What is up with Online Identity in 2012?

From DevSummit

Abstract

The most common token of identity for an NP (nonprofit) is a domain name and perhaps an SSL certificate. Facebook and Twitter presence makes up online identity now, in an empirical sense. It is where data in aggregate online lives. You should treat this identity as an important asset that you have to manage. People need tools to manage that ident easily.

FB connect meets oauth meets whatevs. Online credentialing system.


Participants

David from Good Done Great. Developing an online identity system for non-profits. Goal is to help NPs get funding.

Williow. Interested in disseminating what NPs do with their work. Identity discovery.

Paul. Process Housing. Wants to work on strategy for client focus.

Evan. Way the social graph is controlled. Balance between self hosted and hosted identity providers.

Tomas.

Lee. Crypto identity and offline ident. Privacy versus security.

Dorrit. Exec Director of NPs. Stories from the trenches.

Chino. Mirabel Coop. Designer who cares about branding and marketing. Client relationships.

Gunner.

Discussion

Non-profits controlling their long-term technology destiny. This is a challenge if you don't have an IT department. Develop a process for new online accounts. From apps to DNS. Be intentional about contact information that has an email address. Create a different email alias for each account. Develop best practices for people who have the ability to make contacts with others.
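One way to put "a different email alias for each account" into practice, as an added example that is not from the session itself. It assumes the org's mail provider supports plus-addressing; the mailbox, domain, secret and function names are all hypothetical.

```python
import hashlib
import hmac

# Assumed, constructed values: mailbox, domain and secret are placeholders.
ORG_MAILBOX = "accounts"
ORG_DOMAIN = "example.org"
SECRET = b"random-secret-kept-in-the-org-password-vault"

def _tag(service: str) -> str:
    """Keyed tag, so an alias cannot be guessed from the service name alone."""
    return hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:8]

def _valid_name(service: str) -> bool:
    return service.isascii() and service.isalnum()

def alias_for(service: str) -> str:
    """Alias to register with one online account (app, host, DNS registrar)."""
    service = service.lower()
    if not _valid_name(service):
        raise ValueError("service name must be ASCII letters and digits")
    return f"{ORG_MAILBOX}+{service}-{_tag(service)}@{ORG_DOMAIN}"

def trace(recipient: str):
    """Return the account an inbound address was issued to, else None.

    None means the address is not one of ours, or its tag does not verify
    (the alias was guessed or edited rather than issued by alias_for).
    """
    local, _, domain = recipient.lower().rpartition("@")
    prefix = ORG_MAILBOX + "+"
    if domain != ORG_DOMAIN or not local.startswith(prefix):
        return None
    service, sep, tag = local[len(prefix):].rpartition("-")
    if not sep or not _valid_name(service):
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(service).encode())
    return service if ok else None

def information_map(services):
    """Inventory of every account and the alias it was given."""
    return {s.lower(): alias_for(s) for s in services}

if __name__ == "__main__":
    for name, addr in information_map(["registrar", "cPanel", "Basecamp"]).items():
        print(f"{name:10} {addr}")
```

Mail arriving at an alias from an unrelated sender shows which account leaked or sold the address, and a password-reset message sent to an address that `trace` rejects was not requested through an alias the org issued.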

cPanel is some kind of hosting management system with a GUI for domain management. Be able to track your information map. There is no tool that is general enough to recommend.

Persistent storage of contact lists. Basecamp is a utility for smaller orgs. Sensitive information should not be stored with this service. Password rules. How does this scale? There is a heuristic. Song lyrics. Passphrases. Phrase has a front and back. Front load a unique subset of the domain that changes on a 60 day basis. Substring remains. Delimiter changes. Sequencing of substrings. Folkloric approach to capacity building.

LastPass is a host based utility that stores encrypted keychains on the servers. You have to give them something to get the plaintext back. Password vaults are best practice. Hardcopy offline. Encrypted hard disks are good. Two factor auth doesn't scale beyond a locality. YubiKey is a hardware device that uses USB for two factor. The NP sector doesn't have the awareness of these kinds of issues. There is a guilt complex about spending time on infrastructure so the attrition level is high.

NFC is an interesting tech that's being developed. The tags are small and VERY short range. Hi res photography can be used to take a picture of physical keys from a distance and use that image to duplicate the object with a 3D printer.

Identity can be built up after the fact with privacy tools. A discussion of how long the data that describes identity should live is important.

A checklist of an NP's “identity health” is an important metric. FB connect and Google accounts are good utilities but local offline copies of a social graph are an important thing to store off Facebook. There are some underdocumented tools to work with the FB social graph data but the visibility and docs are rare because it violates the TOS.

Multiple broadcast methods of engagement. Use Twitter to get people to go to another place to engage with the org. Different silos of identity. Users don't like FB connect over email and password. Over 75% of users surveyed by ???? preferred FB connect or Google auth.

There's a weird way to do logins. Federated web is being pushed. Uses an email address as a unique token and there is no password. Tests different auth services to find one that it can OAuth against with only an email address. Auth should be decentralized. The process point is that it doesn't feel secure because it's a public token (email) so it feels weird.

The compelling reason for orgs to pay attention to auth issues hasn't met the tipping point yet. Data driven apps might be the tipping point. Backup is still a problem. Data retention. Don't backup to the cloud because most services don't have your own interests of data retention and privacy in mind. If you do, have a third archive that is offline.

DNS seizure is a threat because most identity recovery processes depend on a domain to authenticate the recovery process. Find places to register your domain name where the legal system to shut down domains is difficult or impossible.

“proper” domain name registration. Keep up on the account details for that. Predatory services will steal your domain name and offer to sell it back to you through acting as an impostor web admin for your org. “technology divorce counseling.” “pre-nup thinking” on tech infrastructure.

Manga guide to online identity or a choose-your-own-adventure style checklist for responsible ident management. Choosing a vendor or dev shop that is ethical.

There's no investment in a racecar circuit for NP dev process so most high scale issues are untested.

If you have multiple FB accounts it's difficult to have people manage the second one, so it goes dark and no one cares anymore. We need to govern the change inside orgs.

Charity.nu is a central place where any nonprofit can establish their identity. Programs, directors, roles, mission, social media. Guidestar has profiles of all non-profits but the ability to get any funding through that information is useless. Charity.nu is like about.me for non-profits. Identity portability is the important part. APIs for identity. If the source code is not released the centralized model for ident will not be a good long term strategy.