Is PayPal the ‘killer app’ for Identity?

At great risk of dating myself, I was using PCs before the first killer app (Lotus 1-2-3) was launched in 1983.  This spreadsheet software was so useful to companies that PC sales skyrocketed and a revolution was started.  Killer apps have a way of shaking things up.

Email is often referred to as the killer app for the Internet, because it was the first widely used tool that required connected networks.  I was using email on internal networks prior to my first Internet mail account, but the real utility of Internet-based email launched me (and millions of others) into a habit that continues to hold.

A killer app for identity management has yet to emerge, but the folks at eBay and PayPal are looking to change that.  eBay’s foray into identity, PayPal Identity Services, hopes to solve the convenience, security and privacy problem associated with having dozens of online accounts.  Users register by providing information that can be verified by a third party such as a bank. The service then issues an Azigo or Windows CardSpace information card for the user to use on subsequent transactions.

The PayPal Identity Services info card can then be used by the user to share information about themselves with e-commerce or e-government sites.  The idea is that the relying site does not need to collect a user profile — it can reliably collect the verified information directly from the supplied card. (Or, if it does need to create a profile, it could be automatically filled in, with the user’s permission, using data from the card.)

This type of service offers privacy protection, convenience and a more trusted transaction.  The identity management industry and its customers are eager to have these solutions available to support higher-value implementations.  Does eBay/PayPal have the marketing savvy and presence necessary to make this the identity killer app?

If it does gain ground, it would change the way organizations and companies offer enhanced services to their users.  The ability to rely on a quality credential from another party is a game-changer: higher levels of identity assurance, more simply achieved, will allow greater value transactions and more frequent online business to take place.


For more on information cards, please visit the Information Card Foundation.

Federation: SAML, Open ID and InfoCards

I came across a very succinct summary of these technologies and the scenarios they support over at Matthew Gardiner’s blog:

Information Cards provide a very elegant system for use cases which require and/or benefit from explicit user participation. With Microsoft’s impending release of supporting server side tooling, it will be an important force in Web identity management for many years to come. However, for applications for which explicit user participation is unnecessary or counter-productive – simple Internet SSO being the goal – SAML remains the best choice. OpenID’s focus remains on easing access to applications for which assuring true user identity is not really necessary.

Even better is the link to the IEEE Security and Privacy whitepaper The Venn of Identity.  Pretty much a must-read if you are interested in Federated Identity.


PS2009 — Stefan Brands, Microsoft

Feb 3rd, 3:10pm

Dr. Stefan Brands was in town this week so even though he wasn’t on the original program, the organizers decided to add Microsoft’s newest addition to the conference.  Brands is now a Principal Architect in the Identity and Security Division.

The first part of the presentation was standard Identity 2.0 material. A user accesses a Service Provider (SP), which in turn asks for one or more claims. The user then authenticates to an Identity Provider (IdP) to get the required claims.  The claims are passed by the user to the Service Provider.  Access granted.

Mr. Brands explained how Geneva — a major new release of Microsoft Active Directory Federation Services — fits into each part of the user-centric model:

  • Used by the IdP, Geneva Server will provide claims (including SAML 2.0);
  • CardSpace Geneva will provide user control over distribution of claims by offering an active client; and
  • Geneva Framework will provide tools to applications to accept and process claims.

The interesting part of the presentation was the discussion of how U-Prove technology (from Credentica, Brands’ old company) is being incorporated into Geneva to allow for more refined handling of claims by CardSpace users.  As examples:

  • Users can selectively disclose some claims, but not all, to an SP.  If a CardSpace card had six attributes, but the user only needed one to access the services, the user could mask the other five claims.
  • Users can strip down the claims to the bare minimum to maximize privacy protection.  For example, if an SP only needed to know that the user was a resident of Quebec, it would only need the first letter of the postal code — “H”.  The user could hide the remaining five characters in the postal code string and only supply the first one to prove residency.
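To make the two examples above concrete, here is an added illustration (not Microsoft’s or U-Prove’s code, and not U-Prove’s actual cryptography, which relies on blind signatures and zero-knowledge proofs) of selective and minimal disclosure using a simpler scheme: the IdP commits to each claim with a salted hash, and to each character of the postal code separately, so the user can reveal six claims, one claim, or just the “H”. The issuer’s signature is stood in for by an HMAC with a key assumed to be shared between IdP and SP, and the card attributes are constructed sample values.

```python
import hashlib, hmac, json, secrets

# Constructed sample card with six attributes, mirroring the talk's scenario.
SAMPLE_ATTRIBUTES = {
    "given_name": "Alice", "family_name": "Tremblay", "birth_year": "1980",
    "street": "12 Rue Example", "city": "Montreal", "postal_code": "H2X 1Y4",
}
# Assumption: a shared HMAC key stands in for the IdP's real signing key.
ISSUER_KEY = secrets.token_bytes(32)


def _commit(salt: bytes, value: str) -> str:
    return hashlib.sha256(salt + value.encode()).hexdigest()


def issue_card(attrs, issuer_key):
    """IdP side: commit to every claim separately, and to each character of the
    postal code, so the user can later reveal any subset (or just the prefix).
    Returns the signed card plus the private openings the user keeps."""
    openings = {}
    for name, value in attrs.items():
        parts = ({f"{name}[{i}]": ch for i, ch in enumerate(value)}
                 if name == "postal_code" else {name: value})
        for key, part in parts.items():
            openings[key] = (secrets.token_bytes(16), part)
    commitments = {k: _commit(s, v) for k, (s, v) in openings.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    signature = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "signature": signature}, openings


def present(card, openings, reveal):
    """User side (the active client): open only the requested commitments;
    everything else stays hidden behind its salted hash."""
    return {"card": card,
            "opened": {k: (openings[k][0].hex(), openings[k][1]) for k in reveal}}


def verify(presentation, issuer_key):
    """SP side: check the issuer signature over the whole commitment set, then
    reopen only the disclosed claims. Returns the verified claims, or None."""
    card = presentation["card"]
    payload = json.dumps(card["commitments"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, card["signature"]):
        return None
    claims = {}
    for key, (salt_hex, value) in presentation["opened"].items():
        if card["commitments"].get(key) != _commit(bytes.fromhex(salt_hex), value):
            return None
        claims[key] = value
    return claims


def prove_quebec_residency(card, openings):
    """The postal-code example from the talk: reveal only the first character."""
    return present(card, openings, ["postal_code[0]"])
```

The SP learns nothing about the hidden claims beyond their salted hashes, but any attempt to alter a disclosed value or the issuer’s signature is rejected.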

Interesting stuff.

In response to a question, Mr. Brands differentiated federated identity from user-centric identity by saying that only user-centric identity management is suitable to the large-scale, citizen-oriented systems that governments need to deploy. In his view, federation is best suited to enterprise applications and services that are shared between business partners.


Virtual info cards and choosing the right guinea pigs…

Dick Hardt from Sxip was interviewed last month by IT Conversations on the Government of BC’s plans for a virtual information card pilot.

Mr. Hardt points out that privacy laws in BC and Canada are very strong compared to the rest of the world, and that governments are actually not interested in collecting and linking citizen data unnecessarily.  The goal is to NOT have an electronic ID card like those that are being rolled out in other countries.

There is a lot of interesting information in the interview, but for now I’ll stick to some comments on the implementation.  Mr. Hardt maintains that the virtual info cards are more advanced than traditional tokens because they allow for a user to select what information can be shared with the site being accessed.

The first use case being implemented is not particularly ambitious from an identity standpoint.  Recognizing that government staff tend to work together and often travel to each other’s work sites, there is a need to share wi-fi connections at dozens or hundreds of sites.

Info cards will be used to control a user’s access at these sites.  By integrating the technology into the wi-fi portal, access can be restricted to those that possess a valid info card.  Users that want Internet access at the site simply present the virtual card to gain access.  This results in improved privacy because the card is only used to confirm that the user is allowed access — it does not identify them.

It is an interesting choice for a first implementation.  The users are all known to the organization (typically senior-level staff) and have a well-defined need.  Both privacy and security are improved and, apparently, a standard solution can be rolled out to many locations easily.

But most intriguing to me is the user audience.  This implementation targets roving users — and most often these are director-level and higher in government.  As these laptop-enslaved decision-makers roam around the province, the ease of the solution should win converts.  When designs for more tricky info card implementations, such as those for public citizens, arise in the future, the management teams will already be well-versed in the technology and able to make informed decisions.

This is of critical importance to identity and access management systems.  Having had direct experience designing identity systems in the public sector, I can attest to the importance of having educated decision-makers at the table.  When issues around privacy and security need to be escalated, you want your sponsor and team to be knowledgeable and comfortable with the topic — and, ideally, the technology.

The BC Government appears to be making smart choices with this project; it will be interesting to hear how it progresses in the next few years.


Info Card / Smart Card Convergence

Here’s a prediction: by 2010 we’ll all carry a smart card that is linked to a virtual information card that resides on our PC.

In this near future, our bank needs us to use two-factor authentication, and the credit card companies force us to use the same when shopping online.  Our governments want us to apply for programs online, but insist on proving who we are with strong authentication to reduce fraud.  And we have also realized that it’s a good idea to have two-factor logins on our own computers.

In the midst of all this, our awareness of personal privacy has increased to the point that we don’t just blindly enter personal information on every e-commerce registration page that asks.  We’re not just tired of the repetitive entry; we insist on controlling what information is shared.

A Microsoft rep told me this past week that CardSpace and smart card integration services are just around the corner.  Are info cards converged with smart cards an obvious solution to a set of already chronic security and privacy problems?