Apps and Identities: Yesterday, Today, and Maybe Tomorrow

Jason Dunk, Chief Technology Officer at Saskatoon Public Schools.

There are few immutable maxims in technology. "No one was ever fired for buying IBM" is a classic. Seasoned IT pros are less likely to issue such credos; we have seen so-called 'absolutes' come and go. Yet I have tried to maintain a few rules of thumb throughout my career. One of the most challenging has been upholding the requirement that all software adhere to single sign-on (SSO).

Unlike the corporate world, which might have an approved software count in the single digits, K12's software footprint is often astounding. Back when software meant traditional installs, SSO was not as big a factor. The real problem back then was getting 60+ titles installed and playing nicely together while waist-deep in the registry to make sure everything was saved to a custom-mapped drive. Fun times, and I still enjoy the occasional registry flex. The traditional software sprawl has been slowly replaced with an online app sprawl. On the upside, techs will not get tripped up by mistakenly editing HKLM when they are supposed to be in HKCU (insert registry flex), but it has made it harder to stay true to SSO.

The scenario is common: an email arrives from the EdTech department, the superintendent, or straight from the director. There is a new online app/website/service that we need to look at. The vendor will be in touch, and we will be asked to investigate. Hopefully, you have been given some background information, such as what problem is being solved with this tool, or what new value is being achieved. A recent personal experience follows this typical script. An online assessment tool is being considered for every 1-6 teacher, approximately 550 staff. The website is well-designed, the tool seems ideal, and the reporting is genuinely nice. Everyone on the EDU side is excited, and the licensing is reasonable. The problem? The vendor does not offer SSO. When this is brought to the vendor's attention, it is clear they have heard it before. The assurances come quickly: we can simply provide them with a spreadsheet to easily onboard all the users. The reality is that teachers move, and staff lists ebb and flow from the beginning of September to June. But the bigger red flag is asking staff to remember a separate password and redirecting them to a vendor when they forget it. We should be beyond unique accounts and passwords for each resource.

To their credit, more vendors are offering SSO than not. OAuth has been around long enough to develop, and most schools are already using a directory that plays friendly with SSO. But with progress comes new challenges, and we are starting to see it in the consumer market. This new sprawl is a game of 'Sign in with' button roulette. This time, the usual suspects are competing to verify us with 'Sign in with Google' or 'Sign in with Facebook' or 'Sign in with Microsoft' or 'Sign in with Apple.' As this SSO sprawl moves into the enterprise, we are tasked with figuring out what happens when staff mistakenly link to a personal Gmail, or how to maintain multifactor across authentication mechanisms. Still less painful than hundreds of unmanaged user accounts and separate passwords, but lots to sort out, nonetheless.

Ironically, we are making choices in our personal lives as to which tech company will represent our identity, while lawsuits and news about how those same companies fail us in privacy and security are commonplace. And in the enterprise, the calculus is much the same, balancing privacy and security with the convenience of fewer passwords. But it prompts the question of why. Why do we need massive tech companies guaranteeing our personal identity?

There are examples of government-backed digital IDs. The European Union, typically more progressive in the areas of digital privacy, is moving forward with a Digital ID wallet for member states that aims to provide digital identification starting in 2023. Both the concept and possibilities are equally interesting, but the execution of a digital ID is what I think most about. It calls to mind the sovereign identity movement, whose potential organizations like CIRA have highlighted. Predicated on blockchain technology, a sovereign identity offers the digital equivalent of an ID that belongs to you, not a third party. Blockchain often evokes thoughts of bitcoin and NFTs, and the corresponding scratching of chins as to the long-term relevance. It is a fair criticism. Keep in mind the early web was synonymous with animated GIFs and brightly-colored blogs. The underlying technology showed promise even when the execution was questionable.

The key feature of a sovereign identity is the same reality you have had in your wallet since you were 16 years old. You get to control who sees your ID. You grant and revoke access to your digital ID in the blockchain (like you would for bitcoin or NFT) in the same way you decided who among your friends got to see your embarrassing driver's license photo. Yes, there are many issues to work out, such as privacy, anonymity, and security. Yes, the news is filled with bitcoin heists and NFT strangeness. But the underlying technologies and ideas behind Web3 seem to have real promise. Skepticism is understandable, but how straight is the line from GIF-peppered GeoCities sites of the 90s to modern online banking? Perhaps young IT pros of today will be the seasoned IT pros of a future when for-profit identity providers seem as ridiculous as the GIF-laden Myspace pages the current seasoned pros built in the 90s.

And for those curious, the SSO maxim held true. We did not end up going with the software that required a separate username and password. In an interesting plot twist, I got to employ a second maxim, 'only build what you cannot buy,' and we ended up writing our own assessment software, complete with SSO and LDAP for teacher, student, and class rostering with PowerBI for reporting. A somewhat rare win/win for credos.
