Mashing Up with UserCentric Identity - PowerPoint PPT Presentation

Slides: 22
Provided by: johnp2

Transcript and Presenter's Notes



1
Mashing Up with User-Centric Identity
  • America Online LLC
  • John Panzer, Praveen Alavilli

2
Web 2.0
  • Data Sharing
  • Social Collaboration
  • Perpetual Beta
  • Incremental Evolution
  • Web as a Platform, and
  • Users in Control

3
Mashup
  • Wikipedia: "a website or application that
    combines content from more than one source into
    an integrated experience."
  • API1 API2 APIN
  • Netvibes.com, imified.com, etc

4
Role of Identity
  • Well ... to identify the user for ...
  • Personalization
  • Authorization / Access Control
  • Communication
  • Content Publishing
  • Maintaining Public Identity across Providers

5
But it is also
  • A barrier to entry
  • Registration drop off
  • ID fatigue among users
  • Expensive to maintain authentication
    infrastructure

6
Online Identity
  • Lives moving online
  • Virtual world identity != physical world identity
  • Fragmentation of identity across services
  • Limits value of services (network growth slowed)
  • Not necessary to bind identity and services
    together

7
User-Centric Identity
  • Providing user choice
  • Privacy protecting
  • Easy to adopt & use
  • Allowing collaboration
  • Supporting Long Tail applications
  • Internet scale

8
Open Protocols
  • Community driven
    • OpenID
    • CardSpace
    • Liberty (SAML)
  • Single Provider
    • Yahoo! BBAuth
    • Google Account API
    • AOL OpenAuth

9
Challenges w/ Adoption
  • Platform/OS dependencies
  • Programming language support
  • Too many APIs/protocols
  • Complex message formats

10
Challenges: User Experience
  • Sites with existing user base
  • Same ID/Password everywhere
  • Inconsistent login experience
  • Deputization of services
  • Redirects

11
Challenges: Permission Management
  • Different ways to manage user permissions
    (consent)
  • Implicit vs explicit
  • Client vs server
  • Decentralized consent management
  • Managing given consents

12
Security Issues
  • XSS
  • Phishing
  • Authentication tokens for sites vs users
  • Managing sessions (client side vs server side)
  • Validating and invalidating authentication tokens

13
Privacy Issues
  • Same identifier everywhere
  • Public vs private personas
  • Anonymous and randomized identities

14
Reputation Services
  • Why is reputation important?
  • Who owns it?
  • Based on
    • Published content
    • Activity
    • Collaboration with other services (Mail, IM,
      etc.)
  • Actions to take
    • Restricted usage limits
    • Block/deny requests
    • Report to reputation services

15
Next Steps
  • User Experience
    • Consistency is key
  • User Permissions
    • Ask user
    • Implied consents are bad
  • Report and consume reputation
  • Identity and associated data under user's control
  • Support multiple public/private identities
  • Support switching Identity Providers
  • Adopt protocols that support all (most) of the
    above

16
AOL Open Authentication API
  • Light weight provisioning and authentication of
    AIM/ICQ/AOL users
  • Easy to integrate via browser redirect, AJAX, or
    direct models
  • Permission management
  • Deputization of services through secure token
    exchange
  • AOL Open Services built on OpenAuth
  • Other services
    • Integrated OpenID Provider (OP)
    • OpenID Authentication Token Exchange Extension
    • OpenID Consumer/Relying Party - accepts 3rd party
      OpenIDs
    • STS for CardSpace in future

http://dev.aol.com/openauth

17
Sign In Page

18
Permission Request Page

19
User Permission Management Page
https://my.screenname.aol.com

20
Ficlets

21
Q & A
http://dev.aol.com
Contact Info: Praveen Alavilli, John Panzer (praveen.alavilli, john.panzer)