Street conf overview

Slide 1: Internet Identity, November 2011
Slide 2: Updates
  1. Account Chooser: simplify sign-in/sign-up on the web
  2. OAuth2/OpenID Connect: eliminate password reuse (one password)
  3. Identity verification: CHOOSE to share your VERIFIED legal identity (name/address) with a site
  4. Strong authentication: secure the "one password" with additional protection
Slide 7: 1. Account Chooser
  - accountchooser.com
  - Working group in the OpenID Foundation
    - NOT protocol specific
    - Current version is site specific
    - Next version is global to the browser
  - Implemented in products such as Janrain Engage and Google Identity Toolkit
  - Google is replacing its own login box
    - Opt in by searching for "account chooser experiment"
Slide 9: 2. OAuth2/OpenID Connect
  - oauth.net (OAuth2 in particular)
  - ONE protocol for identity in the cloud = OAuth
    - On-premise systems still use a mix
    - The protocol supports many use cases
      - Federated login = OpenID Connect
  - Simpler story for developers
    - Use OAuth for identity in the cloud
      - Web-services friendly (REST/JSON)
    - OpenID Connect is OpenID v2 rebuilt on OAuth
Slide 10: 3. Identity Verification
  - How do you PROVE you are not a dog on the Internet?
  - What if you WANT to share your legal identity (name/address) with a site so you can access...
    - Your online medical records
    - Your Social Security, tax, etc. records
    - Your utility records
    - Premium content you have paid for
    - ...
Slide 15: Behind the scenes
  1. How was the user's identity verified?
  2. What is the business model?
  3. How was the user's login authenticated?
Slide 16: Identity verification
  - Done via attribute providers
    - Some already have a verified identity for the user
    - Others will perform the verification from scratch
  - ID/DataWeb demo
    - Shown at the OIX event
Slide 21: Postcard code technique
  - Common approach
    - Social Security Administration
    - Hospitals
    - Google Maps
    - etc.
  - Big difference
    - Previously it was once per site (and costly)
    - Now it is once per person
      - Better usability (for the 2nd, 3rd, ... site)
      - Lower cost (cost spread across sites)
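The slide names the postcard technique but shows none of the mechanics. The following is an added example, not code from the deck or from any of the organizations listed on it, of how an attribute provider can run mailed-code address verification once per person: a short code is printed on a postcard sent to the claimed address, only a salted hash bound to that address is stored, the code expires and is locked after a few wrong guesses (a 6-digit code cannot survive unlimited tries), and a successful redemption is recorded as a verified attribute that later relying parties ask for instead of re-verifying. The code length, attempt limit, validity window and the user and address values are assumptions chosen for the example.

```python
"""Postcard (mailed PIN) address verification, done once per person.

Added example; the slide names the technique but shows no code. Everything
here is an assumption: a 6-digit code is printed on a postcard mailed to the
claimed address, the attribute provider keeps only a salted hash of the code
bound to that address, and enforces an expiry and an attempt limit. Once the
code is redeemed the address is stored as a verified attribute that any number
of relying parties can later ask for.
"""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6
MAX_ATTEMPTS = 5                     # 10**6 codes / 5 tries: guessing is hopeless
VALIDITY_SECONDS = 30 * 24 * 3600    # postal delivery is slow; allow ~30 days


def normalize_address(address: str) -> str:
    """Canonical form so the code is bound to one address, not to its spelling."""
    return " ".join(address.upper().split())


def _hash_code(code: str, salt: bytes, address: str) -> bytes:
    # Bind the code to the address: a leaked hash cannot be redeemed elsewhere.
    return hashlib.pbkdf2_hmac("sha256", f"{code}|{address}".encode(), salt, 50_000)


class PostcardVerifier:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so expiry can be tested
        self._pending = {}        # user_id -> pending verification record
        self._verified = {}       # user_id -> normalized verified address

    def issue(self, user_id: str, address: str) -> str:
        """Start a verification. Returns the code for the print job only;
        the provider itself retains nothing but the salted hash."""
        addr = normalize_address(address)
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "hash": _hash_code(code, salt, addr),
            "address": addr,
            "expires": self._now() + VALIDITY_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id: str, code: str) -> str:
        """Redeem a code. Returns one of: verified, invalid, locked, expired, none."""
        rec = self._pending.get(user_id)
        if rec is None:
            return "none"                      # nothing pending (or already redeemed)
        if self._now() > rec["expires"]:
            del self._pending[user_id]
            return "expired"                   # a new postcard must be mailed
        rec["attempts"] += 1
        candidate = _hash_code(code.strip(), rec["salt"], rec["address"])
        if hmac.compare_digest(candidate, rec["hash"]):
            self._verified[user_id] = rec["address"]
            del self._pending[user_id]         # one-time use
            return "verified"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]         # force re-mailing rather than allow brute force
            return "locked"
        return "invalid"

    def verified_address(self, user_id: str):
        """What a relying party asks for (after consent and payment, per the deck):
        the stored attribute, not a fresh verification."""
        return self._verified.get(user_id)
```

The "once per person" point of the slide is the `verified_address` lookup: the second and third sites query the attribute provider rather than mailing their own postcard, which is where both the usability gain and the cost spreading come from.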
Slide 23-24: Business Model
  - User consents for the site (UserIDTV) to see their address
  - Site does not get the ACTUAL address until it pays the attribute provider
    - Fee is decided by the attribute provider
    - Site decides which attribute providers to support
  - Significant interest, as shown by the OIX event
    - Government RPs could use this model as well
  - ID/DataWeb and Google are ready for pilots now
    - Other IDPs and attribute providers are expected in the future
Slide 25: 4. Strong authentication
  - Secure the "one password" with additional protection
Slide 26: User Authentication
Slide 27: Authentication as an attribute
  - The same API calling mechanism used to get the street address can also be used to learn how the login session was authenticated
    - $2/user/year for verified address
    - $5/user/year for address + OTP
    - $10/user/year for address + certificate
    - $20/user/year for in-person verification + certificate
    - etc.
Slide 28: Who will handle authentication?
  - Big consumer IDPs are making some progress with OTPs
  - Revenue potential is attracting other companies
  - Mobile carriers are a common example
Slide 30: Phone purchase process
  - Bonnie orders a new phone online
  - Consents for the carrier to
    - be her attribute provider for street address
    - be her authentication provider
  - Bonnie's new phone arrives
    - Turn it on, unlock it
    - Mail/Addressbook/etc. sync automatically
    - Browser is logged into her account using the device ID
    - Bonnie visits an RP and it detects the strong authentication (for a fee)
  - Simple user experience + powerful security
Slide 31: Summary
  1. Account Chooser: simplify sign-in/sign-up on the web
  2. OAuth2/OpenID Connect: eliminate password reuse (one password)
  3. Identity verification: CHOOSE to share your VERIFIED legal identity (name/address) with a site
  4. Strong authentication: secure the "one password" with additional protection
