Identity and integration

I spent the last years working on IT services to improve higher education: video infrastructures, collaboration tools, digital assessments and digital learning. Coming back to visit the middleware/identity world after  five years away is interesting.

Some of the trends that keep pushing the identity field if I compare with 2012:

• Virtual, not physical: servers are virtualized and roam around in data centers, people have multiple devices and require virtual identities that roam across devices, the borders are more fuzzy between hardware and software in SDN or IoT or apps
• Multiple devices per person: a smart phone, a tablet and a PC/Mac is not unusual; not to mention the IoT and hordes of sensors
• From silos to microservices and APIs: modular approaches require more traffic between components, moving some complexity out of silos; outsourcing services internally in the applications is more comme il faut, apps should be lightweight. This trend moves one of the important scaling factors for identity solutions, we no longer scale to a few thousand services, but scaling needs to be for a few million services.
• Identity for things: Internet of Things requires identity, or binding information to identity, thus introducing large scale device identity requirements
• Data centric identity: when we move from application centric to data centric, identity requirements morph from being used to secure application access to verifying relationships between users and data.
• Cloud based identity: the closed gardens of the big cloud infrastructures have their own identity infrastructures (Apple-ID, Google, Facebook, AzureID/LinkedIn/Outlook.com), and these user centric approaches provide some interaction mechanisms for organization centric solutions.

These are some of the changes I see, but I will spend the next months looking around the field of identity and integration,  trying to figure out what a research network needs to provide for its customers.

Advertisement

 

Scared by Coursera Signature Track

The hottest thing in higher ed is MOOC. And one of the hottest MOOC platforms is Coursera.

Wikipedia keyboard image

There are couple of challenges the MOOC movement is about to run into:

1. How do we know that the person submitting a test is the same person she claimed to be before? Identity proofing in a self-declared identity environment is not trivial. MOOCs are by definition open
2. If we want to make money, we better be able to give credits (or badges, or certificates, or a university degree, or something similar). Solutions include test submission with identity proofing.

Then comes the scary part: Coursera offers a Signature Track, where you as a student get identity verification, verified certificates and sharable course records. This is innovative and new. And the way they do it scares me because of the implications for the student and for other services online (biometric unique typing pattern). There is a Signature Track Guidebook with more details

The unique typing pattern is used to identify your work

“Signature Phrase, a biometric profile of your unique typing pattern. Every time you submit coursework, you’ll easily authenticate your identity by typing your Signature Phrase.”

If this is really workable, I am not sure I want to use any cloud service (like WordPress for this blog, or Gmail) where I type in text. Selling the unique typing patterns for their 2.8 million learners would, however, probably fund the company for the rest of its natural life. It also opens a whole new game of trust issues for any of us using online services. So far the typing part is only available on PC/Mac, and not on tablets

Hopefully I am wrong to be scared.

We need to find a better way to do identity proofing.

 

Secure the web (internet-draft)

A memo on securing the web, entitled An Inquiry into the Nature and the Causes of Web Insecurity was published by Mike Hanson, Hannes Tschofenig and Sean Turner as an Internet-Draft in October 2011. This document is well worth reading, and I am looking forward to further work from the authors.

The memo points out that the current security measures on the web are designed for static text-based one-site content, whereas the current web is real-time, multi-site and has moved from documents to mobile code. Some of the issues with passwords are pointed out, and three types of goals are presented:

1. Reduce the number of passwords used
2. Increase the safety and security of how passwords are used
3. Broaden the use of other credentials

Proposed guiding principles:

• moving authentication down into the platform: Methinks not letting every single web developer reinvent the security wheel is a good thing
• design for growth and multiple authentication mechanisms and credentials: the world changes,
• context matters: exposing minimal information depends on getting context sorted out
• transform long-term password to short-term credentials: the sloppy practices of not verifying end points will come back to haunt us
• keep the user experience in mind: investigate failure scenarios and provide user feedback.
• go from client-server to N-Party: Federated login and other multiple party solutions

Please read the Internet draft and give feedback to the authors!

 

My hacked twitter account

Friday was a sad day, since my twitter account @imelve was hacked. I opened a webpage, via a pointer in a message from  a trusted source, and then things started going wrong. Within a few minutes, my account started to send malicious messages (se below)

And then my friends started to warn me. Luckily one of them warned me by text message, since Friday night is mostly family time and I am offline. Twitter does not run my life, it is but a small part of my online presence. And snuggling up to the kids take precedence. But the message talked of danger, and I did not know what else was compromised on my PC/mobile/iPad. It was time to take back control of twitter

1. Change twitter account password
2. Revoke application privileges (I had 25 apps with privileges registered, only one from the malicious site)
3. Start tidying up app passwords, since leaving this undone may lead to blocked twitter account due to large number of failed logins
4. Delete messages with malicious content, wading through all streams I have sent.

Taking your life back is never easy. Twitter helped by giving a single page where I could revoke account privileges. Getting the apps to work again afterwards? Not fun. The app privileges were harder to deal with than they should have been, since

• I use twitter on PC, mobile phone (Android) and iPad. They have all had multiple renovations and upgrades where apps and web sites get twisted around.
• I did not remember which apps I actually use.
• I did not remember how to change passwords in all the different user interfaces. (Thank you, Flipboard, for making this easy, including meaningful error messages. The rest of you apps know who you are.)

I am still not done with the apps, but my life is back on track. Sort of.

 

Security Usability

Professor Audun Jøssang has formulated some useful principles for security usability. I wish more people would reflect on these, and what their practical implications are for the systems and web pages we offer our users today. And I really wish Facebook would read them.

The rough statistics for usability is

1. 35% of the people will understand, almost no matter what you write or do
2. 40% will have cognitive challenges at some times
3. 25% do have special challenges understanding

Given this, and the fact that most web sites aim at the population at large, we really need to rethink the mental load we place on our users.

 

Real Names: pseudonyms?

Google+ is subject to a #nymwar discussion about the requirement to use Real Names. Google+ has shut down a large number of accounts, for example for IdentityWoman. The movement for use of pseudonyms have launched My Name Is Me, where the arguments for pseudonyms are presented. Some arguments are:

• the right not to be stalked or persecuted (whistle blowers, abuse survivors,  people from small communities, sexual minorities)
• wanting to have multiple persona, choosing nick names presenting yourself, celebrities (Lady Gaga, Bob Dylan, Madonna …)
• being able to voice personal opinions without being associated with employer (academics, fans, bloggers, journalists, military)

Earlier this year, SXSW discussed Social Network Users’ Bill of Rights, and there was agreement on most of the points proposed. The one point with most discussion (and least agreement) was the right to use pseudonyms. Kim Cameron commented on his blog that imposing pseudonyms on all social sites breaks the laws of identity.

In Norway we have a debate about how public online discussion forums may avoid hateful and cesspit discussion. There is a need for participants to be held accountable for their opinions, but in my opinion not necessarily to expose legal identities. The federations in higher education are currently handling both Real Names, nicknames and pseudonymous/anonymous access

1. Real Names are present in the identity management system, because the universities need these names to issue formal credentials (PhDs, MS etc) and bind the formal credentials to formal legally registered names.
2. Nicknames are present in the attribute definitions, but we are still in the process of sorting out what are the most practical ways of sharing this information. There is ongoing debate about consent and necessity for attribute sharing, and displayName is an attribute we need to think more about. Feide decided to require both legal name (Real Name = norEduLegalName) and preferred name (nick = displayName)
3. Federations provide anonymous traceable access, based on technology for per service unique identifiers .

We need to find a balance online, as we have for other aspects of public space where we do not need to post information about identities for each person, but in many cases require that identity is traceable. Minimal exposure of information is good, but defining minimal is difficult.