Posts with keyword: authentication

                          Sovrin Use Cases: Authentication

                          This use case discusses authentication in a self-sovereign identity system called Sovrin. Sovrin simplifies authentication, reducing friction while providing a system that businesses can trust without building or maintaining it.

                          Double Your ID Pleasure with TSA

                          Via Jim Harper, a report on the TSA's ruling that requires some passengers to present two forms of ID. What's ironic is these are the passengers who signed up for the Registered Traveler program, designed to let frequent fliers escape the inspection line. The TSA is requiring that these registered travelers present a government issued ID (like any other traveler) in addition to their RT card. Beginning last fall, TSA suddenly required that RT members using the RT line show a picture ID and their RT card right before entering the line. These are the same RT cards that,

                          Linking OpenID and CardSpace: SignOn.com

                          PingID (disclaimer: I'm on the advisory board) released the beta of SignOn.com today. SignOn.com is an OpenID identity provider that also accepts InfoCards. Once you've signed up, you can register an InfoCard with SignOn.com and then use it to authenticate when you use your SignOn id at a Web site. Confused? Here's an example: I go to Jyte.com and click "login". Jyte asks for an OpenID, so I give it my SignOn OpenID (windley.signon.com). SignOn asks me to authenticate (since I'm not currently logged in there) and I choose to authenticate with an InfoCard. The card selector pops up,

                          CAS: Simple Authentication

                          Ken McCrery, from Virginia Tech, gave a presentation at JA-SIG on their experience using Central Authentication Service (CAS) to provide single sign-on and single sign-off for their campus systems. CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. It's freely available for download. VT originally used a home-grown system called AuthPortal, but their middleware group couldn't keep up with the portal group's requirements. They determined to move to something that was more widely used. They found that CAS 2.0 was easy to deploy. Previous AuthPortal

                          XRDS and Self Asserted Claims

                          Andy Dale posted some cautions in response to my post on using XRDS. He later summarized his concerns very succinctly: SEPs in XRDS must be considered self asserted claims and as such should not be trusted on their face. Service Providers should publish the mechanisms by which SEP claims should be validated to be about a specific subject (authenticated identifier). From The Tao of XDI, referenced Tue Jun 05 2007 13:48:15 GMT-0600 (MDT). For an authentication service, this isn't a problem. If I claim 2idi.com is my authentication service, the method for a relying party to check that claim

                          Obfuscating Passwords in Forms

                          Most are familiar with password fields in Web forms. When you use a password field, anything the user types is obfuscated. This is, to my knowledge, to reduce the danger of shoulder surfers stealing the password by reading the screen as it's typed in. As long as I've used computers, this has been standard practice--the IBM Selectric terminals I used in 1976 would pre-print multiple characters on the paper before having you type your password so it couldn't be stolen from the printout. What would you think of a social networking Web site that in the interest of reducing

                          Sun Supports OpenID and Opens the Question of Reputation

                          Sun announced (or at least Tim did) that Sun's supporting OpenID at openid.sun.com. Sun has taken the additional step of stating that only Sun employees will have IDs there. So, if someone presents an OpenID with a base domain of openid.sun.com, you can be assured that Sun is vouching that they are an employee of Sun. The biggest problem with this setup, of course, is that the attributes of an identifier ought to be transferred orthogonally to the identifier itself. The fact that the URL has a certain form should encode data like whether someone's an employee or

                          Overdoing Security

                          I was registering for the FAA MedXPress program today. This program allows pilots to submit their flight physicals online. Once you've registered, the FAA requires that you change your password. Here are the requirements for the new password: You have accessed the FAA MedXPress site using a temporary password. You must change your password in order to continue. Passwords must contain between 8 and 12 characters and include at least three of the following four character groups: English upper case characters (A through Z); English lower case characters (a through z); Numerals (0 through 9); Non-alphabetic characters (such as !,

                          On Impersonation and Delegation

                          An Elvis Impersonator. A couple of my students, Devlin Daley and Bryant Cutler, are doing some work on delegation in OpenID. Kim Cameron has been posting about delegation and that led to some interesting discussions in the lab. First we distinguished between impersonation and delegation. The former is an authentication issue, the second is an authorization issue. Kim's point, and I think fairly made, is that you don't ever want someone other than the entity to whom the identity belongs to authenticate as that identity. Rather, you want the entity (be it a service or human)

                          Where is OpenAttributes?

                          Gunnar Peterson has a thought-provoking post on OpenID and attributes. He quotes heavily from another interesting post on names from Mike Neuenschwander. The idea is that names, without attributes, are not very useful. I agree wholeheartedly with the assertion that we have to get OpenID and other wide-area identities past simple authentication for them to really be useful. Mike says: I understand why from a programmer's perspective, it would be so much more convenient if everybody could simply have one globally unique, unambiguous, resolvable name. But such a quaint design constitutes a wanton disregard for reality. The tech

                          OpenID and XMPP

                          Via Scott Kveton, a link to an OpenID server that uses XMPP authentication (the underlying protocol for Jabber). Fun stuff!

                          Beyond Passwords

                          Hacking CardSpace in the Hi-Fi Lounge. In the session on authentication without passwords (beyond passwords) put, Lisa Dusseault made the assertions (with some help from the room): Existing browsers do not succeed in verifying site identity to users. HTML forms for login considered harmful. Browser-based third-party identity systems habituate the user to redirect to enter their password (task fixation). When you catch someone in the middle of doing something, they will plow through all kinds of barriers to "get the job done." Current password redirection schemes (most of them) redirect users to authenticate. Any password-based system is vulnerable

                          Trusting OpenID

                          We started off the morning, as is our tradition, by building the schedule for the conference. Lots of good sessions were proposed and many I will have to choose between. I love seeing these things come together. I started off the morning at David Recordon and Josh Hoyt's talk on OpenID authentication in the new OpenID 2.0 spec. During a discussion of how OpenID 1.1 works, a good discussion of phishing broke out. Someone asked what's to keep a relying party from purposely misdirecting a user to a site that's spoofing the user's IdP and stealing the user's credentials. David

                          Yahoo!'s BBAuth: Browser Based Authentication

                          Today Yahoo! announced BBAuth or Browser Based Authentication (I found out from Dave Winer). Google has a similar service. Once a user has logged in to Yahoo! (after a redirection from your site) they specifically authorize your application to retrieve certain user data that you've requested. You then get back a token (one hour TTL) that can be used with Yahoo! APIs to get the data. Jeremy Zawodny says that right now only Yahoo! Photos and Yahoo! Mail are supporting BBAuth. Dan Theurer has a post about getting it ready to go. I'd like to use this in the

                          Digital Identity in BC Government

                          Dave Nikolesjsin, CIO, Prov. of British Columbia. Dave Nikolesjsin is the CIO for the Prov. of British Columbia. No less an authority on identity than Dick Hardt has told me that I really had to see what they were doing in identity. So, when I saw that Dave was speaking at DIDW, I knew that was one session I had to attend. Serendipitously, I sat with Dave at breakfast and got a chance to get acquainted. The title of Dave's talk is "Citizen-Centric Identity." He shows a picture with a citizen, in this case a little girl from

                          Jim Harper on Identity

                          Jim Harper is the author of Identity Crisis: How Identification is Overused and Misunderstood. Jim is an analyst at the Cato Institute, a non-profit think tank with Libertarian leanings. Phil Becker introduced him by saying his book was a great introduction to the theory of identification. He uses the discussion of a national ID card to launch into a discussion of identification and its theory. There are serious challenges in identification, and policy makers will do a better job if we do a better job of articulating what identification is, how it works, and why it fails. Surveillance is easier

                          Dresdner Bank, BYU's Partner in Germany

                          Dresdner Bank. In Germany, many of the ATMs were in enclosed vestibules that required a card to enter. Some seemed OK with any bank or credit card, but others apparently needed a specific card (the bank's ATM card, I presume). In Koln, we were in a hurry to get money to catch the train to Munich and the Dresdner Bank was the one closest to the hotel. It is in the latter category: neither my bank card nor my credit card would open the door, even though I was fairly certain that once I was in, either would

                          Separating Authentication and Authorization

                          Yesterday I was talking to Kelly Flanagan, BYU's CIO, about the OpenID-enabled wiki we have for the Internet Identity Workshop. I'd love to see BYU put an OpenID server on top of their directory. That way I could easily have my students authenticating on my wikis and blogs. Of course, BYU has all kinds of APIs for doing this, but I have to use certain development environments, have permission, etc. Solutions like OpenID are much more loosely coupled. Our discussion ultimately got down to the distinction between authentication and authorization. OpenID is a pure authentication system. It doesn't even support

                          OpenID and MediaWiki

                          Ross Mayfield generously donated a wiki for the Internet Identity Workshop and we used it to good effect for the event last October. This time there was some interest in using OpenID (and even Yadis, if possible) to do authentication and it just so happens that Jonathan Daugherty has created an OpenID patch for MediaWiki. With some help from the group at #openid on Freenode, especially Jonathan, I was able to get a patched copy of MediaWiki up and configured to use OpenID. It's now the official Internet Identity Workshop Wiki. Here's what I did to make it all

                          Trusting Google Authentication

                          In an earlier entry, I said: With no fanfare at all, Google has created a universal login for anyone who wants to use it. From Phil Windley's Technometria | Using Google's Universal Authentication Engine, referenced Tue Mar 21 2006 08:22:50 GMT-0700 (MST). Well, not quite. I had a couple of my students, Devlin Daley and Harsh Nagaonkar, spend a little time playing with it. As presently constituted, the token you get back is long-lived and replayable. It's better than giving a third-party site your password, but not much. Anyone with your token can use it to log in

                          Presentation at W3C Workshop

                          The paper Kaliya Hamlin, Aldo Castaneda and I put together for the W3C Workshop on Transparency and Usability of Web Authentication was accepted for presentation. The paper discussed identity rights agreements. W3C has released the draft program. This looks like a really good event. Unfortunately, I've already committed to moderating a panel at the InfoWorld SOA Executive Forum in San Francisco those days and the workshop's in NYC. I'll have to rely on my co-authors to make the presentation.

                          Position Paper at W3C Workshop on Web Authentication

                          Kaliya Hamlin, Aldo Castaneda, and I have had a position paper accepted at the W3C Workshop on Transparency and Usability of Web Authentication. The workshop will be March 15 and 16 in New York. Our paper is Identity Rights Agreements and Provider Reputation. Identity Commons Position Paper. This is probably the most complete discussion of our thinking around identity rights agreements to date.

                          VeriSign's VIP

                          VeriSign has announced a system for better authentication on the Internet that will be supported by eBay, Yahoo! and PayPal. The system uses a USB hardware token. I'm interested to see if people will use it. American Express had a card (I think it was called "Blue") a long time ago that included a smartcard and gave away the readers. People didn't go for it. Maybe if they can get someone to put them in this really cewl wristband, they will.

                          Using Google's Universal Authentication Engine

                          Google's chat service, GTalk, is based on XMPP, the protocol behind Jabber. That's why you can use any Jabber client with GTalk. This has other implications beyond chat clients, however. XMPP has a very capable authentication mechanism built in to serve distributed chat servers, but you can use XMPP authentication for anything. Google has conveniently tied this authentication service to your Google account. That means that you could build an application that lets people log in using their Google account name (what I call GIDs) and password without any prior arrangement with Google. With no fanfare at all, Google has