Playing with Fire

Even as the infrastructure around Information Cards and other user-centric and/or federated identity initiatives grows and matures, other groups & technologies are trying to solve the same problems. Browsers have had password managers forever, for example.

Browsers, however, do not travel to the service whose passwords you have entrusted to them and actually authenticate in order to farm your accounts for information.

This service does, however:

We already have RSS feeds – why not account feeds? These guys figure that if we just give them all of our usernames and passwords for all of our silos, they can give us a one-page dashboard of all of our bank balances, point balances, incoming email, you name it. Well actually, they name it. Because they can take whatever they want out of your account. Best part is: they reserve the right to use that data to market things back to you. But hey – you don’t have to enter your password when you go to any of the aggregated sites…

I have no problem with the general idea. I know people who would love to see all of their numbers from all of their investments, etc., all on one page, including a handy little “login now” link for the website of each institution. What I do have a MASSIVE problem with is the underlying technology used to achieve this end.

The whole site is based on credential management. You give this company complete access to your bank accounts, and they give you a pretty aggregated screen back. They authenticate as you and pull out whatever information they want, with no controls, no visibility into what they are doing while authenticated, and the obvious ability to make programmatic use of your credentials as often as they wish. You give it all to them, completely at the mercy of their ethics, business practices, and technological failsafes. Such a scheme benefits neither side of the transaction.

To me, this is a perfect illustration of the long-term future of federated identity. You want an aggregated account feed? Authorize a specific service to request a specific amount of information from your account. Want a handy login link? No problem: part of the information you can give the aggregator is your relying party endpoint, and next thing you know, you are asked to directly authenticate to the site in question, in a consistent fashion, using credentials that you trust and that only you possess. Perhaps you don’t even need to do that – perhaps the aggregation site participates in a ‘circle of trust’ that means you can seamlessly travel to your bank site. Chances are this won’t happen, though, and for very good reasons: chances are banks may not trust the aggregation site. If they do trust the aggregation site, you can bet there is legal work backing that trust relationship up. What legal work backs up a user who gives their credentials away to a third party? There is no difference in user experience – but a world of difference in risk mitigation, in transactional repudiation, in auditability, heavens, pick any security or privacy buzzword, and it probably applies.
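To make the difference between the two models concrete, here is an added example (my own constructed code, not anything from the post or from the aggregation service it discusses). It models a toy “bank” that exposes the same account operations under both schemes: a password session, which carries every permission and is indistinguishable from the user in the audit log, and a delegated grant issued to a named client with a specific set of scopes, an expiry and a revocation switch. The scope names, the `Bank` class, the client name `aggregator` and the user credentials are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed scope names for the demo; real deployments define their own.
ALL_SCOPES = frozenset({"read:balances", "read:transactions", "transfer"})


class Denied(Exception):
    """Raised when a request lacks the required scope or the grant is dead."""


@dataclass
class Grant:
    client: str          # who the user authorized (the user itself for a password session)
    scopes: frozenset    # what that client may do
    expires_at: float    # unix time after which the grant is dead
    revoked: bool = False


class Bank:
    """Toy resource server supporting both access models side by side (constructed)."""

    def __init__(self, username, password):
        self._username = username
        # Plain SHA-256 keeps the demo self-contained; a real system uses a slow KDF.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._balances = {"checking": 1200.50, "savings": 5000.00}
        self._sessions = {}   # token -> Grant, for password sessions and delegations alike
        self.audit = []       # (actor, action, allowed) for every request

    def login(self, username, password):
        """Model 1: whoever holds the password becomes the user, with every scope."""
        ok = username == self._username and hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), self._pw_hash)
        self.audit.append((username, "password-login", ok))
        if not ok:
            raise Denied("bad credentials")
        tok = secrets.token_urlsafe(32)
        # The bank cannot tell an aggregator holding the password apart from the user.
        self._sessions[tok] = Grant(username, ALL_SCOPES, time.time() + 3600)
        return tok

    def grant(self, client, scopes, ttl_seconds):
        """Model 2: the user delegates a named subset of scopes to a named client."""
        unknown = set(scopes) - ALL_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        tok = secrets.token_urlsafe(32)
        self._sessions[tok] = Grant(client, frozenset(scopes), time.time() + ttl_seconds)
        self.audit.append((client, "grant:" + ",".join(sorted(scopes)), True))
        return tok

    def revoke(self, client):
        """The user withdraws a delegation without changing their password."""
        hits = [g for g in self._sessions.values() if g.client == client and not g.revoked]
        for g in hits:
            g.revoked = True
        self.audit.append((client, "revoke", True))
        return len(hits)

    def _authorize(self, token, scope, now=None):
        now = time.time() if now is None else now
        g = self._sessions.get(token)
        actor = g.client if g else "unknown"
        allowed = g is not None and not g.revoked and now < g.expires_at and scope in g.scopes
        self.audit.append((actor, scope, allowed))   # every access is attributable
        if not allowed:
            raise Denied(f"{actor} may not {scope}")

    def balances(self, token, now=None):
        self._authorize(token, "read:balances", now)
        return dict(self._balances)

    def transfer(self, token, src, dst, amount, now=None):
        self._authorize(token, "transfer", now)
        self._balances[src] -= amount
        self._balances[dst] += amount
        return dict(self._balances)


def attempt(fn, *args):
    """Run a bank call and report whether it was allowed."""
    try:
        fn(*args)
        return True
    except Denied:
        return False


def run_demo():
    """Exercise both models on constructed data and return what each one allowed."""
    bank = Bank("alice", "correct horse battery staple")   # constructed credentials
    out = {}
    # Model 1: the aggregator holds Alice's password. Reads and transfers both go through,
    # and the audit log attributes all of it to "alice".
    pw_tok = bank.login("alice", "correct horse battery staple")
    out["password_read"] = attempt(bank.balances, pw_tok)
    out["password_transfer"] = attempt(bank.transfer, pw_tok, "savings", "checking", 100.0)
    # Model 2: Alice delegates only balance reads to a named client for ten minutes.
    agg_tok = bank.grant("aggregator", {"read:balances"}, 600)
    out["grant_read"] = attempt(bank.balances, agg_tok)
    out["grant_transfer"] = attempt(bank.transfer, agg_tok, "savings", "checking", 100.0)
    out["grant_read_after_expiry"] = attempt(lambda: bank.balances(agg_tok, now=time.time() + 601))
    bank.revoke("aggregator")
    out["grant_read_after_revoke"] = attempt(bank.balances, agg_tok)
    out["actors_in_audit"] = sorted({actor for actor, _, _ in bank.audit})
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is structural rather than cryptographic: with a shared password the bank has no way to limit, attribute, expire or selectively revoke what the aggregator does, whereas a scoped grant gives the bank and the user all four, and the audit log names the aggregator rather than the user.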

What do these guys have? They have a beautiful, easy-to-use interface. They solve a problem that many people are eager to have solved. They have some fancy logos in their footer that show they at least get the fact that what they are doing had better damn well be secure. But – in my opinion, they are basing all of this on a foundation that is quickly tilting sideways.

The whole “give us your account credentials” trend, whether it be for social networking or any other kind of data aggregation, is a serious problem. Allowing such practices to gain a foothold in users’ minds as a valid practice simply because they are starting with “inconsequential” data is a surefire way to make future battles a lot tougher to fight in this area.

The good news is, this site is yet another validation of what the user-centric identity folks have long said. Silos are bad. People hate them. They want their online lives to improve, and they want improvement now, not in 5 years. The bad news is, if we don’t galvanize our industry into wholesale participation in providing an alternative in the near future, this site serves as an exact answer to where the world will go.

5 thoughts on “Playing with Fire”

  1. Pingback: Links » OAuth

  2. I couldn’t agree more — I’ve been meaning to write up some semi-literate article about this myself. In my opinion, one of the main problems with this is that the user community has been poorly educated about credential management and conditioned to ignore or not consider the security problems posed by this. Admittedly, you need a fairly solid understanding of electronic security concepts before the “attack” itself is evident.

    The less sophisticated web users are not even going to recognize that divulging their Google, Hotmail, Yahoo! or even bank credentials to a third party is a bad idea because it isn’t always obvious that it is a third party. You pretty much have to know that there is no solution to this problem to understand that there is a problem at hand.

    Simply put, we’ve dumbed things down so much in the media and education system that folks simply don’t understand how this works and therefore cannot see the issues or risks. They are told to trust the pop-up dialogs that warn about this and that, but they are not really understanding the underlying security mechanism, so they are not in a position to see when they are broken or (worse) being exploited.

  3. Pingback: SlashID Blog » Blog Archive » Business Model of Identity Management

  4. Hello Pam. I am new to your blog. With articles like this, I am quickly becoming a fan. When I think about Pageonce, I ask myself “Grant, would you trust any accounts to Pageonce?”. I am able to answer yes, though certainly not all accounts. Is it the same for you? That is interesting in itself. I have to think about that.

  5. Pingback: PageOnce Beta: Two Lattes Left On My Starbucks Card « PhilSpace
