The Second Golden Age of Identity
We are now in the second golden age of identity and access management (IAM). Mobile devices, cloud computing, social networks, Big Data, and the Internet of Things (IoT) require radically improved capabilities. They are driving rapid innovation in IAM standards,… Continue reading
Token Bindings to Gear Up Authentication Assurance
In last year’s “Passwords are Overloaded, Not Dead” I voiced skepticism that security’s oldest construct would be replaced anytime soon. But many in the industry continue working to replace passwords, and while their marketing slogans may… Continue reading
Black Sheep or Green Fields?
Just got into a fun discussion at the Peerlyst site on an extended identity management topic.
The question triggering this discussion is: “IAM folks – Who “owns” non-employee identities at your company? Are they entered into the… Continue reading
Privacy By Design and the Online Library
The Information Standards Quarterly (ISQ) just came out with its Identity Management issue, and my feature on Privacy By Design leads it off. Here’s a link to the article’s web page. A word to the wise – if you… Continue reading
Covert OAuth Redirects and Perverse Incentives
Covert redirect is a structural vulnerability in OAuth-based protocols. It was widely publicized in early May. Identity and security experts had long known about, but don’t have an easy fix. Once the media learned covert redirect isn’t as serious… Continue reading
Proposed OAuth 2.0 Assurance Session at IIW
As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the… Continue reading
Federated Identity: Broad or Strong?
Broad deployments of federated identity have arrived in the form of social login. But in 2013 we find federation on the horns of a dilemma; can it be both broad and strong?
Federated identity, especially in the form OAuth… Continue reading
Piling On OAuth
For those who’ve read my previous OAuth posts, the title for this article is a double entendre. I mean to convey both the idea that I’m piling on OAuth assurance AND that the entire industry seems to be piling on… Continue reading
Social Login Systems May Share too Much
You thought you heard a click behind that site’s “Sign in with Facebook” button. But did you also hear the inaudible sigh of your personal data disappearing into the maw of yet another application?
Social login is the ability to… Continue reading
Back to the Future (of Federation)
I recently developed a “history of federated identity” diagram and marveled at how it was similar, in many ways, to slides I created while working at Burton Group in 2004. Let’s take a look at a few diagrams and see… Continue reading