Identity as easy as LMNOP

Published in: Technology, Business

Transcript

  • 1. Identity as easy as LMNOP Eric Sachs, Google
  • 2. LMNOP
    • P=Passwords
    • O=Open IDs
    • N=phone Numbers
    • M=Mobile operators
    • L=Local governments
  • 3. P=Passwords
      • Passwords are bad.  Password reuse is worse
      • OpenID type techniques are already making progress
      • OpenID lets websites outsource the identity business to experts, i.e. identity providers
  • 4. O=Open IDs
      • OpenID community from the beginning has focused on one thing that is important to NSTIC, user choice
      • OpenID community already has led the way with trust frameworks and a government certification
      • But there are some things OpenID does NOT do:
        • handle authentication
        • map to real-world identities
  • 5. N=phone Numbers
      • Major OpenID providers have sophisticated authentication systems, but still rely heavily on passwords
      • They have all started trying to gather phone numbers from users as a backup in case accounts are stolen, and as a weak form of two-factor authentication
      • Some are offering strong two-factor authentication, but usability is poor so adoption is low, and OTPs are still phishable
  • 6. M=Mobile operators
      • Mobile operators already have advanced systems to authenticate phone numbers, both the human owners and the assigned devices
      • Instead of OpenID IDPs using SMS and phone calls, there is the potential for those IDPs to outsource authentication to mobile operators
      • Solves the usability problems, and is certificate based (SIMs) so it is not phishable
      • But what $ is there in it for the mobile operators?
        • Let's come back to that
  • 7. L=Local governments
      • Who do the mobile operators rely on for identity?
        • If you lose your phone, how do you prove who you are?  You show a local government ID
      • So if websites rely on IDPs, and IDPs rely on mobile operators, should mobile operators rely on an electronic government issued ID as the final backup form of authentication?
        • Americans and NSTIC say NO
  • 8. LMNOP almost gets us there
    • Three problems
        • OpenID does not map to real-world identity
        • No economic incentive for mobile operators to provide authentication services
        • Government avoiding electronic IDs
  • 9. Street Identity TODAY!
      • Frank was traveling in the Bay Area and was treated for an emergency at Stanford Hospital
      • Frank gets home and wants to get access to his health records
      • He visits the hospital website and registers by providing his name and billing address
      • Stanford sends a letter to his house with a one-time code.  The expense for them is "the price of a stamp"
      • Frank gets it, visits their site again, enters the code, and has access to his data
  • 10. What if?
      • Frank's mobile operator authenticated him AND acted as an attribute provider for his name & address from his mobile billing record?
      • Frank visits Stanford's website, logs in with OpenID, and tells his IDP to release his "street identity" attribute
      • Stanford gets an OAuth token from his IDP that they send to his mobile operator
      • The operator charges Stanford "the price of a stamp" and returns his verified address
      • Stanford shows Frank his records
  • 11. Industry demand
      • Email providers and social networks have high expenses for handling account recovery
      • Banks and big E-Commerce sites have fraud rates that could be offset
      • Utility vendors are trying to get customers to move to online interaction instead of postal mail
      • Universities have to handle requests for transcripts of alumni
      • TV Everywhere is an industry effort for paying cable subscribers to access content on other sites, i.e. HBOgo, NBC Olympics, etc.
  • 12. Street Identity solves 3 problems
    • 1. OpenID does not map to real-world identity
        • Solved with mobile operator as attribute provider
    • 2. No economic incentive for mobile operators to provide authentication services
        • Solved with operators collecting "stamp fees" from any website that wants stronger identity
        • ~200 million users * 10 sites * a stamp = $1 billion
    • 3. Government avoiding electronic IDs
        • NSTIC defines trust framework for delegating street identity to attribute providers
        • Government RPs are early adopters/payers
  • 13. Easy Homework
      • What is the certification profile for a street identity attribute provider?
      • What OAuth model is used for IDP to hand out a street identity token, and how does a website use it with the attribute provider?
      • How does a user bind their mobile account to their IDP account?
      • How does a user log into the apps/browser on their smartphone?
      • How does a user log into a PC using their mobile device?
  • 14. Hard Homework for OIX
      • Is OIX willing to submit LMNOP and Street Identity to NSTIC as a strawman?
      • Is there enough $ to attract the interest of mobile operators?
        • Can government RPs be the initial payers?
        • How about healthcare institutions?
        • How do we survey industry for more market demand?
      • Which mobile operators are willing to be first?
  • 15. Identity as easy as LMNOP Eric Sachs, Google
  • 16. Discussion time
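
The "What if?" flow on slide 10, sketched as an added example that is not part of the original deck: the IDP issues a consent-gated token, the website presents it to the mobile operator, and the operator charges the fee only after checking signature, scope, audience, expiry and single use. Slide 13 leaves the OAuth model open, so the token layout, the HMAC key shared between IDP and operator, the fee value and every name here are assumptions.

```python
import base64, hashlib, hmac, json, secrets

IDP_OPERATOR_KEY = b"constructed-demo-key"  # assumption: secret shared by IDP and operator
STAMP_FEE_CENTS = 50                        # placeholder for "the price of a stamp"

def _mac(body: str) -> str:
    return hmac.new(IDP_OPERATOR_KEY, body.encode(), hashlib.sha256).hexdigest()

def idp_issue_token(user, rp, consented, now, ttl=300):
    """IDP: mint a token only after the user releases the attribute."""
    if not consented:
        raise PermissionError("user did not release street identity")
    claims = {"sub": user, "aud": rp, "scope": "street_identity",
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _mac(body)

class MobileOperator:
    """Attribute provider: verifies the token, bills the website, returns the address."""
    def __init__(self, billing_records):
        self.billing = billing_records   # subscriber -> name/address on the bill
        self.redeemed = set()            # token ids already used
        self.ledger = {}                 # website -> cents owed

    def redeem(self, token, presenting_rp, now):
        # presenting_rp is assumed to be authenticated separately (e.g. client credentials)
        body, _, mac = token.partition(".")
        if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
            raise ValueError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["scope"] != "street_identity":
            raise ValueError("wrong scope")
        if claims["aud"] != presenting_rp:
            raise ValueError("token was issued to a different website")
        if now >= claims["exp"]:
            raise ValueError("token expired")
        if claims["jti"] in self.redeemed:
            raise ValueError("token already redeemed")
        record = self.billing[claims["sub"]]
        self.redeemed.add(claims["jti"])
        self.ledger[presenting_rp] = self.ledger.get(presenting_rp, 0) + STAMP_FEE_CENTS
        return record

def demo():
    # Constructed sample data: one subscriber, one website.
    operator = MobileOperator({"frank": {"name": "Frank", "address": "1 Constructed St"}})
    token = idp_issue_token("frank", "hospital.example", consented=True, now=1000)
    return operator, token, operator.redeem(token, "hospital.example", now=1010)
```

Binding the token to one website and one redemption means a stolen or forwarded token cannot be replayed by another party, and the website is billed exactly once per verified lookup.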