Identity as easy as LMNOP


Published in: Technology, Business

  1. Identity as easy as LMNOP
     Eric Sachs, Google
  2. LMNOP
     • P=Passwords
     • O=Open IDs
     • N=phone Numbers
     • M=Mobile operators
     • L=Local governments
  3. P=Passwords
     • Passwords are bad. Password reuse is worse
     • OpenID type techniques are already making progress
     • OpenID lets websites outsource the identity business to experts, i.e. identity providers
  4. O=Open IDs
     • OpenID community from the beginning has focused on one thing that is important to NSTIC, user choice
     • OpenID community already has led the way with trust frameworks and a government certification
     • But there are some things OpenID does NOT do:
         • handle authentication
         • map to real-world identities
  5. N=phone Numbers
     • Major Open ID providers have sophisticated authentication systems, but still rely heavily on passwords
     • They have all started trying to gather phone numbers from users as a backup in case accounts are stolen, and as a weak form of two-factor authentication
     • Some are offering strong two-factor authentication, but usability is poor so adoption is low, and OTPs are still phishable
  6. M=Mobile operators
     • Mobile operators already have advanced systems to authenticate phone numbers, both the human owners and the assigned devices
     • Instead of OpenID IDPs using SMS and phone calls, there is the potential for those IDPs to outsource authentication to mobile operators
     • Solves the usability problems, and is certificate based (SIMs) so it is not phishable
     • But what $ is there in it for the mobile operators?
         • Let's come back to that
  7. L=Local governments
     • Who do the mobile operators rely on for identity?
         • If you lose your phone, how do you prove who you are? You show a local government ID
     • So if websites rely on IDPs, and IDPs rely on mobile operators, should mobile operators rely on an electronic government issued ID as the final backup form of authentication?
         • Americans and NSTIC say NO
  8. LMNOP almost gets us there
     • Three problems
         • OpenID does not map to real-world identity
         • No economic incentive for mobile operators to provide authentication services
         • Government avoiding electronic IDs
  9. Street Identity TODAY!
     • Frank was traveling in the Bay Area and was treated for an emergency at Stanford Hospital
     • Frank gets home and wants to get access to his health records
     • He visits the hospital website and registers by providing his name and billing address
     • Stanford sends a letter to his house with a one-time code. The expense for them is "the price of a stamp"
     • Frank gets it, visits their site again, enters the code, and has access to his data
  10. What if?
      • Frank's mobile operator authenticated him AND acted as an attribute provider for his name & address from his mobile billing record?
      • Frank visits Stanford's website, logs in with OpenID, and tells his IDP to release his "street identity" attribute
      • Stanford gets an OAuth token from his IDP that they send to his mobile operator
      • The operator charges Stanford "the price of a stamp" and returns his verified address
      • Stanford shows Frank his records
  11. Industry demand
      • Email providers and social networks have high expenses for handling account recovery
      • Banks and big E-Commerce sites have fraud rates that could be offset
      • Utility vendors are trying to get customers to move to online interaction instead of postal mail
      • Universities have to handle requests for transcripts of alumni
      • TV Everywhere is an industry effort for paying cable subscribers to access content on other sites, i.e. HBOgo, NBC Olympics, etc.
  12. Street Identity solves 3 problems
      1. OpenID does not map to real-world identity
          • Solved with mobile operator as attribute provider
      2. No economic incentive for mobile operators to provide authentication services
          • Solved with operators collecting "stamp fees" from any website that wants stronger identity
          • ~200 million users * 10 sites * a stamp = $1 billion
      3. Government avoiding electronic IDs
          • NSTIC defines trust framework for delegating street identity to attribute providers
          • Government RPs are early adopters/payers
  13. Easy Homework
      • What is the certification profile for a street identity attribute provider?
      • What OAuth model is used for IDP to hand out a street identity token, and how does a website use it with the attribute provider?
      • How does a user bind their mobile account to their IDP account?
      • How does a user log into the apps/browser on their smartphone?
      • How does a user log into a PC using their mobile device?
  14. Hard Homework for OIX
      • Is OIX willing to submit LMNOP and Street Identity to NSTIC as a strawman?
      • Is there enough $ to attract the interest of mobile operators?
          • Can government RPs be the initial payers?
          • How about healthcare institutions?
          • How do we survey industry for more market demand?
      • Which mobile operators are willing to be first?
  15. Identity as easy as LMNOP
      Eric Sachs, Google
  16. Discussion time
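
The flow on slide 10, with the checks an attribute provider would need to make on the token that slide 13 asks about, as an added example (not from the deck or from any deployed system). The deck leaves the OAuth model open, so the token format, the shared HMAC key, and the names idp_issue_token, Operator and release_address are assumptions made for illustration; the billing record is constructed.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: IDP and operator share this key out of band (constructed value);
# a real deployment would more likely use asymmetric signatures.
KEY = b"constructed-demo-key"
# Constructed operator billing record, keyed by the subscriber id the IDP asserts.
BILLING = {"frank@idp.example": {"name": "Frank Example", "address": "1 Constructed St"}}

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()

def idp_issue_token(user, rp, now=None, ttl=300):
    """IDP: after the user consents, mint a token for one RP and one attribute."""
    now = time.time() if now is None else now
    claims = {"sub": user, "rp": rp, "scope": "street_identity",
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_sign(body)).decode()

class Operator:
    """Mobile operator acting as attribute provider."""
    def __init__(self):
        self.seen_jti = set()   # tokens already redeemed
        self.billed = []        # one "price of a stamp" charge per release

    def release_address(self, token, calling_rp, now=None):
        # calling_rp is assumed to be authenticated by the operator already.
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return ("error", "malformed")
        if not hmac.compare_digest(sig, _sign(body)):
            return ("error", "bad signature")
        c = json.loads(body)
        if c["rp"] != calling_rp:            # token stolen or forwarded to another site
            return ("error", "wrong relying party")
        if c["scope"] != "street_identity":  # user consented to this attribute only
            return ("error", "wrong scope")
        if now >= c["exp"]:
            return ("error", "expired")
        if c["jti"] in self.seen_jti:        # single use: one stamp, one release
            return ("error", "replayed")
        if c["sub"] not in BILLING:
            return ("error", "unknown subscriber")
        self.seen_jti.add(c["jti"])
        self.billed.append(calling_rp)
        return ("ok", BILLING[c["sub"]])
```

Binding the token to one relying party, one attribute, a short lifetime and a single redemption is what keeps a leaked token from being turned into an address lookup by a different site, and keeps the charge tied to a release the user approved.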