Posted 12:55 PM (3) comments

The WHERE in IdM

I was on a teleconference with O'Reilly Group's Tim O'Reilly and Nat Torkington discussing the upcoming Where 2.0 Conference which will focus on mapping and location technologies when a thought occurred to me - could location be a factor in a multi-factor authentication scheme?

The "where" of IdM has often referred to the platform or device that someone was using to access a resource, but suppose a GPS was used in order to indicate the physical location of the user?

For a cell-phone user, the GPS might not be needed if the location of the cell tower was "close enough" (i.e., area of a city rather than street address).

I could see this being used in a graded authentication scheme to reduce or deny access based on a possibly adverse location (e.g., someone trying to access a Pentagon database from Uzbekistan).

I don't know if there are any products that do this, if any or planned or if it's even feasible - but it's worth a thought.

Posted 5:40 PM (0) comments

YAPIDS: Yet Another Personal IDentity Scheme

Jamie Lewis points to OpenID (with a tip of the hat to Doc Searls). This new, non-proprietary, "anyone can do it" ID scheme is built around URLs and a "home server" which can send out information to sites you specify.

In some ways it's Sxip without the verified ID server (OpenID has non-verified servers). Or SMBmeta with a more focused Identity purpose. (Sadly, SMBmeta appears to have fallen by the wayside)

OpenID's originator, Brad Fitzpatrick, points to mIDm as a very similar package.

While I didn't go through all of the technical specs for OpenID, a quick glance appears to show that it would be a haven for phishers as they try to entice identity information from the unwary. It is simple and easy to use, but it also seems very easy to abuse.