Online Identity and Trust

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.

I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger authentication and painless authentication process like using a single device be it mobile phone, tokens, SMS etc. to generate unique codes eachtime at all my online sites? How about asking your organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites thus offering secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.

~Vijai

Posted by Vijai Shankar at 08:50 AM | Permalink | Comments (0) | TrackBacks (0)

Posted by Kerry Loftus

I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomena. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.

It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet everyday through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

Posted by Kerry Loftus at 01:38 PM | Permalink | Comments (0) | TrackBacks (0)

But what happens when your entire online identity is consolidated into a single entity? It becomes a prime target for attack. In the pre-OpenID world, attackers need to steal your individual credentials for each and every site you visit; but if they're all replaced with a single OpenID, hacking just one account gives you the keys to the castle.

The need for strong account protection has never been greater, which is why we've integrated our VIP Authentication Service with the VeriSign Labs' Personal Identity Provider as a showcase for how strong authentication melds with user-centric identity. Our users agree - a significant percentage of PIP users already protect their OpenID with a PayPal Security Key or a VIP Security Card.

Once you add strong authentication to OpenID, you need a way for relying parties to request it, and for identity providers to answer those requests. This is where the PAPE standard comes in, providing a standardized language for OpenID sites to talk about the strength of their authentication.

In the OpenID world, we're encouraged to put all of our eggs into one basket. Just make sure you stick a good lock on it!

Posted by Jeff Burstein at 08:16 AM | Permalink | Comments (1) | TrackBacks (0)

Hi, I'm Jeff Burstein, a product manager on the VIP team.

Today is Super Tuesday, and as a California resident, I went to vote this morning in the primary election. Since this is a blog about identity and trust, let's examine what I needed today to prove my identity to vote: nothing. Do I really look that trustworthy?

I walked into my polling place, went up to the table and told the poll worker my name, which she dutifully looked up in the voter roll and crossed out. No identity check needed, no need to show my ID, check a signature, or any other form of authentication -- just the honor system. (And of course the threat of going to jail for voter fraud!)

For those of us who live and breathe identity and authentication every day this is just unnatural! Of course, there are all sorts of reasons for the lack of strong authentication for voting today, most having to do with budgets, voter turnout, the 24th amendment, and the potential for discrimination. So what can be done to strengthen voter authentication while still preserving equal access and maintaining the integrity of the secret ballot? Some ideas are coming out of the Caltech-MIT Voting Technology Project, who held a conference on this very topic in 2006. But considering the recent fiascoes with touchscreen voting machines, it may be hard to get the public to accept new technology solutions to voting problems.

-- Jeff

Posted by Jeff Burstein at 09:12 AM | Permalink | Comments (1) | TrackBacks (0)