Online Identity and Trust

Han Dong, Sr. Product Marketing Manager, User Authentication

Getting noticed is a hard thing. But when you do get recognized by adoring fans, it's like living the life of a beauty queen.

And just look at who noticed us: CrackBerry.com and BlackBerry Cool

So you ask, what's the news?
We all know that VeriSign Identity Protection (VIP) Access for mobile has already been available for free on Blackberry® smartphones and downloadable from the BlackBerry App World and the VeriSign Identity Protection Mobile Center sites for some time now.

What is new (or what you may have not noticed until now) is that with the VIP Access 3.0 release of September 2009, users can easily copy-n-paste the security code and credential ID into a mobile browser to complete VIP Access registration. Two-factor authentication has never been easier for the 'power' mobile-user.

So where can you use VIP Access for two-factor authentication to websites?
Simple. Register and use your VIP Access credential at participating VIP network member sites, such as eBay, PayPal, AOL, GEICO, or any participating VIP network site.

Posted by Han Dong at 9:33 AM | Permalink | Comments (0)

Han Dong, Sr. Product Marketing Manager, User Authentication

Greetings VIP Blog fans,

In the way of introductions, I'm a new member of the Product Marketing organization at VeriSign. Seems like I'm already an old vet (time spent in the technology industry always seems to be measured in "dog years"). To give you some additional background on my IT curriculum vitae, 5 years of UNIX systems sales; 2 years of business development in Linux and Wireless; and 10 years in product marketing and management in Data Storage, Linux, and Networking. So as a long time marketer, I'm excited about the opportunity to share my experiences through 'new' social media vehicles, like this blog site.

I'm here at the 2009 Gartner Identity & Access Management (IAM) Summit. While this is my 1st Gartner IAM event, it certainly is not my 1st analyst or technology industry event. Having seen the ups and downs of the tech industry for the last 17 years, and having attended similar events like IDC Forums, CES, SNW, LinuxWorld Expos, Oracle OpenWorlds - you name it, I've been there.

The day started off with a keynote presented by Earl Perkins, one of the lead Gartner analysts who explained how much IAM has evolved over the years - highlighting the fact that there are several IAM lifecycle elements (Planning, Process, and Problems) to consider and several key business drivers (improving security, reducing risk, and meeting regulatory requirements) in deploying an IAM solution. And at the end of the day, four of the analysts presented as a panel and reviewed the 2009 "Magic Quadrant" (classic Gartner MQ) trends and developments for each of the IAM disciplines in User Provisioning, Web Access Management, Enterprise Single Sign-On (SSO), and Authentication.

One mid-day session titled "Google Case Study: Lessons From Google's IAM Initiatives For Cloud-Based Applications," presented by Eric Sachs, Google Product Manager, was particularly interesting. Eric's presentation covered essentially two topics: Federated login as a Service (or Cloud-based SSO) and Strong Authentication beyond passwords. Eric explained that the challenge of provisioning user accounts, managing multiple logins and passwords, and ensuring strong security and reliability is driving the movement towards a Federated login structure, built on open standards (OAuth and OpenID) and hosted in the cloud to support a host of Software as a Service (SaaS) applications.

With the heavy interest in cloud-computing and hosted applications, both IT vendors and consumers are seeking ways to reduce costs of deployment, speed implementation, and do more with fewer resources at hand. Google, Amazon, Salesforce, and Microsoft are just a handful of the many vendors vying to be the cloud-based app provider of choice. But in the hype, it seems that few vendors have discussed the new breed of security concerns that cloud-based services yield.

Eric's presentation touched on these very security concerns in the new SaaS world. And most importantly, Eric brought up the idea of leveraging "stronger forms of authentication" to mitigate the weak security of simple username and password. "One Time Password (OTP) is the answer!" Two-factor Authentication and OTP are not new technologies. Enterprises have long been using OTP tokens to authenticate users' access to internal networks (via VPN) for years now. But traditionally, OTP credentialed VPNs have been too costly or too resource consuming to manage and deploy. That is, until now - Eric also demonstrated a low-cost OTP credential in the form of a mobile phone software generated OTP. And the iPhone screen-shot Eric displayed on his slide was the VeriSign Identity Protection (VIP) Access for Mobile credential. Eric pointed out a unique feature of the VIP Access for Mobile software was that the key generator resides locally on the mobile phone itself, thus requiring NO network connection as some other products require in order for an OTP key to be sent via SMS or voice.

Here is Eric on stage:(image added 11/11)

What Eric did not mention during his session, is that behind the VIP Access for Mobile OTP credential lays a trusted VeriSign Identity Protection service entirely hosted by VeriSign. VeriSign allows enterprises to quickly and cost-effectively implement and integrate scalable Strong Authentication services (for VPN or partner and customer communications) for validating user credentials via Web Services APIs that connect to the VIP hosted network.

So what does this mean for the mass of new cloud-based computing enterprises? It means that enterprises can rest assured that not only can they migrate IT apps to the cloud, but they can also secure user access by leveraging a cloud-based Security as a Service with the VeriSign Identity Protection service.

Witnessing a 3rd party (not to mention the fact that we're talking about Google) extol the virtues of YOUR product, unpaid and unsponsored, was really an exciting surprise. And this really was a true coincidence - just by attending the Google breakout session at the Gartner IAM Summit, I saw VeriSign's own Two-factor authentication product in action and being explained by one of the premier thought leaders in the industry. This certainly bodes well for a plethora of future opportunities for Security in the cloud. And I can't wait to watch this all unfold.

Posted by Han Dong at 4:01 PM | Permalink | Comments (0)

Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.

Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.

This technical and sales partnership between RSA and VeriSign signals a new chapter in the longstanding relationship between RSA and VeriSign, both of whom were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.

Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.

Posted by Karen Snyder at 11:44 AM | Permalink | Comments (0)

CNET reported this morning that fraudsters phished thousands of email account passwords from multiple email providers.

You don't have to be a government official, political figure or celebrity to be the target of the phishing and password-reset hack. This latest incident demonstrates that hackers have moved beyond just the high and flighty to target ordinary people. With each security breach, the shortcomings of weak passwords and the need for stronger authentication solutions become more and more evident. One-time passwords via two factor authentication provides a critical layer of security to counter such threats. If you're an organization that has been on the fence on rolling out two-factor authentication, you're in luck. VeriSign is offering a 90 Day free trial of the VeriSign Identity Protection Service -- see more details at 90 Day Trial.

Posted by Jeff Burstein at 10:51 AM | Permalink | Comments (0)

It's about time Hollywood produces a blockbuster about identity management.

No, I'm kidding. No producer would never even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.

The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.

Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.

In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.

Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.

As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.

Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior, they may have been taken over by a vicious nerd.

Posted by Yohai Einav at 5:28 AM | Permalink | Comments (0)

Posted by Fran Rosch, SVP of User Authentication, VeriSign

This article was also published in SC Magazine.

All too frequently, reports surface of high-profile hacks victimizing individuals using weak password protection. But, unlike the inconsequential account break-ins hitting Britney Spears, Ashton Kutcher or Sarah Palin, the consequences of some compromised accounts raises serious implications for cloud services security.

Your personal and professional security is only as strong as your weakest password. And for IT managers, the security of an organization's cloud-based resources is only as strong as your most careless employee's weakest password.

Personal information can be harvested many ways - and the viability of traditional usernames and passwords are undermined by the "forgot your password" processes employed by many sites today. Many hacks have been successful because of harvested information used to break the confidence of such "reset" measures and then scouring accounts for professional account login information.

The industry must move to stronger authentication technologies. After all, the strength of a password is meaningless if someone can reset your password. The primary mechanism for secure access to web services is embarrassingly inadequate. In fact, the migration of IT to the cloud may mark the death of the traditional username and password and drive the adoption of stronger internet security measures.

Stronger authentication is available in the form of two-factor authentication, such as one-time password solutions. These solutions can - literally -- put stronger security in the hands of every individual: Plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices.

Such solutions have been available for years for enterprise implementations, but cost issues tied to scaling these solutions to large numbers of users have been prohibitive.

By delivering two-factor authentication through a managed service, however, the expensive infrastructure investments of on-premise models may not present as intimidating a barrier. Such a service can dramatically reduce fixed and operating costs of ownership. And a mobile device can dramatically simplify deployment.

Ironically, or not so ironically, Authentication-as-a-Service (AaaS) - strong authentication delivered through the cloud - could be a major solution for the cloud paradigm's most obvious security challenge.

Reckless human behavior is something you can influence but can't ultimately control. Additionally, people live their digital lives across personal and private online accounts. But two factor authentication can be implemented across professional and personal accounts - from the free email account to the cloud-based ERP account - to ensure that password vulnerabilities are a thing of the past and that cloud-based services are secure in the future.

Posted by Fran Rosch at 11:04 AM | Permalink | Comments (0)

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with extra layer security that goes beyond standard secure log-ins.

To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!

Posted by Erica Huang at 8:21 AM | Permalink | Comments (1)

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.

We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

Posted by Erica Huang at 8:12 AM | Permalink | Comments (0)

We are very excited to share that our VIP Access for iPhone downloads has reached a record high. Downloads grew three times more than our previous record high this week.

We appreciated all the constructive feedback from our VIP users. Many users also wish more online banks, gaming and social network sites would sign up with VIP Network, so they can use one VIP Access credential anytime anywhere to secure their online accounts and online identity.

 
We also have had many iPod touch users ask to be notified when we include support for the iPod Touch. Although in our first release, we leverage SMS as part of activation process, we are reviewing other alternatives to enable iPod Touch users in the near future. Stay tuned.

If you have any suggestions, please email to vipmobile@verisign.com. We love to hear from our users.

Posted by Erica Huang at 11:55 AM | Permalink | Comments (0)

What are the hottest applications you can get for your iPhone this week?

Check out Apple's App Store "What's HOT" category. You will see "VIP Access" for iPhone recommended for iPhone users. This is the only security application to receive the coveted endorsement from the App Store - What's HOT category this week.

This great mobile application turns your iPhone into your personal security device and adds an extra layer security for your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

Check out VIP Access on your iPhone and tell us what you think.

Posted by Erica Huang at 4:01 PM | Permalink | Comments (0)