Identity, security, access control, mashups, and social networking: a perfect storm of chaos that is only growing in complexity. Johannes Ernst from NetMesh led a discussion at Mashup Camp 2 in which a number of identity-related problems were explored:
- Protecting individual data using just a password is low security.
- Identity theft is rampant. There was one participant who cited the uniquely American problem of getting a new credit card using just a name and a social security number.
- Exchanging or updating identity-based data is terribly difficult. It doesn’t seem possible for 500 small API vendors to agree upon a standard single sign-on service. (Say that three times fast!) Also, how does an individual specify what personal data he/she will permit any two partners to share with each other?
- Enabling services fail to take social networks into account.
Vendors need to stop putting out additional independent logins. Even though i-names are ready, the process of adoption has yet to begin. Really - did I need to set up six separate wiki accounts for the six wiki-backed conferences that I've attended in the last few months? I’ve signed up for my i-name, so =christine is ready to go.
Do we need Microsoft or Yahoo! to drive adoption? They didn't do well the first time around. Passport imposed a financial burden upon small businesses when it was launched, since small businesses didn’t have API savvy. That being said, Windows Live ID is entering into a market that’s evolved substantially. Ernst revealed that Microsoft is now considering letting independent vendors use an open version of InfoCard (AKA Windows CardSpace), under the banner of Open Source Identity Selector (OSIS).
The independent identity community is driving a couple of standards-based efforts: OpenID and i-names. Both of these are involved in the creation of an OpenID 2.0. These services will only become available once there is enough demand from both vendors and consumers. Kaliya Hamlin had some encouraging news: Wikipedia is adopting OpenID for their contributor logins. (Disclosure note: Omidyar Network is an investor in Wikia, a related entity.)
As a user, I also have a nagging dumb question: why is a single sign-on service considered more secure than using the same password for all of your accounts, which as consumers we are told to never do? (This is a technical question, not a rhetorical question, so please do comment if you have a straightforward answer.) Let's resolve these issues of identity, and get people educated on what the community has rallied around and why.
Most of the people in the room had a variation on the core problem of how to handle a single user across multiple systems. This doesn't address the user's perspective, however. While vendors may see themselves as independent of each other, the user thinks about experiences more holistically. Standards-setters need to keep this in mind in architecting not only the technology, but also the user experience and the strategy for rollout and adoption.
Tags: christine herron christine.net spacejockeys mashupcamp mashupcamp2 identity security social network technology
My opinion is that if your password becomes compromised then you need to go change it at fifty different sites. In the case of using an Identity Provider, there is one place to change it and with single-sign-out the ability to end all of your sessions with those other fifty sites at once. Additionally, by incorporating two-factor authentication into an IdP, you effectively now have the benefit of it on all fifty of those sites.
Posted by: David Recordon | July 22, 2006 at 12:20 AM
Interesting -- so if you know every system for which that user has a password, and the user's identities on those systems, you can hack the single password more quickly and easily.
Does this imply that it *wouldn't* be less secure if the user had used different sign-on identities, so you couldn't perform the cross-reference?
Posted by: Christine | July 21, 2006 at 01:51 PM
You have raised a great question. Only reason I can think of, is that most of the authentication system has built-in brute force attack aversion system. Now in case you are using same password across multiple sites, the hacker has that many chances available to try to crack the password. While incase of SSO system, since there is one system that can be attacked for the password, hacker has the minimum number of chances to crack before the account that gives access to all other applications will get locked.
Posted by: Shekhar Jha | July 19, 2006 at 06:17 PM
Christine Herron has a good summary of the first identity session at Mashup Camp.
Here's her post. She also has a question ...
Posted by: Johannes Ernst | July 15, 2006 at 12:26 AM