WebProNews

Tag: OpenID

  • Biden Taps Open Source Dev David Recordon As White House Director of Technology

    The Biden transition team has selected David Recordon as the next White House Director of Technology.

    Recordon is well-known in the open source community. He is one of the developers behind OpenID and OAuth, has served as Engineering Director at Facebook, and even served as the first Director of White House Information Technology under President Obama.

    Recordon made the announcement of his appointment on LinkedIn:

    I’m honored to have the opportunity to join the Biden-Harris administration’s White House senior team and am excited to both rebuild past and create new relationships with the incredible teams of career civil servants, active duty military members, and intelligence professionals who make technology work day in and day out for such an important set of missions. The pandemic and ongoing cyber security attacks present new challenges for the entire Executive Office of the President, but ones I know that these teams can conquer in a safe and secure manner together.

    Given his vast prior experience, it’s a safe bet Recordon will be well-equipped for his new role.

  • Google’s Open Web Advocate Talks White House Web ID Plan

    As previously reported, the White House is working on a "National Strategy for Trusted Identities in Cyberspace" or NSTIC, in which it has placed the Commerce Department in charge of an "Identity Ecosystem". The initiative has drawn a mixture of praise and criticism, and judging by our own readers’ comments, there is a whole lot of criticism. More on this here.

    We had a discussion on the subject with Chris Messina, Google’s Open Web advocate. Messina was there when the plan was revealed, and is rather knowledgeable in the subject of online identity (besides working for Google, he’s on the board of the OpenID Foundation, and has worked with Mozilla to produce a concept on implementing identity in the browser called "The Social Agent"), which is why we felt he would be a good person to share his views on the strategy.

    "As it stands, I can see why people are angry or confused, but, while vague, the NSTIC isn’t as bad as people seem to think — the fact that it’s being run out of commerce means that the government is looking for innovation and competition — not to own these identities," Messina tells WebProNews. "Of course I can’t say what this means about surveillance and security, but anyone who uses a cell phone or hosted email should already understand that they’re susceptible to government wiretaps and data seizure — oftentimes without needing to be informed (Twitter is the rare exception recently). Anyway — if you can pick an identity provider that’s certified to meet certain criteria and that you also trust — that seems win-win to me."

    What the government has suggested appears to be the use of platforms like OpenID. "We need a vibrant marketplace that provides people with choices among multiple accredited identity providers – both private and public – and choices among multiple credentials," said Cybersecurity Coordinator and Special Assistant to President Obama, Howard A. Schmidt, upon the announcement of the plan. "For example, imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. Such a marketplace will ensure that no single credential or centralized database can emerge."

    "The government’s NSTIC plan is designed to promote OpenID and other existing (and not-even-invented) initiatives," explains Messina. "In fact, the NSTIC was written with input from many of these groups including the OpenID Foundation. It went through an open comment period as well — so it’s not as if many of these concerns weren’t raised before. Since the final draft of the NSTIC hasn’t been released yet, I expect many of them will be reflected in the final draft."

    "The NSTIC calls explicitly for the creation of an ‘identity ecosystem’ — fancy words for saying ‘we don’t want a system where there’s only one identity provider’ (least of all the government!)," Messina continues. "Now, one of the challenges with creating an ‘ecosystem’ is that you end up with potentially non-interoperable solutions, leading to consumer confusion and frustration (think: ‘Sorry, we don’t accept American Express here’). So while the government intends to rely on private industry to develop the technologies and protocols — such as OpenID — that will enable this ecosystem, I believe that the government has a role in placing pressure on the industry to eventually select a set of standards we can all live with."

    "I, for one, would prefer to avoid a government-developed identity standard at a time when industry is rapidly innovating in this space and wants to solve this problem as much as — if not more than — government does," he adds. "But I also know that there are a lot of vested interests that would love to have their pet protocol selected as the gold standard here (pun intended) and that’s going to require leadership, persistence, and an open process so that the best solution(s) to the problem eventually shake out from several years of competition and experimentation."

    A common concern expressed by the public has been along the lines of: a single username and password for all sites is a bad idea, and is not secure, compared to having many usernames and passwords.

    "The user’s concern is valid," says Messina. "One username and password for everything is actually very bad ‘security hygiene’, especially as you replay the same credentials across many different applications and contexts (your mobile phone, your computer, that seemingly harmless iMac at the Apple store, etc). However, nothing in NSTIC advocates for a particular solution to the identity challenge — least of all supporting or advocating for a single username and password per person."

    "In reality, different applications require different levels of security, and different behaviors require different kinds of protections," he says. "As Howard A. Schmidt pointed out, for many people, you don’t necessarily want to use the same password that you use for Facebook that you do for your bank. For someone like me, however, where my social media presence is both very important and valuable to me, I want to protect all of my accounts — financial and social networking — equally. So there’s no one-size-fits-all solution, but that’s closer to the reality today — where I as a user often DON’T have a choice about how strong the security deployed to protect my accounts is — versus the future, where we’ll have an ecosystem of identity providers all offering different kinds of protections."

    "To restate this point: when I sign up for an account today, why can’t I choose to log in everywhere with my Google account and then rely on Google’s anti-fraud and second factor authentication features to protect my account? Or, if I’d prefer to use someone other than Google, why can’t I use them instead, and rely on, say, their biometric security features?"

    "Until a competitive marketplace and proper standards are adopted across industry, we actually continue to have fewer options in terms of how we secure our accounts than more," he says. "And that means that the majority of Americans will continue using the same set of credentials over and over again, increasing their risk and exposure to possible leaks (see: Gawker)."

    In the comments section of our previous article, one reader asked who would be responsible "WHEN (not if)" the systems proposed get hacked. 

    "Going back to my previous point, if we truly arrive at a user-centric ecosystem, then the party that you choose to represent you as your identity provider will be responsible should anything happen to your account," says Messina. "And I hope that people actually choose their identity provider carefully, and based on the steps that they take to secure your account and keep it safe."

    "A user-centric model demands that users be in charge of selecting their identity provider, and that this free choice creates a competitive marketplace where identity providers compete for customers," he adds. "If one provider has lax security or onerous identity proofing requirements, the market will ideally reflect that situation by rewarding or punishing them economically, leading to user-positive improvements. Some of this does depend on users having some understanding of what’s at stake when it comes to their online identities and profiles, but just as people safeguard their cell phones today, I think people will feel similarly protective of their online accounts in the future (if they don’t already) and will look for ways to keep those accounts safe and secure."

    As we reported before, there doesn’t appear to be anything in the NSTIC indicating that people will be required to use ID systems spawned by the initiative – a point that some people may have overlooked.  

    "The last thing that I’ll add — which itself is controversial — is that this whole system, at least at the outset, will be voluntary and opt-in," Messina says. "That means that if you don’t want the convenience of not having to use passwords anymore, you won’t have to. If you’re okay rotating your passwords and maintaining numerous discrete accounts across the web, that’s cool too. I don’t think a mandatory system would succeed — at least not without proving its security, stability, convenience, and utility over several years."

    "Furthermore, the fact that this initiative is being run out of the Commerce Department, which has an interest in stimulating growth, business, and innovation, means that we hopefully won’t end up with a set of technologies designed only by security wonks that are completely unusable by regular folks, but that the market will see the exploration of a number of different competitive solutions, and from them, a few will stand out as leading the way forward."

    "I am hopeful that NSTIC, at the very least, is raising these issues at a critical time on the web — where the future of competition for who owns your identity online is in question," Messina concludes. "My hope is that we arrive at a place where people have a choice, and they can go it alone as steadfast libertarians might prefer, or they can choose to get some assistance from the Googles and Facebooks of the web in dealing with this increasingly important issue."

    Speaking of Facebook, any system – existing or spawned from NSTIC – will have a hell of a time competing with Facebook for "owning" users’ online IDs. Facebook has nearly 600 million users worldwide, according to recent estimates, and has a pretty big competitive advantage with its Open Graph and Facebook Log-in features already implanted firmly across many sites around the web.

  • Flickr Moves To Accommodate Google IDs

    Yahoo-owned photo-sharing service Flickr is getting more flexible with regards to how users can sign in.  The site has started to support OpenID, and Google is its first partner in this endeavor.

    "This feature will allow people to sign up for new Flickr accounts by using an existing Web account via OpenID, starting initially with Google as the first partner service.  Google users will be able to register by linking their accounts with Flickr and then will be able to use their Google ID every time they log-in to their Flickr account," a Flickr representative explained in an email to WebProNews.

    And that’s plenty interesting.  Plenty smart, too, since it could convince a few more people to start playing with the site.  But there’s one other aspect of this development worth noting.

    The representative added, "In 2008, Yahoo! became the largest provider of OpenIDs in the world when 100s of millions of Yahoo! users were first given the ability to use their trusted Yahoo! ID to log in to any site on the Web that accepted OpenIDs.  Now, with today’s announcement Yahoo! is for the first time becoming a ‘relying party’ . . ."

    So it looks like Flickr and Yahoo are being accommodating in more ways than one.

    Additional sign-in tweaks and improvements are supposed to be on the way, as well.

  • Google Lets Users Sign Up With Yahoo Accounts

    Google has announced that it is now using OpenID for its signup process. Yahoo users can sign up for a Google Account with their existing email address. 

    Google says that "a much larger number of people" complete the email verification process when OpenID is used. 

    "Some websites use the OpenID standard so that users don’t even need to type a password to sign in," says Tzvika Barenholz of Google’s Internet Identity Team. "While Google does not yet support the usage of OpenID for replacing passwords on its own sites, we are involved in the OpenID community’s efforts to research how to best implement that type of support."

    When a Yahoo user signs up, they will see the following page, and when they click the verification button, they will get the page under that from Yahoo.

    [Screenshot: Google OpenID - Verify by signing in at Yahoo.com]

    [Screenshot: Sign in with Yahoo]

    "Other websites that need to verify a user’s email address can also implement this technique using Yahoo!’s OpenID API," says Barenholz. "In addition, it can be used to verify the addresses of Gmail and Google Apps users because those email systems expose the necessary APIs for OpenID. For example, Plaxo is one of the many websites that takes advantage of this feature of Gmail and Yahoo! Mail."

    Google is currently only offering the OpenID feature for Yahoo users, but it intends to expand support to other services.

  • How Open Web Developers Are Trying to Make Social Media Better for You, the User

    Last week, a new open protocol called OExchange was released with the aim of simplifying sharing. Right out of the door, it had names like Google, Microsoft, and LinkedIn signed on. WebProNews spoke with Google’s Open Web advocate, Chris Messina, about how the protocol could benefit businesses and site owners.

    "There are a couple different ways to look at this as a website owner," he told us. "If you already use a sharing service like AddToAny, ShareThis, or AddThis, you might not notice much difference. However, OExchange makes it easier for those service providers to support less well-known sharing services. As such, that means that site owners may see a boost in attention from a wider audience than before."

    He said that "because this may give rise to a long-tail of sharing providers, it’s possible that content will be shared across a wider and more diverse audience than before."

    OExchange is just one of a handful of open protocols that are being harnessed to smooth out the social web, and make for a more seamless user experience from site to site. Others include OpenID, OAuth, Webfinger, ActivityStrea.ms, PubsubHubbub, and Salmon.

    Google is playing a large role in the advocacy of these open protocols. Google Buzz, for example, places a great deal of emphasis on the kind of openness they provide, and the kind of openness that is frankly lacking from the much more popular (at least in terms of user count) "Open" graph of Facebook – by far, the largest social network.

    At Google I/O last month, WebProNews spoke with Joseph Smarr of Google’s technical staff about various open protocols and how they can help websites. He does a pretty good job of putting it into terms the non-techie can probably understand:

    "If you’re a webmaster and you’ve got a new site and you want people to check it out, you want to limit that friction as much as possible, right? You want to make it super easy for people to come and find out about who you are," says Smarr.

    "It’s going to be better for you, and it’s going to be better for your users, who are going to have a much more convenient time," he says.

    Smarr also makes an interesting point about the web in general. "The web started with the right open standards. You know, HTML and HTTP, and then anybody could just stand up a new webserver, and anybody could link to it, and that’s what allowed that incredible innovation to happen. So we basically want to get that same set of building blocks right on the social web…"

    As Messina told us upon the launch of OExchange, "the benefits of any open protocol or technology really only offers dividends when it becomes widely adopted by many providers."

    We also have an interview from Google I/O with Messina we will be posting on our Video Blog before long.