Monday, September 10, 2007

Research Post: Identity 2.0

 

Web 2.0 has become a big buzz phrase over the last couple of years. It comes from a play on the software version numbering system used to signify revisions and releases to the public. Many people have adopted it to mean that the web has been revised enough to have its second version now in production. Following this lead, many new technological and software advances are also being given second-version nomenclature; among these is Identity 2.0.


Before discussing Identity 2.0 I would like to define, to the best of my understanding, what “Identity” is. Dick Hardt (Hardt) expressed that identity is:

Who you are
Where you are from in the past and present
Who you say you are
Who others say you are

This last point is the basis of reputation, because it is reported by others. The third point, who you say you are, is the credentials we provide about ourselves. Reputation, then, allows for repeated validation by outside sources.


Truly verified identity is the presentation of proof issued by an authorizing agency. For example, a driver’s license, passport, or other government-issued ID is proof of identity. This proof passes the trust placed in the person being identified on to the issuer of the ID, so that trust rests significantly on the issuer’s credibility. Traditionally we have relied upon government agencies to provide the root proof of identification. Other forms of identity proof are based on these government root IDs, allowing trust to ultimately flow back to the government agency that issued the root ID.


These root forms of identification proof are universally accepted and built upon by other institutions. Universities, businesses, and other government agencies take these root IDs, add relevant information to them to build our profile within their data stores, and provide a secondary ID. Once a secondary ID is granted, both the root ID and the secondary ID can be used as proof of identity within that secondary system. To prove our identity, the requesting party validates our claim by matching our photo, if we are present, to our actual self. Often, the requesting party simply accepts possession of the identification credentials as enough evidence that the presenting person is honestly the person in the credentials.


The first version of online identity required submission of personal information to each individual website’s database. These submissions vary in consistency from filling in very little private information to divulging considerable private details. Usually this request is directly tied to the degree to which the requesting site needs to trust the user. If it is simply a way to provide access to more information about the user, then something as simple as an email account may be all that is requested. If, however, you are conducting business online, either by purchasing or selling, the information requested could require verified proof of your bank account number. (Most often bank accounts are verified by small deposits being placed in your account and you reporting the amounts of these deposits back to the requester.) As Dion Hinchcliffe stated in his blog, “when it really counts, there’s no generally accepted way to identify who a user really is without resorting to onerous methods that are either 1) rife with privacy problems or 2) too complex and time-consuming and also kill the level of participation.” (Hinchcliffe)


The most glaring problem with this form of identity is the presentation of fraudulent or stolen information on the user’s side and phishing on the side of the business or website. (Richards) Advances in the physical realm of identity have made physical attempts at passing a fraudulent ID much harder to accomplish, but in the virtual world it’s almost a given that if you ask for more information from the user than they deem necessary you will be given false data. After the issue of false or stolen data, the next troublesome issue lies in which agency possesses the authority to grant root proof of identification. This wades into the dark and smelly world of politics, and I am choosing not to venture there in this research.


Each site’s data is contained in a silo that cannot be connected to or intermingled with the others. This is further complicated by the fact that many sites have different requirements for setting up profiles secured by usernames and passwords. Thus, one site may have your preferred username available, but its password requirements (or limitations) don’t allow you to use your preferred password. Suddenly you have two passwords to remember. This compounds quickly as you register for more sites, each one requiring its own unique profile information about you. The same problems often apply to enterprise applications and programs used on local machines. Being able to use the same credentials at different web sites, or to have one site communicate your identification, preferences, and any other relevant information to another site, would be a benefit to most online users.


Many garage doors have a keypad outside the home to allow entry without a key or garage remote. Have you ever seen a house with a five-digit number scribed into the concrete drive next to the garage? Or a house that had a clipboard hanging from the fence with five large numbers scribbled on it facing the garage? You might have seen a cubicle (don’t tell if it’s your own) with yellow stickies on the monitor, under the keyboard, or in the top drawer containing miscellaneous usernames and passwords penciled on them. (Richards) (Conry-Murray) The user-centric design of online identity has caused this security lapse to become an accepted practice in the workplace. There are ways to avoid this, such as browsers that remember which username and password go with which site. However, these do not always perform correctly and do not work at all on another computer. The chances that you will remember your username and password diminish the longer these form fillers are relied on.


Identity 2.0 is an effort to bring user-centric proof of ID to the online world as well as to enterprise applications. By allowing users to submit a single line of text as their login, both to validate on return visits and to create a profile on the first visit, these projects greatly improve the efficiency of online identification. (Conry-Murray) Some of the projects underway also allow the sharing of user-approved information between sites or applications. Different projects accomplish this in different ways, some of which will be discussed below. One of the major features among most of these projects is putting control in the user’s hands to decide which data is shared with each site, and allowing propagated updates to be pushed out any time the user’s identification is updated in their profile.
The three main ingredients needed for any of the projects being pursued in regard to Identity 2.0 are the web browser on the user’s computer, the requesting site, and the authorizing identity provider. (Conry-Murray) VeriSign, Microsoft, and other less recognized companies are issuing various forms of ID. The list of companies contributing and the projects they are involved with has stabilized only in the last couple of months. There have been a few smaller endeavors that have either been consumed or died. We are going to look at the main five projects and the companies involved with each.


One of the oldest and probably most widely recognized is Microsoft’s Passport. While it no longer exists, it was the first attempt by a large corporation to bring Single Sign On (SSO) to the web. Microsoft has completely rewritten Passport and re-launched it as Windows Live ID. The main feature is again SSO, and it has had a very low adoption rate among corporations outside of Microsoft.


Microsoft has also brought out CardSpace (formerly InfoCard) by embedding it in Vista and making it available for XP. The difference with CardSpace is that it manages your different identification cards on your local machine. You can create cards to use on different websites, or acquire a Managed Card from an authorizing identity provider (VeriSign being the most notable). When visiting a CardSpace-supporting site that requires you to log in, you can click the CardSpace icon and select which ID card you want to submit to the site, allowing you to create a profile and log in. CardSpace itself does not create the identities or provide the authority to validate them. This makes CardSpace a good companion technology to the rest of the projects we are going to look at. However, adoption of CardSpace is lagging among high-value sites. (Richards)

OpenID is probably the most discussed of the current projects among those familiar with this subject. It is being supported and used by many different corporations and websites. In the beginning it was mostly used to quickly validate who you were in order to leave blog comments. (Conry-Murray) As it has been used as a base in other projects, its use has broadened. OpenID establishes a URL that each user in essence owns; the user can post their profile information at this URL for other sites to access. This URL acts as the universal username and password for logging in to sites and applications. The major drawback to this approach is that anyone can create an OpenID without any form of validation. Many companies have approached this by implementing various ways of validating.
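The three-party model described above (browser, requesting site, authorizing identity provider) and the OpenID drawback that anyone can claim a URL, as an added Python sketch that is not code from this post or from any of the projects it names. The provider, relying site, association secret and the account for http://alice.example/ are all constructed; a direct function return stands in for the redirects that would pass through the user's browser.

```python
import hashlib, hmac, secrets

def sign(secret, fields):
    # Key-value form of the signed fields, MACed with the association secret
    msg = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return hmac.new(secret, msg.encode(), hashlib.sha1).hexdigest()

class IdentityProvider:  # the authorizing identity provider
    def __init__(self):
        self.accounts = {}      # claimed URL -> password hash (constructed demo data)
        self.associations = {}  # association handle -> shared HMAC secret
    def register(self, claimed_url, password):
        # Anyone can claim a URL: no real-world validation happens, the drawback the post notes
        self.accounts[claimed_url] = hashlib.sha256(password.encode()).hexdigest()
    def associate(self):
        # Relying site and provider agree a secret up front so assertions can be checked locally
        handle, secret = secrets.token_hex(8), secrets.token_bytes(20)
        self.associations[handle] = secret
        return handle, secret
    def authenticate(self, claimed_url, password, handle, return_to):
        # The password is entered at the provider only; the relying site never sees it
        if self.accounts.get(claimed_url) != hashlib.sha256(password.encode()).hexdigest():
            return None
        fields = {"claimed_id": claimed_url, "return_to": return_to, "assoc_handle": handle,
                  "signed": "claimed_id,return_to,assoc_handle"}
        fields["sig"] = sign(self.associations[handle], fields)
        return fields  # in a real deployment this travels back via the user's browser

class RelyingParty:  # the requesting site
    def __init__(self, url, idp):
        self.url = url
        self.assoc_handle, self.assoc_secret = idp.associate()
    def verify(self, assertion):
        if (not assertion or assertion.get("return_to") != self.url
                or assertion.get("assoc_handle") != self.assoc_handle):
            return None
        # Constant-time compare; a claimed_id or return_to altered in transit fails here
        good = hmac.compare_digest(sign(self.assoc_secret, assertion), assertion["sig"])
        return assertion["claimed_id"] if good else None

def demo():
    idp = IdentityProvider()
    idp.register("http://alice.example/", "correct horse")  # constructed account
    rp = RelyingParty("http://shop.example/login", idp)
    ok = rp.verify(idp.authenticate("http://alice.example/", "correct horse", rp.assoc_handle, rp.url))
    bad = rp.verify(idp.authenticate("http://alice.example/", "wrong", rp.assoc_handle, rp.url))
    forged = idp.authenticate("http://alice.example/", "correct horse", rp.assoc_handle, rp.url)
    forged["claimed_id"] = "http://bob.example/"  # altered in transit
    return ok, bad, rp.verify(forged)
```

Note that the relying site learns only that the provider vouches for the URL; whether a real person stands behind http://alice.example/ is exactly what plain OpenID leaves unverified.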

 

VeriSign has taken OpenID and created its Personal Identity Provider card, which can be stored in CardSpace. This is currently in VeriSign’s labs and is free to use. (Consumer Identity and Profile Management) This approach works well for enterprise use, as a unique number can be given to each user for card creation along with email validation. The cards can then be used to sign in to various applications or websites that support CardSpace. Efficiency for workers going from site to site, or application to application, is the biggest draw. Also, any time the user updates their information in their CardSpace card it is automatically updated for the site. You may have multiple cards, and use more than one card to create multiple profiles in each site or application.


Sxip (pronounced Skip) is another company basing its product on OpenID. Sxip takes the user’s URL and makes it available only through the user’s browser, so there are no direct requests to the URL’s server from web sites, and the amount of information passed through the browser to the sites is regulated on the fly by the user. (Sxip)


Higgins, Liberty Alliance, and Yadis are three other projects being developed by a long list of contributing companies. These projects consist of combinations of OpenID and various other projects. Each of them is trying to address issues of security, validity, and privacy.


The speed of Single Sign On is the biggest efficiency for businesses looking inwardly for gains. (Conry-Murray) However, there are also gains in the speed of user management, since updating a single profile will propagate out beyond your intranet or Active Directory to external sites. It also gives customers fast access to relevant information and gives you continually updated contact info for each of them. For developers and those wishing to give users cross-site access, the cost of doing so is dramatically lowered, since traditional ways of providing Single Sign On were developer intensive and had to be custom built each time a new connection was made. The CardSpace and OpenID combination allows more than SSO to be accomplished between sites; it also shares user information such as purchase history, preferences, or any other data the user allows to be passed. Normally, for this type of information to be shared, a lot of integration programming would have to be done, costing both companies resources.


This technology is far from being widely adopted, and this will hold back the ways it can be implemented to produce financial savings and business advantages. Over the next 12 to 18 months businesses will begin to change the way we do business online and interact with our peers. This technology will be a major part of that change.


Works Cited

Conry-Murray, Andrew. "Single Sign-On For The Web?" Information Week 27 August 2007: 64,58.

Consumer Identity and Profile Management. 8 Sept 2007. http://www.verisign.com/research/Con...ent/index.html

Hardt, Dick. OSCON Keynote - Identity 2.0. 2005. http://identity20.com/media/OSCON2005/

Hinchcliffe, Dion. "Identity 1.x: Microsoft Live ID and Google Accounts." 6 July 2006. http://blogs.zdnet.com/Hinchcliffe/?p=52

Richards, Jonathan. "Can't remember your password? Don't panic." 26 February 2007. Times Online. http://technology.timesonline.co.uk/...cle1441331.ece

Sxip. 5 Sept 2007. http://www.sxip.com/

 

3 comments:

GaryK said...

Hi: I am the technical director for the PiP/SeatBelt product here at VeriSign which you reference in your very well written article. If your readers are interested in actually reviewing the service they can go to: http://pip.verisignlabs.com

Lori Pike said...

Hi Brian, I'm with Sxip. Great overview of ID 2.0 :) Thought your readers might be interested in a free Identity 2.0 solution we're working on, Sxipper. It's a Firefox extension designed to simplify your life online, providing web SSO, form-fill, enhanced phishing protection for OpenID, etc... See http://www.sxipper.com

Jasmine said...

The article you have written about research is excellent .... More information about Research writing