As referenced on Mike Jones's blog, Fun Commutations has deployed a service at: http://idtheft.fun.de/ that attempts to demonstrate a man-in-the-middle based phishing attack against a number of OpenID providers using Janrain's IDSelector. Since our Personal Identity Provider or "PiP" is one of the providers included in the Selector we naturally had a look.

The good news is that there are a couple of features specifically designed in the PiP to combat the attacks noted in the demonstration. The first is found within the PiP itself. The optional feature is called "Secure Sign-On" and the way it works is that if the user has enabled it, they must first be logged into the PiP *before* they attempt to login to a RP. If they are not logged in and they attempt to login they will be presented with this message:

The important point is that any PiP user who has enabled this knows that they must first login, so in the "Fun" case seeing a login screen while having the feature enabled would immediately flag the user that they were being phished.

Secondly, this feature combined with our SeatBelt being used in conjunction with the PiP beta product affords even more detection. With SeatBelt if a user is entering their identity URL we immediately detect whether or not the user is logged in and if they aren't we give them the option to login to their account. With SeatBelt installed Firefox 2 and 3 users can clearly see if they are on the "correct" login page through a visual indicator in their status bar. There are a number of checks SeatBelt performs to insure that the login page the user is entering their credentials into is correct for their configured OP. In addition to the PiP, SeatBelt is supported by 9 other providers some of which are listed in the selector (more on this in a follow-up post).

In addition to these features our PiP product also provides 2 factor authentication through our VeriSign Identity Protection ("VIP") Authentication Service so at the end of the day our view is balancing usability with the layering of functionality to thwart the very thing that Fun in their demo attempts to bring forward. "Secure Sign-In" backed with 2 factor authentication and SeatBelt we believe is a step to providing a level of comfort to the OpenID community in continuing to drive usage and adoption.

Posted by Gary Krall at 10:18 AM | Permalink | Comments (0)

The controversy around personal and social data portability is growing. For consumers, it is an important issue because it will determine how much ownership they will be able to enforce upon their "digital identity" that lives today across competing Internet silos. For the silos, the Google, FaceBook, Yahoo! and Microsoft of the world, a lot is at stakes since, ultimately, it is about whom consumers will entrust with their digital self.

Undoubtedly, data portability is the natural child of federated identity (more on that in a future post). Personal and social data are an important part of any consumer identity'. Like identifiers, credentials and profile attributes, social graphs, activity streams belong to the end user who created them in the first place. In the long run, consumers will require full control, privacy, security and portability over such personal information. Therefore, the identity technical community must engineer a new and comprehensive identity portability layer. The new layer needs to broaden the tradition notion of identity federation beyond names, passwords and profile to encompass the full gamet of personal and social data. Furthermore, this new layer must support a plurality of identity service providers who can compete and distinguish themselves by the quality of their service and the user experience that they provide. Freeing our data off Web portals and social networks by creating a new service layer dominated by one single service provider is hardly trading one master for another.

Incidentally, putting the user first and ensuring plurality of competing identity service providers strikes as the fundamental principle that OpenID places on identity providers. The OpenID foundation has always be the strong proponent of a user-centric approach to Internet identity. Unlike many organizations, it appears to have achieved a balanced representation across the grass-root technical community and large big Internet corporations. Moreover, because of the strategic stakes it represents, the quest for personal data portability is likely to become the main driving force behind OpenID deployment and maybe, even the necessary solution to the so-called "relying party problem".

As a neutral ground, I hope the foundation will quickly realize that it has the opportunity and responsibility to provide the necessary leadership that helps clearing the technical issues around personal information and data portability. Yes, more than large Internet companies proclaiming their own APIs as open standards, it seems to me that OpenID can be the right foundation (pun intended) to lead towards a true interoperable solution for Internet data portability.

Posted by Nico at 1:36 PM | Permalink | Comments (0)

The issue of personal data portability is rapidly moving center stage. So, what is the big fuss about and what is really at stake here?

For us, as consumers, it is an important issue because eventually, it will determine how much ownership we will be able to enforce upon our personal data and content, including our social graph, that today, is dispersed across competing social networks and Web portals.

For Google, and FaceBook (FB), the stakes are equally high. Ultimately, the winner could take it all and be the one who really drives revenue from social networking. But to understand, we need to review the controversy first.

It really all started with OpenSocial. OpenSocial was Google's response to the rapid rise towards hegemony of FB APIs. To counter FB, Google created an alternative that it self-proclaimed an open standard by rallying a large number of FB competitors behind it.

Competitive response aside, Open Social also arises from our industry's realization that social network is much more than a destination. Social networking is really a new application dimension. It is a new form of interactions that can augment almost any application, or any web site. To add social networking capabilities to an application, you need APIs. OpenSocial fills that gap.

With OpenSocial, Google is also reducing social network to mere "containers". Google is turning the social networking portals into a set interoperable data sources that it can dip into. In fact, with the consent of the end-user, these social databases become instantly accessible to a whole new layer of identity services. The first generation of these new of services is now known. It is called Google Friend Connect.

It is clear that FB understand the threat of a layer above social networks dominated by Google. Its decision to block Friend Connect under the excuse of privacy control does not fool anyone. It is also likely that OpenSocial may have forced FB into exposing its own APis to third party Web sites. Friend Connect, on the other hand, is consistent with Google "social cloud" strategy. It simply extends OpenSocial by alleviating the need for site owners to write code. Although it remains to be seen whether an embedded widget can provide the right user interface, by putting itself, between Web sites and social networks, Google is moving fast to disintermediate the leading social network. If Google were to succeed, it would surely make a significant dent into FB's $15B valuation.

But what is the real prize here? What is really at stakes? Let me venture an explanation. How do you discover sites, products, music, videos on the Internet? You Google it,of course. Now, in the real world, how do you discover products, movies, or books? Very often, you discover them through your social connections. Social events are always full of "I love this new product, you should really buy it too", "you must see that movie", "I highly recommend reading that book", "this restaurant is unbelievable". So maybe, social discovery is the perfect complement to search when it comes to generate and monetize traffic to other sites.

So here may lie Google's bet on Open Social. The bet is that social networking capabilities integrated into a Web site can drive viral traffic (because your social feed will notify your friends of a site visit or of a transaction, because you will recommend a merchant by becoming a 'member of the site' or writing a review, because you will trust a site by finding people you know who have already experienced this site). Not withstanding the data mining and advertising intelligence opportunity that sitting between sites and social networks can present in the long run, the bet is that social interactions will drive more site visitors. Of course, for an ad network like Google that strives on monetizing new customer acquisition and traffic, it is a very rational bet.

So while FB seems initially more concerned about keeping interactions within the walled garden, Google is forcing all the social networks to embrace a deportalization strategy. Of course, it is a smart move for Google who, unlike social networks, has already strong customers relationship with most Web sites through its AdWords and AdSense programs. Without access to a direct channel to online merchants and .COM sites, FB is in a relatively weaker position but it had to respond and Facebook Connect is its current answer to Google. Will FB be more effective in driving revenue by deportalizing its APis and driving traffic outside FB instead of raising the walls of the garden day by day? That remains to be seen.

At the end of the day, social traffic is still a theory in search of validation. For these merchants and Web site owners, that traffic may never materialize. To the non-believers, I can only oppose the success of Yelp whose sole purpose of its community is to drive traffic to local businesses. Considering the energy that Google is deploying around open Social and Friend Connect, we should have our final answer soon. One thing is almost certain, for the near future, the social cloud is likely to be the strongest market force driving internet-scale identity services, and that is very good news for OpenID.

Posted by Nico at 11:52 AM | Permalink | Comments (0)