RE: Google's New two-legged AuthN

Feel free to fire back....

Next week is RSA show; Google will be there, and are probably firing an
early shot in their marketing; now they have phonefactor, and 2 factor
support (boring and yawn on the one hand; a remarkable feat of engineering
if it's now available to their HUGE user base). I'm going to the show in San
Francisco for 2 days, if anyone wants to meet up. I'm not exactly sociable in
groups > 3 ... but am reasonably pleasant one on one.

At the show, 500 vendors will talk about the topic. They have been doing so for
15 years, which is how many RSA shows I've been to. It's an entire industry,
that grew up, out and from RSA flogging its bsafe toolkit API in a rented room
at the hotel down from Oracle in Redwood City... to a huge conference on
several continents. An entire industry was born, and billions of dollars
exchange hands on the topic. The first attendees were worse than me, and
could not actually raise their eyes from the floor.

So what are we doing here? that they@rsa are not?

And that's what we have to focus on. We are not in competition with them. We
are not a vendor. We are not even a vendor consortium. We are (and I'm
struggling to say "we", since I know so little about W3C insider aims) W3C -
with a particular opinion (here being formed). We have to find a
nitch/niche within that RSA eco-system, just as NSA (say) do. (They
basically express their renowned skills in assurance and higher end security
engineering, particularly for bits of fast hardware; a unique claim to
fame).

So what is our nitch/niche?

It has to be the semantic web - a level of scale never before envisioned.
It's also using a computing metaphor that has yet to hit the big time,
having teetered on the edge of adoption for years (logic programming). It
also uses those old client certs, issued to consumers (that everyone else
has given up on). It's also able to distinguish itself from 4 websso
protocols, including openid (a kissing cousin).

I think we are still incubating this story. On the one hand it has to
express W3Cish'ness in terms of technical web architecture (and be seen to
portray "doctrines" that the movement believes in, as social engineering),
yet on the other, it has to be politically savvy - to build up a
constituency that migrates towards the position, following the lead. In a
space dominated by billion dollar companies vying for attention, obviously
the end-pitch will have to be well crafted (for next year's show, say), and
be "approachable"; which will be a balancing act between not too technical,
not too religious, just enough assurance, the right level of implementation
overhead, the right of people, the moment being right for a change....and
address the needs of a large enough adoptee community so they look over
here, versus over there at the 500 other stands at the tradeshow.

Peter.





-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of jeff@sayremedia.com
Sent: Thursday, February 10, 2011 4:58 PM
To: WebID XG
Subject: Google's New two-legged AuthN

This has been making the rounds around Twitter, but I thought I should post
it here just so we keep it in mind. On Google's official blog, they posted
this today:

<a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">Advanced sign-in security for your Google account</a>

Basically, Google is offering its account holders the option of adding
another verification step when authenticating a session. Here's the gist of
their new technique:

"Once you enable 2-step verification, you'll see an extra page that prompts
you for a code when you sign in to your account. After entering your
password, Google will call you with the code, send you an SMS message or
give you the choice to generate the code for yourself using a mobile
application on your Android, BlackBerry or iPhone device. The choice is up
to you. When you enter this code after correctly submitting your password
we'll have a pretty good idea that the person signing in is actually you."

This is an example where the use of WebID authentication would be
superior--both from the users' and Google's standpoint.

Jeff

http://jeffsayre.com/

Received on Friday, 11 February 2011 02:30:44 UTC