Showing posts with label identity.

Saturday, April 11, 2015

LastPass - a must

It's really that simple:

Using the same password for each and every site or webservice is just not an option:
a) because of different and incompatible password rules and policies
b) for simple security reasons.
If one site gets hacked and passwords leak (and it will and they will) then those nasty nasty people will have access to all (or many) of your accounts.

Creating (much less remembering) 100 separate and secure passwords in your head simply won't work.
So you need a service to do this for you.

I chose LastPass some time ago, and it works great, especially the random password generator, and the auto-fill feature on web-sites and Android apps.

I know, some will say, that LastPass can get hacked and then all my accounts (incl online banking and all) are revealed. True. But still more unlikely than all the other scenarios.

As of today this is the most secure choice for me.

There are others like 1Password, or Apple's key chain... (here's a list).  If you don't yet have any of those, get LastPass now.

Wednesday, January 11, 2012

Start 2012 by Taking 2 Minutes to Clean Your Apps Permissions

Wow, the most simple app ever... just links :)  mypermissions.org

If you have a habit of trying all new services that come around, and use your Facebook, Twitter, Google, ... account to sign in, then you'll have a mess in the apps/services permissions in Facebook et al.

MyPermissions.org just has the links to all those platforms, directly to the permissions pages.


So simple, yet so useful.

Bookmark this!
Visit it every odd month!

Saturday, August 28, 2010

Facebook vs Identity - again

Well, it should read "Facebook vs Privacy - again"... but the point I want to make is, that Facebook could have been an Identity platform.
In a way they are... not only in a way, if you go and count the sites that allow you to log in with your Facebook account. But that only makes them an Identity provider.

An Identity platform needs more than just a secure single sign-on.
For example authorization: you should be able to finely tune who has access to what. That's why the social graph (or your address book, if you will) is so valuable. Facebook does have most of the data and means to enable proper authorization: who can see my wall-posts, who is allowed to contact me, ...

It would have been easy to extend from there.

But with Places they once again proved that they would rather go the pure marketing platform way instead.
  1. Places is mostly opt out. It is somewhat (but not fully, it seems) enabled by default, until you disable it. Not a good default - privacy-wise.
  2. Other people (your friends) can check you in at any place they want.
  3. You can't control your places. Anyone can check in at your home...[1]
This is all good and fine for a geo platform (like foursquare)... but not for an identity platform.

To Facebook (the company) it seems more important to publish stuff about you (and make money from the ads) than to have you properly manage your identity. That's fine, too, but that makes them a marketing platform only...

Sorry.

--
[1] different issue, I know, but it still troubles me.

Friday, December 19, 2008

Sxipper

There's a great podcast/interview on IT conversations with Dick Hardt about Sxipper.

Sxipper is a free Firefox add-on that saves you time by keeping track of an unlimited number of usernames and passwords as well as the personal data you share every day over the web. The company's mission is to make your interactions with the Web simple, keeping your data private and secure.

Dick Hardt, founder of Sxip, joins Phil, Scott, and Ben, to discuss the product, as well as the entire issue of privacy and identity on the web, as well as how to market plug-ins as products.

Find it here or on iTunes

Thursday, May 08, 2008

Why OpenID should have relevance for the enterprise

As with federated identities, I thought that OpenID had no space in the enterprise.

The main thought was that OpenID makes me the owner of my identity, and lets me choose where to use it. This is usually not what the enterprise wants. My enterprise identity, i.e. my accounts and profiles with the IT systems of my employer, belongs to my employer, not to me.
So, why should an enterprise care ?
Well, there are people who use their corporate account names and passwords on external sites as well.
They might use it for their email account, or eBay, ... Or they use their corporate email address to register with Amazon and others who base an account on an email address. And usually, people tend to use the same password as well.

Bad idea.

But this (mis)concept has existed ever since there have been "external" accounts: CompuServe, AOL, fidonet, whatever... and of course all those fancy sites on the web. And this behavior could never be eradicated. Because people (and therefore users) are lazy bastards.

Well - you can write and publish policies that forbid this (and all enterprises have those), but frankly, who cares. Who even reads them.

So why not turn 180° and actually allow this... even more: encourage it.

Become an OpenID provider and let users use their corporate account to log in at your OpenID provider site. That way, they can stay lazy, but never give a password to other sites... They only enter it at your site(s).

The only drawback right now is, that there are still not enough openid enabled sites... but they are growing... rapidly actually.

Friday, May 02, 2008

A case for Identity Federation for the Enterprise

When it comes to identity management enterprises today tend to only care about user provisioning, compliance and (worst of all) single-sign-on.

Identity Federation - like Liberty - is usually not really considered. And I neglected it, too, since customers were not really interested in it, or asking for it.

However, there is a good use-case for federated identities within enterprises... I choose to say "within" because the case I'm about to make is when the user should not see enterprise borders:

Consider an outsourced process - like HR in our case at Sun - where your employees have to access an application that is outsourced as well. People then have to sign on to computers that are not being operated by you (your IT).

Big deal... those applications can easily access my directory (LDAP or AD)... so why should I need identity federation there?
And you might even trust those external application to securely access your directory this way.

But you don't want your users to enter their corporate userid and password at any remote site - even if you trust that company.

If you do, you open up big potential for phishing... By using federation you keep the input mask for your userids and passwords within your IT, operated by your staff, transported only over your network. There is no chance that the password can get intercepted... or at least the risk is not higher than within your own network.
That's the point.
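
The argument of this post, and of the OpenID post above it, sketched as an added example (not from the original blog): the password is checked only by the enterprise's own identity provider, and the outsourced application accepts a signed, audience-bound, short-lived assertion instead. The names, key and user record are constructed; the shared HMAC key is a simplification, since real federations such as SAML sign with the identity provider's private key so that the remote site cannot mint assertions itself.

```python
import base64, hashlib, hmac, json

# Constructed values for illustration only.
FEDERATION_KEY = b"constructed-idp-sp-trust-key"   # stand-in for the IdP's signing key
SALT = b"constructed-salt"
USERS = {"jdoe": hashlib.pbkdf2_hmac("sha256", b"corp-password", SALT, 100_000)}


def _sign(payload: bytes) -> bytes:
    mac = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)


def idp_login(user: str, password: str, audience: str, now: float, ttl: int = 300):
    """Runs inside the enterprise: the only place the password is ever entered."""
    stored = USERS.get(user)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    claims = json.dumps({"sub": user, "aud": audience, "exp": now + ttl},
                        sort_keys=True).encode()
    return base64.urlsafe_b64encode(claims).decode() + "." + _sign(claims).decode()


def sp_accept(assertion: str, my_name: str, now: float):
    """Runs at the outsourced application: it sees an assertion, never a password."""
    try:
        body, sig = assertion.split(".")
        claims_raw = base64.urlsafe_b64decode(body)
    except ValueError:
        return None                       # malformed assertion
    if not hmac.compare_digest(sig.encode(), _sign(claims_raw)):
        return None                       # forged or tampered assertion
    claims = json.loads(claims_raw)
    if claims["aud"] != my_name or claims["exp"] < now:
        return None                       # issued for another site, or expired
    return claims["sub"]


if __name__ == "__main__":
    token = idp_login("jdoe", "corp-password", "hr-portal", now=1000.0)
    print(sp_accept(token, "hr-portal", now=1100.0))   # accepted user
    print(sp_accept(token, "other-app", now=1100.0))   # wrong audience
```
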

Thursday, December 06, 2007

Wednesday, November 28, 2007

Enterprise Identity Trends

I have been working with/in/for enterprise (!) identity management (IdM) for the past 4 years or so. What I noticed from recent developments and discussions with partners and customers is:
  1. The market is now moving from vendors to consultants and integrators. They finally got it. And the enterprises as well. We are no longer discussing whether Sun or Novell or Oracle are better, and which to deploy, but customers now first try to identify what their organizational needs are and pick a tool afterwards.
  2. The focus is moving (right now) from pure user provisioning to a more full identity management including role management. See the recent acquisitions from Sun (Vaau) and Oracle (Bridgestream)
  3. This means that the tool market will become “commoditized”:
    Customers can now (see bullet 1.) focus on the higher layers first, while having the confidence that later they will be able to implement that on any of the top tools (Sun, Novell, Oracle, ...).

Well, my 0.02€ at least.

(For the sake of full disclosure: I work for Sun Microsystems)

Tuesday, November 13, 2007

Sun to acquire Vaau

So, Sun decided to broaden their Identity portfolio by acquiring Vaau... finally we will see some decent role management capabilities in the Sun portfolio.
Actually, this is a must, after Oracle bought Bridgestream this summer...

If you are into corporate press-releases then you might want to endure this: Sun Microsystems Strengthens Market-Leading Identity Management Portfolio with Intent to Acquire Vaau

(In the interest of full disclosure: I am a Sun Microsystems employee)

Thursday, August 16, 2007

Review of the Austrian ID system

Found a good review of the Austrian Identity system, a.k.a. "Bürgerkarte" (="citizen card").

Austrian ID system - Identity and Privacy Blog

A good point (with a false assumption) is at the end:
Finally, as with all smartcards used for online authentication, the need for smartcard readers to access the digital certificate. However, it may be that widespread availability of smartcard readers (one for every computer) is not a problem in Austria.
Given the current acceptance of the Bürgerkarte with citizens (or rather lack thereof), one can easily see that the burden of the card reader is indeed still a problem in Austria.

Thursday, August 02, 2007

Burton interop report on user centric identity

Burton Group Identity Blog: Recapping the Catalyst user-centric interop:
The Burton Group hosted a User-Centric Identity Interop at the Catalyst Conference in San Francisco during the week of 23 - 29 June 2007; a public demo session was held on the evening of Wednesday 27 June to showcase the accomplishments of the participants in this event.

Read the whole story here.

Thursday, May 31, 2007

Planet Identity

Planet Identity: "Planet Identity is an aggregation of public weblogs related to Identity Management."