Posts filed under ‘OpenID’

Elusive SSO

I’ve been a fan of usability guru Jakob Nielsen’s regular update (Alertbox) for a long time. It’s admirable how he keeps re-emphasising the fundamentals again and again.

I suspect that half the reason I read the updates so regularly is the futile hope that somehow, maybe by osmosis, his common sense approach will percolate into my subconscious and lead to better outcomes for the online services I’m involved in.

Jakob Nielsen would no doubt laugh at such nonsense, throw up his hands, and demand that I user test to objectively determine that one way or another.

Anyway, his latest piece is on enterprise portals. That is not an area that I often venture into but he had some stuff about single sign-on (SSO) that caught my eye:

“Single sign-on is the Loch Ness monster of the intranet world: People hear about it and even believe it exists, but they’ve yet to see it for real…In our initial research 5 years ago, it was already clear that single sign-on could dramatically improve user productivity and satisfaction, as well as immensely reduce support costs.”

“Our second round of research confirmed single sign-on’s potential — and its elusiveness… True single sign-on was and is extraordinarily rare… We can only conclude that it’s very difficult to achieve, despite its promise.”

What’s true of the enterprise is even more so outside it, for the Internet.

The benefits and business case for enterprise SSO are undoubtedly great. But for the Internet? That’s an area that I personally struggle with, notwithstanding that SSO is the original use case for federation and, to some extent, can be provided by OpenID (provided the person has logged on to the OpenID Provider).

Now, Internet SSO does mean convenience. It surely is a good thing to log on once and then be able to do whatever a person wants across the Internet without logging in again.

What worries me are the security and privacy implications. Those aren’t that big a deal within an enterprise context but they are on the Internet. And, within government online services on a national scale, even more so.

From a security perspective, it’s about the loss of the keys to the kingdom: passwords are just too easy to compromise. Now, if passwords were used appropriately (i.e. only where there is a low level of identity-related risk) then the consequences of a compromised password wouldn’t be too bad. But, realistically, passwords today protect far too much and a compromised password can be a widespread disaster for the person.

Then, there’s privacy. Using the same username & password to do everything (or lots of things) raises the possibility of aggregation of information and building profiles.

So is Internet SSO a good thing? Yes, provided it is implemented in a secure and privacy-protective manner. Problem is, can that be achieved in an economical manner (that rules out advanced crypto) for the Internet?


July 15, 2008 at 11:16 pm 1 comment

NZ: Identity Month

In my first official post on the SSC blog, I mentioned that April is Identity Month, a time for NZ government agencies to talk about identity management.

The first event of the month was yesterday when the Biometrics Institute organised its 2008 Annual New Zealand Conference. I co-presented with a colleague about igovt and then was on the “Biometric Data Management and Data Security Issues” panel. The panel discussion gave me an opportunity to talk about the dangers of using static identifiers like biometrics and gave the example of Germany’s unfortunate interior minister.

The highlight of the month is the Identity Conference on 29th and 30th April but there are two more events around the same time that are worth having a look at:

First, a barcamp focussing on User-Centric Identity on 25th and 26th April. Secondly, the Office of the Privacy Commissioner’s next Technology and Privacy Forum has Marek Kuziel on 28th April talking about “OpenID Enabled New Zealand.”

With so much happening, it’s heaven for the identityrati in Wellington. And, with apologies to the people across the ditch, where the bloody hell are you?

[To be fair, I actually did like the original advert and found the politically-incorrect NZ spoof only somewhat amusing.]

April 4, 2008 at 9:55 pm Leave a comment

Interviewing Simon Willison about OpenID

During the recent Webstock conference, I had the opportunity to interview Simon Willison about OpenID. This is now available online (windows streaming video, MP3, about 15 minutes).

I found talking with Simon really interesting, whether it was about Webstock, New Zealand, or OpenID. He had some great insights into the current state of play, including the challenges and opportunities facing OpenID. I particularly liked his emphasis on looking at OpenID in the context of decentralised social networking and the fit with OAuth and OpenSocial.

Though, I did think Simon did well to duck the question about national-level implementation of OpenID (a la Estonia).

As a first go at video interviewing, it was certainly a great experience for me. But I’m clearly no John Campbell so I guess I’ll have to keep my day job…

March 25, 2008 at 11:35 pm 1 comment

Webstock recordings now available

The Easter Bunny has done his magic and recordings from last month’s Webstock conference are now online. There are hours of great quality presentations to sit back and enjoy.

I had earlier posted comments on day 1 and day 2.

For Kiwis, my pick is the interview (“fireside chat”) of TradeMe’s Sam Morgan (streaming video, mp3). For the identityrati there is Simon Willison on OpenID and decentralised social networks (streaming video, mp3).

Very cool stuff.

March 20, 2008 at 9:40 pm 2 comments

Thank you Mahalo

If you’re like me and come across an article or news item about search engines, you quickly skip to the next thing. After all, Google’s already got that sorted, right? Why worry about two-bit wannabes?

So, when I came across a blog post in TechRepublic called Sanity check: Can Mahalo save us from Google, Digg, and Wikipedia? I smiled at what was obviously a provocative title (that’s polite for “cheap trick”) and started moving on. But… the post kept getting more and more interesting; blogger Jason Hiner kept getting more and more persuasive.

His basic point is that Google is great for problem solving but not that hot for information gathering.

Intrigued, the next step was to check out Mahalo (“thank you” in Hawaiian), a human search engine in beta from the controversial Jason Calacanis. Mahalo’s “goal is to hand-write and maintain the top 50,000 search terms.”

Jason Hiner had based his article on doing a search for “WiMAX” across Google, Wikipedia, and Mahalo. I did the same by first searching for OpenID and immediately saw his point.

Right at the top it said “Also try: Yahoo OpenID” and then gave seven links that were spot on. It also had well-laid-out Guide Note, News, Criticisms, Blogs and Commentaries, Related Searches, and User Recommended Links sections.

Good stuff for people in information gathering mode.

Contrast that with the Google search for OpenID which suddenly started looking to be a bit of a scattergun result.

What Mahalo is trying to do is of course not unique. Ask tried and failed to scale the model. Yahoo! Answers is another approach to human-assisted search services while Google’s Knol is yet another twist.

It is still early days for Mahalo but I think it’s worth keeping an eye on. Even if the search term you are looking for isn’t one that Mahalo’s editors have covered, such as SAML, it caters for the long tail by displaying results from Google with tabs for other search engines, YouTube, etc.

Anyone surprised that OpenID is covered but not SAML or Liberty Alliance?

February 19, 2008 at 11:42 pm 2 comments

Webstock day 2

The second and final day of the main conference at Webstock was as impressive as day 1.

It reminded me of the experience with the heavenly Chocolate Madness dessert at Strawberry Fare: rich, yummy, wicked. You know you should be savouring each bite but you just can’t help gulping it all down. After some time, the flavour and sweetness gets overwhelming but you still want more. Until it’s all gone… and you know that while you’re bloated now, come tomorrow you’ll want more.

Russell Brown kicked things off with a wonderful review of the local web scene. He made the important point about how video has taken off in NZ over the past year. Next up was Simon Willison with an excellent round-up of OpenID. He was clearly talking to an audience who wanted to get an insight into the state of play.

The quality did not let up. Tom Coates of Yahoo Brickhouse talked about the web of data followed by Luke Wroblewski on “using visual hierarchy to construct meaningful, prioritized page layouts.”

Things continued at the same high level after lunch: Amy Hoy on evil usability, Scott Berkun on innovation, Damian Conway on web design mistakes, and Kathy Sierra on creating passionate users.

Once the presentations and recordings are up at Webstock, they will be a great source of ongoing value.

With such a rich offering, it’s no wonder that the bar at the end of the day was an oasis of soothing reflection.

February 15, 2008 at 11:22 pm 1 comment

Are IP addresses, OpenID-URLs/XRIs PII?

There is an interesting debate emerging in the EU over whether IP addresses should be treated as personally identifiable information (PII). A consequence, if this were the case, would be extending all the privacy and data protection requirements to IP addresses.

Extending this debate, should an OpenID identifier be treated as PII and protected similarly?

IP addresses are meant to be locators for devices on a network and often do not map to a unique identifier (for example, where the IP address is dynamically assigned or NAT is being used for an external connection).

Yet, ISPs and online services routinely log IP addresses and use them for tracking users. Search engines use IP addresses to provide location-aware results and advertising, and to detect click fraud.

The answer is far from clear cut.

As a privacy counsel for Google told the EU meeting, “There is no black and white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals.”

On the other hand, Germany’s data protection commissioner believes that when someone is identified by an IP address “then it has to be regarded as personal data.”

This is going to be an interesting debate. To spice things up, let’s throw things like persistent cookies and ISP/OP logs into the mix.

January 23, 2008 at 11:08 pm 4 comments


This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.