The Gluu in an NSTIC Pilot
Last week, there was a lot of press around the announcement of this year’s NSTIC
pilots. Here at Gluu, we are excited to participate in one of these projects, and are
hopeful that it will be a nice showcase for free open source WAM software and the power
of open standards for two factor security. The goal of this blog is to shed some light on
how the Gluu Server will help this project come to life. Note, these are my thoughts as
CEO of Gluu, and don’t necessarily reflect the opinion of MorphoTrust, the lead
contractor, NIST, the State of North Carolina, or any of the other contractors.
So what is this pilot about? In my opinion, it’s about one thing: electronic enrollment.
You can think of enrollment as a kind of online registration. You know the drill–you
need an account on a website, you fill out a form, pick a password, validate some
“CAPTCHA”, perhaps validate your email, and you’re off to the races.
However, this ritual has a few weaknesses: there is not a strong link to an actual person.
With a plethora of ways for hackers (or your friends) to figure out your passwords,
control of an email account hardly provides much of an assurance that the actual
person filled out the registration form. In identity geek parlance, we call “identity
proofing” the process where you correlate a person to an electronic credential. Email
validation is a very weak form of identity proofing, sufficient for only low value
transactions.
Today, in many situations, identity proofing requires you to show a printed government
issued ID. As a person needs to transact more important business online, the strength
of that identity-proofing process needs to also increase. Here is an extreme example,
but it makes a point. Recently I was issued a US Dept. of Interior smart card. It was
really a pain in the neck. I had to drive to Temple TX from Austin, which is 70 miles
north. This was the nearest DOI office that was authorized to issue these cards. I
presented two forms of valid ID. At that meeting, they collected high quality biometrics
(fingerprint and photo). Subsequently I was interviewed by the FBI at my office, and I
provided contact information for my family and childhood friends. After background
checks, my ID was ready. I asked for it to be FedExed.
No way… I had to drive 70 miles back to Temple, TX. At which point, they verified the
previously collected biometrics. And after some chit-chat, I was handed my smart card–
280 miles and four hours of driving later. I’ll say one thing: they were pretty darn sure
that they handed that ID to Michael Schwartz. But it was an expensive and
inconvenient process.
The North Carolina Food and Nutrition Services Program online also needs to issue
electronic credentials to citizens. As I understand it, some people in North Carolina
who need the benefits offered by this program might be quite far from a physical office.
Wouldn’t it be great if there was some way we could save them the drive? There are
many reasons why this makes sense. But there is only one problem: there is no
alternative to the “in person” identity proof.
The magic in this pilot would be to develop an alternative to the in person identity proof
by leveraging the sensors of a mobile device. Can the camera of a mobile device collect
enough data to identify me as well as a person could do it? It’s not that far-fetched,
especially for me (when I passed age 40, let’s just say my visual acuity isn’t what it used
to be…). The precedent for electronic “non-in person” enrollment just doesn’t exist. But
once it does, we could see many services that required in person identity proofing–like
voting–have a better chance of becoming a reality.
So what is the Gluu Server going to do to help make this magic happen? For those who
have never heard of Gluu, we publish free open source Internet security software that is
used by universities, government agencies and companies to enable Web and mobile
applications to securely identify a person, and manage what information they are
allowed to access.
In this pilot, there are two critical authentications: the first time you enroll, we need to
identify you using information gathered from the mobile device, and compared against
information held by the State of North Carolina, and other contextual information
(like your location). This authentication might be a little bit inconvenient, but it may
save you hours of driving! After this initial authentication, we will use crypto
techniques to enable you to re-authenticate very conveniently–without even using a
password.
The algorithms to do this identification (to do the image processing for example), or to
detect fraud, are proprietary. I understand that these will be supplied by MorphoTrust
and the University of Texas Identity Center.
The Gluu Server is used to communicate with the mobile device, and to communicate with
servers that analyze the data secured inside the state environment. It is the “glue” (no
pun intended) between the mobile device and the backend identification engine.
Identifying a person is only half the battle. The second half of the battle is authorizing
the person to access certain protected APIs that will
be used by the mobile application to do its business. The Gluu Server provides a way for
a domain (in this case the State of North Carolina), to define policies that can control
which people, using which devices, can access which APIs. IT veterans may not be
impressed. Oracle, IBM, and Computer Associates all have software that can perform
this function. However, the Gluu Server is the only free open source platform that uses
open standards to enable centralized access management.
Ultimately, the vision of Gluu, and the vision of NSTIC are aligned: to make the
Internet a safer place. It’s an honor to participate in such an effort, and we’re looking
forward to serving the citizens of North Carolina to the best of our ability.
Article resource: https://sites.google.com/site/thegluuserver/the-gluu-in-an-nstic-pilot