Owen:
Yeah, I totally agree with a lot of that. One in particular, I think it's really telling that you guys have gotten Fortune 500 companies to start coming regularly to Identiverse where sometimes they are presenting, but many times they're really just sitting and listening and learning. And I think that's really important because they're starting to see where the trends in the technology's going. But to your point, there's also an ROI attached to it. And that ROI is really important because with the customer engagement, if the customer doesn't believe that you're going to actually take good care of whatever information they're giving you, that's the privacy aspect, then they're going to abandon their cart or abandon their sign-in, and they're going to walk away. The same as if sign-up takes too long. And if there's too much friction when it comes to authentication to be able to buy something or to interact with something that also drives down customer engagement, which also drives down revenue.
That's things that we hear from our customers all the time that we have to help solve for that. And so we have to come up with very simplistic and very streamlined workflows to be able to make sure that the customers don't disengage halfway through the process. So I think it is really nice because also you also have a decent amount of the public sector that likes to come. And so then they start interacting with the commercial side and they start learning more about what best practices are on usability and other things that they don't think about because they're thinking about protecting the data behind.

Andi Hindle:
And I think the other piece of this, and it would be wrong of me to not mention it, is we've obviously got this enormous expo show floor area at the conference as well. The reason that that's relevant in this context is there's so much activity in the vendor space. I mean, the number of new things, not just startups, lots of startups in the space, but also lots of innovation happening in some of the established players in the sector. So there's two sides to this. One is, for these professionals who are starting this journey of, okay, how do I help the business understand what I can do? As you've just pointed out, a lot of vendors are actually ahead of this in terms of messages, some really useful information that you can get if you drift around, you pick up some of that material and then just glom it all together and turn it into a presentation that you can stick in front of the CFO.
There's some really, really helpful information in that sense. There's also lots of useful stuff in terms of, okay, well, how do I stitch different things together to solve a problem in an interesting way or a way that integrates well with my existing estate? The flip side of this, and I think this gets missed more often than not, is the benefit to the vendor of taking the opportunity to listen to what professionals are actually, what practitioners are actually looking to achieve. You don't get that opportunity very often, and I've been on the product side, so I know this, you don't get the opportunity very often to have several thousand individuals all in different industries with different backgrounds, with different problems drifting around, willing to have a conversation about, this is what I'm trying to do.
And I certainly, I mean personal anecdote, but I always found it much more productive when I had to go and stand at a booth years ago, right? I'm very, very pleased I don't have to do that anymore, but used to do it for sure, and always had much better conversations if I started out with, "Hey, tell me a little bit about the business. Tell me a little bit about what you're doing?" As opposed to, "Let me show you my thing." So I think there, there's a huge opportunity for collaboration for cross-fertilization, not just between vendors, but also to hear what it is that practitioners are really looking for, even if they're not necessarily your target customer today, that could be tomorrow.

Christine Owen:
Yeah, I definitely agree with that. 1Kosmos, of course, we have a pretty big booth at Identiverse, but Identiverse has a massive floor space for the Expo, which is really nice to see how, I mean, it's obviously not RSA size, but for a conference the size of Identiverse, the Expo hall is pretty large, I think because the vendors understand that that is the one place to really get in front of identity buyers. First off, I also want to add, I'm so excited to learn today that you are a booth babe, Andi, that's very exciting.
But I also think that not only that, but the companies who come and have a booth, it's very important for them to bring additional people so that they can go to the conference and actually listen. Because there's a lot of things that you learn at the conference, and also during the question and answer period of which there is always one in Identiverse, you get to see what different company's issues are and how they're thinking through the issue that has just been presenting to their mind and whether they have something similar, in which case then, yep, that's something that you know, it's not just in one place, it's in multiple places. And how can you solve for X, right? So I think that it's a really good spot.
There's also just a lot of places I can't believe, but I'm not shocked because I've been going to Identiverse for so long, but there's a lot of places where you can just go and have a really good conversation with someone new and meet someone and learn about what they do. And I think that's really important because the community that goes to Identiverse are all really nice. The people who've been there for forever are all extremely nice, and they're very willing to help out. But then the new folks that come in, once they start warming up and asking questions, it's really nice to bring them into the fold as well. So I find that it's a really welcoming community.

Andi Hindle:
Yeah, I'm really glad that you said that Christine, in part because it's very hard for me to judge, right? I'm so close to it, and during the week itself, I'm pretty buried in things I have to do, but it's really helpful to get that perspective. And it also reminds me of something that we actually introduced last year, and we'll do it again this year, but better, is that with the help of a couple of the associations, so IDPro, Women in Identity and a couple of others, we did essentially a newcomer session right before the first set of breakouts at the very beginning of the conference last year. So we did not know how many people were going to show up, and I think there was a certain amount of trepidation. We'd experimented with it very loosely actually, the prior year. And it was very last minute, very kind of grassroots, and it didn't entirely work, but for reasons that I think we all understood, but there was still a certain amount of nervousness, is anyone going to come?
So the answer is lots of people came. We probably had about 150 people, maybe 200 people in, well, not in actually crowding outside of a room that realistically would've sat about 75. So that was really good. And one of the key things about that is helping people who either haven't been to Identiverse before or came a long time ago and then for whatever reason, weren't there for a while, and it's evolved. It's bigger, it's different. Some things are still the same, but there's some new things too, is helping everybody understand what you just said, which is make the most out of the opportunity to be together with these people. They're all friendly, they're all approachable and leverage that, make use of that.
And I think it turns out to be very helpful to have a couple of folks stand up at the beginning of the show and say, it's actually okay. It's okay to go and talk to if you see a presentation, it's really interesting. Find the speaker, maybe not right afterwards, because they're probably a little amped up from having just done their talk, but find them over a break, tell them how great it was and get in conversation with them. The worst that can happen is somebody says, "Hey, not right now, but could you follow up with me later?" Nobody's going to be upset and taking advantage of that, we don't get these opportunities to have those kinds of conversations very frequently. Absolutely worth doing.

Christine Owen:
Yeah, and I think in the day-to-day, when you're trying to solve identity issues or figure out how to patch your network because of the breaches that you've had, and how do we re-architect for that? I think people forget that they're not the only ones that are trying to solve these problems, and they're not the only ones that are trying to re-architect. And there is someone out there that has a similar architecture, it might not be the same, but it's at least similar and has attempted to solve for that. That's something that I see in the public sector a lot, but I also see it in the private sector. What we see is that a lot of companies have done things similarly, or there's a buying trend where they're buying certain pieces of vendor technology around the same time, and so they all have to do a very similar architecture at the end of the day. So as long as it's not a ton of legacy, that still is mainframes in the back end, everybody. But you know what? There's still companies that have that exact same problem.

Andi Hindle:
I was going to say, legacy is my favorite word. We integrate with legacy technology. What you mean is that you will actually run with the stuff that actually runs my company, right?

Christine Owen:
Yeah. Well, I think what they mean is we'll just firewall off that whole piece and then we can punch you through that firewall.

Andi Hindle:
Ignore the Cobolt. It's fine. It does its thing, Jeff looks after it, it's okay.

Christine Owen:
Yeah, exactly. Only Jack knows, but it's okay because he'll be here forever, we swear. So I really appreciate your time today. I want to ask you, this is a question you asked me when we were up in New York and I was on a panel, which was a very fun panel, so it's not the same question, but what do you think is going to be the biggest topics in Identiverse or in identity in five years? So think a little bit ahead and what do you think is really going to be standing out in the trend then?

Andi Hindle:
Yeah, so hopefully we'll save this somewhere and then in five years time we can come back and go, yeah, no, you were completely wrong. Just wrong.

Christine Owen:
It's going to be on the internet, so it'll always be there forever.

Andi Hindle:
Yeah, well, that's true, yes, in perpetuity. So I think there's a couple of things. One, maybe three. The first is I would be shocked if in five years time, at minimum, we were working on the assumption that the default authentication process was not passkey. He says, making sure that he got all the negatives. In other words, in five years time, I expect that passkeys will be the norm for logging into stuff. There's going to be a long tail. There's always a long tail, but I think that will be pretty well established by then. I actually think it might come sooner, but certainly by then. Second thing is something we've already talked about, which is authorization. There are plenty of challenges still to solve there. I think architecturally we understand how to externalize authorization within the enterprise, within the organization. Externalizing across organizational boundaries is the Wild West. There's no really good answer to that.
If you roll the clock back again, eight-ish years, the same was true for provisioning and then SCIM came along and things are better, not fixed, but better. We kind of have to go through that journey, but it's a lot more complicated with authorization. There's lots of really good work going on. I think it would be premature to say that we'll have that solved in five years, but I think it's a reasonable bet that we'll have made a ton of progress by then, not just technically solving those problems, but in getting things implemented and deployed. The third thing is a much, much bigger topic, which I think is going to impact in all sorts of ways that we haven't even really started to think about yet, and that is the advent of the digital identity wallet and all of the things that go along with that.
I actually wrote a blog piece about this a couple of weeks, a couple of weeks. It might be longer than that now. It might be three or four weeks ago. I think there's some really interesting, so very straightforward things in terms of, you talked about the initial account creation process earlier on, and you can absolutely see ways in which that could be tremendously simplified even beyond where we are today with, okay, well, I use a password manager and it's got a bunch of stuff in it, and I autofill the fields, or I use my web browser to do that. Even beyond that, in a much more secure, much more privacy preserving way, at least theoretically, the idea that you can actually use your digital identity wallet to do some of that stuff. There's a whole set of additional considerations that come alongside that in terms of, well, how do we properly maintain privacy? How do we make sure that we're not over-proofing, over-verifying, and I'm actually doing a talk at Identiverse this year with Steve Wilson about exactly that question.
But I also think that there may be some really deep architectural changes that come along once identity wallets are established in terms of the ability for the identity stack, if you will, to make decisions in real time with real time data. We've started to see early instances of that more from a security perspective with some of the shared signals, the CAEP and RISC work that's going on. Full disclosure, I had some involvement in some of the very early work there together with Andrew Nash and others. Most of that today orients around security risks and that kind of data sharing, right? It's a great place to start, but I think we're going to see some interesting opportunities in terms of getting data much more frequently during the course of a transaction and making really subtle changes to what the authorization state, the permission state, all of those things look like.
I don't know exactly what that looks like yet, but it feels to me as though we might be heading in that direction. And if we are, then our existing identity stack architecture, call it what you will, all of the processes that go along with that, none of that is ready. So that to me is a really interesting frontier to start to go and explore and say, well, okay, if that's where we're going, I think there are lots of reasons why it would be good to go in that direction, to be clear. There are also some risks that we have to be very, very cognizant of. But if that's direction we're going in, what do we need to do? What do we need to change?
And that isn't just about technology and product and integrations and all those things. It's about people and it's about process, and it's about integrating identity with the rest of the business in a way that in a lot of cases it still isn't today. Lots to work on. But that's my sort of back pocket prediction for five years time is I think we're going to be some distance along that journey. How far remains to be seen?

Christine Owen:
Yeah, so I totally agree with you. Obviously, I don't think I'd be in this company if I didn't, but I do agree with you, and part of the reasons why I agree with you is because there's a couple of things that I see movement happening. The ABAC piece is really starting to truly actually gain traction for the first time in a really long time, where we're really talking about true ABAC and not RBAC. Whereas in the past, whenever we talked to ABAC, it would always be RBAC, this is completely different. But if we're going to have this true ABAC, we actually have to have attributes to pass over to them. So the best way to do that would be for the individual users to have privacy preserving digital wallet to be able to pass attributes, especially whenever they're signing up for something. Boy, I'd really just like to say, yeah, I consent to give someone my name, my email address, my home address, so that I can quickly and easily buy that shoe that I like to buy or whatever.
But at the same time, there's this other thing that has to be layered in, which is a trust framework, which you kind of touched on it before. And I think we're seeing that with the way that the standards are written, and then we're going to have to be able to enter into that as well. Because much like passkeys where you need to make sure that the provider is a reputable provider with passkeys. And that's why we have the FIDO Alliance to be able to say, yep, this meets our specifications and standards, or no, it doesn't. You're going to need to have something similar in that digital wallet in that VC space because we need to be able to know who we can trust and who we can't, because we're seeing a lot of companies start to get into this space as well. So I am really excited about that prospect.

Andi Hindle:
Yeah. Yeah. No, there's lots to do. It's funny you talked about the idea of trustable providers. There's a whole set of new risks, or at least they're not necessarily new, but they're risks that we have to really think quite hard about in terms of what could go wrong, how things could be exploited, even, not necessarily just by somebody with criminal intent, but more broadly by people who don't understand what their doing as it were. So again, it's just top of mind because in the UK we've just had some legislation go through that essentially requires manufacturers of internet connected devices to make sure that they are properly protected, that they don't have random default passwords like admin and password one and that kind of thing. There's a whole bunch of other stuff, really, really important piece of legislation, but you amplify that up across wallets and verifiable credentials and passkey providers and all of that, and it's suddenly like, oh, okay, yeah, there's some work to do in terms of just making sure that things are being done properly, so as to protect people from accidental misuse as to deliberate misuse.
But yeah, lots of opportunity too. I think if you're a vendor in this space, there's lots of new things to look at, which is very exciting. But if you're a professional in this space, huge amounts of things to learn and things to explore and new avenues to go down and all the rest of it. It's pretty exciting. So yeah, I'm kind of looking forward to the next five years, I think.

Christine Owen:
Yeah, I agree. Who knew? I thought we were going to be stuck in the password manager and all the other spaces that we've had for years. But no, I think we're starting to accelerate the technology, which is even more fun.

Andi Hindle:
Sure.

Christine Owen:
All right. Well, thank you so much for joining us today, Andi. It's been a pleasure as always.

Andi Hindle:
It's been a joy. Thank you for having me.

Christine Owen:
Yep. All right. And I will definitely see you in the States soon, so thanks so much.

Andi Hindle:
All right, thanks. You take care.