
Thursday, 18 September 2008

Palin's Hacked Email

I just read an article about Palin's Yahoo email account being hacked, and the contents posted to the net.

"Details of the break-in, if authentic, are consistent with speculation by computer security experts who said Yahoo's "forgot-my-password" service almost certainly was exploited.

The mechanism allows customers to retrieve or change their password if they can verify their identity by confirming personal information such as birthdate, zip code and the answer to a "secret question," such as a childhood pet's name or school mascot. Palin's hacker was challenged to guess where Alaska's governor met her husband, Todd. Palin herself had recounted in her speech at the Republican National Convention that the pair began dating two decades ago in high school in Wasilla, a town near Anchorage."

Politics and party lines aside, accounts traditionally treated as 'low risk' (e.g. personal email), personal privacy and security proper are about to collide. Ashish Jain had a good post on this some time back, discussing the inherent weakness of using facts (readily available, some even via search engines) for knowledge-based authentication (KBA) rather than, for example, opinions or preferences that are not a matter of public record.

A hacked personal email account exposes a chain of further weaknesses in password-only security, because the email account is usually the recovery channel in other services' password-reset processes: whoever controls the mailbox can reset those passwords too.
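To make the weakness concrete, here is an added example (not code from the original post, and not Yahoo's implementation) that contrasts a KBA-only reset with a hardened one. The account data, the candidate answers and the class and function names are all constructed for the illustration; the "secret" answer is deliberately the kind of public fact the post describes, so a short list of biographical guesses is enough to take over the weak service, while the hardened service caps attempts, compares in constant time and still requires a single-use, expiring token delivered out of band before any password changes.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account (hypothetical values, not anyone's real data).
# The "secret" answer is a public fact, exactly the KBA weakness the post describes.
ACCOUNT = {
    "birthdate": "1964-02-11",
    "zip": "99654",
    "answer": "Wasilla High School",  # "where did you meet your spouse?"
}

# Constructed attacker guess list: the sort of facts a search engine surfaces
# (home town, nearby city, church, school). The true answer is the fourth guess.
CANDIDATES = ["Wasilla", "Anchorage", "church", "Wasilla High School"]


def normalize(text: str) -> str:
    """Case-fold and collapse whitespace so 'wasilla  high school' matches."""
    return " ".join(text.lower().split())


class KbaOnlyReset:
    """Weak design: three checkable facts are the whole reset, with no limit on tries."""

    def __init__(self, account: dict):
        self.account = account
        self.password = None

    def reset(self, birthdate: str, zip_code: str, answer: str, new_password: str) -> bool:
        ok = (
            birthdate == self.account["birthdate"]
            and zip_code == self.account["zip"]
            and normalize(answer) == normalize(self.account["answer"])
        )
        if ok:
            self.password = new_password
        return ok


def guess_answer(service: KbaOnlyReset, candidates, new_password: str):
    """Attacker loop against the weak service: birthdate and zip are assumed already
    public; try answers until the reset succeeds. Returns attempts needed, or None."""
    for n, candidate in enumerate(candidates, start=1):
        if service.reset(ACCOUNT["birthdate"], ACCOUNT["zip"], candidate, new_password):
            return n
    return None


class HardenedReset:
    """KBA demoted to one gate: attempts are capped, comparisons are constant-time,
    and the reset itself needs a single-use, expiring token delivered out of band
    (e.g. to a pre-registered phone), so guessing the answer alone changes nothing."""

    MAX_ATTEMPTS = 3
    TOKEN_TTL_SECONDS = 600

    def __init__(self, account: dict, clock=time.time):
        self.account = account
        self.clock = clock  # injectable so the expiry path can be exercised offline
        self.password = None
        self.attempts = 0
        self.locked = False
        self._token_hash = None  # only a hash of the token is kept server-side
        self._token_expiry = 0.0

    @staticmethod
    def _eq(a: str, b: str) -> bool:
        return hmac.compare_digest(normalize(a).encode(), normalize(b).encode())

    def request_reset(self, birthdate: str, zip_code: str, answer: str):
        """Returns a fresh token to send out of band, or None on failure or lockout."""
        if self.locked:
            return None
        self.attempts += 1
        # '&' instead of 'and': evaluate all three so a failure does not short-circuit
        # and leak which field was wrong through timing.
        ok = (
            self._eq(birthdate, self.account["birthdate"])
            & self._eq(zip_code, self.account["zip"])
            & self._eq(answer, self.account["answer"])
        )
        if not ok:
            if self.attempts >= self.MAX_ATTEMPTS:
                self.locked = True
            return None
        token = secrets.token_urlsafe(32)
        self._token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._token_expiry = self.clock() + self.TOKEN_TTL_SECONDS
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Accepts the out-of-band token exactly once and only before it expires."""
        if self._token_hash is None or self.clock() > self._token_expiry:
            self._token_hash = None
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, self._token_hash):
            return False
        self._token_hash = None  # single use
        self.password = new_password
        return True


if __name__ == "__main__":
    weak = KbaOnlyReset(dict(ACCOUNT))
    print("weak reset taken over after", guess_answer(weak, CANDIDATES, "attacker"), "guesses")
    hard = HardenedReset(dict(ACCOUNT))
    for c in CANDIDATES:
        hard.request_reset(ACCOUNT["birthdate"], ACCOUNT["zip"], c)
    print("hardened: locked =", hard.locked, "password changed =", hard.password is not None)
```

The lockout alone only slows the guesser down; the part that actually breaks the attack is that a correct answer buys nothing but a token sent somewhere the attacker does not control. Note that if that "somewhere" is another email account protected the same way, the chain the post describes simply moves one hop.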

It's inevitable (and healthy, IMO) that events like this drive the adoption of stronger forms of authentication over the Internet. Federation will only increase the need to protect the front door better, since one account increasingly opens many.

Posted by adurand at 2:54 PM in IdM




One Important Difference between Federation & Internal IdM Projects

We've met with a lot of companies recently who have now decided to ramp up their federation efforts. They've mostly tinkered for the past two years, but they are now planning to really turn the crank.

What's interesting about these conversations is that, invariably, they bring up one or more internal provisioning, IdM or WAM (web access management) projects that are basically not meeting expectations. Federation deployments, by their very distributed nature, take an entirely different approach. Most if not all centralization projects are large, costly, complex and long, which makes them inherently more risky and raises the probability of failure at one or more levels.

By contrast, federation has never over-sold its promise. We (Ping and our customers) experience success one connection at a time.

Even though Ping now offers "federated provisioning" in PingFederate 5.2 to Salesforce and Google Email (& Apps), don't put PingFederate in the 'provisioning' bucket. We don't promise the world. We promise to automate provisioning and federated identity life-cycle management for two SaaS applications (more coming, of course, but the number will be measured in dozens, not hundreds or thousands). We're happy to succeed one connection at a time.

Posted by adurand at 9:53 AM in IdM



