Internet Identity November 2011
Page 1: Street conf overview

Internet Identity

November 2011


Updates

1. Account Chooser
   Simplify SignIn/Signup on the web

2. OAuth2/OpenIDConnect
   Eliminate password reuse (one password)

3. Identity verification
   CHOOSE to share your VERIFIED legal identity (name/address) with a site

4. Strong authentication
   Secure the "one password" with additional protection


1. Account Chooser

• accountchooser.com
• Working group in OpenID Foundation
  o NOT protocol specific
  o Current version is site specific
  o Next version is global to the browser
• Implemented in products such as Janrain Engage and Google Identity Toolkit
• Google replacing its own login box
  o opt-in by searching for "account chooser experiment"


2. OAuth2/OpenIDConnect

• oauth.net (OAuth2 in particular)
• ONE protocol for identity in the cloud = OAuth
  o On-premise systems still use a mix
  o Protocol supports many use cases
    Federated Login=OpenIDConnect
• Simpler story for developers
  o Use OAuth for identity in the cloud
    Web services friendly (REST/JSON)
  o OpenIDConnect is OpenID v2 rebuilt on OAuth


3. Identity Verification

• How do you PROVE you are not a dog on the Internet?

• What if you WANT to share your legal identity (name/address) with a site so you can access...
  o Your online medical records
  o Your Social Security, Tax, etc. records
  o Your utility records
  o Premium content you have paid for
  o ...


Behind the scenes

1. How was the user's identity verified?

2. What is the business model?

3. How was the user's login authenticated?


Identity verification

• Done via attribute providers
  o Some already have a verified identity for the user
  o Others will perform the verification from scratch
• ID/DataWeb demo
  o Shown at the OIX event


Postcard code technique

• Common approach
• Social Security Administration
• Hospitals
• Google Maps
• etc.

Big difference
• Previously it was once per site (and costly)
• Now it is once per person
  o Better usability (for 2nd, 3rd, ... site)
  o Lower cost (cost spread across sites)


Business Model

• User consents for the site (UserIDTV) to see their address
• Site does not get ACTUAL address until they pay the attribute provider
  o Fee is decided by attribute provider
  o Site decides what attribute providers to support
• Significant interest as shown by the OIX event
• Government RP's could use this model as well
• ID/DataWeb and Google are ready for pilots now
• Other IDPs and Attribute Providers are expected in the future


Business Model

• Significant interest as shown by the OIX event
  o Government RP's could use this model as well
• ID/DataWeb and Google are ready for pilots now
  o Other IDPs and Attribute Providers are expected in the future


4. Strong authentication

Secure the "one password" with additional protection


User Authentication


Authentication as an attribute

Same API calling mechanism to get street address can also be used to learn how the login session was authenticated

• $2/user/year for verified address
• $5/user/year for address + OTP
• $10/user/year for address + certificate
• $20/user/year for in-person-verification + certificate
• etc.


Who will handle authentication?

• Big consumer IDPs making some progress with OTPs

• Revenue potential is attracting other companies

• Mobile carriers are a common example


Phone purchase process

• Bonnie orders a new phone online
• Consents for carrier to
  o be her street address attribute provider for address
  o be her authentication provider
• Bonnie's new phone arrives
  o Turn it on, unlock it
  o Mail/Addressbook/etc. syncs automatically
  o Browser logged into account using device ID
  o Bonnie visits an RP and it detects the strong authentication (for a fee)
• Simple user experience + powerful security


Summary

1. Account Chooser
   Simplify SignIn/Signup on the web

2. OAuth2/OpenIDConnect
   Eliminate password reuse (one password)

3. Identity verification
   CHOOSE to share your VERIFIED legal identity (name/address) with a site

4. Strong authentication
   Secure the "one password" with additional protection