Establishing and Securing Identity in a Distributed World
September 2, 2005 | 10 Comments
We have found ourselves in an interesting position. We need to establish, ensure, and maintain identity with remote users without ever exchanging SSN or other highly confidential identifiers or information. Popular solutions include security questions, requiring an initial email address, authoritative remote identity providers (ex. notary), or physical presence. First, let me debunk all of these in our environment.
Security questions:
- limiting questions to predetermined ones makes it easier to guess answers automatically.
- with increased personal information becoming available online, personal questions may have answers easily found.
- open questions often lead to simple question/answer combinations (ex. what color is the sky? blue.)
Initial email address:
- we provide email accounts as a service; requiring an email account to get an email account is laughable
- expired or abandoned accounts are a dead end for ongoing use
Remote identity providers:
- time consuming and cumbersome for the user
- costly for the user
- much manual work
- difficult globally
Physical presence:
- could be time consuming
- online education implies never needing to come to campus
- difficult globally
- not remote, if they have to come here
One potential solution in this space is Faces. This is also potentially cumbersome and the cost is unknown.
Now let me present our solution.
Upon account creation at the institution (student, faculty, guest, alumni, etc.), we generate a 32-character password change authorization code, or PCAC (ex. KLAS-DFHL-KASD-FKLJ-KKL3-243I-HF34-POI2), and a unique username. The account is initially locked. The user receives the username and code through the postal service to a known address, in person, or it is presented to them online if they are able to establish an account-creating relationship online.
Once they have the PCAC, they are instructed to keep it in a safe permanent location (ex. with birth certificate or social security card). They are also instructed to use this code to activate their account and set their password online. From anywhere in the world they can enter the PCAC and username into a secure web form to set their password.
Once the user has a known username and password combination they use this to access all their services.
This same procedure can be used in the future to instantly reset their password if they have lost or forgotten it. Of course if they know their password they will always be allowed to use that to change it to something else.
At this point they have established identity, received credentials, and with their PCAC can always recover from lost or forgotten passwords. All these steps can be performed online, self-service. The security of their account is primarily in their hands. No one at the institution ever knows their password, and there is no formulaic way of figuring it out. There are no guessable hints.
All of this explains the situation where the user has their PCAC or password. In the contingency where they have lost or misplaced their PCAC, they can have a new one created immediately in person, or request a new one to be mailed to them via an online form.
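The issue, activate/reset and re-issue steps described above, sketched in Python as an added example (not code from the original proposal). Assumptions: the alphabet is A-Z and 0-9 as in the sample code, the server keeps only a salted digest of the PCAC, re-issuing invalidates the previous code, and `AccountStore` is a hypothetical in-memory stand-in for the account database.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed from the sample PCAC
CODE_LEN, GROUP = 32, 4
PBKDF2_ROUNDS = 600_000  # assumed work factor for the user-chosen password

def generate_pcac() -> str:
    """Return a fresh 32-character code, grouped XXXX-XXXX-..., from a CSPRNG."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    return "-".join(raw[i:i + GROUP] for i in range(0, CODE_LEN, GROUP))

def normalize(code: str) -> str:
    """Drop hyphens and whitespace and upper-case, so typing style is irrelevant."""
    return "".join(ch for ch in code.upper() if ch not in "- \t\r\n")

def pcac_digest(code: str, salt: bytes) -> bytes:
    # A fast hash is acceptable only because the code is random (about 165 bits).
    return hashlib.sha256(salt + normalize(code).encode("ascii")).digest()

class AccountStore:
    """Hypothetical in-memory account table; real storage is out of scope."""
    def __init__(self):
        self.accounts = {}

    def issue(self, username: str) -> str:
        """Create or re-issue a PCAC; the plaintext is returned once, never stored."""
        code, salt = generate_pcac(), secrets.token_bytes(16)
        acct = self.accounts.setdefault(username, {"locked": True, "password": None})
        acct["salt"], acct["pcac"] = salt, pcac_digest(code, salt)
        return code

    def set_password_with_pcac(self, username: str, code: str, new_password: str) -> bool:
        """Activate the account or reset its password when the PCAC matches."""
        acct = self.accounts.get(username)
        norm = normalize(code)
        # Reject malformed input before hashing it.
        if acct is None or len(norm) != CODE_LEN or any(c not in ALPHABET for c in norm):
            return False
        if not hmac.compare_digest(pcac_digest(norm, acct["salt"]), acct["pcac"]):
            return False
        pw_salt = secrets.token_bytes(16)
        acct["password"] = (pw_salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), pw_salt, PBKDF2_ROUNDS))
        acct["locked"] = False
        return True
```

A production form would also rate-limit attempts per username and log every PCAC use, since the code stays valid for the life of the account.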
I have posted this with hopes that people will review this and comment on their opinion of its viability. Please leave comments if you see problems or advantages in this we have not.
This solution is not useful for schools with a PKI solution, but could be used very easily as a cheap intermediary solution while that area matures.
Flowchart of this process (PDF)
PCAC Example (PDF)
Jon Emmons’ article on this same topic: Password Management in an Identity-Theft World
(This proposal authored by Jon Emmons and Zachary Tirrell - 2005)
World’s Ugliest Dog
August 29, 2005 | 348 Comments
For three years running Sam has won the San Francisco Sonoma-Marin Fair’s “World’s Ugliest Dog” competition. I’ve been meaning to blog this ever since my father-in-law Brian showed it to me a week ago. The pictures really say it all. Is there a single endearing characteristic about this animal?
I searched around a lot, but could not find any of the runners-up out there. I have no doubt that this is undeniably the world’s ugliest. However, apparently his health is fading so I wonder what the competition will grace us with in years to come.
This UK site claims to have some ugly dogs, but they just don’t compare.
Well, anyway, here’s all the pictures I turned up of this handsome devil.


UPDATE:
So Matt brought up a good point in a comment: is this a friendly creature? Well, no, not really. I found the owner’s blog site and Sam’s site.
From her site:
I invite anyone with complaints to come and see how absolutely adored and well cared for this dog is and to touch his leg and see how little it takes to get him snarly. One time, SAM came SCREAMING into the house dragging his back leg..I dropped the dish I was carrying and thought he had gotten out and been hit by a car or something. When I caught up with him in the bedroom he was looking back at his back leg and screaming and growling..WELL…there was a post-it note stuck on his rump..he had sat on it on the sofa and it stuck. The last thing in the world I would do is hurt SAM but it does NOT take much to get him growling//usually he just does it on his own anyway!
More articles about Sam:
http://www.resourceinvestor.com/pebble.asp?relid=10958
http://www.snopes.com/photos/animals/uglydog.asp
http://www.gadgetryblog.com/gadgetryblog/2005/07/worlds_ugliest_.html
http://xo.typepad.com/blog/2005/07/another_image_o.html

