Protecting Internal APIs — Is OAuth Ready For Its Closeup?

Two years ago, the OAuth API protection mechanism was a fairly well-kept secret. It actually won an award at the 2009 European Identity Conference for "best new/improved standard," but most people didn't seem to have figured out what it was good for yet; I felt like I was the only one even talking about it.

Fast forward a bit, when Facebook started using an early draft of OAuth 2.0 in its Open Graph-based platform, and then a bit more, when Twitter started requiring OAuth 1.0a use by third-party developers (known amusingly as the OAuthcalypse), turning off the HTTP Basic authentication option. And now we're in a world where cloud developers talk casually about the "open API economy" and the ease of getting work done by building RESTful apps, and OAuth is making star appearances in recent gatherings of influential software architects and developers I've attended, such as The Experts Conference and the Internet Identity Workshop.


Identity Assurance Means Never Having To Say “Who Are You, Again?”

A decade after launching the SAML standard and seeing its, shall we say, stately pace of adoption, it’s wild to see real single sign-on and federated attribute sharing starting to take off for social networking, retail sites, online gaming, and more — not to mention seeing the US government starting to consume private-sector identities on citizen-facing websites.

Last week, we published a report on Outsourcing Identity Assurance. In it, I examine this “Government 2.0” effort, including the National Strategy for Trusted Identities in Cyberspace (NSTIC), and its innovations around identity assurance, and the confidence you can have in the real-world verification of the identity you’ve been given by an identity provider. We’re predicting you’ll see new Web 2.0-ish ways to outsource identity verification in the coming three years, driven by use cases like e-prescribing, high-value eCommerce, and even online dating.


CardSpace Is Dead. Long Live Back-Channel Access.

Microsoft announced during last week's RSA conference that it would not be shipping Windows CardSpace 2.0. A lot of design imperatives weighed on that one deliverable: security, privacy, usability, bridging the enterprise and consumer identity worlds – and being the standard-bearer of the "identity metasystem" and the "laws of identity" to boot. Something had to give. What are the implications for security and risk professionals?

The CardSpace model had nice phishing resistance properties that cloud-based identity selectors will find hard to replicate, alas. But without wide adoption on the open Web, that wasn't going to make a dent anyway. We'll have to look for other native-app solutions over time for that.


OpenID, Successful Failures And New Federated Identity Options

If you're a security and risk professional in charge of protecting consumer-facing applications, you may have heard that OpenID is a “toy,” or it's an insecure protocol, or other critiques. And then here comes the recent news that former early adopter 37signals is dropping its OpenID login support, which has occasioned some soul-searching in the Web 2.0 identity community. Check out commentary from Scott Gilbertson of Wired's WebMonkey, Dare Obasanjo, and reaction from “social login” vendor JanRain.

When OpenID appeared on the scene, more robust solutions based on SAML had been well under way for many years and were seeing adoption, but only in scenarios involving limited circles of trust — typically point-to-point enterprise outsourcing scenarios and specialized higher-education communities — rather than in broad-based consumer populations.
