If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an earful. People intuitively know that there has to be something better than having to have a password for everything they do!
The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook,
The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!
The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to IDnext for recognizing the impact of the OpenID Certification program!
Digital identity systems almost universally support end-users logging into applications, and many also support logging out of them. But while login is reasonably well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.
I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen – a practicing application security architect (and MVP for ASP.NET/IIS) – significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.
Nothing challenges our understanding of infrastructure better than a crisis, and we have a big one now in Houston. We do with every giant storm, of course. New York is still recovering from Sandy and New Orleans from Katrina. Reforms and adaptations always follow, as civilization learns from experience.
Look at aviation, for example. Houston is the 4th largest city in the U.S. and George Bush International Airport (aka IAH) is a major hub for United Airlines. For the last few days traffic there has been sphinctered down to emergency flights alone. You can see how this looks on FlightAware’s Miserymap:
Go there and click on the blue play button to see how flight cancellations have played over time, and how the flood in Houston has affected Dallas as well. Click on the airport’s donut to see what routes are most affected. Frequent fliers like myself rely on tools like this
Strong Authentication using Asymmetric Keys on Devices Controlled by You: This presentation is about the new authentication experiences enabled by the W3C Web Authentication (WebAuthn) and FIDO 2.0 Client To Authenticator Protocol (CTAP) specifications. It describes the progress being made on the standards and shows some example user experiences logging in using authenticators. Check it out in PowerPoint or PDF.
Token Binding Standards and Applications: Securing what were previously bearer tokens: This presentation is about how data structures such as browser cookies, ID Tokens, and access tokens can be cryptographically bound to the TLS channels on which they are transported, making them no longer bearer tokens. It describes the state of the Token Binding standards (IETF
Nobody is going to own podcasting. By that I mean nobody is going to trap it in a silo. Apple tried, first with its podcasting feature in iTunes, and again with its Podcasts app. Others have tried as well. None of them have succeeded, or will ever succeed, for the same reason nobody has ever owned the human voice, or ever will. (Other, of course, than their own.)
Because podcasting is about the human voice. It’s humans talking to humans. Voices to ears and voices to voices—because listeners can talk too. They can speak back. And forward. Lots of ways.
Podcasting is one way for markets to have conversations; but the podcast market itself can’t be bought or controlled, because it’s not a market. Or an “industry.” Instead, like the Web, email and other graces of open protocols on the open Internet, podcasting is NEA: Nobody owns it, Continue reading "Open Word—The Podcasting Story"
Reading Walt Mossberg’s latest, titled The post-Jobs Apple has soared financially, but lacks a breakthrough product, and looking toward Apple’s coming announcement on Wednesday, and the headline above occurred to me.
Because the main things Apple makes are extensions of ourselves. That’s what our phones and laptops have become. They are things we almost wear, like our clothing.
Is it just coincidental that Apple Stores inhabit the same shopping streets and districts otherwise populated by upscale clothing retailers? Or that Angela Ahrendts, who runs those stores, came to the company from Burberry?
Or that Apple has lately clarified how it differs from nearly every other tech company by caring almost absolutely about personal privacy?
With all that in mind, it’s easy to understand why Apple’s product lineup looks stale. Shirts and skirts are stale too. They’ve also been around for thousands of years, and we’ll never stop Continue reading "Apple is a clothing company"
I gave an invited presentation on OpenID Certification at the 2016 Cloud Identity Summit (CIS) this week. I used the presentation as an opportunity to inventory what we’ve achieved with the certification program since its launch in April 2015, and while the numbers are impressive in and of themselves (90 profiles certified for 28 implementations by 26 organizations, with new certifications in May by Clareity Security, Auth0, and Okta), there’s a deeper impact that’s occurring that the numbers don’t tell.
The new thing that’s happening this year is relying parties are explicitly asking identity providers to get certified. Why? Because certified implementations should “just work” – requiring no custom code to integrate with them, which is better for everyone. This network effect is now in play because it provides business value to all the participants.
While I’ve spoken about certification about 10 times since the launch, this presentation is different
On May 10, during the OpenID Workshop at the 2016 European Identity and Cloud (EIC) conference, I gave a status update on the OpenID Connect working group to the 46 workshop attendees, including continued progress with OpenID Certification. You can view the presentation in PowerPoint or PDF format.
While I was happy to report on the working group activities, what I really enjoyed about the workshop was hearing many of the attendees telling us about their deployments. They told us about several important OpenID Connect projects each in Europe, Australia, South America, North America, and Asia. Rather than coming to learn what OpenID Connect is, as in some past EIC workshops, people were coming to discuss what they’re doing. Very cool!
Stop now and go to TimeWellSpent.io, where @TristanHarris, the guy on the left above, has produced and gathered much wisdom about a subject most of us think little about and all of us cannot value more: our time.
Both of us will be co-investing some time tomorrow afternoon at the @BerkmanCenter, talking about Tristan’s work and visiting the question he raises above with guidance from S.J. Klein.
(Shortlink for the event: http://j.mp/8thix. And a caution: it’s a small room.)
So, to help us get started, here’s a quick story, and a context in the dimension of time…
Many years ago a reporter told me a certain corporate marketing chief “abuses the principle of instrumentality.”
Totally knocked me out. I mean, nobody in marketing talked much about “influencers” then. Instead it was “contacts.” This reporter was one of those. And he was exposing something
This post ran on my blog almost six years ago. I was wrong about the timing, but not about the turning: because it’s about to happen this month at the Computer History Museum in Silicon Valley. More about that below the post.
The tide turned today. Mark it: 31 July 2010.
That’s when The Wall Street Journal published The Web’s Gold Mine: Your Secrets, subtitled A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series. It has ten links to other sections of today’s report.
It’s pretty freaking amazing — and amazingly freaky, when you dig down to the business assumptions behind it. Here is the rest of the list (sans one that goes to a linkproof Flash thing):