Sunday, Feb 25, 2007

True user-centric identity

It’s not easy out there in identity land.

Many are getting all frothy over the latest resurgence in user-centric identities, while some are not.

And when even Microsoft identity czar Kim Cameron has started praising the virtues of an open and free standard such as OpenID it’s not easy to know what to believe.

Let’s step back and see what we have. For this exercise, let’s disregard the Kerberos, NTLM and Active Directory solutions and other limited-federation ideas. We’ll stay in the end-user space, not the corporate space. So, we’ll disregard SAML, Liberty, and WS-Federation (pdf).

That leaves us with CardSpace, and OpenID.

And as fine technologies as they are, there is a problem: By centralizing the user’s many identities into a few (or just one), CardSpace and OpenID effectively create a single point of failure. Once the end-user has one identity, losing access to the same is devastating. Or to put it differently: when all your secrets are behind one locked door, you don’t want to lose the key to the door!

Authentication should be user-centric. The mechanism used must take the user into consideration. Does CardSpace or OpenID? What choices do I really have?

I want to limit potential damage from someone breaking or guessing my passwords. I want to nix evil identity providers tracking me and abusing that information. A defense today is to have many different identities and equally different passwords, and many don’t mind. People are smart enough to keep throw-away userids and passwords for throw-away sites. To map such behavior onto OpenID, one’d need several OpenID identities. That doesn’t sound right.

User-centrism and federation should be the other way: the end-user should decide which relying parties she trusts, not the identity provider. The end-user should be able to decide which sites are high-value and which are throw-away.
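To make that "other way round" concrete, here is an added example (my own, not code from the post or from any OpenID implementation) of an identity provider that consults a user-held trust policy: the user assigns each relying party to a high-value, throw-away or denied tier, each tier gets its own identifier, and the IdP also checks that the RP's return_to falls inside its declared trust_root. The policy entries, identifiers and URLs are constructed placeholders.

```python
# Added example: user-centric trust decisions for an OpenID 1.1-style IdP.
# The user, not the IdP, decides which relying parties (RPs) are high-value,
# throw-away or denied; each tier has its own identifier so a leak at a
# throw-away site never exposes the high-value identity. All names are
# hypothetical.
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed user policy: RP trust_root -> tier. Unknown RPs are throw-away.
USER_POLICY = {
    "https://bank.example.com/": "high",
    "http://*.forum.example.net/": "throwaway",
    "http://tracker.example.org/": "deny",
}
# One identifier per tier: separate secrets, separate blast radius.
TIER_IDENTITY = {
    "high": "https://id.example.com/alice-high",
    "throwaway": "https://id.example.com/alice-junk",
}

def matches_trust_root(trust_root, url):
    """True if url lies under trust_root (simplified OpenID 1.1 realm rules):
    same scheme and port, host equal or under a '*.' wildcard, path prefix."""
    tr, u = urlparse(trust_root), urlparse(url)
    if tr.scheme != u.scheme or tr.port != u.port:
        return False
    host = tr.hostname or ""
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):  # ".forum.example.net"
            return False
    elif host != u.hostname:
        return False
    return (u.path or "/").startswith(tr.path or "/")

def checkid_request(trust_root, return_to):
    """Build a constructed checkid_setup URL the way an RP would."""
    return "https://id.example.com/server?" + urlencode({
        "openid.mode": "checkid_setup",
        "openid.trust_root": trust_root,
        "openid.return_to": return_to})

def decide(checkid_url):
    """Handle an RP's checkid_setup request. Returns (decision, identity)."""
    q = parse_qs(urlparse(checkid_url).query)
    trust_root = q.get("openid.trust_root", [None])[0]
    return_to = q.get("openid.return_to", [None])[0]
    if not trust_root or not return_to or not matches_trust_root(trust_root, return_to):
        return ("reject", None)  # RP wants us to redirect outside its own realm
    tier = next((t for root, t in USER_POLICY.items()
                 if matches_trust_root(root, trust_root)), "throwaway")
    if tier == "deny":
        return ("deny", None)    # user has blacklisted this RP outright
    return ("allow", TIER_IDENTITY[tier])
```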

A few companies work with this in mind. Guard ID is an example. It sells an ID Vault USB device you plug into your PC. The device then acts as an anti-phishing device as well as a username and password form-filler.

With a physical token you get the “if you can touch it you can trust it” feeling. There are similar devices around, and while I haven’t used them extensively, they do look promising, especially considering what such devices can grow into in the future.

User-centrism is about the user, not the identity provider. The user should decide who is friend and who is foe. The user should not be forced to keep all secrets behind one virtual door in the sky’s lock.

Reader Comments (8)

Amen.

Indeed most of the time I(user) am on a computer that I(user) do not own. This extends to identity metadata stored therein as well.
February 26, 2007 | Unregistered CommenterKrishna
I have an ID Vault, purchased it after a lot of research. To categorize it as a form filler that does anti-phishing is not accurate. This product validates every financial site I go to, so I cannot be phished or pharmed, nor can any spyware capture my user name and password since it is stored inside the smart card on the ID Vault token. I can get onto and into my BofA account or any financial accounts in less than 10 seconds with 1 mouse click. I have 13 financial sites on my token and 15 non-financial sites. This product is rock solid, and offers a level of protection that is not available in any other consumer product I have seen. I highly recommend it.
February 26, 2007 | Unregistered Commenterjt
I think the characterization of OpenID isn't quite fair. All OpenID servers I've used have very clear trust setup when an RP first requests an identity from the IdP. Admittedly, very few pass along a privacy statement, but it's also built into the protocol.

Second, OpenID is authentication-method-neutral. There are several interesting auth systems that support OpenID. For example, certifi.ca (https://certifi.ca/ ) only uses browser certs for authentication. No passwords, no phishing. That does put some onus on the end user to manage their cert correctly, but I think that the sophisticated users who care about high-quality authentication are smart enough to manage their cert well.
March 1, 2007 | Unregistered CommenterEvan Prodromou
I too use ID Vault, and have no complaints so far. Frankly to eliminate the worry of identity theft given how much of my portfolio I manage online is a bargain at any price. I even purchased 2 and use 1 just to backup all my info from the first.
March 9, 2007 | Unregistered CommenterV Star
I hadn't, thanks. Looks to be an interesting start. Also, love the cartoons!

Is FIX XML the same as FIXML (http://www.lighthouse-partners.com/xml/proj_fixml.htm)?
April 16, 2007 | Registered CommenterHans