Archive

Posts Tagged ‘cryptography’

IIW XIII: Yubico

October 20th, 2011

Brief introductions. Yubico offers Yubikeys that help with authentication: low cost and simple. The key presents itself to the computer as a USB keyboard and types a 32-character one-time passcode alongside the user's password. Easier than smart cards: insert it into a USB port and push the button.

Lots of users: 1M users and 16k customers in 95 countries. Use cases: Google for internal staff, PayPal, Fedora, LastPass. Yubico is self-service: hardware sales on the web store, free and open source server components, and a virtual appliance for remote access (enterprise-class VPN).

Yubikey modes: regular Yubico one-time password; OATH (the Initiative for Open Authentication's event-based OTP standard, HOTP; OTP means one-time passcode and is not the same thing as OAuth); static password; and challenge-response. Secure life cycle: "trust no one." Secure your servers, since the shared secrets for every issued key live there.
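As an added illustration of the OATH mode mentioned above (example code written for this page, not Yubico's firmware or server software; the Yubico OTP mode is a different, AES-based scheme and is not shown), here is the OATH HOTP algorithm from RFC 4226 together with a minimal server-side validator. The secret is the RFC 4226 test key, so the generated values can be checked against the RFC's published test vectors. The `HotpValidator` class, its look-ahead window and the way the counter is stored are this example's own choices.

```python
import hmac
import hashlib
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"). In a deployment this
# is the per-token shared secret that the validation server must protect.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value for the given event counter."""
    # The moving factor is an 8-byte big-endian counter (RFC 4226 section 5.1).
    msg = struct.pack(">Q", counter)
    hs = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation (section 5.3): the low nibble of the last byte
    # selects a 4-byte window; the top bit is masked off.
    offset = hs[19] & 0x0F
    code = (
        (hs[offset] & 0x7F) << 24
        | hs[offset + 1] << 16
        | hs[offset + 2] << 8
        | hs[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server-side HOTP check with a resynchronisation look-ahead window.

    The server keeps the next expected counter per token (example design).
    A submitted code is compared, in constant time, against the next
    `window` counter values so a token whose button was pressed a few times
    without submitting still works. On success the stored counter jumps past
    the matched value, so a captured code can never be replayed.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret = secret
        self.counter = counter  # next counter value the server will accept
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # First RFC 4226 test vectors: 755224, 287082, 359152, 969429, ...
    for c in range(4):
        print(c, hotp(RFC4226_SECRET, c))
    v = HotpValidator(RFC4226_SECRET)
    print("first use accepted:", v.verify("755224"))
    print("replay rejected:", not v.verify("755224"))
```

Two points the notes above only hint at: the counter update has to be persisted atomically before the login is accepted, or a crash between check and write reopens the replay window; and the look-ahead window is a trade-off, since every extra counter value a server will accept is one more guess an attacker gets for free per attempt.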

The key is robust: sealed and simple. One accidentally went through a washing machine for several weeks and still worked fine.

Future vision: one key for the whole Internet via the YubiCloud validation service, third-party single sign-on and SAML. High security, easy to use, low cost. Plans to work with mobile phones via near-field communication (NFC).

Demo (with keys) and questions. Here’s a video on how Yubico is working with Google Apps in Sweden. They’re working on supporting Google Apps here soon. Here’s a page where you can test your key.


11 Identity Trends

January 31st, 2011

Salvatore D’Agostino at DigitalIDNews posted an article earlier in January, 11 identity trends to watch in 2011, in which he pointed out that despite the proposed National Strategy for Trusted Identities in Cyberspace and the Federal Identity, Credentialing and Access Management Guidance (Draft, PDF), “national ID programs, social networking, mobile and e-commerce are all moving out on their own.” The author’s list (with my emphasis) includes:

1. Mobile identity always has been and will continue to be the biggest game in town. Each year nearly 5 billion smart card technology subscriber identity modules are sold. And as smart phones grow in sophistication and as a result occupy an increasing percentage of user screen time they will become the most important area in the identity marketplace.

2. None of the Facebook, Google, OpenID, triad will actually manage to issue trusted identities in 2011 and consumers will continue to fail to realize they are the product and not the customer for these and many other identity providers.

7. The User Managed Access work of the Kantara Initiative will gain support as it addresses the overarching requirement of the need for user control of personal information in the era of shared infrastructure.

9. Consumers will demand the adoption and benefits of commercial off-the-shelf application software to provide privacy and identity protection of data at rest and in motion via encryption and secure channels in their day to day communications with banks, health care organizations, and other organizations even in those states where it is not mandated.

11. Identity theft and fraud will continue to grow and be subsidized by consumers via premiums, user fees and interest rates without the mandate for strong interoperable identities. And while the National Strategy for Trusted Identities will talk the talk it remains to be seen if it can walk the walk.

Coaching moment: As passive customers of digital services, we are prone to greater influence and manipulation by the system, for the benefit of the system and not for ourselves. If we wish to empower ourselves–and the commercial marketplace generally–with better and more trustworthy practices, we will need to be active and even vocal supporters of the alternatives that lead us in that preferred direction. This isn’t as scary as it might seem. It just means making certain choices more mindfully, more aware of the cost of “free.”


NYTimes on Passwords

August 13th, 2008

Yesterday the NY Times ran an article on passwords as access tools for our online accounts. The author rightly points out that passwords have problems:

Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.

The solution urged by the experts is to abandon passwords–and to move to a fundamentally different model, one in which humans play little or no part in logging on. … In short, we need a log-on system that relies on cryptography, not mnemonics.

The article continues, extolling the virtues of identity cards and bemoaning the security distraction caused by OpenID. I think the author is missing the point about how we have choices in combining tools. No single tool is going to be a silver bullet.

The Times article also rightly points out the challenge in adopting any alternative access system: users must adopt tools that are workable for them, and the websites must allow access to their services through these tools. This is really the more significant problem.

Coaching moment: Your passwords control pieces of who you are. In your hands, they give you power to do certain things. In the hands of another, the power is no longer yours.

