Redmond, Washington, United States
4K followers
500+ connections
Websites
- Company Website: https://self-issued.consulting/
Articles by Michael
-
JWTs helping combat fraudulent and unwanted telephone calls
Activity
-
Michael Jones shared this: FIDO2 CTAP 2.3 standard and Server Requirements published
The FIDO Alliance has published the CTAP 2.3 Specification. No breaking changes were introduced between CTAP 2.2 and CTAP 2.3. Implementations of CTAP 2.2 are thus conformant to CTAP 2.3, therefore, a decision was made to provide certification of CTAP 2.3 implementations and not have a separate certification category for CTAP 2.2 implementations. A corresponding version of the Server Requirements document was also published: Server Requirements (WebAuthn Level 3 and CTAP2.3). More good work moving passkeys forward! See https://lnkd.in/ghncyTxm for a description of the features added and updated in both specifications.
-
Michael Jones shared this: Final OpenID Connect RP Metadata Choices Specification
The OpenID Connect Relying Party Metadata Choices 1.0 specification has been approved as a Final Specification by the OpenID Foundation membership. The declarations enabled by this specification give an OpenID Provider the information needed to successfully interact with a Relying Party that has not previously registered with it. As I wrote when this became an Implementer’s Draft, the need for this was independently identified by Roland Hedberg and Stefan Santesson while implementing OpenID Federation. The contents of the specification were validated by Filip Skokan, who implemented it, and who is an author. The abstract of the specification is: "This specification extends the OpenID Connect Dynamic Client Registration 1.0 specification to enable RPs to express a set of supported values for some RP metadata parameters, rather than just single values. This functionality is particularly useful when Automatic Registration, as defined in OpenID Federation 1.0, is used, since there is no registration response from the OP to tell the RP what choices were made by the OP. This gives the OP the information that it needs to make choices about how to interact with the RP in ways that work for both parties." Finishing things matters. Thanks to all who contributed to this achievement! https://lnkd.in/gs_2BeBg OpenID Foundation #OpenID #OpenIDConnect #Federation #Metadata
-
Michael Jones shared this: Read this insightful description of the core of what OAuth is by Blaine Cook, former lead developer for Twitter and one of the inventors of OAuth. Blaine was an OAuth working group chair when I first started working with the IETF in 2011, when OAuth was still in the IETF Applications Area.
Michael Jones shared this: Over on dead-Twitter, Geoffrey Litt asked the following question last week: "I desperately need a Matt Levine style explanation of how OAuth works. What is the historical cascade of requirements that got us to this place?" Here's my attempt at a non-technical answer, for anyone who's struggled to understand what the heck OAuth is and why it exists: https://lnkd.in/gFzZgSQh
-
Michael Jones reposted this: For most of the internet's history, "domain control validation" meant emailing webmaster@ and hoping the right human replied. Sometimes it was a WHOIS fax number. That wasn't validation - it was institutionalized optimism. Today Let's Encrypt announced support for DNS-PERSIST-01, this is the ecosystem finally admitting that. Stop challenging. Start proving. Establish standing authorization bound to your ACME account key, and then demonstrate you still hold that key. The shift matters more now because certificate lifetimes are compressing toward 47 days. At that cadence, per-renewal DNS challenges don't prove control - they just prove you haven't lost your automation yet. Persistent authorization changes what the question is: not "did you respond to this challenge?" but "do you still hold the key?" Thirty years to get here. Worth understanding why. Full post: https://lnkd.in/g_XqvzPF
Domain Control Validation Grew Up. It Only Took Thirty Years.
-
Michael Jones shared this: The Journey to OpenID Federation 1.0 is Complete
The final OpenID Federation 1.0 specification was published today. This marks the end of a nearly decade-long journey and the beginning of new ones. At the 2016 TNC conference, Lucy Lynch challenged Roland Hedberg, saying “If there is someone who should be able to bring the eduGAIN identity federation into the new world of OpenID Connect, it is you.” That was the starting point for the work. Like OpenID Connect, OpenID Federation benefited from multiple rounds of interop testing while it was being developed. Interops were held at NORDUnet 2017, SURFnet 2018, TNC/REFEDS 2019, Internet2/REFEDS 2019, three virtual interops in 2020, SUNET in 2025, and TIIME in 2026. Each time, we listened to the developer feedback and used it to improve the specification. The early and enthusiastic support from the Research and Education community was foundational. They already knew what a multilateral federation is and why it’s useful. They patiently explained what they needed and why they needed it. Many people contributed to the journey, but I want to call out the contributions of my co-authors in particular. Andreas Åkre Solberg was an early contributor and the inventor of Automatic Registration, which greatly simplifies deployments. John Bradley brought his practical security and deployment insights to the work. Giuseppe De Marco spearheaded production deployment for multiple Italian national federations and the Italian EUDI Wallet, informing the specification with real-world experience – particularly with the use of Trust Marks. Vladimir Dzhuvinov was an early implementer and brought his rigorous thinking about metadata operators and establishing trust to the effort. Feedback from early implementations was critical to shaping the protocol.
They included those by Authlete, CONNECT2ID LTD, Raidiam, SimpleSamlPHP, DIGG, Sphereon.com, SPID/CIE in Italy, Shibboleth, GÉANT, SUNET, SURF, GRNET, eduGAIN/GARR, and of course Roland’s own implementation. Multiple organizations played important roles in supporting this work. Special thanks to GÉANT, CONNECT2ID LTD, and the SIROS Foundation for their significant financial support and encouragement. Multiple organizations hosted meetings at which significant discussions occurred, including NORDUnet, SUNET, SURF, GÉANT, and Internet2. Ecosystem building, adoption, and deployment is always a long journey and one we’re in the midst of. I am confident that the inherent benefits of the scalable and modular OpenID Federation approach will continue to win adherents the world over. Finally, my most significant thanks go to my friend and collaborator Roland Hedberg. He did the very hard thing – starting from a blank sheet of paper and on it creating a new, useful, and elegant invention. My sincerest congratulations, Roland! It’s been a privilege to be on this journey with you! See https://lnkd.in/exRmN-GY for more stories of the journey!
-
Michael Jones shared this: OpenID Federation Interop Event at TIIME 2026 in Amsterdam
Implementers of OpenID Federation gathered at the 2026 Trust and Internet Identity Meeting Europe (TIIME) unconference in Amsterdam on Friday, February 13, 2026 to test their implementations with one another. 12 people with 9 implementations and from 9 countries performed interop tests together. Participants were from Croatia, Finland, Greece, Italy, Netherlands, Poland, Serbia, Sweden, and the US. The interop was organized by Niels van Dijk of SURF and Davide Vaghetti of GARR. Davide ran the interop, including assembling the test federation with the participants. Giuseppe De Marco’s OpenID Federation Browser was a useful tool for visualizing and understanding the test federation. The test federation remains assembled and I’ve observed that some participants have continued to test with one another in the days since the in-person interop at TIIME. See https://lnkd.in/ekBJRMDs for photos of the event. OpenID Foundation #OpenID #Federation #OpenIDFederation #TIIME #SURF #GARR
-
Michael Jones shared this: OpenID Federation Presentation at 2026 TIIME Unconference
I had the pleasure of presenting an overview of OpenID Federation during the 2026 Trust and Internet Identity Meeting Europe (TIIME) unconference in Amsterdam. It was the opening talk in a day dedicated to OpenID Federation – Friday, February 13, 2026. There were ~90 practitioners in attendance. They asked great practical questions, including about how to decide what Federations to trust and the use of Trust Marks. I’m really looking forward to what I’ll learn during the discussions today. Many deployments are being described, including the GÉANT eduGAIN OpenID Federation pilot. Plus, there’s a “TechHUB” interop event today during which people will test their OpenID Federation implementations with one another. See https://lnkd.in/gjffc-xH for the presentation. OpenID Foundation GÉANT SURF #OpenID #Federation #OpenIDFederation #TIIME #SURF #GARR #GÉANT #eduGAIN
-
Michael Jones shared this: Participate in the OpenID Foundation and its board election in 2026!
Thanks, George Fletcher for bringing both the election and OpenID Foundation membership to people's attention. Indeed, one of the benefits of membership is the ability to vote both in board elections and in polls to approve specifications. (For instance, there's a poll to approve the final AuthZEN spec running right now and there will be a poll to approve OpenID Federation 1.0 shortly.) If you're not currently a member, I encourage you to join and participate. (And obviously also participate if you're already a member!) This is a dynamic and pivotal time for digital identity. The OpenID Foundation's many conversations, initiatives, and specifications are central to achieving great outcomes. I encourage everyone to participate in 2026! You can join the OpenID Foundation at https://lnkd.in/gypMHfBs . You can vote in the OpenID board election at https://lnkd.in/gTVDfDeM . Happy New Year 2026, everyone!
Michael Jones shared this: Just wanted to make a quick post regarding the OpenID Foundation Community Representative elections that are ongoing right now. Any member of the foundation can vote for the community representatives (sometimes called community elected board members). So that means that if you are not a member, now is a great time to join! An individual membership is only $50/year. As an identity practitioner I view my OpenID Foundation membership and my IDPro® membership required expenses. In addition to myself, my identity colleagues Dima Postnikov 🆔 💯 and Michael Jones are also running for the available two seats. We'd love to have your votes!! You can vote here: https://lnkd.in/eHFT-65T #openidfoundation #idpro
-
Michael Jones shared this: Initial Drafts of 1.1 OpenID Federation Specs
The OpenID Federation 1.0 specification contains two kinds of functionality: - Protocol-independent federation functionality used for establishing trust and applying policies in multilateral federations, and - Protocol-specific federation functionality that can be used by OpenID Connect and OAuth 2.0 deployments to apply the protocol-independent federation functionality. At the urging of implementers and working group members, I’ve created new specifications splitting the two kinds of functionality apart. I’m pleased to announce that initial editor’s drafts of both split specifications are now available for your reviewing pleasure. They are: - OpenID Federation 1.1 (protocol-independent) - OpenID Connect Federation 1.1 (protocol-specific) Together, they are equivalent to OpenID Federation 1.0, by design. No functionality is added or removed from that present in 1.0. Rather, it’s factored into protocol-independent and protocol-specific specifications. Reading every line of the 1.0 spec to perform the split had the additional benefit of identifying editorial improvements to apply to the 1.0 spec before it becomes final. I intentionally started the split while 1.0 is still in the 60-day review to become final exactly so improvements identified could be applied both to the original and the split specs. As background for this work, several people had suggested splitting the two apart into separate specifications – particularly once the core federation functionality started being used with protocols other than OpenID Connect, such as with digital credentials. There was a discussion about this possibility at the Internet Identity Workshop in the Fall of 2024. During the April 2025 Federation Interop event at SUNET, there was consensus to do the split after finishing OpenID Federation 1.0.
Starting the work to perform the split was proposed to both Pacific-friendly and Atlantic-friendly OpenID Connect working group calls in December 2025 after the 60-day review had started, with no opposition to proceeding. Now it’s your turn! Please review both OpenID Federation 1.0 and the OpenID Federation 1.1 and OpenID Connect Federation 1.1 specifications derived from it. Please send any issues found to the OpenID Connect Working Group mailing list, or file GitHub issues in the respective repositories: OpenID Federation 1.0 repository, OpenID Federation 1.1 repository, and OpenID Connect Federation 1.1 repository. Please review for both the readability and correctness of the specs and whether you believe aspects of the split should have been done differently. In particular, please consider the examples in Appendix A, which contain both protocol-independent and protocol-specific content. Hopefully this split will make the OpenID Federation content easier to navigate and understand for those using it and considering it. Happy New Year 2026! See https://lnkd.in/gA7UYYwM for links.
-
Michael Jones reacted on this: April is the cruelest month. A few years ago I lost my best friend to suicide. This year, in April there was a war and a long Internet shutdown in Iran on top of the anniversary. With all the chatbot conversations happening right now, and the stories of people young and old taking their own lives, I keep going back to how I felt when she took her life. I had no idea how to deal with the grief. Nobody around me knew how to deal with me either. I wanted to blame myself since I wasn’t there to help. I missed her call on April 25th. Then I read a lot about grieving. I found out I am a survivor. I accepted it. I learned that taking one’s own life is complex beyond comprehension and can never be blamed on one thing. I also learned how little support exists for people with suicidal thoughts, and for the survivors of suicide loss. When we grieve, we get hopeless and we look for someone or something to blame for taking away the person we loved. The Internet shutdown this year also took a major part of support network away and made all of that more pronounced. I was fearing for their lives as well. I couldn’t reach the people who are going through the same thing. I couldn’t see her grave, though honestly, I relive our memories everyday and hang out by her grave in Esfahan. But the pain lingered, and was deeper. I dreaded over not being able to send a message or keep in touch with her loved ones. It was a relief when I received a brief call. Thank you to Jess Miers, who amidst all the chatbot conversations and disputes pointed us to a few suicide prevention trainings. I reached out, and they also referred me to NAMI, which has a program for suicide loss survivors: https://lnkd.in/e6Jsjr9q I am planning to attend a few sessions when they don’t clash with my taekwondo.
Taekwondo, by the way, is very good for your mental health too.
Suicide Loss Survivors (In Person & Virtual) - National Alliance on Mental Illness of New York City, Inc.
-
Michael Jones liked this: We are proud that our founder Stina Ehrensvard will participate at Women In Tech Sweden and speak about a ten times safer internet and a secure digital identity wallet.
Michael Jones liked this: Meet Our Speaker: Stina Ehrensvard 🎤 With a background in industrial product design, Stina is the founder of Yubico and SIROS Foundation. Co-inventor of the YubiKey strong authentication key and a leading driver behind FIDO/Passkeys open authentication standards, she has received numerous international awards and is an accomplished speaker on internet identity, cyber security, and entrepreneurship. 💡 In her talk, Stina lays out a bold vision: a ten times safer internet, with 90% fewer fake identities and bots - within five years. From co-inventing the YubiKey to shaping the open standards now used by billions, she brings both the blueprint and the conviction that it's actually possible. #WITsweden #Womenintech #WITswe2026
-
Michael Jones liked this: So, it actually happened. After over 27 mostly amazing years with Microsoft I moved on to a new opportunity. My departure was bittersweet — the new opportunity is enticing and lots of great new people await but I will miss the many great people I worked with.
-
Michael Jones liked this: 💥 𝐒𝐏𝐎𝐍𝐒𝐎𝐑 𝐀𝐍𝐍𝐎𝐔𝐍𝐂𝐄𝐌𝐄𝐍𝐓 💥 We’re excited to Welcome Skyfire as the Grand Hall Power and Table Sponsor IIWXLII! 🔌⚡ Providing Power to all the Tables in the Grand Hall so that participants can keep their Laptops, Tablets and Phones charged up throughout the event. 💻🔋📞 ( IIW is a 'workshop' after all 🙂) Skyfire Skyfire is the Agentic Commerce Platform built to let AI agents operate in the real economy with verified Know Your Agent (KYA) identity and native payments. Skyfire empowers AI to process payments, verify identities and access essential services without human intervention. From API account creation to monetizing websites, we drive commerce for the world's fastest-growing consumer base: AI agents. 📅 IIW XLII April 28 - 30, 2026 🎟️ You can still register here: https://lnkd.in/gHjTf5Fa 📌 Computer History Museum in Mountain View, CA #IIW #IIWXLII #IIW42 #OpenSpaceunConference Michael Jones | Ankit Agarwal | Phil Windley | Doc Searls | Kaliya Young | Heidi Nobantu Saul | Kimberly Culclager-Wheat
-
Michael Jones liked this: This is a step in the right direction. The next step is to make passkeys and FIDO the default for digital identity wallets!
Michael Jones liked this: Today the UK National Cyber Security Centre (NCSC) made a major announcement - formally endorsing the use of passkeys as the recommended default authentication option for consumers. From my perspective, this is a stellar - and very appropriate - shift in policy that recognizes the amazing work industry and government have done in FIDO Alliance to address some of the initial challenges associated with passkeys. Per NCSC, "Overhauling decades of security practice, the National Cyber Security Centre – a part of GCHQ – has taken the decision to no longer recommend individuals use passwords where passkeys are available because passwords lack the relative resilience to modern cyber threats." Notably, NCSC stated that they "stopped short of endorsing the adoption of passkeys last year due to some key implementation challenges. However, progress within industry means they can now be recommended to the public as the more secure and user-friendly login method and to businesses as the default authentication option to offer consumers." With this, NCSC published a new white paper entitled “Comparing the security properties of traditional user credentials and FIDO2 credentials for personal use” at https://lnkd.in/ezbedCGP. Per their blog post on the paper, the NCSC assesses that:
· All traditional MFA methods – including passwords combined with SMS codes, email codes, time-based One Time Passwords generated by apps or physical tokens, push approvals – are inherently phishable.
· FIDO2 credentials, including passkeys, are as secure or more secure than traditional MFA against all common credential attacks observed in the wild.
· When user verification is required as part of the login, FIDO2 authentication constitutes multi‑factor authentication.
· Because FIDO2 removes the ability to cheaply reuse or relay credentials, large‑scale attacks directly targeting correctly implemented passkeys are unlikely.
-
Michael Jones reacted on this: A regional war is turning into a global supply chain crisis. New data shows U.S. aluminum imports from Qatar collapsing—just one early signal of wider disruption. From fertilizer shortages to rising shipping costs, the ripple effects are building fast. Read the latest Manifest to understand where the next shocks could hit—and how to prepare. Link to the full report in the comments.
-
Michael Jones reacted on this: Anthropic just did something the AI industry has never done before: it built a model so capable — and so dangerous — that it refused to release it publicly. Claude Mythos can autonomously find previously unknown vulnerabilities across widely-used software systems, generate working exploits, and execute complex cyber operations with minimal human input. Anthropic shared access with only a small group of trusted organizations. Let that sink in. For years, the cybersecurity industry has struggled with the same problem: we don't know where our vulnerabilities are until it's too late. Mythos flips that. The visibility problem is solved. But now we face something harder — the overload problem. If thousands of vulnerabilities can be identified in hours, can your team patch fast enough? The WEF put it plainly: 87% of security leaders already identify AI-related vulnerabilities as the fastest-growing cyber risk. Mythos accelerates that curve dramatically. Here's what I keep coming back to from my years in IAM and enterprise security: The threat model just changed. Perimeter defense built on static rules and weekly patch cycles is no longer sufficient. Organizations need adaptive, AI-native defense — systems that can respond at AI speed. And here's the uncomfortable truth: the offensive capability exists now. Similar models will emerge across the industry. The question isn't whether your organization will face AI-assisted attacks. It's whether you'll be ready when it happens. If you're in enterprise security and you're not actively reassessing your AI threat posture right now, this is your signal. I'd welcome a conversation with anyone thinking through what this means for their organization. #Cybersecurity #ArtificialIntelligence #EnterpriseAI #IAM #AIRisk #Anthropic
Experience & Education
-
Self-Issued Consulting, LLC
Publications
-
JSON Web Signature (JWS)
IETF
JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.
-
WebFinger
IETF
This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.
Recommendations received
6 people have recommended Michael
Explore more posts
-
Dr. Nicole Fellouris, PhD, CISSP, ILO, EH, SME.
Halcyon Futurist Foundation • 20K followers
Ethical implications, guard rails, potentiality to mitigate abuse or misuse should be considered during the conception of novel innovation and certainly integrated as part of development design. After the fact "harm reduction" is not a strategy. "The new law requires companies with more than $500 million in revenue to assess the risk that their cutting-edge technology could break free of human control or aid the development of bioweapons, and disclose those assessments to the public. It allows for fines of up to $1 million per violation." https://lnkd.in/geR9DsFc
-
AEGIS™ Initiative
32 followers
AI systems are making decisions that affect infrastructure, organizations, and people. Most governance approaches catch problems after the fact. AEGIS (Architectural Enforcement & Governance of Intelligent Systems) enforces policy before AI-generated actions reach your systems — deterministic, auditable, and open. We've published the governance constitution. The specification is Apache 2.0. If you're building AI systems that need to operate within defined boundaries — or advising organizations that do — AEGIS was built for that problem. The governance constitution is open for review → https://lnkd.in/dnc3MT_J #AIGovernance #AgenticAI #AISafety #PolicyEnforcement #OpenStandards AEGIS™ | "Capability without constraint is not intelligence™"
-
Discovery Garden
593 followers
At IslandoraCon 2025, our own Akanksha Singh shared how institutions can leverage Islandora’s flexibility, workflow tools, and standards-based architecture to build stronger, more scalable institutional repositories (IRs). From supporting ETDs and research outputs to enabling custom submission workflows and metadata-driven discovery, Islandora continues to stand out as a powerful, open-source IR platform built for academic libraries. In our latest post, we recap the highlights from her session: 1. Why institutions choose Islandora for their IR platforms 2. How customizable editorial workflows streamline ETD review and approvals 3. Persistent Identifiers minted automatically at publication 4. Community feedback and input If you’re exploring IR modernization or considering alternatives to legacy systems, this is a great place to start. https://lnkd.in/edR-ZWXt PS. You can even view her full slide presentation in the link. #Islandora #InstitutionalRepository #OpenSource #Drupal #DigitalRepositories
-
Association for the Advancement of Artificial Intelligence (AAAI)
19K followers
Author Keivan Navaie proposes a developer-first toolkit: optional, bounded, user-visible memory; a purpose-aware egress gate that enforces minimization and transfer rules; proportional safeguards that scale with stakes; and traces that tell a coherent story across components and suppliers in the column "From rights to runtime: Privacy engineering for agentic AI" featured in the current issue of AI Magazine. https://bit.ly/4qjm0Ww
-
Peng Wu
Stellar Capacity • 2K followers
Saw this write-up about a Claude security issue demonstrating prompt injection + file exfiltration risks for Cowork that's worth reading: https://lnkd.in/dzvWpbuS My thoughts: 1.) Claude Code and Cowork are amazing tools. If we're serious about the future of agents, this requires giving these systems actual agency, e.g. the ability to act outside their sandbox. 2.) But that comes with enhanced risks. Prompt injection was mostly theoretical a year ago. With Cowork automating across your work environment, it's not theoretical anymore. And the attack demoed in the article can happen with zero user approval. 3.) What really surprised me: Anthropic knew about this specific file exfiltration vulnerability before releasing Cowork (it was disclosed months ago in Claude.ai chat). They acknowledged it but didn't fix it; they just added a warning for users to watch for "suspicious actions." That's a buyer-beware approach I didn't expect from them. The experiments I've done with Cowork have been really cool. But using these tools well needs a clear-eyed view of the risks. We all want autonomous agents, but we can't ignore the cracks in the foundation. For folks who are experimenting right now with Cowork, how are you balancing the excitement of the tool with the reality of these risks? #genAI #Anthropic #Claude #promptinjection #AIsafety #cybersecurity #buyerbeware
3
1 Comment -
Doug Green
9K followers
Checkmarx Redefines Application Security for the Age of Agentic Development The new platform embeds AI-driven security across code, dependencies, and runtime, enabling software delivery at machine speed PARAMUS, NJ – March 16, 2026 – Checkmarx, the leader in agentic application security, today unveiled a new Checkmarx One platform built for the new era in AI development. As AI accelerates software creation beyond human speed and scale, traditional application security models are fundamentally misaligned. The new platform embeds agentic, AI-driven security across code, open-source dependencies, AI assets, and runtime, enabling organizations to innovate at machine speed with security built in from the start. At the core of the reimagined Checkmarx One https://lnkd.in/gR3apxdV #msp #channelPartners #carriers #enterprise #Telecommunications #ai #messaging #mobility #ucaas #ccaas #cpaas #Mobility
1
-
Anvilogic
16K followers
This is 🔥, Alex Hurtado. The sunburst visual just gave shape to what most detection engineers already feel: they're bending telemetry toward the paths of least resistance. Windows processes, auth logs, endpoint noise they can wrangle. It’s a tactical reality born from structural limits. But as teams start to scale behavioral detections across data lakes (shoutout Databricks Snowflake + Anvilogic), that center of gravity is going to shift. Not because the ATT&CK matrix changes, but because the architecture does. Let’s keep this convo going!
6
1 Comment -
Emin HÜSEYNOV
Azerbaijan Technical… • 1K followers
New blog post: Apple’s implementation FIDO2 Keys: The Curious Case of Missing Usernames https://lnkd.in/eAjZQvF4 Is it hard to believe that Microsoft implemented something better than Apple? (Maybe not a surprise.) When it comes to FIDO2 security keys, Apple’s approach is oddly limited — generic labels, no usernames, and poor credential management. Sure, both companies can break support in their own ways, but one of them at least makes it easier to keep track.
11
-
Identerati Office Hours
2K followers
What are the anthropological challenges to good Governance? Alex Weinert from Semperis contemplates some of the challenges IDP governors will face in our current agentic age of computing. ▶️ Watch full IOH Episode 176 (YouTube): https://lnkd.in/gevWet6H 📝 Episode notes: https://gluu.co/ioh-176 Takeaways: ⚡ “Nothing ever gets through” is a fantasy. Identity resilience is a continuous loop: (1) Harden before an attack; (2) Detect/disrupt during it; (3) Be ready to recover after it. Cyber attackers are learning rapidly, for example, the SolarWinds attack was a template that turned into commodity tradecraft. ⚡ Legacy applications never get re-written to support the latest identity infrastructure. That means Kerberos/RADIUS/SAML won’t disappear when new tech (e.g. OAuth, Verifiable Credentials...) gets added on top. Despite wide cloud identity adoption, local Active Directory services are still run in 90% of enterprises. ⚡ Attackers are moving horizontally from human accounts to infrastructure. Identity infrastructure is a particularly attractive target. If an adversary can mint valid tokens, it becomes systemic compromise. ⚡ Detecting IDP attacks is hard, simply because it's hard to detect the signal from the noise with disparate authentication systems. In SolarWinds, the first clue about an attack was tokens issued without corresponding MFA events. In order to detect this threat, you need to join both event logs, and implement some simple sanity checks, for example, a declarative statement like "All tokens that protect email capabilities require verified MFA events". This Identerati Office Hours livestream is sponsored by Gluu and hosted by Mike Schwartz. 🌐 LinkedIn: https://gluu.co/ioh-home ▶️ YouTube: https://gluu.co/live 📖 Wiki Pages: https://gluu.co/ioh-wiki
4
1 Comment -
Boyuan Chen
Huawei Canada • 893 followers
MCTS is having a moment in AI research — and it's not for playing Go anymore. Two papers today independently converge on the same insight: Monte Carlo Tree Search + LLMs + automated verification creates a powerful loop for solving hard optimization problems. 📌 OptiML (arxiv.org/abs/2602.12305) tackles CUDA kernel optimization. Rather than hoping an LLM generates fast code on the first try, it uses MCTS to explore optimization strategies while an Nsight Compute profiler provides hardware-aware rewards. Every edit is compiled, verified, and profiled. The result: consistently better performance than one-shot LLM generation, with fully interpretable optimization trajectories. 📌 ProbeLLM (arxiv.org/abs/2602.12966) applies the same search paradigm to a different problem — systematically discovering how and why LLMs fail. Instead of collecting isolated failure cases, it uses hierarchical MCTS to map out structured failure landscapes, balancing exploration of new failure regions against refinement of recurring patterns. This matters because static benchmarks are increasingly inadequate for fast-evolving models. 📌 FAC Synthesis (arxiv.org/abs/2602.10388) brings sparse autoencoders from the interpretability world into data engineering. The insight is elegant: measure post-training data diversity in feature space rather than text space, identify gaps, and synthesize targeted samples. The surprising bonus? LLaMA, Mistral, and Qwen share a common interpretable feature space, enabling cross-model data transfer. This is a practical win for anyone doing post-training at scale. 📌 Favia (arxiv.org/abs/2602.12500) pushes code agents beyond generation into forensic reasoning. Given a CVE, its ReAct-based agent navigates an entire pre-commit codebase, using specialized tools to establish causal links between code changes and vulnerability root causes. 
Tested across 8 million commits in 3,708 real repositories, it handles the indirect, multi-file fixes that pattern-matching approaches fundamentally cannot. The broader pattern I see: we're moving from "LLM as oracle" to "LLM as search participant." The model proposes, the environment verifies, and structured search connects the two. Whether you're optimizing GPU kernels, diagnosing model failures, or engineering training data — the recipe is converging. What's most interesting to you — the optimization angle, the evaluation angle, or the data engineering angle? I'd love to hear where you're seeing similar patterns in your work. #AI #MachineLearning #LLM #SoftwareEngineering #Research #CUDA #DeepLearning
23
2 Comments -
European Law Blog
9K followers
📣 New post on the blog! Building on digital sovereignty's concern with control over infrastructure and data, today's post by Lloyd Jones introduces the concept of "Agentic Tool Sovereignty": the (in)ability of states and providers to maintain lawful control over how their AI systems autonomously invoke and use cross-border tools. Read the full post here: https://lnkd.in/eneG3JhE
9
1 Comment -
GitGuardian
18K followers
At #BSidesSeattle 2025, a powerful shift in identity and access management (IAM) took center stage: Non-Human Identities (NHIs) now outnumber humans in our digital infrastructure. APIs, service accounts, batch jobs, and ephemeral containers are the backbone of modern applications—but we’re still treating them like just another user in a directory. In her insightful talk, Heather Flanagan (Spherical Cow Consulting, IETF SPICE Chair) challenged us to rethink IAM for this new reality. “An API key is not an identity, no more than a password is a human.” This isn’t just a clever line—it’s a call to action for building trust into our systems by design, not by assumption. Key takeaways: 🔑 NHIs are high-value targets and often hold excessive privileges. 🔑 Old IAM models—static passwords, over-permissive keys—leave us exposed to breaches and sprawl. 🔑 The future is portable, ephemeral, and verifiable identity: Adopt cryptographic attestation and contextual validation. The solution? Implement lifecycle management that matches the purpose and risk of each identity (and here GitGuardian can help). Leverage emerging standards like WIMSE, SCITT, and SPICE for attested, scoped, and time-limited access. Let’s move beyond mimicking human IAM for machines! It’s time to build identity systems that are everything we wish human IAM could be: secure by default, resilient under stress, and engineered for reality—not perfection. Want to dive deeper into NHI security and the full recap of #BSidesSeattle? Read more here: https://lnkd.in/eU5SuRDB #IAM #NHI #APISecurity
1
-
Scott Perry
Digital Governance Institute • 2K followers
The looming governance target word is D-E-L-E-G-A-T-I-O-N. As we finally recapture the right to our own data and to make claims that are attributable to us, we stand at the ready to delegate rights to our digital agent. We better start figuring out how that will work before our agents figure it out for themselves.
14
1 Comment