Implications of OpenID - Google Tech Talk
July 10, 2007 | Leave a Comment
The embedded video comes from a Google Tech Talk given by Simon Willison.
From the abstract:
Simon Willison: OpenID is an emerging standard that provides simple, decentralised authentication for the Web. OpenID follows the Unix philosophy, solving one small problem rather than attempting to tackle the many larger challenges posed by online identity. This talk will explore the implications of OpenID, and explore the best practices required to take advantage of this new technology while avoiding the potential pitfalls.
Tags: authentication, decentralized, google, google tech talks, identity, identity management, open id, openid, password, passwords, simon willison, standard, unix, willison
US Federal E-Authentication and Higher Education
March 28, 2007 | Leave a Comment
The United States federal government has been working on an E-Authentication project actively since 2003 in response to the E-Government Act of 2002. Movement has been slow, but there are many federal agencies now leveraging this infrastructure in a federated manner. For more details about the initiative, there is the publicly available Burton Group Report on the Federal E-Authentication Initiative. For an updated view see the GCN article, E-Authentication maps out its future.
Since then, there has been work to bridge both Liberty Alliance and Shibboleth-based federations with the e-Government services. Involvement also extends to the Post Secondary Electronic Standards Council (PESC), which is working with all these organizations to assure higher education is appropriately represented. Certainly NSF Fastlane and Federal Student Aid (FAFSA) seem like the most obvious first candidates to work with higher education institutions.
With all the activity surrounding the federal government deploying these services in a federated method, institutions should definitely be getting their internal infrastructure in place to support and interoperate with one of the major federations (InCommon, eGovernment, etc.).
Tags: "liberty alliance", act, authentication, burton group, e-authentication, eauth, eauthentication, egovernment, fafsa, fastlane, federal, federated, federation, financial aid, gcn, government, higher education, identity, identity management, idm, incommon, initiative, liberty, pesc, pki, shibboleth
Cops Need My SSN Why?
June 26, 2006 | Leave a Comment

I was recently awoken in the middle of the night to a huge crash. A drunken guy had driven full speed into a group of trees across the street from my house. I was the first on the scene, the first to interact with the driver. When it came time for me to give a report to the police, there was a short form for me to fill out.
On the form was a field for SSN. I opted to leave this blank. When I gave the completed form to the officer, he gave me trouble about omitting the SSN. I offered to provide my driver's license number, but refused to give my SSN.
When he pressured me further, I told him he had no legal right to require my SSN in this situation. He pleaded further, getting increasingly annoyed with me. Luckily I was within my house, within my rights and confident with both. He eventually left, and I maintained the security of this piece of information.
How many others would have? How often do these gestapo techniques work on the uninformed public? I fear they get most SSNs, store them insecurely, and never think much about it.
We need more education in the general public about privacy and identity theft. If Bush can use fear tactics to steal our personal freedoms and privacy, can’t we fear the public into standing up and protecting these things?
Tags: accident, cop, cops, identity, identity management, police, ssn
Disney Biometrics
April 9, 2006 | 6 Comments

One of the oddest things I saw this year while at SunGard Higher Education’s Summit 2006 was the biometric finger scanners they now use at Disney. Yes, you read that right, Disney is now using biometrics to help crack down on people sharing multi-day passes and other gate fraud. Disney softens this fairly invasive technology by branding it “ticket tag”.

While there I asked the gate keeper what the machine actually does. He explained that the dimensions of your fingers are measured, and the first time this data is encoded on the magnetic stripe on the back of the card. On each subsequent visit, a new measurement is compared against what is on the card. He then assured me that the data is not stored in a central Disney database. Still a bit curious, I asked about reliability. He informed me that they get their fair share of failed scans, especially on people with arthritis or other conditions which can cause a variation in someone’s finger dimensions.
I found this description on how you use the machine:
You insert your pass into the park entrance turnstile just like everyone else. After you have inserted your pass, you put your index and middle fingers into the scanner located atop the turnstile. Once your fingers are inside the scanner, you will feel two small rubber knobs. Place your fingers so that the rubber knob is between the index finger and the middle finger. *LIGHTLY* bring them together so they touch the rubber knob and push your hand all the way in so the web part between your index and middle fingers touches the small plastic spindle at the very front. Do not squeeze the rubber knob tight.
A quick blurb about how finger geometry works:
finger or hand scanning systems capture the physical, geometric characteristics of an individual’s hand – with most systems having the capacity to do so in less than a second. From these measurements, a profile or “template” is constructed which will be used to compare against subsequent readings by the user.
It is important to note this is not fingerprinting. I think in many ways it is similarly invasive, and if Disney is in fact storing and cataloging all this data it is far scarier than the police having your fingerprints. I was very surprised how few people seem to ask the gate attendants what is going on. Everyone accepts this as a necessary act for entering the park. If this does bother you, you can refuse and show an ID card instead. I’d be curious how many people do… I bet it is less than .01%.
Also of interest are these further discussions:
Mickey Prints
Biometrics at the Disney Gates
Tags: biometrics, disney, disney world, finger geometry, identity, security, ticket tag, walt disney
See More Dick
March 21, 2006 | 16 Comments
Dick Hardt recently published a video of his newest presentation titled “Who is the Dick on your site?” This video is from his talk at ETech and was apparently the first time he gave it. Therefore, it lacked a lot of the polish of his previous talk on Identity 2.0.
He talks about a pile of technologies like OpenID and Passport, explaining with great graphics how many of these work, and then basically tries to sell us on sxore. I’ve yet to dig deeply and truly try sxore out, but intend on doing so within the week. For now, I set up my account there and have installed the Wordpress plugin. Check back for more on that later.
Update/Warning: If you are running a recent version of bsuite with database driven tags (currently in private alpha release), do not install sxore. Something is incompatible in the installer and will cause all your tags to be deleted.
Tags: bsuite, Dick Hardt, identity, identity management, identity20, openid, passport, sxip, sxore, wordpress
Leveraging Varying Level of Assurance
March 9, 2006 | 2 Comments
In higher education we all seem to struggle, at least a bit, with coupling together our many varied web services and applications. Part of the difficulty I see is the varied needs for how secure each of the services we deliver need to be.
A common reaction to this is to lock things down tightly, requiring your users to reauthenticate on a regular basis to access even the most trivial of services. In this situation users feel encumbered by the security and are less satisfied using these services. Face it, who doesn’t love sites that know who we are and let us do the things we expect when we go back? (e.g. Wordpress, Gmail, Flickr, Amazon, etc.)
For the purposes of this article, I am defining level of assurance as how sure we are that the user on the other end of the browser is who we think they are.
I imagine an ideal situation where we identify a required level of assurance for each service, then check against an appropriate indicator.
A preliminary structure for varying levels of assurance:
| LOA | Who/How? | Example Services |
|---|---|---|
| Level 0 | Anonymous | Homepage, various public facing pages, etc. |
| Level 1 | Long term cookie | Targeted Announcements, News Reader, Personalized Content, Bookmarks, etc. |
| Level 2 | Active browser session or desktop domain login | Email, Learning Management System, Calendar, Groups Tool, etc. |
| Level 3 | 30 minute session | Financial Information, Grades, Address Information, etc. |
| Level 4 | Every usage | Password change, others? |
In this scenario, users would be asked for credentials less frequently for less secure needs. This in turn encourages them to use many of these types of applications more frequently. In those less secure applications, “ticklers” can be placed encouraging them to register for classes, update address information, or check in on classes in the learning management system all as appropriate. This allows us to draw users into the more secure areas just like Amazon draws us into making a purchase, but always allows us to place things in our shopping cart.
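The decision the table implies, as an added example that is not part of the original post: the server computes the highest assurance level the browser's current state supports, compares it with the level the requested service requires, and only prompts for credentials when there is a gap (step-up), with Level 4 always prompting. The service names, the 30-minute window as the Level 3 indicator, the `AuthState` fields and the clock values are assumptions constructed to follow the table; a real deployment would take the service-to-level mapping from configuration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Required level of assurance per service. Constructed examples that follow the
# table in the post; a real deployment would load this from configuration.
SERVICE_LOA = {
    "homepage": 0,          # Level 0: anonymous
    "news_reader": 1,       # Level 1: a long-term cookie is enough
    "email": 2,             # Level 2: active browser session or domain login
    "grades": 3,            # Level 3: credentials checked within 30 minutes
    "password_change": 4,   # Level 4: credentials on every use
}

SHORT_SESSION = timedelta(minutes=30)

# Constructed clock for the walkthrough below.
T0 = datetime(2006, 3, 9, 9, 0)


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


@dataclass
class AuthState:
    """What the server knows about the browser making the request (assumed fields)."""
    long_term_cookie: bool = False                     # remembered returning user
    active_session: bool = False                       # live web session or desktop domain login
    last_credential_check: Optional[datetime] = None   # when a password was last verified


@dataclass
class Decision:
    allowed: bool
    required: int
    achieved: int
    reason: str


def achieved_loa(state: AuthState, now: datetime) -> int:
    """Highest level the stored state satisfies, strongest indicator first.

    Level 4 is deliberately never returned: "every usage" can only be met by a
    credential check performed for this request, not by anything remembered.
    """
    if (state.last_credential_check is not None
            and now - state.last_credential_check <= SHORT_SESSION):
        return 3
    if state.active_session:
        return 2
    if state.long_term_cookie:
        return 1
    return 0


def decide(service: str, state: AuthState, now: datetime) -> Decision:
    """Allow the request, or ask for credentials (step-up) when the state falls short."""
    required = SERVICE_LOA[service]
    have = achieved_loa(state, now)
    if required >= 4:
        return Decision(False, required, have, "credentials are required on every use")
    if have >= required:
        return Decision(True, required, have, "current state meets the service's level")
    return Decision(False, required, have,
                    f"step up from level {have} to level {required}: prompt for credentials")


def after_credential_check(state: AuthState, now: datetime) -> AuthState:
    """State once the user has just entered a valid password (meets Level 3)."""
    return AuthState(long_term_cookie=True, active_session=True,
                     last_credential_check=now)


def walkthrough() -> list:
    """A returning user's morning, as (minute, service, allowed) tuples."""
    state = AuthState(long_term_cookie=True)        # recognised from a previous visit
    steps = []
    for minute, service in [(0, "homepage"), (0, "news_reader"), (1, "email")]:
        steps.append((minute, service, decide(service, state, minutes_after(minute)).allowed))
    state = after_credential_check(state, minutes_after(1))   # prompted when opening email
    for minute, service in [(2, "email"), (10, "grades"), (45, "grades"),
                            (45, "email"), (45, "password_change")]:
        steps.append((minute, service, decide(service, state, minutes_after(minute)).allowed))
    return steps
```

In the walkthrough the user reads news on the long-term cookie alone, is prompted once when opening email, then reaches grades ten minutes later without another prompt; at minute 45 the 30-minute window has lapsed, so grades prompts again while email (Level 2) still works on the live session, and a password change prompts regardless. The ordering of indicators in `achieved_loa` is what makes the scheme safe to extend: a new, stronger indicator is added above the ones it supersedes, and services only ever state the level they need.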
Tags: browser, higher education, identity, identity management, level of assurance, loa, password, portal, session
Web Initial Sign-on (WebISO)
March 8, 2006 | 6 Comments
Web initial sign-on or WebISO is a term defined by Internet2 as a system
designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password-based central authentication service.
They created the definition, but that doesn’t mean I need to like it… I’d like to propose an alternate working definition:
A single point for web based authentication which provides SSO across multiple systems and services.
I think that could be word-smithed further to really get it nice and concise. Please comment any recommendations you have on this.
What excites me about WebISO solutions is their fantastic ability to deep link systems and services. Users can bookmark or share URLs, and when someone accesses these systems and services they will be required to provide credentials and then be directed through to what they need. This also sets up applications in a loosely coupled structure ideal for changing individual services without affecting others.
The drawback of this approach (when compared against a monolithic portal application) is how there is generally not a single welcome screen presented to users after authenticating. This loss of a “funnel” approach can cause weaknesses in communication and a perceived loss of control in your user population. Another potential area for weakness is providing a directory of services and ways for users to find what they need initially.
For those not familiar, a couple of examples of real life WebISO tools would be: CAS (now JA-SIG as opposed to Yale), Pubcookie, WebAuth (from Duke), Shibboleth, and more.
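The deep-link round trip described above, as an added example that is not part of the original post and not the code of any of the tools it names: a protected service sends an unauthenticated browser to the central login with the requested URL as a `service` parameter; the central login checks the credentials once, issues a one-time ticket and sends the browser back to that exact deep link; the service validates the ticket over a back channel, starts its own session, and lands the user where the bookmark pointed. The ticket-and-service shape is loosely modelled on the pattern CAS popularised but simplified here, and every host, URL, user and credential is constructed for the illustration. Because the login page redirects wherever `service` says, it only issues tickets for registered hosts, so it cannot be used to bounce users to arbitrary sites.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOGIN_URL = "https://login.example.edu/login"   # constructed central login URL

# Hosts allowed to receive tickets (constructed). Refusing anything else keeps the
# central login page from becoming an open redirect to arbitrary sites.
REGISTERED_HOSTS = {"mail.example.edu", "lms.example.edu"}

USERS = {"alice": "correct horse battery"}   # constructed credential store


def add_query(url: str, **params: str) -> str:
    """Append parameters while keeping the deep link's own query string."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def canonical(url: str) -> str:
    """The service URL without any ticket parameter; both sides compare this form."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))


def query_param(url: str, name: str):
    return dict(parse_qsl(urlsplit(url).query)).get(name)


class CentralLogin:
    """The single point for web-based authentication in the post's definition."""

    def __init__(self):
        self._tickets = {}   # one-time ticket -> (username, canonical service url)

    @staticmethod
    def service_allowed(service: str) -> bool:
        parts = urlsplit(service)
        return parts.scheme == "https" and parts.netloc in REGISTERED_HOSTS

    def login(self, service: str, username: str, password: str):
        """Check credentials; return the URL that sends the browser back with a ticket."""
        if not self.service_allowed(service):
            raise ValueError("service is not registered with the central login")
        if not secrets.compare_digest(USERS.get(username, ""), password):
            return None                      # bad credentials: no ticket, no redirect
        service = canonical(service)
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (username, service)
        return add_query(service, ticket=ticket)

    def validate(self, ticket: str, service: str):
        """Back-channel check by the service. A ticket is consumed on first use."""
        entry = self._tickets.pop(ticket, None)
        if entry is None or entry[1] != canonical(service):
            return None
        return entry[0]


class ProtectedService:
    """One of many web applications relying on the central login."""

    def __init__(self, central: CentralLogin):
        self.central = central
        self.sessions = {}   # session cookie -> username

    def handle(self, url: str, cookie=None):
        """Return ('ok', user, url) for a live session, otherwise what the browser does next."""
        if cookie in self.sessions:
            return ("ok", self.sessions[cookie], url)
        ticket = query_param(url, "ticket")
        original = canonical(url)
        if ticket is not None:
            user = self.central.validate(ticket, original)
            if user is not None:
                new_cookie = secrets.token_urlsafe(16)
                self.sessions[new_cookie] = user
                return ("set_cookie", new_cookie, original)   # land on the deep link itself
        return ("redirect", None, add_query(LOGIN_URL, service=original))


def deep_link_walkthrough():
    """Bookmark -> central login -> back with a ticket -> session -> bookmark works."""
    central = CentralLogin()
    lms = ProtectedService(central)
    bookmark = "https://lms.example.edu/course/42?tab=grades"
    _, _, login_url = lms.handle(bookmark)                       # 1. sent to central login
    back = central.login(query_param(login_url, "service"),
                         "alice", "correct horse battery")       # 2. credentials entered once
    action, cookie, landing = lms.handle(back)                   # 3. ticket validated, session set
    return action, landing, lms.handle(bookmark, cookie=cookie)  # 4. no further prompt
```

Two details carry the security of the exchange: the ticket is popped on validation, so a URL copied from the browser's address bar after login cannot be replayed to mint a second session, and the service URL bound to the ticket must match the one presented at validation, so a ticket issued for one registered host is useless to another.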
Tags: "central authentication service", "web initial sign-on", authentication, cas, definition, duke, federation, identity, identity management, single sign on, sso, webauth, webiso, yale, yale cas
