Main

Trusted Identities in Cyberspace

Last week, the White House announced its official National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity system. The goal: Improve the security and privacy of online interactions and more effectively fight cybercrime. Today's announcement marks the culmination of two years of effort by VeriSign (first as an independent company and later as part of Symantec) to help bring this important initiative to life.

At the heart of NSTIC is the concept of an Identity Ecosystem based on trusted identity frameworks. Trusted identity frameworks are the lynchpin to trusted interactions online, for everything from e-commerce to electronic health records to online voting. These frameworks will require all participating service providers to ensure the credentials they offer adhere to the same standards for identification, authentication, security and privacy. This wouldn't be a "national online identity" setup, but rather interoperability among many market offerings.

The initiative recognizes that public-private partnerships are essential for success. Symantec and other private sector companies have already created the technology for strengthening and sharing high assurance identities. Government leadership will promote, facilitate and coordinate industry to further NSTIC goals.
The government can also help overcome the three big impediments this kind of initiative faces:

1. Privacy concerns: The government can define and deploy standardized trust frameworks that help ensure citizens privacy (e.g. by working through the private sector, leveraging organizations such as the Online Identity Exchange).

2. Liability concerns: Data breaches involving personally identifiable information (PII) can easily run into the tens or hundreds of millions of dollars, depending on the number and kind of records affected. Once trust frameworks are in place, Congress can pass legislation to cap liability for organizations certified under those frameworks.

3. Business concerns: The federal government can create business incentive for trusted identity providers to join the eco-system by becoming the initial customer. That would basically prime the pump for a trusted identity service business model.

NSTIC's goals for FY11 include:

• Convene the private sector by hosting workshops on governance, privacy and technology
• Establish a governance model, standards and models for addressing liability
• Develop criteria, assess potential programs and prepare for formal funded pilot launches in FY12

These plans are ambitious, certainly, but are necessary given the escalating data breach and cybercrime threats people face every day. NSTIC will provide the means to dramatically improve online authentication and the security, privacy and business benefits it provides.

04/20/11 | permalink | comments [0]

Identity Proofing - the Next Mobile Business Opportunity?

It is clear that high assurance identity on the internet is going to require identity proofing. With more than 1 Billion Web users, and 3 Billion mobile users increasingly connected to the Internet, scalability is going to be essential. If high assurance identities become the norm, digital identify verification services that do not require in-person proofing could therefore turn into a significant market opportunity

Most folks in the industry would tell you that credit bureaux, and financial institutions ought to be primary beneficiaries as the new business emerges. However, the convergence of Internet, mobile and telecommunication driven by iPhone and Android could attract new market players. Mobile network operators (MNOs) have a wealth of identifiable data about us. They are also uniquely positioned to bring to market multi-channel solution. In fact, an MNO-operated ID proofing service could easily support voice and web, for brick and mortar as well as online service providers.

Them comes the unfair advantage: the mobile handset. Obviously, the biggest challenge of "person not present" identity proofing lies in the processor ability to match the person on the other side of the communication channel to the identity data. A personal mobile device provides a unique link between my digital and physical me (there is a long history that links my mobile device to my identity). For the web, it supports an out of band channel that considerably adds to the security of the verification process. From a privacy and control standpoint, the mobile phone enables a user-centric approach where the user can approve the transfer of her personal information (a sort of out of band OAUTH dance). Last but not least, location (somewhere I am) may prove of strategic importance, since an embedded GPS can correlate the proofing event to a verifiable personal location (e.g. my home). Location verification for proofing could happen "just in time" or as a post-process step. In any case, it would greatly strengthen the overall process.

There is little doubt that the combination of wireless data and handset constitute a unique recipe for enabling high-assurance identity proofing systems. The OIX will soon get to the bottom of this theory since it has recently announced the formation of a working group for telecom data. Early next month, OIX members will explore the development of a trust framework that would support the secure exchange of identity data between MNOs and relying parties while ensuring the privacy and trust of consumers. This could well be a significant step towards high-scale, high-assurance identity systems. So, good luck to new working group; we will be watching closely.

09/06/10 | permalink | comments [0]

Greek Heroes, Facebook and Trust

When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother who did not want her son to die decided to dip Achilles' body into the water of a river that would make him immortal. Unfortunately, Thetis had held Achilles by the heel which was not washed over by the magic water. Achilles grew up to be a Great War hero, whose apparent invincibility had turned him into a legend. But one day, an arrow shot at him was lodged in his heel, killing him instantly.

When it comes to consumer identity, Facebook looks more and more like the Achilles' of identity. Every day, it is growing more powerful and invincible. Yet, a growing stream of concerns is gradually exposing the social warrior's vulnerability to security and privacy. Nevertheless, as a website, Facebook core usage matrix is mind-boggling:

• More than 400 million active users
• 50% of our active users log on to Facebook in any given day
• Average user has 130 friends
• People spend over 500 billion minutes per month on Facebook

However, Facebook true ambition's may well reside beyond the confine of its own Web site. If one combines Facebook Connect (authentication++), OAuth (authorization) and the Social Graph API, it is crystal clear that Facebook strategy is to become the identity fabric for the Internet. By turning the social network into an identity infrastructure, the Facebook APIs could enable an even larger business opportunity. By extending the Facebook business over external websites, the Social Graph APIs open the door to transactional business models such as Cost per action advertising, eCommerce and payment. There again, when it comes to numbers, the social network hero is showing Homeric promise:

• More than 80,000 websites and devices (including iPhone and Xbox) have implemented Facebook Connect since it launched in December 2008
• More than 60 million Facebook users use Facebook Connect each month.
• Two-thirds of ComScore's US Top 100 websites and half of ComScore's Global Top 100 websites have implemented Facebook Connect.
• Sites like the Huffington Post have seen a 500% increase in Facebook referrals after implementing Facebook Connect.
• 500,000 applications have been built on Facebook and the growth of social gaming (playdom, Zynga, Playfish, etc) is still in its infancy.

So, what could go wrong? Where could the enemy arrow strike its fatal blow to our hero? Could it be over this security glitch that exposes our chat messages to friends? Perhaps, these controversial default privacy settings that leaves our identity increasingly public? Will the threat arise from a growing reputation as a corporation trying to take advantage of our personal data to 'help itself -- and its advertising and business partners'? If there is something that could stand in the way of Facebook, it is probably Facebook itself. Indeed, the growing controversy and erosion of consumer trust surrounding Facebook privacy and security nonchalance may eventually become the Achilles' heel of the young identity giant.

Facebook is clearly an extremely innovative company and a successful platform. Of course, it must keep on running fast against the agile Twitter and the powerful Google of the world who are certainly eying with envy its privileged position as the leading Internet social platform. No doubts that the investors are placing tremendous pressure on management to drive revenue growth. Nevertheless, Facebook needs to slow down and consider the long terms implications of being the de-facto custodian of our digital lives. It must start fulfilling the responsibility that comes with millions of digital identities under management. If it is true that today's Internet generation may have less privacy concern than their elders, in the long run, consumers will not allow Facebook to manage and control their identities unless they can trust the platform.

Eventually, Facebook will have to "do the right thing" for the consumers, sometime in spite of their ignorance digital risks, and surely, despite a business model that encourages Facebook to look the other way when it comes to privacy and security. Yes, the Achilles' heel is very real, it is being exposed every week in the press, and the temptation is growing for privacy zealots and regulators who are assiduously watching the missteps. Good common business sense aside, it is time for Facebook to take responsibility and leadership for the immense security, privacy and trust challenges that our digital identities require. Maybe, it is even time for the social network to start promoting elements of security, privacy and trust within its core platform.

05/10/10 | permalink | comments [0]

Open Identity: the end of childhood, the age of assurance

This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated identity more attractive. In fact, we are hearing new compelling use cases for federation. A first example is cloud access and identity management. As enterprises shift their IT infrastructure and information to the cloud (as in IAAS, PAAS and SAAS applications), CIOs need to federate corporate identities with cloud service providers. For cloud resources, the corporate directory becomes the identity providers and the cloud services are the relying parties (and if you don't have a directory or don't want to use it for federation, Google is in the pole position to be your OP). Another interesting vertical ripe for federation is healthcare. Now that the Obama bill for healthcare has passed, one should expect a revival of health information networks (remember the RHIOs). Finally, payment, the mother of al federation, online payment, is seeing a lot of innovation too. From mobile to social games, to high assurance open identity networks led by modern payment systems such as PayPal, Amazon or Facebook could sway consumers, curb fraud and shift merchant liability where Verified by Visa has fumbled to-date.

So, what do the trusted cloud initiative, Obama's new health care bill, and next generation online payment have in common? They all require federation and stronger forms of authentication to enable trust and protect against fraud. These transactions are complex and risky. They are complex because they involve multiple independent, sometime competing organizations. Federation is needed. These transactions are also too risky because the current Internet authentication system based on name and password is too weak. High assurance identity is needed. As government and vertical industries worldwide come to the realization that their cyber security and business agenda require them to enable high assurance online transactions, federation and strong authentication will converge into new compelling trust infrastructures deployed across vertical markets.

The need for high assurance federation may provide a much needed boon for open identity technologies such as OpenID and OAuth. The point is that the adoption of a new identity management model on the Internet by consumers may require much more than single sign on, attributes exchange and authorization. As Dick Hardt put it many times, these traditional identity features are only vitamins. Most people won't go for vitamins alone. Consumers want enablement. Facebook figured that one a long time ago but tying friends discovery and activity streams to Facebook Connect. So, what is Open Identity's mojo then? I dare to suggest that the opportunity for open identity is new transaction enablement. If open identity networks can enable complex and risky transactions that are not possible online today, massive adoption will follow and altering the digital identity experience becomes palatable.

Of course, it is a security guy talking but let us consider the business model too. The business of security and trust is well understood. Credit bureaus, security companies and VISA/Mastercard have clear and compelling transactional business models. Transactional revenue model are also more compelling than advertising. The profit margins for standing in the middle of transactions as neutral third-party and enable high assurance are fairly high. Compare the addressable market to the currently minuscule market size of open identity as it stands today. Whether you look at it from a product, deployment or economic standpoint, I continue to believe that the future of open identity on the Internet rapidly is intimately linked to high assurance identity.

04/05/10 | permalink | comments [0]

Enabling all the Visas of identity

The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the National Institute of Health can now move out of pilot phase and support accredited OpenID providers.

So, what is the Open Identity Exchange (OIX)? The OIX aims at enabling specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all.

You can think of a trust framework as the policy sibling of technical standards for identity. Identity policies must be set to deal with privacy, security, and liability. Once policies have been defined, certification can emerge as the foundation for trust between all parties exchanging information. However, the type of policy needed greatly depends on the sensitivity of this information, the security risks, and many other factors, including geo-political sensitivities. Indeed, the level of trust assurance required to protect access to the energy grid, electronic health care records or social web pages is clearly not the same.

The open approach that the OIX take is attractive. The OIX does not try to set the policy rules. Instead, it creates a common framework, a shared approach that will enable different communities to create their own certification rules. It is not an easy problem. But because cyber security and key governmental initiatives depend on high assurance identity management, OIX is an important first step to get there.

03/03/10 | permalink | comments [0]

Trust assurance in open identity networks

One of key challenges in federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer to peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).

The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low assurance Web federation where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course, the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is primordial. In fact, in such environments, both the OP(s) and the RPs need to be certified.

The NIST guideline for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of insurance for e-authentication. Each level is deemed appropriate
Depending on transactional risks. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credentials strength to provide a complete answer. Open Identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globes such as man in the browser exploits, session hijacking or Web vulnerability driven exploits like mass SQL injections. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits, Web site compromises and most importantly establishes clear and enforceable privacy protection guidelines.

Trusting the OP/RP Websites: web security & business authentication

For low and medium assurance identity transactions, it seems to be that both the OP and RP website security would need to be asserted. There I think, one can learn from Internet security standard such as PCI. Even though the standard is far from being perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites to engage into ecommerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; Ports should be closed. Network services should not run outdated or un-patched software; the OP should not be vulnerable to common Web exploits such SQL injections, cross-site scripting (XSS), or Cross-Site Forgery requests (CSRF). For web application vulnerabilities, the OWASP standard that identifies the top 10 Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could re-use is the EV business authentication standard. EV certification already defines a strong process for vetting organizations and it is already widely used across the industry.

Trusting the user: beyond identity verification and credentials

As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vector for identity theft is now malware. An identity trust framework can no longer ignore the potential of a man-in-the browser attacks (Trojans, key-loggers, worms, etc). Knowing whether the end user has any end-point protection (and maybe encouraging websites to introduce out-of-band messages into high assurance identity transactions when such protection is lacking) could be of consideration.

Trusting the transaction: from activity to security streams

Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the user authenticate to commit fraud further down the session, it is important to enable OPs to leverage the knowledge of the end-user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that exclusively relies on the presence of a client on the user desktop is no more than an academic exercise), high assurance federation models need to enable the use of fraud engines techniques across RPs (most logically, run at the OP although it could be a separate). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High assurance identity networks are going to need an equivalent (think VISA of identity). An interesting idea could to leverage the concept of activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk-engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions. In high risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of activity stream that is today missing from OpenID (not from Facebook Connect) could actually be used to drive better identity theft protection. With such transactional feedback loop, a security minded OP would be able return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (VISA-like: "I will take a cut of the transaction", Credit-Bureau-like: "I will charge you for the score", Insurance-like: "I will take the liability risk").

Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet, it is critical to enable consumers worldwide to engage into shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that Identity trust assurance services could emerge as well since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance between where to set the security bar to permit a high level of automation for accreditation. Such balance is always hard to strike, but it is also what makes the challenge worthwhile.

11/05/09 | permalink | comments [0]

OpenID goes to the White House

Two weeks ago, I had the privilege to join the OpenID foundation and Information Card boards for a meeting with CIO, Vivek Kundra and his staff at the Whitehouse. The goal was to discuss the forthcoming OpenID pilot and better understand the government commitment to enabling distributed identity on the Web. Undeniably, this was a very interesting and spirited discussion.

A key take home for me was the recognition of identity as the lynchpin to new citizen-centric services, governmental IT cost reduction, and stronger cyber security. For key Obama initiatives such as citizen participation or electronic health records, identity management was described as foundational. Equally impressive was the sense of a holistic and consensual approach towards the broad deployment of trusted digital services across federal, state and local Web sites.

In particular, there is a clear view that the deployment of low level assurance identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and State web sites will provide an important training ground of relying parties. The government endorsement of OpenID is likely to prove significant. After all, if OpenID is good and secure enough for the government, it should be good and secure enough for most Web sites. Beside, once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game since high assurance identity services are pre-conditions to new strategic initiatives.

Consider health care reforms for example. To counter balance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, login and access private data across physicians, hospital, pharmacies, labs, insurance, and employers Web sites. Privacy and security concerns are high on the list. Without high assurance, clear liability models and robust shared identity services, eHealth is a non-starter.

The crawl, walk run approach to identity services that our federal government is taking may prove insightful. By restricting initial interaction to pseudonymous and low assurance level identities, federal web sites instantly provides the industry with a simple test bed to iron out the trust and privacy frameworks necessary to the deployment of large federated identity networks. User experience, privacy policy and security approach that can work for millions of consumers will have to be standardized. The liability elephant that has been haunting the identity discussion rooms will have to be tamed. No doubt that the OpenID foundation, the Information Card foundation and many other have their work cut out for the next few months.

So, keep an eye on the pilot. If all the planets keep aligning, and federated identity can prove to significantly increase user registration, an important chapter in the book of distributed identity systems may be just about to open in front of us.

09/22/09 | permalink | comments [1]

OpenID and the User-Centric Time Machine

There have been a few very insightful discussions from Chris Messina and other regarding the PIP as a secure file, so I thought I would share some of our longer-term product goals.

Today, the PIP file vault is a personal digital locker for our users to manually upload their most personal files. That by itself is not an innovation. In fact, the Web is full of personal storage services like Gmail. Online storage provides immediate and useful value, yet its usefulness is limited by the amount of work an end-user is willing to commit (uploading takes work!).

Now it is interesting to consider how this simple Web 1.0 model of personal digital storage evolves when combined with an OpenID provider. Together, can these technologies allow us to transfer and store in one single place under our control the personal files, private data and rich media content that is today spread throughout the Internet? In short, can a simple file vault become the in-cloud "time machine" of our distributed digital lifestyle?

A SAAS and device-centric view of cloud storage:

A lot has happened with network storage in the last few years. One of the most notorious disruptions is Amazon S3. I would characterize Amazon S3 as a SAAS-centric view of storage. Web applications can outsource the storage function to a highly cost-effective network that already has reached economy of scale. Obviously, it fits the Amazon economic model perfectly. Closer to the end user, we find Microsoft and Apple storage services. Their approach is similar in concept. To them, cloud storage is merely a device enhancement and synchronization is their lingua Franca (iSynch for Apple, Live Mesh for Microsoft). The concept certainly has merit for users with data spread across multiple devices. However, this is a very device-centric view of the world. It fails to realize that increasingly, our critical data resides across many Internet Web Sites with no ability to synch.

A user-centric viewpoint: centralized storage for distributed private data

So, what happens now when one looks at storage with a Web 2.0 user-centric view instead of the cloud-centric view of Amazon, and the device-centric view of Microsoft and Apple? One sees independent, distributed and sometime competing Web services. Through these services, users store personal information, create new data, and acquire digital content. Some of that content is low value and can be left behind. Some of his data is social in nature and is probably best shared with our Facebook friends. However, some of this data is also highly confidential and personal in nature. In that case, we, the end user, should be able to request its safe transfer, and backup to a digital locker that we fully control (the OP).

Towards a "Locker Connect" mechanism

Using the OpenID and OAuth models, such private data transfer can be authenticated and authorized by the end-user (although the data flows from the RP to the OP). The locker network end point address can be discovered as any identity attribute would. Finally, a user interface ala Facebook Connect can provide a friendly user experience while ensuring a user-centric control point (the user controls what, where, when and if the data is being sent).

The "wow" effect

The use cases certainly sound unlimited. Think digital health care and the $20B stimulus package: whether I am accessing my doctor, hospital, lab or pharmacy Web sites, I can now authenticate across all health service providers and authorize the audited transfer of personal health records back to my locker. Think rich media content: I can now purchase digital music, movies, or books across multiple e-tailers and have the bits (or maybe just the digital rights) sent back to my locker. Think payment and billing: please, send all my purchase and online statements back to my digital locker.

Yes, we can! With data portability and OpenID, a simple file vault can grow into a much more compelling personal identity service. And who knows. With security and private storage, we may even have a real business model!

02/22/09 | permalink | comments [0]

FaceBook Joins OpenID: Goodbye OpenID, Bonjour Open Connect?

Great news for OpenID aficionados, the largest identity social network is embracing OpenID. With 221M users, one could easily conclude that OpenID has just received the stimulus package that it needed to finally achieve critical mass. But, what does it really mean for OpenID? While we are all looking forward to the day FaceBook becomes both an OpenID provider and relying party, the initial impact is more likely to be a significant change in the OpenID user interface. As shown, here and there, is clear that from a UI standpoint, Google and FaceBook are converging in terms of how to achieve login and exchange of personal data across relying parties and social networks.

While FaceBook will likely integrate OpenID as the "alternate" login method for FaceBook Connect, Google and its followers will do the same with Open Social and Google Friends Connect (in the case of Google, you may also get the friendly Yahoo!, MySpace and AOL followers). By becoming the alternate login method (but a more obscure one), the risk for OpenID is to be relegated to the level of OAuth and SAML as authentication protocols without any consumer brand recognition. Alternatively, OpenID may rise above the "open stack" plumbing to become the network mark that ensures interoperability across the FaceBook and Google networks. That my friend, is of course politics, but with a Facebook on board, it would appear that this week, this old chimera of federated Internet identity may have made a significant leap forward.

02/12/09 | permalink | comments [0]

New PIP Feature: Add any Site to your 1-Click Sign-in List

This week, the PIP team is releasing an improved version of the 1-click sign in. The great news is that PIP users are no longer restricted to our small initial list of supported sites. Indeed, you can now add any of your favorite sites to your 1-click list (with a few caveats such as pure flash sites). Over time, we will monitor the most popular sites being added and we will include them to the default 1-click list.

This is great news for PIP users, especially for the non-US community who is no longer limited to our choice of sites (I must confess that our initial list was very US-centric). By the way, kudos to the PIP engineering team: doing all this in JavaScript without any browser plug-in is a real engineering "tour de force". Also, the team also improved the UI and performance of the bookmarklet window. Note that you will be prompted to re-install the 1-click bookmarklet.

The Internet is getting easier. Happy 1-click navigation!

01/11/09 | permalink | comments [0]

My OpenID New Year's Wish List

01/03/09 | permalink | comments [0]

The New Personal Identity Portal (PIP)

08/20/08 | permalink | comments [0]

Federation 2.0: In Search of a Switzerland for Identity Portability

05/27/08 | permalink | comments [0]

Friend Connect or the Deportalization of Social Networks

05/19/08 | permalink | comments [0]

The Business of Identity

03/18/08 | permalink | comments [0]

Bringing Useful Scalable Security to OpenID

06/22/07 | permalink | comments [0]

OpenID IPR: Past and Future

06/18/07 | permalink | comments [0]

VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace

02/06/07 | permalink | comments [0]

My Identity on Rails

06/22/06 | permalink | comments [0]

Forward Looking Design Decisions

06/20/06 | permalink | comments [0]

The Identity Necklace

06/19/06 | permalink | comments [0]

Introducing the VeriSign Personal Identity Provider (PIP)

05/16/06 | permalink | comments [0]

Working Toward the Bang

05/12/06 | permalink | comments [0]

Sxip's Fourteen Requirements

02/17/06 | permalink | comments [0]

Drummond Reed on Anonymous Single Sign On

02/13/06 | permalink | comments [0]

Human Beacons

02/13/06 | permalink | comments [0]

The Seventh Law of Identity

02/06/06 | permalink | comments [0]

URL-based Identity and the Fourth Law of Identity

02/06/06 | permalink | comments [0]

OPML and URL-Based Identity

11/28/05 | permalink | comments [0]

Yadis and URL-Based Identity

11/07/05 | permalink | comments [0]