Thank you. Thank you. Good morning and welcome, everybody, to our Okta Developer Day 2023. It's exciting to be here again this year, of course. Each year we want to bring you, all of our developers, an update on the latest in the identity space. And last year we focused on passwordless: why using passwords is an outdated approach, what you should be doing, how you can get rid of it or move from password to passwordless. And today we will focus on continuing that journey and the theme, and work on what are the technology and platform features available for you to take on the passwordless journey. So in today's digital age our identity is constantly at risk. As individuals we share a lot of personal information online. Our sensitive information, our personal information, is the biggest target of data breaches, identity thefts and other malicious activities. So to protect this information and identity, security and privacy are more important than ever. Today we will explore all of that and what you can do to secure identity through easy-to-use SDKs, attack prevention capabilities, but also, as developers, what you can use in using a platform and authentication flow to integrate in your system and the larger application. So to kick that off, as you saw Abby walk us through this, you will see with every talk track what it says in so many words: anything future-looking that we talk about is subject to change. And with that, for those who I haven't met yet, and I would love to, I'm Bhavna Singh. I'm the CTO of customer identity at Okta, and every day I and my team work to help build a world where everyone can safely use any technology. Our goal is to empower developers to take control of identity so that you can better protect your users' sensitive information and provide a secure user experience. So as a developer and a citizen of the world, our identity, as I said, is under constant attack.
In my personal life I'm constantly having to enter my personal information every day in different sites that I'm doing business with: to order food, to buy tickets for an event, or even to chat with my family. So each site has an onerous password-filling, personal-information-filling path, and all of this information is going somewhere and getting stored, and this is a lot of personal information for all of us users. So if I read and get an email about data breaches or anything else, I try to be on top of it and make changes, and this is a thing for all users around, because we need to be on top of it. So as developers, what can we do for our users to make sure that these sites, if they could compromise, how we can, you know, support our users? Or, first of all, let's not compromise our sites, right? So let's talk about that. Let's explore what it means to take control of identity and how we can help, using our platform, to take control of identity. And I think there are two sides to it: the developer side and then, of course, the user side. As developers, as you can see, we are the owners of the system that works with the login technology and, of course, stores user information. So, to secure this entrusted information by our users, we need to implement the latest identity standards to stay ahead of attacks. We need to scale the system as our user base is growing, and we need to make sure that, using the system, we are granting the right access to the right person. It does feel like, all of this that we need to do, we also need to deliver fast, securely, fully compliant, and at times it does feel like we have to be magicians to make it all happen in one go. Hence, as developers, it's very important that the identity platform is also providing us easy-to-use APIs and well-documented SDKs. So that is all the story on the developer side, but on the user side the story is also kind of similar. You know, we want our data to be handled securely and our privacy to be guaranteed.
So we want to log in securely into each application and make sure that the login capability, or the login, is without any friction, no complexity, and of course we would prefer to use our credentials or social logins wherever possible, because we already own it and we don't have to keep remembering for every site, and of course privacy is top of mind, right? So as an identity platform we want to provide all of these capabilities to our developers so that they can offer these capabilities to their users. So how do we do that? But before I start talking about how, let's talk a little bit about, you know, what are our developer pain points. And while I hear a lot of stories again and again around this space, I want to share three today. One common one, of course, is that you have to make some code change in your login capability, and you have to make, you know, a few lines of code change in one place and a few others in another place, but at the same time you hear from your colleagues that the last time someone touched that code, production went down. So now you're nervous about, you know, what changes, and then, should you really make a change in your login code base? There's another story that I hear, which is about using an open source library, right? Teams use an open source library in their identity implementation, and it wasn't standards-based or it wasn't updated. It hasn't been updated for the last two years, and now changing this into the new, latest updated setup or standard, that's quite an investment. It's months and months of work.
So of course business doesn't want to invest in work that is causing more login box, you know, because the login box works, and why invest more in something that's already working? And the last story I want to share here, of course, is that many of you must have had to work in the space of, like, okay, let's integrate MFA, right? And as you're working on integrating MFA, you don't have a security or a compliance partner to guide you and help you understand: are you doing it right, are you integrating it right? And as you do that, you go ahead, you roll out your MFA implementation, and when an issue is identified with it, the blame game starts, right? These are all the stories that you would relate to, you have experience with, you had to deal with, and so much more. So if these stories I just shared are familiar and relatable, then you are in the right place. That is not a new problem, but today we will share how you can overcome them. You don't have to deal with it, and our platform has evolved further for you to take advantage of, to secure identity for your users. So we'll start with diving into the authentication as a service space. Our platform started with actually working on authentication, or solving for authentication, and it is now a well understood approach. Then we'll move into authorization as a service, which is a new and growing capability. We rolled out our authorization solution last year, and it's part of our, and actually open source, part of it, for our developers to engage with. And lastly we'll talk about and share our active work in the verifiable credentials space, which is an emerging market. So let's dive into the first one, and let's start with authentication. So here's how we'll break it down for today's conversation: the login capability, which is allowing users to log in with any factor, hence universal login, and then we'll dive into the security and privacy forward features, because our security and privacy aspects are core to authentication.
If you remember, we took this journey last year in last year's dev days, and I'm bringing it up again to create enough FOMO so you go, if you haven't, you have to go watch that session from last year's dev day. It's all on our site. So of course, as I said, you know, offering security and privacy forward features out of the box doesn't work if the box limits you, our developers, when implementing your authentication flow. So we all know no two applications are similar. You might have your own way or business needs, so how do we make sure that we accommodate this and provide flexibility which allows developers to customize and configure not only the authentication flow but also the login screens based on the specific needs? Because an identity solution needs to be flexible through to handle any scenario, right, at any time. So very quickly I want to show you a glimpse of, you know, our very extensible pipeline that provides a flexible and customizable framework for managing user authentication and authorization, which is our answer to our developers' need for flexibility. The pipeline is designed to be modular and extensible, allowing you to customize and configure authentication flows to meet your business needs at a global scale. You can bring in your own code into any of these green dots, which are our extension points, and the platform will run and scale your customized code, actually. And we call these green dots actions, which is, you will hear this word a few times referred to in the conversation today, and this includes the support for social login, SSO, MFA, passwordless login and much more, right? And then, to continue with flexibility, our platform is designed to integrate with a wide range of third-party tools and services, so including identity platforms, user directories and, of course, more, because those are all the tech that you already have in your stack and you want to bring it along, right? So we believe seeing is believing, and to make sure that we can see things
that we talked about, I want to invite Sam Bellen, our developer advocate, to join me and show our developers, you know, all the unique needs they have. Sam, what do you say?
Absolutely, let's do this. So our developers can tailor the authentication pipeline we provide to suit their own needs, the needs of their applications. This is by using actions, or the extensibility points, the green dots that Bhavna showed you in the previous slide. And some of these are very easy to use, because we have a marketplace that offers out-of-the-box, easily usable marketplace actions, so you don't even need to write custom code. You just go to the marketplace, find something that works for your current problem, install it, and you're good to go. So if there's things like identity proofing or biometric multi-factor authentication, maybe you want to allow certain people from certain locations or disallow certain people from certain locations in your application, or send a notification to a dashboard whenever somebody registers or whenever somebody logs in, these are all things you can do with out-of-the-box marketplace solutions, marketplace actions. You don't even have to write any code. Install them, configure them, and you're good to go. But sometimes you want to go one step further, right? You want to create something that isn't available in the marketplace, so you need to write your own custom logic, your own custom code, and we provide a good solution for that as well. We allow you to write custom JavaScript code. You don't need to host it somewhere, we'll take care of that for you. But by writing this custom JavaScript code you can also import npm modules, you can test it, you can use our secrets manager to use secrets like API keys for third-party solutions, so you don't have to write them explicitly in your code base. You can do a lot of things with our online editor, and because we know that sometimes stuff goes wrong, I'm a developer, I might have broken certain things in the past, we also baked in version
control, so you can always roll back to your previous version and go from there. And if you think that whatever you just wrote, your custom action, is something that the people outside of your company, other companies, other products, might also want to use, you can also submit it to the marketplace, so they don't have to write that code, they can just install it again as a marketplace action. We're hosting a workshop on this later today, so if you're interested in marketplace, in actions, in extending our authentication pipeline, stick around for this afternoon.
Sam, that was all behind the scenes. We have a whole site in front, which is the front door of our users' login application, and we want to make sure that that is also something that you as developers can customize and make it look like yours. So you have something that you can share for the front door?
Yeah, I'll show you some other things. So let's get a look at customizing the login screen of your application, or your application's front door. Our easy-to-use no-code editor allows you to match the style of your login page and all the other pages involved with logging in your users, so that they match the style of your actual application, so your users do not even know that they have been redirected to your, or the, Auth0 tenant and back, which would be one seamless visual part. So you can style it once; we will make sure that the styles will be duplicated across all of the pages. That's a login page, that's a register page, that's forgot password, MFA and so forth. All of the possible pages will have the styles that you have configured in that online no-code editor. And as you can see, you can do things from changing colors to changing borders and backgrounds and so much more. You don't need to write any code. We'll make sure that it's performant enough, because your login page needs to be as fast as possible, right? But we don't stop there. How your page looks is only half of the story; how you communicate with your users
is the other half, and we allow you to easily customize all text, all labels on these pages, with support for over 40 languages out of the box. And sometimes you just want to change certain labels because, well, you don't like what's written in the label or you just want to have some creative freedom, and we also allow you to change all of these labels for all of the languages we support through the dashboard. And we know each application has its own needs, and sometimes you want to identify a user by email address, sometimes you want to use something else, like a phone number, for example, and that's all possible as well. We don't lock you into that email identifier constraint. If a phone number makes more sense to you, by all means use a phone number. And lastly, we've teased passkeys at our developer keynote at Oktane last year, but I want to mention it again because it is something that I'm actually really, really excited about, and if you're interested in passkeys you can try it out today in our experimental Auth0 Labs environment. It's experimental, it's just a preview of what we're building. We're still building on it and we're planning to add it to our production in the future, but if you want to try it out, it's a way of doing true passwordless, phishing-resistant authentication on the web. So stay tuned for more on that later.
Well, thank you Sam, with these short demos, and of course I want to plus-one and emphasize the passkeys usage, certainly if you are taking on the passwordless journey, so that you can continue that effort and the important aspect of going passwordless. So once you have implemented your authentication journey using universal login, we want to make sure that it is also secure and compliant, and for that as well, as I mentioned, we have your back, right? We will, through the security and privacy forward features and capabilities. So we looked at the capabilities in the platform that will help protect your application from attacks. We do a lot to prevent attacks and
make it easy for developers, that is you all, to securely implement Customer Identity Cloud using SDKs, but again, we want to empower you further. That's not it, right? So according to our own State of Secure Identity report that was published last year, based on Customer Identity Cloud data, approximately 90 percent of web application attacks are caused by credential abuse. That is a big number, and that should concern us all. Bad actors use an arsenal of abuse credentials, like fraudulent attacks or registration, credential stuffing, MFA bypass attacks, and just credential stuffing account for 34 percent of overall traffic and authentication events on our platform. So you can see, and an attack can cost almost an average of more than six million dollars a year, which is a big amount of money, money that should rather be invested in our innovation and our teams. So to help protect your code and your business, we have a host of security features in place to help prevent automated attacks. Let me share a few with you today here. And as you can see in the list, we can display CAPTCHA challenges for suspicious traffic to verify that a human is attempting to access the authentication. Our bot detection capabilities can track unique device fingerprints to identify bots and block them if they are trying to access your application. It is powered by a machine learning algorithm that can detect patterns of bad behavior and adjust security measures, sometimes even automatically and in real time for you. And of course we can block traffic from specific IP addresses, or IP ranges actually, to prevent excessive traffic that may be indicative of bot traffic. And you also see our back-channel logout capabilities also coming soon. So again, we want to show it to you so that we make sure that you definitely believe what we are doing, and so, all part of our platform. So how about we share with our audience? Sam, what are some of these security features
and how are they helping our developers secure their apps?
Yeah, let's do that. So aside from protecting our customers through these security protection measures you just mentioned, we also provide guidance and easy-to-use SDKs to prevent security issues on the software implementation level. Abstracting all of these complexities, these identity complexities, and making sure that SDKs take care of that also makes it harder for developers to make mistakes that they didn't intend to make, but they just happen to make those. And by building on top of open standards, we aim to, well, we always try to follow the guidelines of the creators of those standards to improve the security, and if some vulnerabilities are discovered with these standards, those standards bodies will also offer guidance on how to mitigate these vulnerabilities, so we can easily and securely fix them as soon as they are discovered. Our official SDKs aim to always be up to date with the latest version of their software, their programming language or their framework, because oftentimes these updates contain security patches, security fixes, and you want to implement this in your applications as soon as possible, so we also aim to have our SDKs follow those updates to those frameworks and programming languages. And of course a good SDK is nothing without good documentation. Our goal is to have the best documentation possible for our SDKs, so you can go and get started with our SDKs without as much friction as, well, without any friction at all. And lastly, whenever we launch some new features, you want to use those features as soon as we launch them, so our SDK teams get hard at work to make sure that the SDKs also support all of the new features that we launch continuously, so you as the implementers, the developers that are working with us, can use those features as soon as possible in your applications. And our own Martin Walsh will tell us a bit more
about the power of SDKs later today, so if you like SDKs, I certainly do, because it makes my life so much easier, stick around for Martin's talk.
Yeah, all right. Well, thank you Sam, thank you so much. You know, I know you're awesome, you know you're awesome, but I think now everybody knows you're awesome, so thank you so much. All right, we looked at the capabilities in the platform that will help protect your application from attacks. So we do a lot to prevent attacks and make it easy for developers, that is you all, to securely implement Customer Identity Cloud using SDKs, but we want to further empower you, right? We're not done, that's not it. The attacks on your application are constantly happening. These attack patterns are changing, they're evolving, and it's important for an organization and for you to keep an eye on the kind of attacks that are coming your way. So I'm happy to announce that last week we released Security Center. Thank you, thank you. Security Center provides real-time monitoring that allows you to observe attacks on your CIAM or login system and, of course, view any anomalies in your traffic pattern using anomaly detection metrics, and through Security Center you can conveniently configure our attack mitigation features, features we just talked about, to secure your login implementation. But hey, Sam is not done yet, because he's awesome. He will show us one last demo.
One more, promise, one more. Okay, so with the Security Center we provide an easy-to-use dashboard that will let you monitor all traffic on your applications, on your Auth0 tenants, but also let you monitor all of the total threats that we monitor in your Auth0 tenants, in your applications. We allow you to observe threat behavior as well, so we'll give you some insights into how these behaviors are trending at the moment or in the past, and we allow you to identify applications that currently might be under attack, because, well, attackers usually don't target all applications out there, they have
specific targets most of the time, so if they're targeting one of your applications you'll be able to monitor that through the Security Center. You'll also be able to track login and sign-up traffic, because you want to know how many users you have at all times, because, well, that's great. And you can also monitor threats identified by attack prevention measures like bot prevention or MFA, so if we see that there's a lot of bot prevention going on, you can also see that in the Security Center dashboard. So those are a few of the things that you can see in the security dashboard. More is coming soon, but this is available since last week.
Thank you. All right, so we talked about authentication at length, and I think we can keep going on that space, but let's move to authorization as a service, right? And to talk about our authorization capability and have a look at the future with verifiable credentials, let me invite our chief product officer, Shiv Ramji. Good job.
All right, thank you Bhavna for kicking us off, and thanks to Sam for the amazing demos. First off, just a shout-out to all the live and in-person audiences. Thank you for attending. We have quite a few watch parties, and I'm glad a lot of you tuned in this morning for the session, so a big round of applause to everybody. Now, I'm really excited to talk about authorization. So Bhavna kicked off this morning with a ton of updates on what we're doing with authentication, right? So all the features and all the capabilities that make your life easy as a developer. Well, I want to talk about where authorization is going, and why is this important, why am I excited? I believe authorization is essentially where authentication was just about a decade ago. So what do I mean by that? Today, just like a decade ago, a lot of people solve authorization by essentially building it themselves, right? And it often starts out as a very simple problem, basic rule sets, and grows into a pretty hairy problem very, very quickly, and a lot of users or
developers or customers today essentially build their own solution and typically deploy in their own data centers. But that is all about to change with the ability of the cloud, that now gives you low-latency, highly available and highly scalable solutions. We can now deliver an authorization service that can take all of the pain away from you. But it's not just about the cloud's ability to solve this for us, it's also about your growing use cases. How many of you use Google Workspaces or, you know, share documents? I see a lot of hands going up. Now, you know this for yourself: typically, you know, you create a new document, you may want to share with one user initially, but very quickly you may want to share with an alias, with a distribution list, with a group, with internal teams, with external teams. Very quickly the authorization problem explodes, and it's really, really hard to manage all of this on your own. So I'm really excited to talk about how we're trying to solve this problem. So, sorry, I skipped. There we go. That's a video. Okay, so, OpenFGA: we're solving the solution, we're solving this problem by essentially bringing our own fine-grained authorization service to life. Essentially, OpenFGA is a relationship-based access control solution that we're building, and we're building it as an open source project, and recently this was added to the Cloud Native Computing Foundation, or CNCF, as an open source project with lots of contributors and interest in the developer community. Now, we're also working on a managed version of this, so that we can take all of the pain of hosting, updating, patching, securing and scaling away from you, so that you can just think about the application and the types of relationships that you want to set up. Now, our fine-grained authorization solution really empowers you as developers to set up fine-grained access controls as much as you want, so you can use all of your typical solutions, such as role-based access control, that can be easily configured. Some of
you may want to be doing attribute-based access control; you can also achieve that. So regardless of what your use case is, or regardless of how simple you start out and how complex you're growing, we have the solution to help you with those needs. And what's really, really cool is the modeling language, you know, that's powering all this can be used to define these relationships very, very easily, and once you have some data in the model that you can run against the authorization setup that you have, the powerful engine can quickly look for relationships and make sure that there is consistent access across the different access decisions that are made across your applications. And what's really nice is, because it's a centralized authorization engine, it really makes authorization rules explicit and standardizes how authorization works across your applications, across your stacks and, frankly, across your company. Now, later today there will be a deeper dive on this topic led by Adrian, so if you're interested in this I recommend that you stick around and attend that session. Now, as I mentioned, we have open sourced our core engine, called OpenFGA. Really excited to share that we launched OpenFGA version one just about a month ago at KubeCon on April 18th, and so please check it out. You can try the product now. And as I mentioned earlier, our vision is to really empower you as developers to think about solving the authorization problem all the way from coarse grain to fine grain. And you may be thinking, well, why should I think about this problem? Well, according to Okta's recent Businesses at Work report, organizations that have more than 2000 employees have an average of about 200 applications. That's the average, and this is growing 10 percent year over year. Now, many of you can probably relate to this problem, that not only do you have a growing number of applications, you have all of these complex rules and policies that you have to keep up and
maintain. So we believe now is a good time for sort of a next-generation fine-grained authorization solution that can really help you as developers to manage the complexity, meaning the number of apps that you have to deal with, but also stay ahead of all of the complex rule sets and policies that you want to deliver. The other interesting and cool thing that we're also working on is that we have an identity governance and access management solution too, from Okta. Over time we will easily also connect our fine-grained authorization solution with IGA, so if you are looking for auditing after you have set up all your permissions, you're also able to do that out of the box. So we believe this will have a really, really big impact on teams that are building, that have to maintain so many applications, that are all these complex rule sets, but also, if you are a developer building a SaaS product, then selling to enterprise customers, this solution will also help you manage the complexity that you may have with authorization. So as Bhavna had mentioned, we're constantly obsessing on how to solve for all of your complex identity needs. We talked about authentication, with lots of updates there today for you. I just talked about authorization and authorization as a service and the solutions we have for you. And the next topic that I want to talk about is sort of the evolution of verifiable credentials. So as you all know, our lives continue to shift online in so many ways. Now, many of us are very familiar with, you know, it's a login box, I'm creating an app, it's a web app, it's a mobile app, I want to give users a seamless login experience, make sure that it's secure, it's privacy compliant, and all of that is great if you're working within the confines of an online ecosystem. But we all know there is a lot of identity data that's still locked up in physical formats. And what's an example of that? Well, our passports, our driver's license, your medical insurance card
and on us, there's a lot, you know: your degrees and certificates from the schools that you went through. There's a lot of data that's still locked up in offline systems. So what verifiable credentials allow you to do is that, you know, they are essentially a secure and decentralized way to prove your identity online. So essentially they allow you to take an identity or an artifact that is locked up in this offline format, and you can bring it online for purposes of identifying who you are. Now, verifiable credentials are essentially based on this idea of self-sovereign identity, which means that the individuals really have full control over their identity, often saved in a wallet on your phone, essentially allowing you to share only with those apps and people that you want to share this information with. Now, there are a wide range of potential applications for this. So for example, a common thing is you can use this to verify your age. Now, why would you want to do that? With certain products, such as regulated products such as alcohol and tobacco, they do need to verify your age, right? So you can do that verification very, very easily if you have this digital verifiable credential available on your application. And what I think is really interesting is that, instead of you sharing your full ID and birthday and all of those details, you can essentially just say, hey, I can prove that I'm over the age of 18, right, without giving all sorts of private and personal information out. But it's not just for age verification. There are governments that are thinking about, how do I provide services to our citizens, right? So that's another interesting application. I talked about health care. Like, a lot of health care is cumbersome and it's offline. What if we could bring all of that online? Imagine if you can share your health record digitally and safely, and share only the information that the service provider needs to ensure that you
get the type of medical outcomes that you want. So I believe that the possibilities here are endless, and there are so many use cases that will emerge, and so we're really excited to closely be experimenting in this space and also releasing playgrounds, so that as a developer you can experiment and learn about the products and the way we're thinking about building that. Now, you may also be thinking, well, okay, you know, where do I see this? Like, is this really happening? And we're starting to see some early signs of these experiences. So the example I'm going to talk about is, we recently partnered with Singapore's national digital identification service, called Singpass, to essentially easily integrate Singpass QR login with our universal login feature that's available in the Customer Identity Cloud. Essentially, this capability allows Singpass users to access a broad set of business and government services with the same convenience of essentially a passwordless experience. Now, this implementation isn't the ideal verifiable credentials implementation, I should call out, but it gives you an early glimpse into what's possible with digital credentials and ultimately what's possible with verifiable credentials, and we believe this will continue to evolve rapidly. You can see we have another customer that's also doing this for their citizens. Again, it's a G20 country and a provincial government that's providing all of their digital services for their citizens through verifiable credentials. So we're starting to see early glimpses and deployments of this technology, and we're really excited to continue the innovation in this space and excited to provide the right abstractions, so that you as a developer don't have to worry about all of the technical implementations under the hood, but you get the value of delivering the seamless experience to your customer. There is going to be a deeper dive on verifiable credentials too later today. If you get a chance,
please attend a session led by Sam Frank, and he will tell you more about the work that we're doing with verifiable credentials. And so this is just a glimpse of all the innovations in areas that we're working on to solve for identity, and I hope you attend the sessions later today. Back to you, Bhavna.
All right, well, I hope you all saw the fun stuff we get to work with, but we also bring it to you today, so the fun stuff you all get to work with today, right? And as Shiv just said, you know, sharing the latest in authorization and verifiable credentials. With OpenFGA, I want to call out the open source version that Shiv just mentioned and talked about. We are seeing great traction from our developer community, so do look for it, and if you love to engage in that space, you know, engage with us. Our developer community is actively contributing to this space, and of course it's enriching our authorization offering. This morning, let's bring it all home. This morning we talked about and looked at how Okta can help you take control of your identity: so our flexible and secure authentication solution, to make sure that every application is securely authenticated and its authentication needs are served, how you can take control of your application authorization to the next level with FGA, and how you can manage credentials in the future with verifiable credentials, which is the upcoming market for us. So with that, and all the information and the full day of expert deep dives, I hope you all have what you need to take control of identity. And wait, isn't it? But wait, the conversation of identity doesn't end today. So I want to call this out, very important: this conversation of identity that you all are joining does not end today. We invite you all to our Oktane event, which is our big annual customer event, and starting this year we are actually bringing a developer track to this event, and we will have developer-focused sessions, architectural
conversation, whiteboarding, as well as, if you have your code where you need feedback, bring your code on and we'll have experts in the space to give you suggestions, feedback and recommendations. So a lot that will happen, and we'll have special tickets for our developer friends, so keep an eye out for the email to come to you, or you can visit the link that's on the slide, and we all hope to see you in person there. So thank you.