Security News

Cybersecurity news aggregator

INFO News Reddit r/netsec

The Age-Gated Internet: Child Safety, Identity Infrastructure, and the Not So Quiet Re-Architecting of the Web

  • What: Discussion on identity infrastructure and age verification
  • Impact: Technical and policy implications for internet access

In enterprise environments, identity effectively became the control plane once network perimeters broke down (e.g. zero trust, et cetera). I’m seeing a similar pattern emerging on the public internet via age verification and safety regulation, but with identity moving closer to the access layer itself.

Not just: “Are you over 18?”

But: identity assertions are becoming part of how access is granted at the OS/device/app store level.

From a security perspective, this seems to introduce some new attack surfaces:

  • high-value identity tokens at the OS/device level
  • new trust boundaries between apps, OS, and third-party verifiers
  • incentives to target device compromise or token reuse rather than account-level bypass
  • potential centralisation of identity providers as enforcement points

Questions I’m trying to think through:

  • Does this effectively make identity providers the new perimeter/control plane?
  • How would you model this system (closer to DRM, identity federation, or something else?)
  • What are the likely failure modes if this layer becomes centralised?
  • Are decentralised / on-device credentials actually viable from a security standpoint, or do they just shift the attack surface?

Curious how people here would threat model this or where the obvious breakpoints are.

submitted by /u/wayne_horkan
