Slashdot Mirror


New IBM Tech Lets Apps Authenticate You Without Personal Data (csoonline.com)

itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform.

27 comments

  1. unathenticated by Anonymous Coward · · Score: 0

    First Post!

    1. Re:unathenticated by Anonymous Coward · · Score: 0

      Parent is a registered dog fucker.

  2. It will never go anywhere. by SeaFox · · Score: 4, Insightful

    1) Companies want the personal data to use for their own marketing and to resell to others, authentication is their excuse to get it now.

    2) No one will want to pay a license fee to IBM on top of the loss of revenue from (1).

    1. Re:It will never go anywhere. by Anonymous Coward · · Score: 0

      And also
      3) Users are too stupid to manage their keys, not understanding anything. Feedback: "it was so easy before: I never forgot my name and birth date; please rollback.". Federal agencies celebrate opening dozens of boxes of fine champagne.

    2. Re:It will never go anywhere. by Anonymous Coward · · Score: 0

      I can add a few more to that:

      3: Being locked to IBM's cloud solution. In my experience, if you want a production cloud solution, you go AWS, or Azure. OpenStack is getting better, but unless one is willing to throw thousands of man-hours at OpenStack, there are existing solutions which give a better bang for the buck.

      4: This is a solved problem. OpenID comes to mind.

    3. Re: It will never go anywhere. by Anonymous Coward · · Score: 0

      Too true. Take for example Android 6 with new 'privacy' feature.
      Cyanogenmod and others have privacy tools, you can turn off features like location, camera etc. and those features simply pretend to be broken or return fake null data like a blank image or quiet sound.
      Google implements the same feature in 6, only to deliberately break it in the most privacy violating way. It TELLS the app that the user is refusing it access. So now Apps can draw a person in, and wait for the most opportune moment to DEMAND the privacy feature. e.g. want to finish that conversation?... turn on location rights... and address book... and access to your image files and your account access... All demanded at the time when the app has most leverage.

      and of course Google Play Spyware GETS A FREE RIDE, with compulsory on.

      On my Android device I can refuse Google access to location. and every time I turn on location, it asks me again, misleading me into thinking that I have to say Yes to permit an app to get location. You can never say 'no', only 'not this time'.

      There is big money to be made in spying on you and Google needs to increase its profits. You should also realize that Google is only showing you the tip of the iceberg in its privacy panel. It has full tracking data on you but claims it's 'anonymous' even though it is not, and it is used to target ads and services at you in particular, even behind a NAT.

    4. Re:It will never go anywhere. by roman_mir · · Score: 0

      Well, not all companies do that, some base their business model around personal security, for example numbered bank accounts are designed on purpose not to let authorities (or anybody) know who is the owner of the account. Bearer certificates have the same purpose actually, they are like cash in that regard.

      Now, governments fight against such very important individual freedoms of course. Governments destroy personal freedoms much more than any company ever could.

    5. Re:It will never go anywhere. by peragrin · · Score: 1

      1) Companies are cheap. Personal data was the cheapest, easiest solution to identifying users. Then companies realized they could sell that data to make more money too.

      2) never assign to malice what can be adequately assigned to stupidity and greed

      --
      i thought once I was found, but it was only a dream.
    6. Re:It will never go anywhere. by gstoddart · · Score: 1

      2) never assign to malice what can be adequately assigned to stupidity and greed

      Sorry, but corporate greed is utterly indistinguishable from malice.

      Which means it's easier to attribute pretty much anything done by a corporation as a form of malice, and stop trying to make excuses for them.

      --
      Lost at C:>. Found at C.
  3. Why one key by silas_moeckel · · Score: 1

    It's pretty trivially easy to have multiple private keys. Hell it's easy to have a fsking USB stick with a private key that signs other keys and gets tossed back on a shelf, so you can do key revocation etc.

    --
    No sir I dont like it.
    1. Re: Why one key by bsDaemon · · Score: 1

      "Trivially easy" for IT, security or developers isn't likely the same as trivially easy for casual users of phone apps who aren't computer-related professionals

    2. Re: Why one key by silas_moeckel · · Score: 1

      Yea because phones don't have trustzone etc? It's trivially easy to get a fairly secure private key on a smartphone.

      At this point none of this should be part of your average website, oauth, openid, saml etc etc etc etc etc authentication is a service at this point. How you authenticate etc should be a thing between whoever you use (or self host) for authentication not something to get baked into every app.

      --
      No sir I dont like it.
    3. Re: Why one key by Anonymous Coward · · Score: 0

      Yea because phones don't have trustzone etc? It's trivially easy to get a fairly secure private key on a smartphone.

      "How was I supposed to know I had to transfer the secure-privy-thingy-you're-talking-about to the new phone I just purchased? I just thought I could access to my content because, you know, I'm using my phone. How come the application no longer recognizes me? that's still my phone, shouldn't matter it's a new one."

      At this point none of this should be part of your average website, oauth, openid, saml etc etc etc etc etc authentication is a service at this point. How you authenticate etc should be a thing between whoever you use (or self host) for authentication not something to get baked into every app.

      We definitely know that all startup companies appy-apps rely on very secure authentication protocols. So there's no need for your single point of authentication / identity2.0 servers.. Go home, damn commie you.

  4. This just in: Fine grained authentic digital id by Anonymous Coward · · Score: 0

    This just in: Fine grained authentic digital id

    That is all it is, fine grained certification of your digital credentials.

    Instead of a large atomic blob, they now make it finer grained.

    Not patent worthy or revolutionary but COMMON SENSE.

  5. Apps are for Cows by Anonymous Coward · · Score: 0

    You are all Cows. Cows say moooo. Moooo! Mooooo! Mooo cows Moooo! Moooo say the cows. YOU APPER COWS!!!

  6. Spiffy, like credit-cards by davecb · · Score: 2

    My credit-card supplier will issue single-use or otherwise restricted numbers, to use with "untrustworthy vendors". This allows a similar functionality: with the vendor I can be OscarTheSuspiciousGrouch and use a card number that is limited to legitimate stuff.

    In both cases I can credibly demonstrate I'm really "Oscar"

    --
    davecb@spamcop.net
    1. Re:Spiffy, like credit-cards by i.r.id10t · · Score: 1

      Except with that model, the CC company can still tie OTSG back to davecb

      If that is acceptable to you then it is a working solution... but as far as for use in situations where not being able to associate any two given identities is a critical factor, then it won't work.

      --
      Don't blame me, I voted for Kodos
    2. Re:Spiffy, like credit-cards by KGIII · · Score: 1

      I don't know about you but I've a couple of debit cards that do not have my name on them. So long as I authorized them then the credit union happily gives them to me. I presume no laws are being broken. This, of course, is not complete privacy but it comes in handy with a variety of online purchases. I used to have a credit card in a famous person's name and would use that. I don't know if that's still something credit card companies allow or not but once you had the account you could get a card in another name with nary any trouble at all.

      --
      "So long and thanks for all the fish."
  7. cool story bro by Anonymous Coward · · Score: 0

    cool story bro.

  8. Looks like it avoids credit card verify, but PCI? by xxxJonBoyxxx · · Score: 2

    TFA says this avoids birthday, home address and other criteria typically demanded by banks during a CC transaction to prove online identity. However, IBM's technology would seem like fail on arrival unless it got the blessing of the almighty PCI council, which pushes a lot of those "additional" identity requirements onto banks to make sure they aren't being defrauded.

  9. IBM doing what it does best, embrace and extend ? by sxpert · · Score: 2

    This sounds suspiciously similar to SQRL https://www.grc.com/sqrl/sqrl....

  10. Re:IBM doing what it does best, embrace and extend by Anonymous Coward · · Score: 0

    No, that uses QR capture and this is an electronic wallet. I am not sure how they are related other than that they use public-key encryption to verify a user.

  11. Re:IBM doing what it does best, embrace and extend by SScorpio · · Score: 2

    Read the article, IBM's solution also uses a credentials wallet.

    SQRL uses QR codes so the user's wallet can be on a mobile device, and the user could log into a public machine without exposing a repeatable login method. SQRL also allows for a SQRL:// link on the QR code so a wallet program on the local machine, or the phone itself can still authenticate without using the QR code.

    Where these differ is that SQRL is made to replace the username and password part of logging in. It also creates a unique identity for each site so the only way to map SQRL accounts between sites would be through information the user gives to the site such as an email address.

    IBM's solution appears to have a 3rd party signer like a government create a certificate with identity information which is then used in the authentication process.
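The "unique identity for each site" idea in the comment above, and the summary's "single secret key, multiple public keys", sketched as an added example that is not part of the thread and is not SQRL or Identity Mixer code. The HMAC derivation, the small demo group, the Schnorr login signature and all function names are assumptions chosen so it runs on the Python standard library; it does not model the third-party-signed certificate mentioned for IBM's scheme.

```python
import hashlib
import hmac
import secrets

# Demo group (assumption): integers modulo the prime 2**255 - 19, base 2.
# Far too small for real use; a deployment would use an elliptic-curve scheme.
P = 2**255 - 19
G = 2
Q = P - 1  # exponents reduce modulo P - 1


def site_secret(master, domain):
    """Derive the per-site private exponent from the single master secret."""
    mac = hmac.new(master, domain.lower().encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q


def site_identity(master, domain):
    """Public key the site stores in place of a username or personal data."""
    return pow(G, site_secret(master, domain), P)


def _challenge(commit, public, domain, nonce):
    parts = [str(commit).encode(), str(public).encode(), domain.lower().encode(), nonce]
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def sign_login(master, domain, nonce):
    """Client: Schnorr signature over the server's nonce, bound to the domain."""
    x = site_secret(master, domain)
    k = secrets.randbelow(Q - 1) + 1  # fresh per login; reuse would leak x
    commit = pow(G, k, P)
    c = _challenge(commit, pow(G, x, P), domain, nonce)
    return commit, (k + c * x) % Q


def verify_login(public, domain, nonce, sig):
    """Server: needs only the stored public key and its own fresh nonce."""
    commit, s = sig
    c = _challenge(commit, public, domain, nonce)
    return pow(G, s, P) == (commit * pow(public, c, P)) % P


if __name__ == "__main__":
    master = bytes(range(32))  # constructed sample secret, not a real key
    shop = site_identity(master, "shop.example")
    nonce = secrets.token_bytes(16)
    print(verify_login(shop, "shop.example", nonce, sign_login(master, "shop.example", nonce)))
    print(shop == site_identity(master, "forum.example"))
```

Two sites comparing their stored public keys see unrelated values, so linking accounts requires something else the user supplied, such as the email address the comment mentions.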

  12. Wtf? by Anonymous Coward · · Score: 0

    so IBM has created a login window that accepts a private key encrypted challenge? So?

  13. New Tech by Anonymous Coward · · Score: 0

    IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data.

    You mean, like a password?