Posts filed under ‘OpenID’
I’ve been a fan of usability guru Jakob Nielsen’s regular update (Alertbox) for a long time. It’s admirable how he keeps re-emphasising the fundamentals again and again.
I suspect that half the reason I read the updates so regularly is the futile hope that somehow, maybe by osmosis, his common sense approach will percolate into my subconscious and lead to better outcomes for the online services I’m involved in.
Jakob Nielsen would no doubt laugh at such nonsense, throw up his hands, and demand that I user test to objectively determine that one way or another.
Anyway, his latest piece is on enterprise portals. That is not an area that I often venture into but he had some stuff about single sign-on (SSO) that caught my eye:
“Single sign-on is the Loch Ness monster of the intranet world: People hear about it and even believe it exists, but they’ve yet to see it for real…In our initial research 5 years ago, it was already clear that single sign-on could dramatically improve user productivity and satisfaction, as well as immensely reduce support costs.”
“Our second round of research confirmed single sign-on’s potential — and its elusiveness… True single sign-on was and is extraordinarily rare… We can only conclude that it’s very difficult to achieve, despite its promise.”
What’s true of the enterprise is even more so outside it, for the Internet.
The benefits and business case for enterprise SSO are undoubtedly great. But for the Internet? That’s an area that I personally struggle with, notwithstanding that SSO is the original use case for federation and, to some extent, can be provided by OpenID (provided the person has logged on to the OpenID Provider).
Now, Internet SSO does mean convenience. It surely is a good thing to log on once and then be able to do whatever a person wants across the Internet without logging in again.
What worries me are the security and privacy implications. Those aren’t that big a deal within an enterprise context but they are on the Internet. And, within government online services on a national scale, even more so.
From a security perspective, it’s about the loss of the keys to the kingdom: passwords are just too easy to compromise. Now, if passwords were used appropriately (i.e. only where there is a low level of identity-related risk) then the consequences of a compromised password wouldn’t be too bad. But, realistically, passwords today protect far too much and a compromised password can be a widespread disaster for the person.
Then, there’s privacy. Using the same username & password to do everything (or lots of things) raises the possibility of aggregation of information and building profiles.
So is Internet SSO a good thing? Yes, provided it is implemented in a secure and privacy-protective manner. Problem is, can that be achieved in an economical manner (that rules out advanced crypto) for the Internet?
In my first official post on the SSC blog, I mentioned that April is Identity Month, a time for NZ government agencies to talk about identity management.
The first event of the month was yesterday when the Biometrics Institute organised its 2008 Annual New Zealand Conference. I co-presented with a colleague about igovt and then was on the “Biometric Data Management and Data Security Issues” panel. The panel discussion gave me an opportunity to talk about the dangers of using static identifiers like biometrics and gave the example of Germany’s unfortunate interior minister.
The highlight of the month is the Identity Conference on 29th and 30th April but there are two more events around the same time that are worth having a look at:
First, a barcamp focussing on User-Centric Identity on 25th and 26th April. Secondly, the Office of the Privacy Commissioner’s next Technology and Privacy Forum has Marek Kuziel on 28th April talking about “OpenID Enabled New Zealand.”
With so much happening, it’s heaven for the identityrati in Wellington. And, with apologies to the people across the ditch, where the bloody hell are you?
I found talking with Simon really interesting, whether it was about Webstock, New Zealand, or OpenID. He had some great insights into the current state of play, including the challenges and opportunities facing OpenID. I particularly liked his emphasis on looking at OpenID in the context of decentralised social networking and the fit with OAuth and OpenSocial.
Though, I did think Simon did well to duck the question about national-level implementation of OpenID (a la Estonia).
As a first go at video interviewing, it was certainly a great experience for me. But I’m clearly no John Campbell so I guess I’ll have to keep my day job…
The Easter Bunny has done his magic and recordings from last month’s Webstock conference are now online. There are hours of great quality presentations to sit back and enjoy.
For Kiwis, my pick is the interview (“fireside chat”) of TradeMe’s Sam Morgan (streaming video, mp3). For the identityrati there is Simon Willison on OpenID and decentralised social networks (streaming video, mp3).
Very cool stuff.
If you’re like me and come across an article or news item about search engines, you quickly skip to the next thing. After all, Google’s already got that sorted, right? Why worry about two-bit wannabes?
So, when I came across a blog post in TechRepublic called Sanity check: Can Mahalo save us from Google, Digg, and Wikipedia? I smiled at what was obviously a provocative title (that’s polite for “cheap trick”) and started moving on. But… the post kept getting more and more interesting; blogger Jason Hiner kept getting more and more persuasive.
His basic point is that Google is great for problem solving but not that hot for information gathering.
Intrigued, the next step was to check out Mahalo (“thank you” in Hawaiian), a human search engine in beta from the controversial Jason Calacanis. Mahalo’s “goal is to hand-write and maintain the top 50,000 search terms.”
Jason Hiner had based his article on doing a search for “WiMAX” across Google, Wikipedia, and Mahalo. I did the same by first searching for OpenID and immediately saw his point.
Right at the top it says “Also try: Yahoo OpenID” and then gives seven links that are spot on. It also has well laid out Guide Note, News, Criticisms, Blogs and Commentaries, Related Searches, and User Recommended Links sections.
Good stuff for people in information gathering mode.
Contrast that with the Google search for OpenID which suddenly started looking to be a bit of a scattergun result.
What Mahalo is trying to do is of course not unique. Ask tried and failed to scale the model. Yahoo! Answers is another approach to human-assisted search services while Google’s Knol is yet another twist.
It is still early days for Mahalo but I think it’s worth keeping an eye on. Even if the search term you are looking for isn’t one that Mahalo’s editors have covered, such as SAML, it caters for the long tail by displaying results from Google with tabs for other search engines, YouTube, Del.icio.us, etc.
Anyone surprised that OpenID is covered but not SAML or Liberty Alliance?
It reminded me of the experience with the heavenly Chocolate Madness dessert at Strawberry Fare: rich, yummy, wicked. You know you should be savouring each bite but you just can’t help gulping it all down. After some time, the flavour and sweetness gets overwhelming but you still want more. Until it’s all gone… and you know that while you’re bloated now, come tomorrow you’ll want more.
Russell Brown kicked things off with a wonderful review of the local web scene. He made the important point about how video has taken off in NZ over the past year. Next up was Simon Willison with an excellent round-up of OpenID. He was clearly talking to an audience who wanted to get an insight into the state of play.
Once the presentations and recordings are up at Webstock, they will be a great source of ongoing value.
With such a rich offering, it’s no wonder that the bar at the end of the day was an oasis of soothing reflection.
There is an interesting debate emerging in the EU whether IP addresses should be treated as personally identifiable information (PII). A consequence, if this was to be the case, would be extending all the privacy and data protection requirements to IP addresses.
Extending this debate, should an OpenID identifier be treated as PII and protected similarly?
IP addresses are meant to be locators for devices on a network and often do not map to being a unique identifier (for example, where the IP address is dynamically assigned or NAT is being used for an external connection).
Yet, ISPs and online services routinely log IP addresses and use them for tracking users. Search engines use IP addresses to provide location-aware results and advertising, and to detect click fraud.
The answer is far from clear cut.
As a privacy counsel for Google told the EU meeting, “There is no black and white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals.”
On the other hand, Germany’s data protection commissioner believes that when someone is identified by an IP address “then it has to be regarded as personal data.”
This is going to be an interesting debate. To spice things up, let’s throw things like persistent cookies and ISP/OP logs into the mix.
I was reading Peter Griffin’s article in the NZ Herald called Managing your online identity today. Most of it was straightforward coverage of OpenID and the critical mass that Yahoo provides.
Towards the end of the article he says, “With that many Yahoo users in the OpenID camp you can bet hackers will try to gain access.” Yes but, more importantly, OpenID is now at a stage where it has become economically attractive for the bad guys to spend some serious efforts and resources on attacking it.
These guys are “rational” and organised. So far, attacking OpenID was not a rational use of resources. Now with critical mass, all that has changed.
I think it is safe to predict that in the near future we are going to see OpenID protocols, implementations, and user experience (for social engineering) coming under intense scrutiny and probed in ways that they haven’t been so far.
In some ways, that’s a good thing as it will help strengthen OpenID. But, getting there may be a bit painful.
One of the more notable things that happened while I was enjoying the unusually good Wellington summer was the release of the OpenID 2.0 specs. Importantly, from my perspective at least, this includes the spec for OpenID Attribute Exchange 1.0.
However, as Dick Hardt said in his blog a couple of days back, “OpenID 2.0 seems ready for prime time. But is it?” In that post, he points to some weaknesses of OpenID 2.0 but concludes that OpenID is continuing to evolve at a fast pace as a globally unique identifier.
I think one of the immediate challenges before the OpenID community is to get a couple of big, mainstream sites accepting and actively promoting OpenID. Entering a username and password specific to a website (at the website itself) has become so deeply ingrained that changing mental models for the average user is a non-trivial exercise.
It was therefore good to hear that giants such as Yahoo and Google plan to support OpenID. Hopefully, with all their years of developing and promoting new online services for the mass market, they will be able to make using OpenID as intuitive as the standard username and password. I wouldn’t be surprised if that involves not using the term OpenID but simply providing it as added functionality.
The OpenID community also faces challenges in getting the digerati (outside those particularly knowledgeable about online identity issues) to understand and develop plain-English mental models.
An example of the challenge is a post by Bruce Simpson, aka Aardvark, a couple of days back called Son of Passport. With a title like that, I was expecting to read his views about CardSpace and the Identity Metasystem. Nope, it was about OpenID.
He says “The OpenID system simply acts as a URL/password based ID authentication system that shares no information between the sites that use it.” He goes on to wonder if anyone would actually want to use it as browsers can remember and auto-fill passwords.
Confusing descriptions and a lack of appreciation of what OpenID is really about are obviously fairly widespread.
I will leave Bruce’s final comments “Could OpenID be the authentication system that even our government is looking for as part of its eGovernment strategy?” for examination another day.
Turns out that when I set up this blog at WordPress, I got an OpenID automatically. It seems that WordPress gets all the information required to register a person for OpenID when they create a blog.
This is really good user experience: nothing extra to do, no extra steps. People just have to do whatever they would have done in any case and, presto, they have an OpenID.
However, there appeared to be two downsides:
- I’ve already got an OpenID and there seems to be no obvious way a person can consolidate multiple OpenIDs (from different OpenID Providers) into one. One of the problems that OpenID is supposed to solve is doing away with multiple things to keep track of and this hardly seems to be better.
- There was almost zero selling of the benefits of OpenID. WordPress limits its description in the admin panel to, “OpenID allows you to log in to other sites that support the OpenID standard.” Factually correct but if the person has no idea what OpenID is then it’s hardly enticing.
From the NZ government perspective, the Government Logon Service (GLS) provides logon management (authentication).
While it is not really the direct equivalent of OpenID (the GLS provides pseudonymous logons with no identity), the GLS does have the benefit of allowing people to choose to combine multiple username & password pairs into a single one without changing the underlying linkages.
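To make the two consolidation points concrete (the missing way to merge multiple OpenIDs noted in the list above, and the GLS ability to combine username & password pairs without changing the underlying linkages), here is an added example in Python. It is not the GLS’s code nor any OpenID Provider’s; it is a hypothetical model of a pseudonymous logon service. Each username/password pair maps to an account, each (account, service) pair gets its own random pseudonym so two services cannot correlate a person by identifier, and consolidation re-points the merged account’s credentials and pseudonyms at the surviving account so every service keeps seeing exactly the pseudonym it already knows. The class and method names (LogonService, pseudonym_for, consolidate), the PBKDF2 password storage, the requirement to prove both logons before merging, and the refusal to merge when both logons already have a pseudonym at the same service are all my assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of a pseudonymous logon service (constructed example).
# Names, data structures and rules are assumptions for illustration, not the
# design of the GLS or of any OpenID Provider.


class LogonService:
    def __init__(self, iterations=100_000):
        self.iterations = iterations
        self._credentials = {}  # username -> (salt, password_hash, account_id)
        self._accounts = {}     # account_id -> set of usernames
        # Pseudonyms are stored, not derived from account_id, precisely so a
        # merge can move them to another account without changing their value.
        self._linkages = {}     # (account_id, service) -> pseudonym

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username, password):
        """Create a fresh account holding one username/password pair."""
        if username in self._credentials:
            raise ValueError("username already taken")
        salt = secrets.token_bytes(16)
        account_id = secrets.token_hex(8)
        self._credentials[username] = (salt, self._hash(password, salt), account_id)
        self._accounts[account_id] = {username}
        return account_id

    def authenticate(self, username, password):
        """Return the account id on success, None on failure."""
        record = self._credentials.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same as a wrong password.
            self._hash(password, b"\x00" * 16)
            return None
        salt, stored, account_id = record
        if hmac.compare_digest(stored, self._hash(password, salt)):
            return account_id
        return None

    def pseudonym_for(self, account_id, service):
        """Pairwise pseudonym: one random token per (account, service) pair."""
        key = (account_id, service)
        if key not in self._linkages:
            self._linkages[key] = secrets.token_hex(16)
        return self._linkages[key]

    def consolidate(self, keep_user, keep_pw, merge_user, merge_pw):
        """Fold the 'merge' logon into the 'keep' logon; no service's view changes."""
        keep = self.authenticate(keep_user, keep_pw)
        merge = self.authenticate(merge_user, merge_pw)
        if keep is None or merge is None:
            raise PermissionError("both logons must be proven before merging")
        if keep == merge:
            return keep
        keep_services = {s for (a, s) in self._linkages if a == keep}
        merge_services = {s for (a, s) in self._linkages if a == merge}
        clash = keep_services & merge_services
        if clash:
            # Two pseudonyms at one service would become two identities there;
            # the person must pick one, so refuse rather than silently drop one.
            raise ValueError(f"both logons already have a pseudonym at: {sorted(clash)}")
        for (a, s), pseud in list(self._linkages.items()):
            if a == merge:
                del self._linkages[(a, s)]
                self._linkages[(keep, s)] = pseud   # same value, new owner
        for user in self._accounts.pop(merge):
            salt, digest, _ = self._credentials[user]
            self._credentials[user] = (salt, digest, keep)
            self._accounts[keep].add(user)
        return keep


def demo():
    """Two logons, one pseudonym each at different services, then a merge."""
    svc = LogonService(iterations=1_000)  # low count only to keep the demo fast
    old = svc.register("alice_old", "correct horse")
    new = svc.register("alice_new", "battery staple")
    p_tax = svc.pseudonym_for(old, "tax")
    p_health = svc.pseudonym_for(new, "health")
    merged = svc.consolidate("alice_new", "battery staple", "alice_old", "correct horse")
    return {
        "merged_into_new": merged == new,
        "old_password_still_works": svc.authenticate("alice_old", "correct horse") == new,
        "tax_pseudonym_unchanged": svc.pseudonym_for(new, "tax") == p_tax,
        "health_pseudonym_unchanged": svc.pseudonym_for(new, "health") == p_health,
        "services_cannot_correlate": p_tax != p_health,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is in the linkage table: because a service’s pseudonym is a stored random value rather than something derived from the account id, merging two logons is just a change of ownership in that table, and each service continues to see the same pseudonym while the person now has one password to remember.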