Maximizing PayPal's New Identity Services to Create Seamless and Safe User Experiences - Presentation Transcript
MAXIMIZING PayPal’s NEW IDENTITY SERVICES TO CREATE SEAMLESS AND SAFER USER EXPERIENCES
Eve Maler, Distinguished Engineer, Information Risk Management
Andrew Nash, Senior Director, Identity Services
AGENDA
The Evolution of Digital Identity
Benefits of Partnering with PayPal to Outsource Identity Tasks
Identity and the PayPal Developer Platform
Identity in the U.S. Federal Government
Single Sign-on and Related Use Cases
IDENTITY EVOLUTION: FINALLY ADDRESSING THE CONSUMER
1. Enterprise-centric
2. Federated Partners
3. User-centric
Diagram labels: Social Networks, Mashups, Web 2.0, Tagging, e-Commerce, Finance, Open Government
INTERNET CONSUMER IDENTITY …YESTERDAY?
PayPal PLATFORM IDENTITY BENEFITS
Service Provider: Merchant Application Developer
Identity Provider (IdP): PayPal
I can log in once, not twice, for every purchase, and share useful data with merchants automatically.
I can help service providers give their customers faster and more personalized service.
I can collect fresh, accurate data every time the user visits, and avoid the cost of password resets.
CONSUMER DIGITAL IDENTITY ECOSYSTEM
Identity Provider
User experiences:
Single sign-on
Information synchronization
Controlled information release
Claims Providers
User claims:
Shipping information
Preferences
Diagram labels: Authoritative Claims; Risk Information; Authoritative Claims
Identity support services:
Roaming
Mobile/PC platforms
Technology support
Privacy and controls
Diagram labels: Merchants/Service Providers; PayPal; eBay; Third-parties; User Preferences
TRANSACTIONAL OPPORTUNITY
Consumer Claims identity service
Fraud/Risk Reduction; Targeted Marketing; Reduced Friction; Increased Checkout Completion
Cookies; Historical data; Checkout-time Identity
AUTHENTICATION/INFORMATION REDUCTION USE CASES
1. Go to online store
2. Select a product
3. View shopping cart
4. Log in with PayPal authentication
5. Enter or confirm billing and shipping
6. Check out with PayPal
7. Log in to PayPal
8. Confirm payment
9. Back to online store
DEVELOPER PLATFORM AND IDENTITY
THE IDENTITY TRUST GRADIENT
[Figure: axes Transaction “Value” (Low Value to High Value) and Regulatory / Compliance Risk (None to Extreme); plotted categories: Blogs, Social Networks, Shopping, Financial, Health, Intelligence Agency]
CONSUMER IDENTITY PROVIDER ROLE IN OPEN FEDERAL GOVERNMENT
Assurance Level 1 identities access government blogs
General Services Administration (GSA) defining trust frameworks
PayPal certifying as an identity provider
Trigger consumer adoption of OpenID and InfoCard
Future
DISTINCTIONS BETWEEN IDENTITY TASKS
Diagram labels: Authorization Relying party Authoritative source ID Authentication
THE VENN OF IDENTITY: TODAY’S STANDARD PROTOCOLS
WHAT SECURITY ASSERTION MARKUP LANGUAGE (SAML) BRINGS TO THE TABLE
SAML ASSERTIONS
Authentication: “Joe logged in with a smartcard PKI certificate at 9:07am today.”
Attribute: “Joe is a manager and has a $500 spending limit.”
SubjectName can be a well-known ID or a persistent or transient pseudonym.
I’m telling you (yes, it’s really me) about this person.
Follow these rules in using this info:
By the way, did you know that…?
Okay, so here’s what you need to know.
SAML RP-INITIATED REDIRECT/POST FLOW
WHAT OPENID BRINGS TO THE TABLE
OpenID is “an open, decentralized, free framework for user-centric digital identity.”
Who is using OpenID?
Google
six apart
Yahoo
Flickr
myspace.com
Facebook
WordPress
Verisign
AOL
USING DIRECTED IDENTITY FOR PRIVACY
When your ID is a URL, discovering the location of the identity provider is easy.
Giving every relying party the same OpenID is a huge privacy risk.
OpenID V2.0 added directed identity.
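An added example, not part of the presentation: one way an identity provider could back directed identity is to derive a separate opaque identifier for each relying party with a keyed hash, so two relying parties cannot join their records on the identifier. The OP URL, the secret, and all function names here are assumptions for illustration; how the per-relying-party identifier is chosen is left to the provider.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

OP_BASE = "https://op.example/id/"            # hypothetical identity provider URL
OP_SECRET = b"constructed-demo-key-only"      # constructed; a real key lives in a KMS/HSM


def rp_scope(realm: str) -> str:
    """Reduce a relying party's realm to scheme://host[:port].

    Every path on one relying party then maps to the same identifier,
    and case or default-port variations do not create a new one.
    """
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported realm: {realm!r}")
    default_port = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname
    if parts.port not in (None, default_port):
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def shared_identifier(account: str) -> str:
    """The risky pattern: the same URL is handed to every relying party."""
    return OP_BASE + account


def directed_identifier(account: str, realm: str) -> str:
    """Stable for one (account, relying party) pair, unlinkable across parties."""
    msg = f"{rp_scope(realm)}\x00{account}".encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return OP_BASE + tag


def linkable(id_seen_by_a: str, id_seen_by_b: str) -> bool:
    """What two colluding relying parties can test by comparing identifiers."""
    return hmac.compare_digest(id_seen_by_a, id_seen_by_b)


if __name__ == "__main__":
    shop, forum = "https://shop.example/checkout", "https://forum.example/"
    print("shared:  ", linkable(shared_identifier("alice"), shared_identifier("alice")))
    print("directed:", linkable(directed_identifier("alice", shop),
                                directed_identifier("alice", forum)))
```

Because the key is the only thing that ties an identifier back to an account, rotating or losing it changes every user's identifier at every relying party.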
OPENID RELYING PARTY-INITIATED FLOW
WHAT INFOCARD BRINGS TO THE TABLE
InfoCard is a smart client that uses a card metaphor to let users manage data sharing.
HOW INFORMATION CARDS WORK
Initially use the identity selector client component to:
Accept managed cards from identity providers after authentication
Create personal cards that store your own claims about yourself
Later, when you access a card-accepting relying partner:
Choose from among your cards that satisfy the relying parties’ and identity providers’ policy requirements and abilities
SIGN-ON USING A MANAGED CARD
USE CASES RELATED TO SINGLE SIGN-ON (SSO)
Master use case: SSO
Initiated at identity provider
Initiated at service provider
USE CASES: SSO PLUS USER ATTRIBUTES
User attributes ideally have one authoritative source.
If a relying party can receive them at login, they’re likelier to be accurate and fresh.
Attributes are used for authorization and personalization.
Privacy and user consent and control considerations should be paramount.
USE CASES RELATED TO SSO AND SINGLE LOGOUT (SLO)
CONCLUDING THOUGHTS
Consumer internet interactions are repetitive, frustrating, and littered with outdated information.
PayPal’s credential assurance level and consumer confidence make it a natural trusted identity provider.
PayPal is certifying as an Identity Provider (IdP) offering OpenID and information cards.
OpenID is an open, decentralized, free framework for user-centric digital identity.
An information card is the digital version of the cards you carry in your purse or wallet today to make everyday web transactions become much easier, faster, and safer.
Outsourcing identity-related services—such as customer authentication—to PayPal could speed your application development, save you the hassle of dealing with password resets, and give your customers a shorter and easier path to purchases. An authentication service is just one example of the identity services we've got planned. Come learn how all of them can improve business opportunities and enhance user experiences.