Sunday, May 29, 2011

Google goes NFC payments, oh la la!

When I was at the IIW12 a presentation was given about the changing landscape in payments and banking.
PayPal was giving the creditcard companies like VISA and MasterCard a hard time keeping customers for their online payments via creditcard.
Why use expensive creditcards when you have PayPal?
But the creditcard companies try hard to keep their 'beloved'customers.
How? Well, they add NFC-payments to the creditcard-landscape.
Users can pay for goods using NFC-enabled devices, either NFC-enabled phones with stored data that act as a debit/credit payment card (example follows soon) or NFC-powered contactless payment cards they touch ('wave') to readers like VISA's payWave.
However, American Express did not want to wait for the NFC-enabled devices and, in March 2011, launched "Serve" an app that turns a desktop, mobile phone, and Facebook account into a virtual wallet. With Serve, customers can send and receive money, pay bills, or make digital purchases through a cloud-based peer-to-peer network.

Hm, lots of new online payment-products, and lots to say about security and privacy, but when I was making this blog Google came with an anouncement.

All this NFC- and mobile payment in the cloud also triggered Google to get involved.
So, 26 May 2011 they launched Google Wallet (duh!!), together with Citi, MasterCard, First Data, and Sprint as their partners.
Hm, MasterCard already had PayPass ,but why not partner with Google to use it's NFC-enabled Nexus 4G?
Nothing new concerning NFC-telephones, if you look at VISA's efforts, and the ISIS-project, but now Google is involved. OK, Google has its Google Checkout, but is now also into NFC-payments. This was for Sprint the call to join Google wallet and not ISIS.
Also important, because the NFC-payments adoption is in Europe higher than in USA: Dutch public transport already uses a NFC-enabled card, comparable to the U.S. ORCA-card, which I also saw in San Fran.
Heee, but was the Dutch OV-chipcard not already hacked way back in 2008?
That's why I was triggered when I saw the creditcard companies using this technology!!
Even, if Google and financial institutions are involved in the NFC-payments network, I'm still cautious, because of my experience with the OV Chipcard.

Why I am cautious I will discuss in my next post(s), where I will look at the security-issues related to using NFC-enabled devices for payment,by card or by mobile phone.

Saturday, May 14, 2011

Internet Identity Workshop 12: seen by a Tester

A week ago the Internet Identity Workshop 12 took place in the Computer History Museum in Mountain View, California.
Three days (3-5 May) listening to and discussing the latest trends in Internet Identity protocols, enterprise identity management etc. from a user-centric view.
Boring, no way!!
First of all, it wasn't a normal conference, with fancy presentations and the audience neatly listening and asking questions afterwards.
Nope, this was an unconference, where every day at the beginning the schedule is made of people who want to discuss or present thoughts on user-centric online identities.
This agenda can then be viewed on a big wall in the centre of the conference hall, which I thought was a very good and pragmatic way to schedule the proposed sessions.
Well, time to get dirty I thought, and the first day I already hosted 2 sessions , 1 on security measures for identity protocol flows (always nice to test those :-) ) and also the pros and cons of using OAuth in online banking (you never know in the future).
Very nice sessions where I could discuss my thoughts as a tester with identity experts from different industries, like telco, finance and computer hardware.
However, I wasn't here only to gather info,together with XMLgrrl (the 1 and only :-) ) and the guys from Newcastle Uni. (great to see ya folks!),I did a little PR for UMA, which was very effective, because UMA was also spoken in sessions where UMAnitarians were absent :-).
Next to this, The Newcastle Uni. guys did a kick-ass Ipad(!)demo of their SMART-project. Great stuff to see.

But wait, there is more. I saw sessions about companies wanting to become a relying party, identity-policies between US and Europe, personal data stores, online vaults and many more.
And not to forget the Trust Frameworks, which are being developed for different industries, and have complex flows to test.
For a bloke from Europe, the sessions about NSTIC were very interesting to see: what does the US-government want to do with the trusted identities in cyberspace?
Thanks for the helpful info there guys. It made things clear about how the Americans want to deal with identity in cyberspace, although not every attendee agreed, which made a nice discussion.

I could go on and on about the IIW12, but I want to keep my blogs short.
I had a great time, learned a lot and it's encouraging to see the IIWs are also already taken place in Europe. A great way to stay updated on the work in user-centric identities, which are getting more important every day for everyone involved in internet development..

Any questions about the IIW? Just send me an email or call me.

So, my Silicon Valley Trip (and San Fran ;-) ) was fantastic, let's see where my next adventures will be.
Hmm, perhaps Hawaii??

Thursday, May 12, 2011

The Status Quo of OpenID development

Preceeding the IIW12, the OpenID Summit took place at the World Headquarters of Symantec in Mountain View, California.
Considering my prior interest in OpenID and its future layerment on Oauth 2.0 (next to UMA !!) I was very interested in the Status Quo of OpenID development.
This Summit, presented by the OpenID Foundation, as part of a 2011 series, focused on 'Balancing Security and the User Experience', very interesting for me as a tester.
Through 4 sessions (3 panel discussions and 1 presentation) the attendees were stimulated to think about and discuss the present state of OpenID, the changing authentication protocols, the best practises and also the monetization (making money) of identity without traumatizing the customer.
Especially the latter is important, because of the adoption of OpenID and other identity protocols by enterprises and governments. No business Case means no assurance of a possible Return on Investment, resulting in NO adoption by enterprises or government.
A Business Case alone, is in my opinion, still insufficient, because if the OpenID protocol is crap, no customer wants to buy it.
Well, you might guess what my question was: Why not involve testing in the OpenID development lifecycle from the beginning, the specs, to improve the quality?
After all, I have done this for the UMA-protocol last year, and the UMAnitarians are very happy with it. Reactions to this from the OpenID Summit were positive, let's see what happens in the coming weeks.
But let's get back to the OpenID Summit. I won't give elaborate descriptions of how the panel discussions went (see the link above for more info and the panel members), but I will highlight some.

The first panel, chaired by Nico Popp, our Symantec host, discussed the changing authentication protocols like strong authentication, One Time Passwords (OTP), PKI (-smartcards), but also identity proofing, biometrics and risk-based authentication (especially banking!) were addressed. Next to this the different levels of authentication were explored.
I thought it described the evolution of authentication protocols and easy to follow if you had some knowledge of authentication.

The next session was done by The Oauth-pro's: Mike Jones, John Bradley and Nat Sakimura.
They gave us an insight in the Status Quo of OpenID development.
Next to the work done on JSON and JWT chain representation, especially OpenID ABC framework and OpenID Artifact Binding were discussed. Vey nice, because, that's what I came for.
Regarding the rapid development of mobile phone authentication, more use cases will be made to extend the OpenID development here.
Well done guys, I'm up to date again on the OpenID development.

The third session was all about best practices and chaired by Eric Sachs from Google.
Especially the authentication of web 2.0 apps were discussed and especially the minimal scope of the parameters of a ID check. I think they were Name, Email and Photo.
Also the combination of OpenID and the HTTPS-protocol to ensure a secure exchange of data. Facebook, for instance, now gives its customer the opportunity to use this protocol.
But still a lot has to be done here to ensure a good functioning of the OpenID protocol.

The last session, hosted by Don Thibeau, features investors interviewing technology leaders about investing company money in identity and technology leaders interviewing investors about venture investing in identity companies. Bottom line here was, is there an investment opportunity in Identity management or online privacy: NO.
It still needs a well defined business case and certainly won't give profits in the short term, although these aren't excluded in the long term.

Well, that was for me the OpenID Summit May 2011: I learned a lot, had good pizza for lunch and went home with the feeling that OpenID development is ongoing, although it needs a good business case and a critical look from a tester's point of view.
OpenID Foundation, Symantec and Google, thanks for a great day!

The next blog will highlight my days at the Internet Identity Workshop 12 last week.

Monday, May 9, 2011

What's next in online identities? Cordny in Silicon Valley: a blog series

Last week, on invitation by PIMN, and with 4 other invitees, I spent a week in Mountain View (Silicon Valley, USA) visiting groundbreaking events on the development of online Identity and Access Management. These events were the OpenID Summit and the Internet Identity Workshop 12.

The next days I will describe my point of view of these events.
Separately, because both events, although related to each other, have distinct goals and attracts a different crowd.

I thank PIMN and the organizers of the events above for the fantastic and educative time I had in Mountain View, and look forward to see and work with them again in the future on other events.

In my next blog I will discuss my view of the first event which took place on Monday May 2nd 2011, the OpenID Summit.