street conf overview
Internet Identity
November 2011
Updates
1. Account Chooser: Simplify SignIn/Signup on the web
2. OAuth2/OpenIDConnect: Eliminate password reuse (one password)
3. Identity verification: CHOOSE to share your VERIFIED legal identity (name/address) with a site
4. Strong authentication: Secure the "one password" with additional protection
1. Account Chooser
• accountchooser.com
• Working group in OpenID Foundation
  o NOT protocol specific
  o Current version is site specific
  o Next version is global to the browser
• Implemented in products such as Janrain Engage and Google Identity Toolkit
• Google replacing its own login box
  o opt-in by searching for "account chooser experiment"
2. OAuth2/OpenIDConnect
• oauth.net (OAuth2 in particular)
• ONE protocol for identity in the cloud = OAuth
  o On-premise systems still use a mix
  o Protocol supports many use cases
    Federated Login = OpenIDConnect
• Simpler story for developers
  o Use OAuth for identity in the cloud
  o Web services friendly (REST/JSON)
  o OpenIDConnect is OpenID v2 rebuilt on OAuth
3. Identity Verification
• How do you PROVE you are not a dog on the Internet?
• What if you WANT to share your legal identity (name/address) with a site so you can access...
  o Your online medical records
  o Your Social Security, Tax, etc. records
  o Your utility records
  o Premium content you have paid for
  o ...
Behind the scenes
1. How was the user's identity verified?
2. What is the business model?
3. How was the user's login authenticated?
Identity verification
• Done via attribute providers
  o Some already have a verified identity for the user
  o Others will perform the verification from scratch
• ID/DataWeb demo
  o Shown at the OIX event
Postcard code technique
• Common approach
  • Social Security Administration
  • Hospitals
  • Google Maps
  • etc.
• Big difference
  • Previously it was once per site (and costly)
  • Now it is once per person
    o Better usability (for 2nd, 3rd, ... site)
    o Lower cost (cost spread across sites)
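The verification step behind the postcard code technique, as an added example (not code from the slides or from any of the providers named): the attribute provider mails a one-time code to the claimed address, stores only a salted hash bound to that address, and accepts the code once, within a validity window and a bounded number of attempts. The code length, 30-day validity and 5-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

ALPHABET = string.ascii_uppercase + string.digits  # assumption: 8-char alphanumeric code
CODE_LEN = 8
VALIDITY = timedelta(days=30)   # assumption: postcard must arrive and be entered within 30 days
MAX_ATTEMPTS = 5                # assumption: lock the pending verification after 5 wrong guesses


@dataclass
class PendingVerification:
    user_id: str
    address: str        # the address the postcard was physically mailed to
    code_hash: str      # only a hash is stored; the plaintext code exists only on the postcard
    salt: str
    expires_at: datetime
    attempts: int = 0
    verified: bool = False


def _hash(code: str, salt: str, address: str) -> str:
    # Bind the code to the claimed address so it cannot be redeemed against a different address.
    return hashlib.sha256(f"{salt}:{address}:{code}".encode()).hexdigest()


def issue_postcard_code(user_id: str, address: str, now: datetime):
    """Return (code_for_postcard, record_to_store). The code is generated with a CSPRNG."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    salt = secrets.token_hex(16)
    record = PendingVerification(user_id, address, _hash(code, salt, address), salt, now + VALIDITY)
    return code, record


def verify_postcard_code(record: PendingVerification, submitted: str, now: datetime) -> str:
    """Check a code the user typed in; every outcome is a distinct, auditable status string."""
    if record.verified:
        return "already-verified"        # one-time use: a code is never accepted twice
    if now > record.expires_at:
        return "expired"
    if record.attempts >= MAX_ATTEMPTS:
        return "locked"                  # brute-force guard: stop counting, require a new postcard
    record.attempts += 1
    candidate = _hash(submitted.strip().upper(), record.salt, record.address)
    if hmac.compare_digest(candidate, record.code_hash):   # constant-time comparison
        record.verified = True           # address now counts as verified once, for any consenting RP
        return "verified"
    return "wrong-code"
```

Once `verified` is set, the provider can assert the address to each relying party the user consents to, which is the "once per person" property the slide contrasts with per-site postcards.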
Business Model
• User consents for the site (UserIDTV) to see their address
• Site does not get ACTUAL address until they pay the attribute provider
  o Fee is decided by attribute provider
  o Site decides what attribute providers to support
• Significant interest as shown by the OIX event
  o Government RP's could use this model as well
• ID/DataWeb and Google are ready for pilots now
  o Other IDPs and Attribute Providers are expected in the future
4. Strong authentication
Secure the "one password" with additional protection
User Authentication
Authentication as an attribute
Same API calling mechanism to get street address can also be used to learn how the login session was authenticated
• $2/user/year for verified address
• $5/user/year for address + OTP
• $10/user/year for address + certificate
• $20/user/year for in-person verification + certificate
• etc.
Who will handle authentication?
• Big consumer IDPs making some progress with OTPs
• Revenue potential is attracting other companies
• Mobile carriers are a common example
Phone purchase process
• Bonnie orders a new phone online
• Consents for carrier to
  o be her street address attribute provider for address
  o be her authentication provider
• Bonnie's new phone arrives
  o Turn it on, unlock it
  o Mail/Addressbook/etc. syncs automatically
  o Browser logged into account using device ID
  o Bonnie visits an RP and it detects the strong authentication (for a fee)
• Simple user experience + powerful security
Summary
1. Account Chooser: Simplify SignIn/Signup on the web
2. OAuth2/OpenIDConnect: Eliminate password reuse (one password)
3. Identity verification: CHOOSE to share your VERIFIED legal identity (name/address) with a site
4. Strong authentication: Secure the "one password" with additional protection