Getting noticed is a hard thing. But when you do get recognized by adoring fans, it's like living the life of a beauty queen.

And just look at who noticed us: CrackBerry.com and BlackBerry Cool

So you ask, what's the news?
We all know that VeriSign Identity Protection (VIP) Access for mobile has already been available for free on Blackberry® smartphones and downloadable from the BlackBerry App World and the VeriSign Identity Protection Mobile Center sites for some time now.

What is new (or what you may have not noticed until now) is that with the VIP Access 3.0 release of September 2009, users can easily copy-n-paste the security code and credential ID into a mobile browser to complete VIP Access registration. Two-factor authentication has never been easier for the 'power' mobile-user.

So where can you use VIP Access for two-factor authentication to websites?
Simple. Register and use your VIP Access credential at participating VIP network member sites, such as eBay, PayPal, AOL, GEICO, or any participating VIP network site.

Greetings VIP Blog fans,

In the way of introductions, I'm a new member of the Product Marketing organization at VeriSign. Seems like I'm already an old vet (time spent in the technology industry always seems to be measured in "dog years"). To give you some additional background on my IT curriculum vitae, 5 years of UNIX systems sales; 2 years of business development in Linux and Wireless; and 10 years in product marketing and management in Data Storage, Linux, and Networking. So as a long time marketer, I'm excited about the opportunity to share my experiences through 'new' social media vehicles, like this blog site.

I'm here at the 2009 Gartner Identity & Access Management (IAM) Summit. While this is my 1st Gartner IAM event, it certainly is not my 1st analyst or technology industry event. Having seen the ups and downs of the tech industry for the last 17 years, and having attended similar events like IDC Forums, CES, SNW, LinuxWorld Expos, Oracle OpenWorlds - you name it, I've been there.

The day started off with a keynote presented by Earl Perkins, one of the lead Gartner analysts who explained how much IAM has evolved over the years - highlighting the fact that there are several IAM lifecycle elements (Planning, Process, and Problems) to consider and several key business drivers (improving security, reducing risk, and meeting regulatory requirements) in deploying an IAM solution. And at the end of the day, four of the analysts presented as a panel and reviewed the 2009 "Magic Quadrant" (classic Gartner MQ) trends and developments for each of the IAM disciplines in User Provisioning, Web Access Management, Enterprise Single Sign-On (SSO), and Authentication.

One mid-day session titled "Google Case Study: Lessons From Google's IAM Initiatives For Cloud-Based Applications," presented by Eric Sachs, Google Product Manager, was particularly interesting. Eric's presentation covered essentially two topics: Federated login as a Service (or Cloud-based SSO) and Strong Authentication beyond passwords. Eric explained that the challenge of provisioning user accounts, managing multiple logins and passwords, and ensuring strong security and reliability is driving the movement towards a Federated login structure, built on open standards (OAuth and OpenID) and hosted in the cloud to support a host of Software as a Service (SaaS) applications.

With the heavy interest in cloud-computing and hosted applications, both IT vendors and consumers are seeking ways to reduce costs of deployment, speed implementation, and do more with fewer resources at hand. Google, Amazon, Salesforce, and Microsoft are just a handful of the many vendors vying to be the cloud-based app provider of choice. But in the hype, it seems that few vendors have discussed the new breed of security concerns that cloud-based services yield.

Eric's presentation touched on these very security concerns in the new SaaS world. And most importantly, Eric brought up the idea of leveraging "stronger forms of authentication" to mitigate the weak security of simple username and password. "One Time Password (OTP) is the answer!" Two-factor Authentication and OTP are not new technologies. Enterprises have long been using OTP tokens to authenticate users' access to internal networks (via VPN) for years now. But traditionally, OTP credentialed VPNs have been too costly or too resource consuming to manage and deploy. That is, until now - Eric also demonstrated a low-cost OTP credential in the form of a mobile phone software generated OTP. And the iPhone screen-shot Eric displayed on his slide was the VeriSign Identity Protection (VIP) Access for Mobile credential. Eric pointed out a unique feature of the VIP Access for Mobile software was that the key generator resides locally on the mobile phone itself, thus requiring NO network connection as some other products require in order for an OTP key to be sent via SMS or voice.

Here is Eric on stage:(image added 11/11)

What Eric did not mention during his session, is that behind the VIP Access for Mobile OTP credential lays a trusted VeriSign Identity Protection service entirely hosted by VeriSign. VeriSign allows enterprises to quickly and cost-effectively implement and integrate scalable Strong Authentication services (for VPN or partner and customer communications) for validating user credentials via Web Services APIs that connect to the VIP hosted network.

So what does this mean for the mass of new cloud-based computing enterprises? It means that enterprises can rest assured that not only can they migrate IT apps to the cloud, but they can also secure user access by leveraging a cloud-based Security as a Service with the VeriSign Identity Protection service.

Witnessing a 3rd party (not to mention the fact that we're talking about Google) extol the virtues of YOUR product, unpaid and unsponsored, was really an exciting surprise. And this really was a true coincidence - just by attending the Google breakout session at the Gartner IAM Summit, I saw VeriSign's own Two-factor authentication product in action and being explained by one of the premier thought leaders in the industry. This certainly bodes well for a plethora of future opportunities for Security in the cloud. And I can't wait to watch this all unfold.

Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.

This technical and sales partnership between RSA and VeriSign signals a new chapter in the longstanding relationship between RSA and VeriSign, both of whom were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.

Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.

You don't have to be a government official, political figure or celebrity to be the target of the phishing and password-reset hack. This latest incident demonstrates that hackers have moved beyond just the high and flighty to target ordinary people. With each security breach, the shortcomings of weak passwords and the need for stronger authentication solutions become more and more evident. One-time passwords via two factor authentication provides a critical layer of security to counter such threats. If you're an organization that has been on the fence on rolling out two-factor authentication, you're in luck. VeriSign is offering a 90 Day free trial of the VeriSign Identity Protection Service -- see more details at 90 Day Trial.

No, I'm kidding. No producer would never even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.

The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.

Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.

In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.

Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.

As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.

Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior, they may have been taken over by a vicious nerd.

This article was also published in SC Magazine.

All too frequently, reports surface of high-profile hacks victimizing individuals using weak password protection. But, unlike the inconsequential account break-ins hitting Britney Spears, Ashton Kutcher or Sarah Palin, the consequences of some compromised accounts raises serious implications for cloud services security.

Your personal and professional security is only as strong as your weakest password. And for IT managers, the security of an organization's cloud-based resources is only as strong as your most careless employee's weakest password.

Personal information can be harvested many ways - and the viability of traditional usernames and passwords are undermined by the "forgot your password" processes employed by many sites today. Many hacks have been successful because of harvested information used to break the confidence of such "reset" measures and then scouring accounts for professional account login information.

The industry must move to stronger authentication technologies. After all, the strength of a password is meaningless if someone can reset your password. The primary mechanism for secure access to web services is embarrassingly inadequate. In fact, the migration of IT to the cloud may mark the death of the traditional username and password and drive the adoption of stronger internet security measures.

Stronger authentication is available in the form of two-factor authentication, such as one-time password solutions. These solutions can - literally -- put stronger security in the hands of every individual: Plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices.

Such solutions have been available for years for enterprise implementations, but cost issues tied to scaling these solutions to large numbers of users have been prohibitive.

By delivering two-factor authentication through a managed service, however, the expensive infrastructure investments of on-premise models may not present as intimidating a barrier. Such a service can dramatically reduce fixed and operating costs of ownership. And a mobile device can dramatically simplify deployment.

Ironically, or not so ironically, Authentication-as-a-Service (AaaS) - strong authentication delivered through the cloud - could be a major solution for the cloud paradigm's most obvious security challenge.

Reckless human behavior is something you can influence but can't ultimately control. Additionally, people live their digital lives across personal and private online accounts. But two factor authentication can be implemented across professional and personal accounts - from the free email account to the cloud-based ERP account - to ensure that password vulnerabilities are a thing of the past and that cloud-based services are secure in the future.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with extra layer security that goes beyond standard secure log-ins.

To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.

We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

We appreciated all the constructive feedback from our VIP users. Many users also wish more online banks, gaming and social network sites would sign up with VIP Network, so they can use one VIP Access credential anytime anywhere to secure their online accounts and online identity.

 
We also have had many iPod touch users ask to be notified when we include support for the iPod Touch. Although in our first release, we leverage SMS as part of activation process, we are reviewing other alternatives to enable iPod Touch users in the near future. Stay tuned.

If you have any suggestions, please email to vipmobile@verisign.com. We love to hear from our users.

Check out Apple's App Store "What's HOT" category. You will see "VIP Access" for iPhone recommended for iPhone users. This is the only security application to receive the coveted endorsement from the App Store - What's HOT category this week.

This great mobile application turns your iPhone into your personal security device and adds an extra layer security for your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

Check out VIP Access on your iPhone and tell us what you think.

+ Read the New York Times Article

+ Read our press release

Download the app using iTunes or your iPhone here.

---Updated April 3, 2009---

Here is the latest coverage:

4/2/2009: Two-factor authentication using an iPhone: Killer security app? – Andrew Patrick

4/2/2009: How to turn your iPhone into unbreakable security token – TG Daily

4/2/2009: VeriSign release iPhone VIP Access security app – Geek.com

4/1/2009: VeriSign App Turns iPhone into Security Device – Mac Evangelism

4/1/2009: Move Over Token! My iPhone Can do The Trick – Celent Banking Blog

4/1/2009: VeriSign VIP Access for iPhone Provides Additional Authentication Security - Mobile Content Today

4/1/2009: VeriSign ships OTP generator iPhone app – Finextra.com

4/1/2009: New VeriSign app offers better online security – TECH.BLORGE

4/1/2009: VeriSign releases online security application for iPhone – The Paypers

4/1/2009: New iPhone App Reduces ID Theft by Unique Password - InfoPackets

4/1/2009: VeriSign Offers Two-Factor Authentication for iPhone – IT Business Edge

4/1/2009: VeriSign app turns iPhone into security device - MacWorld

4/1/2009: VeriSign Powers iPhone Two-Factor Authentication - InternetNews

4/1/2009: VeriSign's free iPhone app secures passwords - InfoWorld

3/31/2009: An iPhone App for Security - BusinessWeek

3/31/2009: VeriSign Brings Authentication Tokens to iPhone - TidBits

3/31/2009: A safer iPhone – SiliconBeat

3/31/2009: What’s the Password? Only Your iPhone Knows– The New York Times Technology Bits Blog

3/31/2009: VeriSign Launches Online Authentication App For iPhone- WebGuild

3/31/2009: VeriSign password generator app for Apple iPhone- RSS For Gadgets

3/31/2009: Verisign launches secure password app: VIP Access - Textually.org

3/30/2009: VIP Access - iGoApps

---Updated April 21, 2009---

Additional News Coverage of VeriSign's new iPhone App

Interesting to note that scam details were similar and the destination account was in the UK in both cases, which hints at the possibility that both scams were perpetrated by the same people. More troublesome was that Beny's case happened in Jan whereas Eileen's, according to WPIX, happened on Feb 8th which may show that Facebook was not able to block the attackers even after they got notice of the first incident.

The public tally so far is: 2 Facebook identities stolen, 2 friends scammed and $1793 stolen. I suspect there could be more, leave a comment here if you know of anyone else that may have been victimized by this scam.

A few weeks ago, my friend Beny stepped up to help one of his friends, Bryan, who was robbed at gunpoint in a foreign country.

We've all heard about friends getting in trouble during a trip, but what was new here was the fact that the distress call and help request came via Facebook status updates and instant messages.

As it turns out, the distress call was fraudulent and my friend ended up wiring a total of $1,143 to some fraudster account in England.

How could this happen ? Somehow, a fraudster got a hold of Bryan's Facebook username and password, studied his profile and started to reach out to his friends with the harrowing news and the request for help. The fraudsters were able to sound legitimate when instant messaging to Beny as they casually dropped bits and pieces of personal information that only Brian would know. Or, shall we say, only anyone with access to Brian's account would know. They went so far as leaving voice messages on Beny's phone asking for more money for Brian. After that, all that was left between the fraudsters and the money was Beny's good heart and a wire transfer.

Why are we seeing an increase in these types of attacks against non-financial sites (see also Twitter and Yahoo) ? Well, the answer is that fraudsters and criminals are always looking for the weakest link that can help them get access to your wallet.

Over the last 3 years, banks have stepped up their online banking security with measures such as second factor and risk based authentication. The bad guys did take note of that and are now trying to use the same tools they used against the banks to get access to your email, social network or work applications. There they can find information that can help them get access to your money without having to face the bank's security systems.

What is interesting about social networks is that it doesn't matter that you protect your own passwords, use the latest and greatest anti-virus or only transact with well authenticated EV sites. If any of your social network friends make a mistake and lose their Facebook or MySpace password, now your private information is exposed to a stranger or maybe even a criminal.

All that said, I'm a strong believer in the value of social networks and the hundreds of millions of people accessing them cannot be wrong: the power of sharing information online is really here to stay and we have only seen the beginning of this social fabric that we are building on top of the Internet.

What social network providers need to realize is that the growth and eventual monetization of these networks will depend on how well the user's data, identity and privacy is protected.

Beny will soon forget the $1000 or so that he lost, but I bet he won't recover his trust on social networks for a long time to come.

For more details on Beny and Bryan's case check the following video:

What if a fraudster had set up that free WiFi you just logged into? How much of your personal information was just compromised? Well, this nightmare scenario is coming true. It's so widespread that it has even earned its own nickname: The "Evil Twin." Fraudsters can easily set up a fake hub and even name it to look legitimate, by using the name of a nearby store or cafe. Some people have noticed this in airports.

But don't lose hope: the "good guys" at the WiMAX Forum have defined a security model using two-way mutual authentication and they are creating standards that will protect us from this kind of scam. WiMAX is one of the standards for mobile broadband. It's not fully adopted anywhere yet, because only some providers have adopted it as a standard. But some of the big chip makers will be baking it into devices in the coming years so it will become more widespread.

Today we are announcing that the WiMAX Forum has chosen VeriSign as the Certificate Authority to secure the certificates that will go on WiMAX-enabled servers and devices.

Our PKI Product Manager, Charul Sadwelkar took a few moments to answer some of my questions about VeriSign's role in the WiMAX ecosystem. Charul used to work in the mobile industry so he knows all the jargon and he explained all the competing standards.

Question: "Are there any competing standards to WiMAX today?"
Answer: "There are competitive technologies that are in various stages of evolution. The one most commonly cited is the "Long Term Evolution" (LTE) roadmap, which is the path taken by the GSM and the GPRS service providers. But we believe that they are a little bit behind WiMAX which is spearheading the high-speed mobile Internet access revolution."

Question: "As part of VeriSign's PKI service for WiMAX, are we using any proprietary technologies?"
Answer: "VeriSign takes pride in the fact that we are a standards-based PKI provider. For the WiMAX ecosystem, we are not doing anything proprietary, these are very standard certificates with profiles as specified by the forum."

Question: "When will WiMAX be widespread?"
Answer: "It is in pilot roll-out in a couple cities in the US and in some Asian countries where the landline infrastructure is not particularly strong. We expect that WiMAX will be available in a widespread in a year or two from now."

Listen to the interview with Charul

Learn More:
White Paper: Helping to Secure the WiMAX World: VeriSign WiMAX PKI
Service
Data Sheets: VeriSign WiMAX Public Key Infrastructure Service for Device
Manufacturers, and VeriSign WiMAX Public Key Infrastructure Service for Service
Providers