
 

This is a bit of a follow-up to my earlier post “Google+ Primarily an Identity Service?”, though the posts linked here elevate the topic to a more serious level than I did in that post, which was purely from a simple end-user perspective.  From a professional, where’s-online-identity-going standpoint, this is a very interesting touchpoint, and Doc Searls puts it in great historical and technological perspective in his post, Circling Around Your Wallet.  The ultimate online battle for the ultimate killer app is… you.  This means your identity, in whatever guise identity ends up being defined as, which means who defines it matters.  Hailstorm / Passport from Microsoft was dead on launch because no one wanted to trust such a definition and the resultant architecture to come from MS.  As I finished up my last post on this topic, it comes down to trust.

Do we trust Google to get this definition and resultant architecture right?  Just because they have the self-aggrandizing motto “do no harm”, that just isn’t possible once you get to where they and a few others have gotten, where a lot of what you do will inevitably harm some community.  Clearly, there are use cases where using a real name will be actually dangerous to you in the real world.  Google, by taking this stand, indicates, “accept risk or get lost”.  Certainly, their product, their right.

However, do we trust Google, or any other entity to be in a position to enforce their idea of accountability?  Hear Eric Schmidt’s own words:

“If we knew that it was a real person, then we could sort of hold them accountable, we could check them, we could give them things, we could you know bill them, you know we could have credit cards and so forth and so on.”

“There are people who do really really evil and wrong things on the Internet, and it would be useful if we had strong identity so we could weed them out.”

Meg Worley, in her post say no to the meat wallet, rightly calls out the word “accountability” as “one of the darkest words in the English language”.  Combine accountable with “we could weed them out” and you don’t have to be too big a conspiracy theorist to get a bit of a shiver down your spine.  Apparently, Google, with their real names policy, has decided to preemptively weed out those that don’t fit the definition of “you” they see as best commoditized in their business model.

To many, this all sounds like a lot of furor over nothing and an attempt to over-intellectualize the issue, but there is a lot at stake here.  Bonnie Nadri does a good job highlighting the real practical issues we should all be thinking about now.

Only the players have changed since the early 2000s when MS made their bid.  Now it’s Google and Facebook and others.  The real point is that one of the players hasn’t changed and isn’t going to change, and that’s YOU.  Yep, the you that does and should define you in the real world and the virtual and anywhere they intersect.

 

The Google+ Identity Service Project – Search Engine Watch #SEW.

I’ve seen the quote from Eric Schmidt all over the place and I can’t take any issue with Eric’s stated intentions and motivations, as they are whatever he says they are and I’m happy to believe him.  However, I can certainly chuckle about the reality.  It is exactly the same chuckle I had about the supposed user community kerfuffle around the “real name” related banning.

What kind of name could you put up that would get noticed and banned?  If you are John Smith and don’t want to go by John Smith, then pick something else that looks even remotely reasonable.  Kiqnaz Taiknaims?  Sounds good.  I just registered that at Gmail and invited Kiqnaz to G+ from one of my 4 G+ accounts.  It will be interesting to see if Google ever flags that “identity” as un-“real”.

Yes, you read that right, I have 4 G+ accounts and while I do have one in my real name, I don’t post there and don’t foresee really ever doing so.  I post under the same name I’ve used on the internet for over a decade.  There are people that only know me as Hahleq, so why shouldn’t it be considered a “real name”?  I have used it a lot and for a long time such that online it has as much or more reputation as my “real name”.  What the reputation is of course, is up for others to decide and therein lies the point I’m getting to much slower and more painfully than I’d like.

Your identity is not your username, real name or not.  Your identity isn’t your username and password.  Your identity is a combination of the following:  an identifier (username, screen name, email address, etc.) and data linked to that identifier.  This data comes in many forms.

  • Sometimes the data may be contextual: john.smith@myco.com indicates a certain level of data, given that not just anyone can get a corporate address, that if I hit the user directory I can get some more info on this person, and that if he’s hassling me I can get it addressed with Human Resources.
  • The data may be tied into reputation, such as at eBay or Amazon given the ratings of various buyers and sellers.  The reputation may be 1:1 given your interaction with the person via email or chat.
  • Insert your examples here…

The data, at the end of the day, always comes down to trust.  Do you trust that your company controls issuing email addresses?  Do you trust that eBay and Amazon police their communities and prevent reputation inflation cheats?  Do you trust that the John Smith on Google+ ostensibly living in your hometown is the John Smith you went to high school with?  If so, what data did it take to earn your trust?  If you run across a blog written by Mr. Kiqnaz Taiknaims and find the content valuable, will you really care if that is his real name?  If he buys your used tablet on eBay and the payment clears, will you care?

Exactly.

 

Why Facebook and Google’s Concept of ‘Real Names’ Is Revolutionary – Alexis Madrigal – Technology – The Atlantic.

Well worth reading and definitely lays out many of my thoughts and rationale for being against “real names”.  I’ve held this position since day 1 on the internet and am glad that this gent, Alexis was able to work through all the politically correct hype and come to his own rationale.

What do you think?

 

Peter Thiel: If I’d Known, I Would Never Have Started PayPal.

Interesting to note that the reason Peter and company were able to grab this space for themselves was precisely because the existing payment companies (one of which I worked for at the time) did know what was involved and purposely stayed on the sidelines.  I was hugely critical of my employer’s decision to sit out and even pass on purchasing PayPal when they had the opportunity.  Seems to me that 1.5 billion would cover a fair amount of pain.

I also think it is hysterical to hear that Peter thinks Facebook is a place where people use their real identities.  I have lost track of the number of Facebook pages I have, and only one has my actual name on it, and it is the one I use least.  PayPal has a much stronger claim to know real identities than Facebook.  To use PayPal you have to provide some type of payment account and prove control of that account.  Perfect? No.  Fraud ridden? Yes, and Peter and Max would know.  Better than making up a name and getting a free email account to tie it to?  Absolutely!

Given this, I never understood why PayPal never tried to turn their accounts into an online identity play.  Tie PayPal payment instrument identity to eBay reputation and you’ve got a huge leg up on anyone else out there in terms of reach and utility in facilitating transactions and that elusive element on the web… trust.

 

Keep My Opt-Outs

Just so you don’t even have to search for it :-)

 

Web browser makers developing new tools to protect privacy – SiliconValley.com.

Excerpt of interest:

Google’s new tool — called Keep My Opt-Outs — would preserve consumers’ tracking choices even when they delete their browser’s cookies. The tool comes in the form of a browser plug-in — a mini-program that consumers can download and add to their Web browser to give it more functions.

For now, the plug-in works only with Google’s Chrome browser, which is used by a small fraction of the Internet population. But Google officials said they are working on plug-ins for other browsers as well.

The plug-in works in conjunction with an opt-out website put together by the National Advertising Initiative. Although the site includes major advertisers such as Google, Yahoo and Microsoft, it doesn’t represent the entire online advertising industry. So consumers can’t use the site and Google’s plug-in to block all online tracking.

 

Product Watch: New Microsoft Identity Technology Aims To Protect Online Privacy – DarkReading.

All the way back from March.  Can’t believe I missed this for so long.

 

Consumers Accept Device Fingerprinting, Study Finds — InformationWeek.

Much as I’d like to say that consumers aren’t so much against “working for” strong authentication as they are recognizing that KBA isn’t actually providing any security, at least the results are the same.  KBA is being rejected.  KBA doesn’t even protect against phishing and is just another set of hard-to-remember and hard-to-manage passwords.

I still contend that users will definitely work for and even pay for strong authentication if they believe it is effective and if they believe what they are protecting has value to them.  Why should I worry about my credit card being compromised when I know my liability is limited to $50 or some such manageable number?  Heck, my credit card has been stolen a couple of times via physical POS situations and it has never cost me any out-of-pocket money, at worst a couple of minutes on the phone with my credit card company.  Of course, it does cost me something, as the losses to merchants and banks end up reflected back to me in increased fees, rates, etc., but all that disappears into the great “cost of doing business” economic effect.

Which then brings up the question as to why financial institutions, merchants, etc. aren’t looking to reduce their costs and increase their margins by offering strong authentication to:

  • Give themselves a competitive edge over their competitors on margin
  • Give themselves a competitive edge in customer loyalty by taking better care of their customers
  • Offer price breaks and other incentives for customers that use offered strong authentication mechanisms

One of the online communities I spend time in has actually begun to self-regulate along the lines of those that use strong authentication and those that don’t.  Want to participate with a group in that community?  You have to use the strong authentication offered in the context of that community.  You don’t have to, but if you don’t you are precluded from interactions with the “better elements” of that community.

Just something to consider.

 

I’ve taken a lot of questions lately on the topic of KBA.  KBA (Knowledge Based Authentication) is a general term that covers several types of scenarios where users are asked a set of questions to verify their identity for situations where there isn’t another credential available to authenticate the user.  There are various cases where this is used:

  1. A user you don’t know.
  2. A user you do know.

The user you don’t know

Typically this is when a user shows up to register for service and likely will end up with an authentication credential at the end of the process, which they will use going forward to authenticate themselves.  KBA is generally used in this case to prove or establish the identity of the user and again, generally for services where the user’s true identity really matters because of regulations or other legal “know your customer” types of strictures.

The user you do know

This is the situation where a registered user, who does have a valid credential / identity with you, for some reason isn’t able to use that authentication mechanism to log in.  Typical use cases are when the user is unable to log in with their proper credential for one of the following reasons:

  • User has forgotten their password.
  • User does not have access to their second (or third) factor in a strong authentication situation.  Anyone who has needed to login when they didn’t have their hardware (OTP token, hardware smartcard) or software token (cookie, software token, software smartcard) has at one time or another encountered this scenario.

Types of KBA

There are three methods of accomplishing KBA.

  1. Questions the user knows, but you do not.  Generally speaking, these Q&A pairs are obtained via services that utilize public or semi-public data sources to ask questions about a user.  These questions can take a wide range of forms and are often referred to as “out of wallet” questions, as they are questions that couldn’t be answered by a thief who has stolen a user’s wallet.
    • Provide the address where the user lived during a range of dates.
    • Provide the amount of a recurring payment (mortgage, car, etc.)
    • Provide the proper relationship (spouse, father, sibling, etc.) the user has with a named person.
    • Other questions that can be directly or indirectly built from public and semi-public information.
  2. Questions both the user and you know because of a prior existing relationship outside the online channel.  These Q&A pairs are derived from information you have about the user from a relationship you have with them outside the online relationship.  This can take any number of forms, but the typical scenarios most are familiar with are:
    • Amount of last transaction
    • Account number used to make transactions
    • Other information you have that the valid user should know or be able to readily obtain.
  3. Questions you and the user both know because the question / answer pairs were set up as part of the online relationship.  These Q&A pairs are either previously arranged (consequently often referred to as “static KBA”), usually at registration, or something set up post-registration as part of the user’s profile specifically to help the user authenticate themselves when there is an issue using their normal authentication credential.

Clearly, KBA Type #1 is great to use for those users you don’t know and want to identify as being exactly the person they claim to be.  If you are setting up an online relationship from scratch, don’t have any prior basis upon which to “know your customer”, need to know that John Smith is the John Smith at 123 Main St., Somewhere, Ohio, U.S.A., and want to do this all online, then this is a good way to go about it.  There are a fair number of services that provide exactly this function, generally used at registration or initial provisioning of login credentials.  One of the main considerations to bear in mind when shopping for these services is how well they structure the questions such that the legitimate user can answer them and an attacker can’t obtain the answers from publicly available sources or guess them.  This can be harder than it sounds, as balancing the increased security of this type of KBA vs. static KBA against keeping the questions from frustrating and confusing end users is a tricky proposition.

This isn’t to say that KBA Type #1 can’t be used for other use cases such as self-service forgotten password resets or “step-up” authentication or other secondary authentication use cases.  It can be used for those as well, but may be a higher cost type of transaction than using either KBA Type #2 or #3. 

KBA Type #2 is a lower cost option when having an existing customer you know sign up online for services.  This can also be used for other use cases, though asking questions that aren’t too readily guessable or aren’t reused too often can be difficult depending on the amount of variable, private or semi-private information you have on your customers.  For instance, my mobile phone bill doesn’t vary that much month to month and the people I call are probably pretty easy to guess for anyone willing to spend a bit of time researching me, so those types of questions wouldn’t serve very well.

Which brings us to KBA Type #3.  All of us that participate in much of anything online are familiar with this one.  You set up an account and at registration are asked to set up one or more questions to be asked for any number of reasons, including:

  • Self-service “forgot your password?” scenarios
  • Various renditions of “We don’t recognize you having used this computer”, “We want to verify your identity”, “Reset your <proprietarily named security “token”>”.  This occurs when you are logging in from a device the site doesn’t recognize, or you or your anti-virus / anti-malware software deleted your cookies, such that the authenticating site wants to make sure you aren’t an imposter.
  • Step-up authentication.   You attempt some transaction or behavior deemed “risky” by the site, so again, they want to ensure you aren’t an imposter.

You usually get to pick from a list of drop down questions and in some cases even can write your own questions.  This is popular since it is inexpensive as there is no service provider to pay and reduces the number of help desk calls for high frequency events, such as “I forgot my password”. 

There are a couple drawbacks.

  • You don’t want to have users setup questions that are easily guessed or readily discovered (mother’s maiden name) or for which the set of answers is small (many people have the favorite color blue).
  • Users don’t remember answers to less obvious questions, fail the step and call the help desk anyway.
  • However simple you try to make it by keeping the number of questions low, and even with complicated questions, the entire scenario of static KBA is prone to phishing and guessing attacks.  After all, KBA Type #3 (aka “static KBA”) is just another single-factor, something-you-know shared secret, i.e. a “password”.
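Since static KBA is, as the list above says, just another shared secret, the least a site can do is handle it like a password.  The following Python sketch is an added example (my own code, not code from this blog or from any vendor mentioned here): it rejects questions whose answer set is small or whose answers are publicly discoverable, normalizes answers so that “Rex” and “rex ” match, stores only a salted PBKDF2 hash, and locks the question after a handful of wrong guesses so that a guessing attack has to move to a stronger recovery channel.  The question list, the answer-space numbers and the thresholds are constructed placeholders for illustration, not measured data or anyone’s published policy.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed estimates of how many distinct answers each question really has.
# A real deployment would measure this from its own answer distribution.
ANSWER_SPACE_ESTIMATE = {
    "What is your favorite color?": 20,
    "What is your mother's maiden name?": 100_000,
    "What was the name of your first pet?": 5_000,
    "What was the street name of your childhood home?": 50_000,
}
# Questions whose answers are readily found in public records or social media
# (mother's maiden name is the classic case). Constructed list for illustration.
PUBLICLY_DISCOVERABLE = {"What is your mother's maiden name?"}

MIN_ANSWER_SPACE = 1_000      # assumed policy threshold
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
PBKDF2_ROUNDS = 100_000       # assumed work factor


def question_is_acceptable(question: str) -> bool:
    """Reject questions with a small answer set or publicly discoverable answers."""
    if question in PUBLICLY_DISCOVERABLE:
        return False
    return ANSWER_SPACE_ESTIMATE.get(question, 0) >= MIN_ANSWER_SPACE


def normalize_answer(answer: str) -> str:
    """Case, whitespace and punctuation carry no secret, so strip them before
    hashing; otherwise legitimate users fail on 'Rex' vs 'rex '."""
    return re.sub(r"[\W_]+", "", answer.casefold())


@dataclass
class StoredAnswer:
    question: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll(question: str, answer: str) -> StoredAnswer:
    """Store the answer the way a password is stored: salted, slow-hashed, never in clear."""
    if not question_is_acceptable(question):
        raise ValueError(f"rejected weak security question: {question!r}")
    salt = secrets.token_bytes(16)
    return StoredAnswer(question, salt, _digest(answer, salt))


def is_locked(stored: StoredAnswer) -> bool:
    return stored.failed_attempts >= MAX_FAILED_ATTEMPTS


def verify(stored: StoredAnswer, candidate: str) -> bool:
    """Constant-time comparison plus a lockout counter, so the small answer set
    of a weak question cannot simply be iterated against the endpoint."""
    if is_locked(stored):
        return False  # caller should route the user to a stronger recovery channel
    if hmac.compare_digest(_digest(candidate, stored.salt), stored.digest):
        stored.failed_attempts = 0
        return True
    stored.failed_attempts += 1
    return False


if __name__ == "__main__":
    record = enroll("What was the name of your first pet?", "Rex")
    print(verify(record, " rex "))   # True: normalization makes these match
    print(verify(record, "fido"))    # False: wrong answer, counter increments
```

The lockout is the part that matters most for the “small set of answers” drawback: without it, hashing the answer buys nothing, because the whole answer set can be tried online.  The same reasoning says a locked question should fail over to an out-of-band channel rather than to a second static question.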

There have been an increasing number of news items about the compromise of politicians, celebrities and even services being “owned” via KBA compromise.  Which brings me back to the beginning of this article and why I am hearing so many questions and such confusion over the issue of KBA. 

Folks want to know:

  • What are the best questions to ask?
  • How many questions should I ask?
  • Do I provide questions or let the user pick their own?
  • Should I use static / Type #3 KBA at all or go with Type #1 KBA for all use cases?

These are tough questions to answer in the face of KBA’s growing list of failures.  Mark Diodati over at Burton Group has written a ton on the issues of KBA and in a May 29th article states what my personal opinion is with regard to KBA:  “Can We Finally Commit to the End of Knowledge-Based Authentication?”.

Yahoo and Google, who in the last year have both had high-profile users in the news with compromised accounts because of hacked KBA, have apparently decided that KBA needs help.  They are both offering the ability for end-users to use their mobile phones instead of KBA for resetting passwords and I hope for any other secondary authentication opportunities that may arise in the use of their services.

Yahoo’s wording is:  “Having your mobile number will help future password reset attempts.”  I thought for sure I had a security question set up on Yahoo, but now can’t find it anywhere.  My test drive of their forgotten password procedure tonight shows that my phone is the default, or I can pick a non-Yahoo email to use for the ID verification step.  No security question offered.  I don’t know how much they are promoting this yet, but hopefully a lot and soon.

Google’s Account settings page lists email, SMS to your phone and a security question as options for password recovery.  When I ran my test there tonight I was advised that an email and an SMS phone message had been sent to assist me in recovering my password, and a link for each was provided so I could pick which I wanted to use.  While Google does still have a security question and answer, that can’t be used until my account has been idle for 24 hours.  Interesting compromise.

Which brings me to the title of this article, “Trend in KBA?”.  If Google and Yahoo are moving away from KBA (static, Type #3 KBA to be exact), shouldn’t those for whom reputation is even more important consider doing so?  I know this is a battle that till now has been dominated by the business and bean-counter side of the organization, while the security folks get ignored as usual as unrealistic and alarmist.  Time to listen to the security folks and dump KBA.
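As an added example (again my own code, not Google’s or Yahoo’s), here is the recovery-channel policy described above written out in Python: phone and email come first, the static security question is offered only once the account has been idle for 24 hours, and the out-of-band channels deliver a short-lived, single-use code.  The 24-hour idle rule is the behaviour described above; the ten-minute code lifetime, the six-digit code length, the reference time and the sample account are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SECURITY_QUESTION_IDLE = timedelta(hours=24)   # the rule described above
CODE_LIFETIME = timedelta(minutes=10)          # assumed, not from either service
CODE_DIGITS = 6                                # assumed
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Account:
    verified_phone: Optional[str]
    recovery_email: Optional[str]
    has_security_question: bool
    last_active: datetime


@dataclass
class PendingCode:
    channel: str
    code: str
    expires_at: datetime
    used: bool = False


def recovery_channels(account: Account, now: datetime) -> List[str]:
    """Out-of-band channels first; the static question only for an idle account."""
    channels = []
    if account.verified_phone:
        channels.append("sms")
    if account.recovery_email:
        channels.append("email")
    if account.has_security_question and now - account.last_active >= SECURITY_QUESTION_IDLE:
        channels.append("security_question")
    return channels


def issue_code(account: Account, channel: str, now: datetime) -> PendingCode:
    """Generate a short-lived one-time code for an allowed out-of-band channel.
    Actually sending the SMS or email is outside this example."""
    if channel not in ("sms", "email") or channel not in recovery_channels(account, now):
        raise ValueError(f"channel {channel!r} not available for this account")
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return PendingCode(channel, code, now + CODE_LIFETIME)


def redeem_code(pending: PendingCode, submitted: str, now: datetime) -> bool:
    """Single use, time-limited, constant-time comparison."""
    if pending.used or now > pending.expires_at:
        return False
    if not secrets.compare_digest(pending.code, submitted):
        return False
    pending.used = True
    return True


def sample_account(idle_hours: float, phone: bool = True,
                   email: bool = True, question: bool = True) -> Account:
    """Constructed account for demonstration; values are placeholders."""
    return Account(
        "+1-555-0100" if phone else None,
        "backup@example.com" if email else None,
        question,
        NOW - timedelta(hours=idle_hours),
    )


def later(minutes: int) -> datetime:
    return NOW + timedelta(minutes=minutes)


if __name__ == "__main__":
    active = sample_account(idle_hours=1)
    print(recovery_channels(active, NOW))       # ['sms', 'email']
    idle = sample_account(idle_hours=25)
    print(recovery_channels(idle, NOW))         # ['sms', 'email', 'security_question']
    pending = issue_code(active, "sms", NOW)
    print(redeem_code(pending, pending.code, NOW))   # True, then False if retried
```

The point of the idle gate is that an account owner who is still logging in has a live session and a phone or email to prove possession with, so the weakest channel is withheld from exactly the window in which a hijacker would most like to use it.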

 

TriCipher, Persistent Systems unveil secure single sign-on to Oracle Siebel CRM – Middleware : News.

© 2012 Who is Hahleq? Suffusion theme by Sayontan Sinha