• VeriSign’s Personal Identity Portal (PIP)
• Vidoop
• PassPack

Also here’s a couple articles I ran across in the past couple days on this topic and on these players.  Check ‘em out.

• Two-Factor Authentication For the Rest of Us
• Verisign Launches Competitor to PassPack
• The New PIP
• Verisign’s OpenID Provider Gets an Upgrade

I hope to get some time in a couple weeks to compare and contrast these offerings against each other, what I currently use (RoboForm) and what I want.

Great posts and all of this is marvelous commentary on all that is wrong, what exists but isn’t enough and the remaining challenges, but are the players with the technology and know-how just going to sit by and let something coalesce out of the chaos?  Do they have a choice?  All the big players have a reason to hark back to the MS Passport / Hailstorm days and shiver, but what about the little guys with nothing to lose, but some sleep and VC money? 

Users are aware of the problems and looking for solutions.  One community alone is keeping the virtual shelves bare of even the hated OTP over at the Blizzard store* trying to protect their virtual loot in WoW.  I haven’t been able to order one, though I’ve been checking multiple times a day over the last month. You know from my previous posts, that I have an unnatural hatred of OTPs, yet I’m eager to get one for this very specific, non-single sign-on situation.

Do people really want a digital readout thing-a-ma-bob?  Not even with Blizzard stamped on it.  Do they want to make dang sure that their stuff doesn’t go missing as is happening with great frequency to their friends, even the supposedly security savvy? (no, it hasn’t happened to me <grin>).  Clearly, yes. 

Combine this article with the news today about the various worms running through the Facebook and MySpace communities, wouldn’t we expect these communities to react with the same vigor as the WoW folks?  Sure, there may not be as much virtual goodies to be stolen, but these sites reportedly thrive on something more important… my reputation with my friends and their friends and their… yeah, the social net thing.  However, regardless the supposed Data Portability announcements with some fuzzy commentary of “trusted authentication” among 3rd parties, where are the true security related announcements?   

The majority of these attacks start at the same place and the stories all begin with the same phrase:  “With the compromised credentials, the attacker… [insert virtual violation technique here]“.  As the MythBusters often exclaim whilst smacking their foreheads, “well THERE’s your problem!”.  If Startup X showed up tomorrow and gave users easy to use, very, very difficult to compromise credentials, that worked for even just the top 50% of sites they want security for, would they use it?  That question, along with “what would they pay?” are the two questions I always hear as the discussion killer by the jaded. 

But think how much happier users and vendors would be in the Blizzard Authenticator case if the solution was software based and not bound by the availability of what is apparently a strongly sought after physical item at $6.50 each.  That’s just for one site that 10+ million people care about.  Oh that’s right, those OTPs can’t be purchased outside the U.S. so the number of users keeping these in short supply is well south of 10 million.  Imagine then that your software only solution would truly be available to the global community and with significantly better margins than a physical device.  Getting anyone’s attention yet?

Is authentication enough to really generate strong numbers?  I think that it would, but consider if the credential were of a significantly powerful variety to provide functionality beyond authentication.  Then that brings in both fence-sitters and entirely new groups of users with different security and / or business interests.  Folks, there’s enough technology out there already available (with some about to make an appearance that I’ll chat about here when it is ready for public announcement) to put together a very compelling, game-changing and revenue generating service. 

Before you say, “No one would ever trust a startup / new entrant enough to permit the creation of an uber-powerful identity provider”, remember that is exactly what the banks and their blinder-wearing service providers said while PayPal came in and ate their lunch.  Funny that in the “Goodbye, Passwords” article, PayPal is properly called out as one of the key players in deciding what is and isn’t secure enough in Web 2.0 and beyond.

==========================================================

 * Loading the Blizzard store is still problematic as fans crush it for Blizzcon tickets as of 8/12/08.

• Found a fabulous house we decided we needed to make all best efforts to acquire while the real estate market has everything “for” sale, “on” sale.
• Outbid 2 others that felt nearly as strongly about the house as we did.
• Arrange for financing and all that red tape stuff.
• Prepped our house for sale by clearing out of our basement and other sundry clutter that has gathered over the past 9 years.  This took a disturbing portion of two weeks and completely consumed two weekends ferrying stuff to the curb or to two storage sheds.
• Put our house on the market and praise God, got it under not just one, but two contracts!
• Closed on the new house and spent the past 10 days moving all our stuff across town.  Big thanks to my parents for visiting and helping out!
• Started a new consulting gig on Monday with travel involved.  I’m typing this from the road.

Consequently, my digital lifestyle has been seriously impacted and I’ve (gasp) had to live almost entirely in the real world!  This is actually a bit distressing given how much I was forced to accomplish offline that could have been done more expediently online.  Sure, moving furniture will likely be a real world activity for a long time to come, but there’s certainly a lot that could have been done online.

One bright spot was finding and listing our house.  We found our house along with a dozen or so other candidates via various MLS listing searches.  All of those that walked through our house found us online as well.  That’s where the glory ended.  All the contract negotiating, banking, closing, etc. happened via actual paper and faxes!  I am astounded at the number of fax machines that apparently live and thrive out in the wild.  As frustrating as it was to deal with that fact given I have no fax machine and communicate purely via email, IM and other electronic means, I guess I can understand why these processes continue to be so paper and fax driven.

We continue to suffer without a decent online identity infrastructure!  (You had to see that one coming.)  I dealt with several banks, my realtor agent selling my house and representing me in my purchase, the realtor of those selling the house I wanted to buy, the realtors of those wishing to buy my house and the various closing attorneys.  None of these entities issue credentials online that are of more than marketing value to themselves.  None of them offered any online services to facilitate the routing and signing of the myriad documents that instead were faxed, copied, scanned and dealt with in often barely legible fashion.

This certainly isn’t because such services and technologies exist.  Yet no one has put together the right technology in a properly packaged product that would stand up to the security and usability and trust challenges that I freely admit exist.  OpenID could be a part of such a solution; Information Cards could be a part of such a solution; practical PKI could be a part of such a solution; federation functionality could be a part of such a solution, etc.; etc..  Indeed they all probably should be part of such a solution and I know I’m not the only one that sees that. 

Yet where are the solutions?  Are the potential players, specifications, startups, thought leaders, etc. thinking too big and waiting till they can do it all or; shooting too low and offering up slightly interesting, but not-ready-for-power-apps services?

I have to confess that as closely as I follow and often espouse the value of OpenID, I’m a complete hypocrite as I don’t use it day-to-day. I like OpenID more as a demonstration of what we need than an actual solution to that need. I play with some of the IPs offerings waiting to see if someone is going to offer a secure IP solution with additional security services of real value.That being said, I’ll comment on the three points:

1) I do need “it” with “it” being defined as simple single signon. Today I’m one of those Roboform-aholics using it to fulfill that very real need. However, keeping Roboform or any other thick client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent) retaining my full control and with some solid security.

2) I completely agree, a universal solution is a must and any OpenID IP would be well-served to take into account non-OpenID site support.

3) I don’t trust it and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is to non-critical applications. OpenID is a SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added either as part of a service offering or at another protocol layer over which OpenID travels.

Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…

The paragraph that raised my ire and prompted this post is:

A third of those surveyed by Which? said money had been fraudulently taken from their credit card or bank account. However the “vast majority” got all the stolen money back. The consumer group says this seems to suggest that ID theft insurance is “unnecessary for most people”.

At first reading I blamed the journalist for being a moron, then realized they were just channeling the stupidity of the “consumer group” representative.  Since when is my money my identity?  I have long said that I’d much rather a crook get into my account of whatever type and run up $3,000 worth of fun for themselves.  There’s lots of protections for me to get my money back, but even if there weren’t I’d much rather be out $3,000 than have that same crook steal enough identity data to go open brand new accounts with my name on them.  In the first theft, I’m out $3,000.  In the second theft, I’m out lots and lots of money, hours, sleep with lawyers involved, etc.  I’ve experienced the stolen card number case and really, that has been completely painless (thanks AmEx).  I definitely fear having my identity misappropriated (can’t really steal it, just abuse the heck out of it) and having my credit ruined with all the subsequent pains that follow.

It is completely irrational to state that because banks protect their users by reimbursing them for fraudulent account use that users shouldn’t protect themselves from a significantly higher impact theft with equally significant costs.

These thoughts hit me as I was reading this article “When discs go the way of disco“, by John Murrell over at SiliconValley.com and it also brought to my mind why I haven’t yet bought a BluRay player (i.e. a PS3) or really gotten crazy on buying HD discs.  I did buy a HD-DVD player attachment to my Xbox 360 and bought roughly 8 discs in the excitement before I realized just how much the same movies on the same physical media (plastic disc) were costing me over and above regular DVDs.

I’ll admit that over the DVD years I have accumulated quite a collection of DVDs ranging from movies to TV shows.  I’d bet that my average price for those has fallen drastically to $10 or maybe even a little under.  I keep my eye out for good old movies and shows on special and am a huge fan of the $4.99 special.  Consequently, when I reached for that 9th or 10th HD-DVD at $24.99+ I balked and all purchases ceased and just as well as HD-DVD took a bullet to the brain-pan in the interim.  However, I’m not all that interested in jumping on the BluRay bandwagon yet.

This certainly isn’t because there is no difference between a DVD and HD disc, there absolutely, definitely is.  I purchased the most recent Harry Potter disc last fall which has DVD on one side and HD-DVD on the other.  I accidentally started watching the regular DVD side and was very disappointed until I realized my mistake and the difference was remarkable.  Remarkable enough to pay a premium for?  Yes, but not a 60+% difference and certainly not for BluRay which is still adding features that HD-DVD has had all along.

Since I am a HD snob at this point, instead of buying discs, we’ve been recording HD versions of movies via PPV via DirecTV or via Xbox Live.  I don’t get the “extras”, but really the extras on most movies anymore are really not interesting.  Commentaries anymore seem to be more about the movie makers getting together and getting caught up with each other than providing any in-depth discussion of the content of their film.  Of course this may be due to the fact that there really hasn’t been much in the way of great films for the last couple years…  Sorry, back on topic.  Consequently, for me the economics of spending $4.99 for a HD movie that I can watch whenever I want and repeatedly, but without owning physical media seems like a bargain compared to owning physical media of a movie I’ll probably not watch all that often after a couple years of its release for $24.99.  Besides in a couple years BluRay discs will be back down to the $14.99 level with bargain discs beginning to appear.  Maybe then, the economic calculation will change again, but then again I have over 2TB of storage on my network already so…

“Spock users have flagged and deleted a picture which you contributed to Tim Renshaw’s search result. Flagging and deletion occurs for a number of reasons. Sometimes it is because information is factually incorrect, sometimes it is because contributions are inappropriate. For more information please visit our community guidelines.”

I have reviewed the community guidelines and am not sure why my picture was removed.  It was not a picture involving nudity, it was not copyrighted (indeed Blizzard is quite happy too have me promote World of Warcraft by spreading my in-game image hither and yon) and is indeed a picture of me that many of my friends will know as me.  The “me” is from an online game, actually the online game / community World of Warcraft, through which I have met many people and this picture is the only “me” they have ever seen.

I suggest that Spock review their own community guidelines to ascertain what they are going to define as “me” and “my identity”.  This will of course have non-trivial impacts on what reputation of “mine” they are defining.  If the site is only going to work on purely “real me” identities, that’s fine, but I believe that really sells the site’s reputation possibilities short.  Reputation matters a great deal to me in virtual spaces.  One of the core ideas behind forming Clans and Guilds in virtual worlds is around the idea of reputation.  Anyone who has put on a headset and ventured into Halo on Xbox 360 knows that you don’t want to just hang out and play with just any schlub online.

I continue to watch Spock with a level of interest, but I don’t believe their allowing themselves enough breadth and interconnectivity to all that defines “me” online such that my reputation can really be meaningful across all the various entities representing me online.

Saw this article on a super smart guy researching whether or not Abraham Lincoln may have suffered from a rare disease.  The part that got me going was the opening sentence, “Did John Wilkes Booth shoot a dying man?”.  Wouldn’t it have been actually more newsworthy if John Wilkes Booth had shot a non-dying man?  Is everyone else in on some piece of history I missed, principally that in some way Lincoln was otherwise immortal except for Mr. Booth’s magic bullet?

That said, would this have been the same magic bullet that ricocheted around so devastatingly through JFK’s limo in Dallas?  Was the bullet also silver?  Were Lincoln and JFK related by the fact they were secretly werewolves or some other such immortal creature with an Achilles heel weakness to magic bullets?

This would be a fun book / screenplay / comic to write.  Could write it into the Underworld universe for the next movie, which might then actually be interesting, or just take it into a stand-alone fictional effort.  Unless of course it isn’t fictional and Lincoln wasn’t in fact dying when Booth shot him, but would have lived forever which would have been cool, cuz I’d still vote for him.

Make a great day, I gotta get back to work.

Originally published April 14, 2008

I’ll be networking as I pursue several avenues of opportunities for my “next gig”.  Good news is that there is a lot going on and I’m really looking forward to linking up with friends, old and new.

The main non-networking item I’m interested in at the show is the OSIS Identity Interop.  There’s a lot of buzz in the identity space and I’m anxious to see what the reality of the situation is with real vendors, real products and real useful applications and use cases.  So far, I read a lot of good ideas, see a lot of work being done in various efforts around specs, protocols, etc., but haven’t seen any services or implementations that make me exclaim, “aHA! There’s something useful and secure, I’ll trust my online life to THAT!”.

Given that, you can imagine that my main focus as I examine my “next gig” options, is how to participate in the creation of exactly that service or application.  I believe all the pieces exist already today to put in place and create a revolutionary service, but all I see are the most timid steps forward.  This doesn’t mean that something won’t be announced at the show this week and I certainly hope it is and that we all can be using it by the end of next week!

Leave me a comment here or email me if you’d like to get together at the show and kick around some ideas or just grab an adult beverage <grin>.

Originally published April 4, 2008