Brief introductions. Yubico offers Yubikeys that help with authentication: low cost and simple! Acts as a keyboard, enters user password and 32 character passcode. Easier than smart cards (insert into USB port, push a button).
Lots of users: 1M users + 16k customers in 95 countries. Use cases: Google for internal staff, PayPal, Fedora, lastpass. Yubico is self-service: hardware sales on web store, free and open source server components and virtual appliance for remote access (enterprise-class VPN.
Versions of Yubikey: regular: one-time password, OATH (works with OTP – one-time passcode, not same as oAuth) standard, Static password, and Challenge response key. Secure life cycle: “trust no one.” Secure your servers.
Key is robust: sealed, simple. Accidentally went through a washing machine for several weeks and worked fine.
Future vision: one key for all Internet: YubiCloud validation service, 3rd party single sign-on and SAML. High security, Easy to use, Low cost. Plans to work with mobile phones via nearfield communications (NFC).
The IIW conference is again underway in Mountain View, CA. This is the 12th conference. I’m capturing some of the sessions in video and/or picture-enhanced audio streams. The later option is important as the Computer History Museum offers free wi-fi, but for over 200 attendees it’s spread pretty thin.
Lately I’ve been beta testing out a low-bandwidth record/broadcast app for my phone called Chachanga. It captures the audio and pairs it with a picture, captured periodically from my phone’s camera. I started the recording a bit late in our first session–here’s most of the Trust Frameworks session with Drummond Reed of Connect.me.
What’s a Trust Framework? From the Open Identity Exchange (OIX):
In digital identity systems, a trust framework is a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.
Basically, it’s a system that helps establish trust between parties: including people (“users” in this picture), sites or services that can verify who you are, and sites or services that need to know who you are. The OIX offers several pdf whitepapers explaining more about Trust Frameworks.
Coaching moment: I care about trust frameworks because I want certain services to be available in a way that protects and assures me that what I want is accurately represented. For example, if I need to digitally prove I’m over 18, I might rely on the DMV to back up my claim. If I need to show that my eyes have 20:20 vision, my eye doctor or health care provider will vouch for me.
One interesting thing about this is that the parties in these scenarios don’t need to know or provide more information about me than necessary: Yes, over 18 years old, or Yes, 20:20 vision. There’s no extra or out of bounds sharing, like “18 years old and… (cue Facebook pictures).” This is about “just the facts” from parties who can be trusted (in a legal sense).
1. Mobile identity always has been and will continue to be the biggest game in town. Each year nearly 5 billion smart card technology subscriber identity modules are sold. And as smart phones grow in sophistication and as a result occupy an increasing percentage of user screen time they will become the most important area in the identity marketplace.
2. None of the Facebook, Google, OpenID, triad will actually manage to issue trusted identities in 2011 and consumers will continue to fail to realize they are the product and not the customer for these and many other identity providers.
7. The User Managed Access work of the Kantara Initiative will gain support as it addresses the overarching requirement of the need for user control of personal information in the era of shared infrastructure.
9. Consumers will demand the adoption and benefits of commercial off-the-shelf application software to provide privacy and identity protection of data at rest and in motion via encryption and secure channels in their day to day communications with banks, health care organizations, and other organizations even in those states where it is not mandated.
11. Identity theft and fraud will continue to grow and be subsidized by consumers via premiums, user fees and interest rates without the mandate for strong interoperable identities. And while the National Strategy for Trusted Identities will talk the talk it remains to be seen if it can walk the walk.
Coaching moment: As passive customers of digital services, we are prone to greater influence and manipulation by the system, for the benefits of the system and not for ourselves. If we wish to empower ourselves–and the commercial marketplace generally–with better and more trustworthy practices, we will need to be active and even vocal supporters of the alternatives that lead us in that preferred direction. This isn’t as scary as it might seem. It just means making certain choices more mindfully, more aware of the cost of “free.”
Personal and online security is a desirable state and a complex idea. This guide offers a general overview of the main idea that, when used together, help us establish a level of security that makes us comfortable using our computer in an online world.
Awareness
The first subject in talking about security is awareness. We need to be aware, for example, that we are not always safe in the world (online and offline). When we are online, most people are aware that there are certain dangers such as viruses, phishing, and spam that threaten our safety (personal, financial, or data). Once we know that problems exist, we are more likely to learn about and take steps to avoid danger and keep ourselves safe and secure.
Authentication
Authentication is the process of verifying that you are the real you. Your friend may authenticate you to other friends by saying something like “this is my friend Chris” (or whatever your name is). You may prove that you’re who you are to a business entity by answering questions that only you would know the answer to. You are usually being authentic when you speak honestly, from your perspective, to someone you love.
Authorization
When you are authorized, you have access to a computer system. Verifying users of your computer, or your work’s computer, or any storage systems or online accounts, can help you track the activity in files and resources. An unauthorized user can be prevented from gaining access to your information. Authorization is the process of assigning permission to use certain files and resources.
Access Control
Setting permissions on files, directories, accounts, or computers can establish limits to these resources. You may wish to be the only person that read and update your personal finances, for example. This is referred to as individual read-write access (only the owner of the file can read or update). At work, your group may have access to read and maybe edit a collaborative document. Most of the web pages offer global read-only access. Individual, group, or global access can be set to allow reading, editing, and/or other permissions.
Auditing
As individual computer users, we don’t often think about the clues that we can use to track where we’ve been and what we’ve been doing. However, whenever we visit a web site, the site’s server automatically keeps a record of things like our domain name or IP #, the time and date of our request, the page or file requested, a code indicating success or error, the number of bytes transferred, and more. As the visitor, we don’t have such tracking tools (and in many cases, don’t need them). However, as our habits and travels on the Internet are increasingly scrutinized by the sites we visit, we have a stronger case for understanding what is being compiled about us.
Coaching moment: In reality, these five A’s are somewhat intertwined. For example, it doesn’t make sense to have Authentication without Authorization. Access control doesn’t happen without Authentication and Authorization, and none of these make sense without Awareness.
What does this have to do with digital identity? These are the pieces that make up our digital records, including who we are and what we’re allowed to do. Sometimes we have control over these decisions, and sometimes control is in the hands of others. It depends on the context of where we are and what we need.
National ID cards and programs are problematic at best, and an ongoing nightmare for citizens and visitors alike when the programs are poorly designed. The U.S. government has made earlier attempts at developing such a program, which have failed. However, the dream lives on in the minds of certain government officials and representatives.
The Electronic Frontier Foundation (EFF) has been following these efforts for years. EFF’s Richard Esguerra has a post, PASS ID: REAL ID Reanimated that offers an informed look at the latest effort to create the next version of a national identity card.
The PASS ID Act (S. 1261) seeks to make many of the same ineffectual, dangerous changes the REAL ID Act attempted to impose. Fundamentally, PASS ID operates on the same flawed premise of REAL ID — that requiring various “identity documents” (and storing that information in databases for later access) will magically make state drivers’ licenses more legitimate, which will in turn improve national security.
An ID card is only a small part of the picture. The government program that supports the card is where the devils live. I recommend to you Bruce Schneier’s testimony to the Senate on why this whole idea is seriously flawed.
Coaching moment: Have you ever filled out a form for a new service, at a web site or store, where the form asked for information that they might not have needed for the transaction you were seeking? Long forms that ask a lot of questions about you, your preferences, your income, and other personal information, are unnecessary. If you’re just buying something, why might the vendor need your income, your birthdate, or any information about other family members?
The fact is that they often don’t need it. They’re collecting information about you because they can, and because you might volunteer it. Even when certain information is marked as “required,” it might be in your best interest to think twice about doing business with companies that would be so invasive and demanding.
Treat your personal information on a “need to know” basis. What that means is don’t give out more information about yourself than you think the companies need to know in order to carry out the transaction. If the company or form require more information than you’re comfortable giving, think hard about your future well-being as a trade-off for today’s discount. Your mindfulness is a low-cost insurance on your future.
![[del.icio.us]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/delicious.png)
![[Facebook]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/facebook.png)
![[LinkedIn]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/linkedin.png)
![[Ma.gnolia]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/magnolia.png)
![[Technorati]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/technorati.png)
![[Twitter]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/twitter.png)
![[Email]](http://digitalidcoach.com/wp-content/plugins/bookmarkify/email.png)
