Trustable "Bring Your Own Identity"
In late 2011, I got fed up with
the 352 usernames and passwords I had to manage for asserting my
digital identity. Clearly, all the existing paradigms for
solving the identity problem weren't cutting it. Things were
getting worse and worse every day with no end in sight.
Being a serial entrepreneur who loves tackling hard problems, I
worked with leading cryptologists to start from scratch and
design a new, improved approach to identity that would eliminate
shared secrets and centralized breaches, and ensure that my
identity could only ever be asserted with my express consent. It
would be an identity system that would also satisfy all the NSTIC
goals: easy to use, private, secure, interoperable,
user-centric, etc.
The result is OneID, a new Internet identity service that
provides truly trustable identity. No usernames. Passwords are
optional. If you do pick a password, there are no password
standards, so you can pick any password you want. For example, I
don't have a username and my current password is "x", but you
cannot log in as me because OneID is device-based.
Trustable identity means that you don’t have to trust what is
happening at your identity provider or on your devices. So there
can be multiple compromises, and even a mass breach at OneID
and/or relying parties, and your identity is still safe. Even in
the worst possible scenario, you will never have to revoke the
public keys associated with your identity. If a device is
breached, it gets automatically revoked everywhere instantly,
without any relying party having to change anything.
The goal we achieved is remarkable: the
world's first and only self-provisioned, end-to-end secure,
trustable digital identity. All of the complexity is hidden from
users (other than having to "pre-authorize" new devices), and
the protocols were designed to be as simple as possible, yet
meet the design constraints of a trustable identity provider (no
single point of compromise, no point of mass compromise, IdP can
never assert your identity without your involvement, privacy
preserved, immunity to all known attacks, etc.).
It turns out we incorporated many of the techniques (such as
device centricity, ECC cryptography, and provisioning of new
devices using old devices) that are advocated in the
soon-to-be-published "Authentication at Scale" article written by
the VP of Security at Google.
But OneID goes far beyond those basic techniques in the Google
paper and adds quite a bit more security, control, privacy, and
ease of use. For example, OneID relying parties all use two or
three independent ECDSA signatures. We do authentication,
authorization, information sharing, secure storage of
information, and digital claims.
We support MFA both in-band and out-of-band. Our 2FA looks to a
user like it is single factor auth, so we can get 100% MFA
compliance from users without a problem (compared to Google,
which gets less than 1% actual usage of MFA). You don't need any
special hardware. It works with existing browsers without a
download or extension.
All the crypto is NSA Suite B approved. It takes about the same
time to add to a site as adding Facebook Connect. You can call a
web service to do all the crypto for signature verification (or
do it yourself).
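To make the "no single point of compromise" property concrete, here is an added illustration (not OneID's code, and not its actual message format) of a relying party that accepts an identity assertion only when every required party, assumed here to be the user's device key and the identity provider's key, has produced its own ECDSA P-256/SHA-256 signature over the same payload. The Assertion type, the field names and the two-signer policy are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Assertion is a constructed stand-in for what a relying party receives: one
// payload plus one independent ECDSA signature per required signer.
type Assertion struct {
	Payload []byte   // e.g. user id, relying party name and a fresh nonce
	Sigs    [][]byte // ASN.1 DER signatures, in the same order as the signers
}

// NewKey generates a P-256 key pair (a Suite B curve) for one party.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign produces one party's independent signature over SHA-256(payload).
func Sign(priv *ecdsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyAssertion accepts only if every required signer (e.g. the user's
// device key and the identity provider's key) validly signed the same payload,
// so a breach of any single key holder cannot assert the identity alone.
func VerifyAssertion(a Assertion, signers []*ecdsa.PublicKey) bool {
	if len(a.Sigs) != len(signers) {
		return false // a missing signature is a rejection, not a fallback
	}
	digest := sha256.Sum256(a.Payload)
	for i, pub := range signers {
		if !ecdsa.VerifyASN1(pub, digest[:], a.Sigs[i]) {
			return false
		}
	}
	return true
}
```

With a device key and a provider key configured, an assertion signed by both verifies, while one where an attacker's key stands in for the device, one with a signature missing, or one whose payload was altered after signing is rejected.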
I've shown OneID to well over 100 CISOs and CIOs in the US
government, financial institutions and Fortune 500 companies and
they pretty much all say things like "nothing else is even close
to this" and that we have put all the pieces together in a
single package with a simple, elegant, yet powerful new
architecture for identity.
It is available today if you'd like to try it out at OneID.com.
There are only about 100 sites where you can use it right now,
but more will be coming soon, including some very large
e-commerce sites and financial institutions.
We are also integrating OneID into the top enterprise IAM
products. You can also use it with SSH, giving you convenient
out-of-band authentication for sensitive resources. No changes
to the SSH clients are required. We'll have support for
federated standards (such as SAML2, OpenID Connect, and
Shibboleth) in the near future.
Details of the technology behind OneID and the thinking that
went into the design (see "Why I
started OneID") can be found in the Documentation Guide.