This document proposes a new identity framework called "Street Identity" that aims to solve some of the key issues with existing identity solutions like OpenID. It suggests having mobile operators authenticate users and act as attribute providers by verifying personal details like names and addresses from user billing records. This would give websites a way to reliably map digital identities to real-world users. It also provides an incentive for mobile operators to participate by allowing them to charge websites a small "stamp fee" for each identity verification. The framework is presented as having potential demand from industries like email providers, social networks, and universities seeking more secure online identity and account recovery solutions.
3. P=Passwords
- Passwords are bad
- Password reuse is worse
- OpenID type techniques are already making progress
- OpenID lets websites outsource the identity business to experts, i.e. identity providers
4. O=Open IDs
- OpenID community from the beginning has focused on one thing that is important to NSTIC: user choice
- OpenID community already has led the way with trust frameworks and a government certification
- But there are some things OpenID does NOT do:
- handle authentication
- map to real-world identities
5. N=phone Numbers
- Major Open ID providers have sophisticated authentication systems, but still rely heavily on passwords
- They have all started trying to gather phone numbers from users as a backup in case accounts are stolen, and as a weak form of two-factor authentication
- Some are offering strong two-factor authentication, but usability is poor so adoption is low, and OTPs are still phishable
6. M=Mobile operators
- Mobile operators already have advanced systems to authenticate phone numbers, both the human owners and the assigned devices
- Instead of OpenID IDPs using SMS and phone calls, there is the potential for those IDPs to outsource authentication to mobile operators
- Solves the usability problems, and is certificate based (SIMs) so it is not phishable
- But what $ is there in it for the mobile operators? Let's come back to that
7. L=Local governments
- Who do the mobile operators rely on for identity?
- If you lose your phone, how do you prove who you are?
- You show a local government ID
- So if websites rely on IDPs, and IDPs rely on mobile operators, should mobile operators rely on an electronic government issued ID as the final backup form of authentication?
- Americans and NSTIC say NO
8. LMNOP almost gets us there
Three problems:
- OpenID does not map to real-world identity
- No economic incentive for mobile operators to provide authentication services
- Government avoiding electronic IDs
9. Street Identity TODAY!
- Frank was traveling in the Bay Area and was treated for an emergency at Stanford Hospital
- Frank gets home and wants to get access to his health records
- He visits the hospital website and registers by providing his name and billing address
- Stanford sends a letter to his house with a one-time code
- The expense for them is "the price of a stamp"
- Frank gets it, visits their site again, enters the code, and has access to his data
10. What if?
- Frank's mobile operator authenticated him AND acted as an attribute provider for his name & address from his mobile billing record?
- Frank visits Stanford's website, logs in with OpenID, and tells his IDP to release his "street identity" attribute
- Stanford gets an OAuth token from his IDP that they send to his mobile operator
- The operator charges Stanford "the price of a stamp" and returns his verified address
- Stanford shows Frank his records
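The token hand-off on this slide, sketched as an added example that is not part of the original deck. The deck leaves the OAuth model open, so the HMAC-signed token, the key shared by IDP and operator, the claim names and the fee value are all assumptions, and the subscriber record is constructed.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the deck): shared IDP/operator key, claim names, fee value.
IDP_OPERATOR_KEY = b"constructed-demo-key"
STAMP_FEE_CENTS = 50  # placeholder for "the price of a stamp"

def _sign(body: bytes) -> bytes:
    return hmac.new(IDP_OPERATOR_KEY, body, hashlib.sha256).hexdigest().encode()

def idp_issue_token(subscriber, rp, jti, now=None, ttl=300):
    """IDP side: after user consent, mint a token for one attribute and one RP."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": subscriber, "aud": rp, "scope": "street_identity",
              "exp": issued + ttl, "jti": jti}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

class MobileOperator:
    """Attribute provider: verifies the token, bills the RP, releases the record."""
    def __init__(self, billing_records):
        self.billing = billing_records   # subscriber -> verified name and address
        self.redeemed = set()            # token ids already paid out (replay guard)
        self.invoices = {}               # RP -> cents owed

    def redeem(self, token, presenting_rp, now=None):
        # presenting_rp is assumed to be authenticated by the operator beforehand.
        now = time.time() if now is None else now
        body, _, sig = token.encode().partition(b".")
        if not hmac.compare_digest(sig, _sign(body)):
            raise PermissionError("bad signature")       # check before parsing
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["scope"] != "street_identity":
            raise PermissionError("wrong scope")
        if claims["aud"] != presenting_rp:
            raise PermissionError("token issued to a different RP")
        if claims["exp"] < now:
            raise PermissionError("token expired")
        if claims["jti"] in self.redeemed:
            raise PermissionError("token already redeemed")
        record = self.billing[claims["sub"]]
        self.redeemed.add(claims["jti"])
        self.invoices[presenting_rp] = self.invoices.get(presenting_rp, 0) + STAMP_FEE_CENTS
        return record

if __name__ == "__main__":
    op = MobileOperator({"+15555550100": {"name": "Frank Example",   # constructed
                                          "address": "1 Constructed St"}})
    tok = idp_issue_token("+15555550100", "hospital.example", jti="t-1")
    print(op.redeem(tok, "hospital.example"), op.invoices)
```

Binding the token to one RP and one redemption keeps a leaked token from being replayed by another site or billed twice.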
11. Industry demand
- Email providers and social networks have high expenses for handling account recovery
- Banks and big E-Commerce sites have fraud rates that could be offset
- Utility vendors are trying to get customers to move to online interaction instead of postal mail
- Universities have to handle requests for transcripts of alumni
- TV Everywhere is an industry effort for paying cable subscribers to access content on other sites, i.e. HBOgo, NBC Olympics, etc.
12. Street Identity solves 3 problems
1. OpenID does not map to real-world identity
- Solved with mobile operator as attribute provider
2. No economic incentive for mobile operators to provide authentication services
- Solved with operators collecting "stamp fees" from any website that wants stronger identity
- ~200 million users * 10 sites * a stamp = $1 billion
3. Government avoiding electronic IDs
- NSTIC defines trust framework for delegating street identity to attribute providers
- Government RPs are early adopters/payers
13. Easy Homework
- What is the certification profile for a street identity attribute provider?
- What OAuth model is used for IDP to hand out a street identity token, and how does a website use it with the attribute provider?
- How does a user bind their mobile account to their IDP account?
- How does a user log into the apps/browser on their smartphone?
- How does a user log into a PC using their mobile device?
14. Hard Homework for OIX
- Is OIX willing to submit LMNOP and Street Identity to NSTIC as a strawman?
- Is there enough $ to attract the interest of mobile operators?
- Can government RPs be the initial payers? How about healthcare institutions?
- How do we survey industry for more market demand?
- Which mobile operators are willing to be first?