Online Identity and Trust

Han Dong, Senior Product Marketing Manager, User Authentication

It's a good thing that people much smarter than me are thinking about the future of the internet, cloud computing, and ensuring I'm properly indoctrinated on the right social networking sites du jour. More importantly, these same smart people are constantly thinking about really critical things, like 'standards', 'interoperability', and 'security'. Guys like Tim Berners-Lee, the inventor of the Web and HTML, Paul Mockapetris, the inventor of DNS, and Vinton Cerf, the father of the internet and co-designer of TCP/IP, are constantly analyzing what's happening today and thinking about what's coming in the future. These people are part of the founding fathers of the web, the internet, and how all the intricate pieces work together seamlessly - just so you can download your tunes, update your tweet/blog, and get the latest NFL scores.

Whew, I'm glad these guys are on top of things.

Of course, anytime a paradigm shift occurs in the world of computing, there's bound to be an outgrowth of new issues and problems. And some of these new issues related to cloud computing, are exactly what Vinton Cerf has been thinking about. Mamoon Yunus' article "Vint Cerf and Multi-Cloud Mayhem of cloud Computing" and Paul Krill's InfoWorld article "Cerf urges standards for cloud computing", both cover a number of issues Cerf sees that are created by the "cloud" and how the situation is very similar to the way things were in the wild west days of early computer networks.

One issue in particular is in the area of cloud security and authentication. "Strong authentication will be a critical element in the securing of clouds," said Cerf. Multi-tenant cloud environments and ensuring that the properly authorized user is permitted to access the right services, creates a critical need for strong authentication in the cloud. Now I bring this issue to your attention because this is precisely an area that VeriSign has given a great deal of thought and attention to in delivering our goal of providing trust on the internet and in the cloud.

From Extended Validation SSL, to VeriSign Identity Protection for Two-factor authentication and Fraud Detection Services, to PKI Digital Certificates for authentication, every weapon in VeriSign's arsenal is designed to deliver a secure, trusted experience in the cloud and on the net. And just as I discussed in my last post, VeriSign knows just how to deliver a multi-layered security strategy for anyone who's moving to the cloud.

Whew, I'm glad Vinton Cerf (and VeriSign) has got your back.

Posted by Han Dong at 3:13 PM | Permalink | Comments (0)

Han Dong, Senior Product Marketing Manager, User Authentication

Some thoughts on a couple of recent articles, one from Gartner Research: Where Strong Authentication Fails and What You Can Do About It, by Avivah Litan and a similar article by Jaikumar Vijayan in Computerworld, which also references Ms. Litan's article.

The basic idea presented in these two articles is that "one-time passwords...are no longer enough to protect online banking transactions against fraud." These one-time password (OTP) token-based two-factor authentication methods may be compromised by man-in-the-browser malware that overwrites the user transactions to steal their assets. So the general recommendation from Avivah Litan is "A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats."

We agree that OTP is not the end-all, be-all of security for the internet. In fact, VeriSign was recently recognized as a "best in class authentication technology solution" by Javelin Strategy & Research, primarily because VeriSign espouses a layered security approach to our customers for protecting online transactions. This approach includes Extended Validation SSL to authenticate the website to a user, with an easily identifiable green address bar. Plus the VeriSign Identity Protection Fraud Detection Service, which delivers risk-based authentication to monitor particular user behavior and trigger authentication when abnormal patterns or behavior are noted. And additionally, the VeriSign Identity Protection Service, one-time password (OTP) authentication to mitigate account takeover and require an additional factor the user must present, in addition to username and password for accessing critical accounts. OTP in and of itself is not a panacea, but it is part of a multi-layered security approach that anyone conducting business online should consider to protect its customers and business.

Fraud may be on the rise, so whom do you turn to for trust in the online world?
Easy, look for the check.

Posted by Han Dong at 12:53 PM | Permalink | Comments (0)

Han Dong, Senior Product Marketing Manager, User Authentication

I just read an article in CNET, by Jonathan Eunice, Character limitations in passwords considered harmful. And immediately after reading the story I thought to myself, Jonathan (may I call you Jonathan), we have the answer to your troubles. It's called VeriSign Identity Protection (VIP) Authentication Service and it's precisely what you need to address your goal to have strong authentication for your "4,000 web services."

Jonathan's article described the issue of how various websites will frequently restrict your ability to create 'stronger' passwords that use symbols (i.e. !@#$%^&), and thus relegate the user to simple (and easy to steal) phrase or nickname passwords. So he is thwarted from his attempt to use a password like "Ga9i)t|Z" by the fact that the website in question, is not allowing the use of these special character passwords. And he's forced to use "easy-to-remember, easy-to-hack passwords." Not an ideal solution.

So here's where VIP comes in. VIP is an easy to implement two-factor authentication service that employs an open standards-based one-time password credential that strengthens your existing userid and password. The VIP Authentication Service provides a cloud-based second-factor authentication, integrated to your favorite web service via Web Services-based API. The VIP credential is available as a small hardware token or can reside as a client application on your mobile phone (always available, regardless of wireless network coverage). This VIP credential generates a 6-digit code (which changes every 30-seconds). The credential is registered with a relying party web service - and every time you initiate a login session to your web service, in addition to entering your easy to remember userid and password, you also enter the 6-digit code from your credential as a "second" password.

Now Jonathan has essentially a password for his password. And better yet, that password for his password is uniquely generated (based on OATH standards) and constantly changing, every 30-seconds. Someone would have to physically steal Jonathan's mobile phone or VIP token IN ADDITION to stealing his userid and password to hack into his favorite websites. Jonathan can combine something he knows (userid & password) with something he has (VIP credential) to add strong password protection. Now he can login, safely and securely.

So Jonathan, feel free to use "goofdog" as your password - just be sure to add VIP Authentication and you're good to go.

Posted by Han Dong at 3:55 PM | Permalink | Comments (0)

Han Dong, 'Blogger of Light'

Did you catch it on the tube last night?
Did you see the VeriSign Identity Protection Access for Mobile credential in action?



In case you missed it, check out the link on YouTube (0:21)

As for how this relates to you, me and your everyday secret agent, I think this fun video demonstrates the need for leveraging One-Time Passwords for strong authentication of your mobile applications. Yes, we have an "app" for that.

Kudos to our esteemed Product Manager, Erica Huang, and her efforts to have VeriSign included in the AT&T commercial.

Posted by Han Dong at 1:36 PM | Permalink | Comments (0)

Han Dong, Sr. Product Marketing Manager, User Authentication

Getting noticed is a hard thing. But when you do get recognized by adoring fans, it's like living the life of a beauty queen.

And just look at who noticed us: CrackBerry.com and BlackBerry Cool

So you ask, what's the news?
We all know that VeriSign Identity Protection (VIP) Access for mobile has already been available for free on Blackberry® smartphones and downloadable from the BlackBerry App World and the VeriSign Identity Protection Mobile Center sites for some time now.

What is new (or what you may have not noticed until now) is that with the VIP Access 3.0 release of September 2009, users can easily copy-n-paste the security code and credential ID into a mobile browser to complete VIP Access registration. Two-factor authentication has never been easier for the 'power' mobile-user.

So where can you use VIP Access for two-factor authentication to websites?
Simple. Register and use your VIP Access credential at participating VIP network member sites, such as eBay, PayPal, AOL, GEICO, or any participating VIP network site.

Posted by Han Dong at 9:33 AM | Permalink | Comments (0)

Han Dong, Sr. Product Marketing Manager, User Authentication

Greetings VIP Blog fans,

I'm here at the 2009 Gartner Identity & Access Management (IAM) Summit. The day started off with a keynote presented by Earl Perkins, one of the lead Gartner analysts who explained how much IAM has evolved over the years - highlighting the fact that there are several IAM lifecycle elements (Planning, Process, and Problems) to consider and several key business drivers (improving security, reducing risk, and meeting regulatory requirements) in deploying an IAM solution. And at the end of the day, four of the analysts presented as a panel and reviewed the 2009 "Magic Quadrant" (classic Gartner MQ) trends and developments for each of the IAM disciplines in User Provisioning, Web Access Management, Enterprise Single Sign-On (SSO), and Authentication.

One mid-day session titled "Google Case Study: Lessons From Google's IAM Initiatives For Cloud-Based Applications," presented by Eric Sachs, Google Product Manager, was particularly interesting. Eric's presentation covered essentially two topics: Federated login as a Service (or Cloud-based SSO) and Strong Authentication beyond passwords. Eric explained that the challenge of provisioning user accounts, managing multiple logins and passwords, and ensuring strong security and reliability is driving the movement towards a Federated login structure, built on open standards (OAuth and OpenID) and hosted in the cloud to support a host of Software as a Service (SaaS) applications.

With the heavy interest in cloud-computing and hosted applications, both IT vendors and consumers are seeking ways to reduce costs of deployment, speed implementation, and do more with fewer resources at hand. Google, Amazon, Salesforce, and Microsoft are just a handful of the many vendors vying to be the cloud-based app provider of choice. But in the hype, it seems that few vendors have discussed the new breed of security concerns that cloud-based services yield.

Eric's presentation touched on these very security concerns in the new SaaS world. And most importantly, Eric brought up the idea of leveraging "stronger forms of authentication" to mitigate the weak security of simple username and password. "One Time Password (OTP) is the answer!" Two-factor Authentication and OTP are not new technologies. Enterprises have long been using OTP tokens to authenticate users' access to internal networks (via VPN) for years now. But traditionally, OTP credentialed VPNs have been too costly or too resource consuming to manage and deploy. That is, until now - Eric also demonstrated a low-cost OTP credential in the form of a mobile phone software generated OTP. And the iPhone screen-shot Eric displayed on his slide was the VeriSign Identity Protection (VIP) Access for Mobile credential. Eric pointed out a unique feature of the VIP Access for Mobile software was that the key generator resides locally on the mobile phone itself, thus requiring NO network connection as some other products require in order for an OTP key to be sent via SMS or voice.

Here is Eric on stage:(image added 11/11)

What Eric did not mention during his session, is that behind the VIP Access for Mobile OTP credential lays a trusted VeriSign Identity Protection service entirely hosted by VeriSign. VeriSign allows enterprises to quickly and cost-effectively implement and integrate scalable Strong Authentication services (for VPN or partner and customer communications) for validating user credentials via Web Services APIs that connect to the VIP hosted network.

So what does this mean for the mass of new cloud-based computing enterprises? It means that enterprises can rest assured that not only can they migrate IT apps to the cloud, but they can also secure user access by leveraging a cloud-based Security as a Service with the VeriSign Identity Protection service.

Witnessing a 3rd party (not to mention the fact that we're talking about Google) extol the virtues of YOUR product, unpaid and unsponsored, was really an exciting surprise. And this really was a true coincidence - just by attending the Google breakout session at the Gartner IAM Summit, I saw VeriSign's own Two-factor authentication product in action and being explained by one of the premier thought leaders in the industry. This certainly bodes well for a plethora of future opportunities for Security in the cloud. And I can't wait to watch this all unfold.

Posted by Han Dong at 4:01 PM | Permalink | Comments (0)

Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.

Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.

This technical and sales partnership between RSA and VeriSign signals a new chapter in the longstanding relationship between RSA and VeriSign, both of whom were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.

Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.

Posted by Karen Snyder at 11:44 AM | Permalink | Comments (0)

It's about time Hollywood produces a blockbuster about identity management.

No, I'm kidding. No producer would never even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.

The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.

Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.

In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.

Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.

As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.

Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior, they may have been taken over by a vicious nerd.

Posted by Yohai Einav at 5:28 AM | Permalink | Comments (0)

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with extra layer security that goes beyond standard secure log-ins.

To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!

Posted by Erica Huang at 8:21 AM | Permalink | Comments (1)

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.

We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

Posted by Erica Huang at 8:12 AM | Permalink | Comments (0)

I always find it interesting the way old scams are redressed for new and emerging channels.

That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.

Today I'll talk about the phishing attack, which consisted in luring people to give away their twitter passwords to a fake site, the novel aspect is that it used twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).

This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:

- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.

- The second aspect, which I find more disturbing, is that the Twitter media is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine twitter phishing with events with intensive twitter coverage such as the Mumbai attacks.

A short-term measure that Tweeter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they login.

In the meantime, my twitter guru Bob Angus tells me that some of the buzz in the twittershpere is that these attacks confirm Twitter's arrival as a relevant media.

These past attacks seem to confirm that at least the bad guys seem to agree with that.

Posted by Vicente Silveira at 4:39 PM | Permalink | Comments (0)

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service
Greg Pierson of iovation recently wrote an interesting blog postabout the idea that the more places your identity information resides, the greater the chance of your identity actually getting stolen. It reminded me of an incident that happened to me recently. I live in a condo and our neighbor's sprinkler system had gone off. There was so much water that it seeped through the walls and ceiling and flooded one of our rooms, which happened to be carpeted. Our landlord, along with the condo association, arranged to have the carpet replaced. When the workers arrived, they insisted on taking my wife's credit card number even though they weren't going to charge us. They took an impression of the card, and then insisted on writing down the CVV2 number (the three digit number on the back of the card, often called a "security code"), not to charge anything, but because it was policy or they couldn't start the work. Of course, recording both numbers is totally unnecessary. It's actually pretty dumb, and most likely against the rules that merchants have to sign up to to be able to take credit cards as payment.

Credit card transactions can be "card present" transactions, when the card is physically present, like at a gas station or when you are physically at the store, or "card not present" (CNP), when the card is not present like when you make a transaction online or over the phone. The presence of the card is usually established by reading the magnetic strip or by taking an impression of the card. Clearly, the risk of fraud is greater for CNP transactions because all a fraudster may need is the card number (something you know). Card companies started to combat this by using CVV2 to validate CNP transactions, so you, in theory need to physically have the card or else you wouldn't be able to turn it over to read those three extra digits. Of course, those three digits are just something else you know, and can easily be compromised along with your card number, especially when written down by unscrupulous or clueless merchants. In practice, it does provide a little more security because those extra digits aren't supposed to be stored with your card number. Of course, when the carpet guys are holding your new carpet hostage and they insist on writing both pieces of information on the same piece of paper, that extra security goes out the window. To make matters worse for me, these particular carpet guys spoke with Russian accents. I don't want to launch a discussion about the merits of profiling cyber-criminals, but it didn't do much to ease my suspicion.

After my wife told me what happened, I considered canceling our credit cards, but then we would be faced with the hassle of updating every subscription and service that has our card stored somewhere for auto-renewal. On the one hand, that's not such a bad idea. Who knows what auto-renewals we'd forgotten about and didn't need anymore. On the other hand, who wants to deal with all that, especially when your liability for any fraudulent charges is capped at $50? The real fear wasn't the charges themselves but of someone establishing a new credit line in one of our names using the credit card. Ultimately, we decided just to keep an even more vigilant eye on our statements and rely on our Equifax Credit Watch to alert us of any suspicious behavior.

Continue reading "Who's minding the Identity store?" »

Posted by VeriSign Identity Protection Blogger at 4:00 AM | Permalink | Comments (0)

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA Members will have first hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

Posted by Fran Rosch at 10:06 AM | Permalink | Comments (0)

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service

I'm Perry Tancredi, and I manage the VeriSign VIP Fraud Detection Service product. A lot of times when I explain what I do to my friends and family, especially when I talk about some of the latest attacks we see, the conversation turns to whether or not it's too risky to do anything online at all. People want to know if I think banking and shopping online is safe, what virus program I use at home and what they should be doing to protect themselves.

I had already been writing this post when the news about the largest case of identity theft in America (BBC, Washington Post), it seems more relevant now. There's been a lot of coverage last night and this morning, but I happened to be available when the story BBC story was being written,and got the chance to talk to and be quoted by the BBC. I'm a long time NPR and BBC listener, so I do have to say that it was quite a kick to hear Maggie Shiels say my name on the radio last night.

I told the BBC what I typically tell anyone else who asks, that while for the most part, the Internet is secure, but the most important thing anyone can do is just assume that their accounts are going to be compromised. Credit card and personal data are stolen every day using all kinds of methods, and it's not all Internet related. Most people are most concerned about the security at the point of sale, but don't think about what happens with the information later. When you assume that your accounts will be compromised one way or another, you have to start doing what you should have been doing anyway: reading your credit card statements and monitoring your credit reports. It's not fun, but it's easy to spot suspicious transactions when you look at statements every month. If you see something suspicious, call your bank or credit card company. Likewise, if you see something strange on your credit report, follow up on it.

The VeriSIgn Fraud Detection Service (FDS) works on the same pricipal. Protect the front door, but stay on the alert after you've let someone in. Out of the box, the FDS allows our customers to look for suspicious logins, but it was built to be modular and allow the analysis of any kind of transaction, and really reaches its full potential when it looks at post-logon transactions. We already have customers who have written their own modules using it to protect wire transfers online. Soon we'll release our first module to look at a specific kind of post-logon fraud, and that will be just the first module of many.

With more and more organizations looking beyond login, consumers will be safer, and the combination of users and organizations being more vigilant will move the bar that much higher for the fraudsters.

Posted by VeriSign Identity Protection Blogger at 4:18 PM | Permalink | Comments (0)

We asked people on the streets of San Francisco about what they do online, how many passwords they have, and whether they think their personal information is safe.

"Any bill that I pay, other than my rent, I pay online"
"There's probably a lot of sites out there that have my personal information."
"Sometimes even with secure sites, hackers get through"
"Every time I use a credit card, I hope that's the only place it gets used."

Find out how VeriSign can help keep your online identity safe.

Posted by VeriSign Identity Protection Blogger at 9:49 AM | Permalink | Comments (0)

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.

I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger authentication and painless authentication process like using a single device be it mobile phone, tokens, SMS etc. to generate unique codes eachtime at all my online sites? How about asking your organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites thus offering secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.

~Vijai

Posted by Vijai Shankar at 8:50 AM | Permalink | Comments (0)

Posted by Kerry Loftus

I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomena. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.

It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet everyday through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

Posted by Kerry Loftus at 1:38 PM | Permalink | Comments (0)

But what happens when your entire online identity is consolidated into a single entity? It becomes a prime target for attack. In the pre-OpenID world, attackers need to steal your individual credentials for each and every site you visit; but if they're all replaced with a single OpenID, hacking just one account gives you the keys to the castle.

The need for strong account protection has never been greater, which is why we've integrated our VIP Authentication Service with the VeriSign Labs' Personal Identity Provider as a showcase for how strong authentication melds with user-centric identity. Our users agree - a significant percentage of PIP users already protect their OpenID with a PayPal Security Key or a VIP Security Card.

Once you add strong authentication to OpenID, you need a way for relying parties to request it, and for identity providers to answer those requests. This is where the PAPE standard comes in, providing a standardized language for OpenID sites to talk about the strength of their authentication.

In the OpenID world, we're encouraged to put all of our eggs into one basket. Just make sure you stick a good lock on it!

Posted by Jeff Burstein at 8:16 AM | Permalink | Comments (0)

Hi, I'm Jeff Burstein, a product manager on the VIP team.

Today is Super Tuesday, and as a California resident, I went to vote this morning in the primary election. Since this is a blog about identity and trust, let's examine what I needed today to prove my identity to vote: nothing. Do I really look that trustworthy?

I walked into my polling place, went up to the table and told the poll worker my name, which she dutifully looked up in the voter roll and crossed out. No identity check needed, no need to show my ID, check a signature, or any other form of authentication -- just the honor system. (And of course the threat of going to jail for voter fraud!)

For those of us who live and breathe identity and authentication every day this is just unnatural! Of course, there are all sorts of reasons for the lack of strong authentication for voting today, most having to do with budgets, voter turnout, the 24th amendment, and the potential for discrimination. So what can be done to strengthen voter authentication while still preserving equal access and maintaining the integrity of the secret ballot? Some ideas are coming out of the Caltech-MIT Voting Technology Project, who held a conference on this very topic in 2006. But considering the recent fiascoes with touchscreen voting machines, it may be hard to get the public to accept new technology solutions to voting problems.

-- Jeff

Posted by Jeff Burstein at 9:12 AM | Permalink | Comments (0)