New IBM Tech Lets Apps Authenticate You Without Personal Data (csoonline.com)
itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform.
It will never go anywhere. (Score:5, Insightful)
1) Companies want the personal data to use for their own marketing and to resell to others; authentication is their excuse to get it now.
2) No one will want to pay a license fee to IBM on top of the loss of revenue from (1).
Re: (Score:2)
1) Companies are cheap; personal data was the cheapest, easiest solution to identifying users. Then companies realized they could sell that data to make more money too.
2) Never assign to malice what can be adequately assigned to stupidity and greed.
Re: (Score:2)
Sorry, but corporate greed is utterly indistinguishable from malice.
Which means it's easier to attribute pretty much anything done by a corporation as a form of malice, and stop trying to make excuses for them.
Why one key (Score:2)
It's pretty trivially easy to have multiple private keys. Hell, it's easy to have a fsking USB stick with a private key that signs other keys and gets tossed back on a shelf, so you can do key revocation etc.
Re: Why one key (Score:2)
"Trivially easy" for IT, security or developers isn't likely the same as trivially easy for casual users of phone apps who aren't computer-related professionals.
Re: (Score:2)
Yea, because phones don't have trustzone etc? It's trivially easy to get a fairly secure private key on a smartphone.
At this point none of this should be part of your average website. oauth, openid, saml etc etc etc etc etc: authentication is a service at this point. How you authenticate etc should be a thing between you and whoever you use (or self host) for authentication, not something to get baked into every app.
Spiffy, like credit-cards (Score:3)
My credit-card supplier will issue single-use or otherwise restricted numbers, to use with "untrustworthy vendors". This allows a similar functionality: with the vendor I can be OscarTheSuspiciousGrouch and use a card number that is limited to legitimate stuff.
In both cases I can credibly demonstrate I'm really "Oscar".
Re: (Score:2)
Except with that model, the CC company can still tie OTSG back to davecb.
If that is acceptable to you then it is a working solution... but as far as for use in situations where not being able to associate any two given identities is a critical factor, then it won't work.
Re: (Score:2)
I don't know about you but I've a couple of debit cards that do not have my name on them. So long as I authorized them then the credit union happily gives them to me. I presume no laws are being broken. This, of course, is not complete privacy but it comes in handy with a variety of online purchases. I used to have a credit card in a famous person's name and would use that. I don't know if that's still something credit card companies allow or not but once you had the account you could get a card in another
Looks like it avoids credit card verify, but PCI? (Score:3)
TFA says this avoids birthday, home address and other criteria typically demanded by banks during a CC transaction to prove online identity. However, IBM's technology would seem like fail on arrival unless it got the blessing of the almighty PCI council, which pushes a lot of those "additional" identity requirements onto banks to make sure they aren't being defrauded.
IBM doing what it does best, embrace and extend? (Score:3)
This sounds suspiciously similar to SQRL https://www.grc.com/sqrl/sqrl.... [grc.com]
Re: (Score:3)
Read the article, IBM's solution also uses a credentials wallet.
SQRL uses QR codes so the user's wallet can be on a mobile device, and the user could log into a public machine without exposing a repeatable login method. SQRL also allows for a SQRL:// link on the QR code so a wallet program on the local machine, or the phone itself can still authenticate without using the QR code.
Where these differ is that SQRL is made to replace the username and password part of logging in. It also creates a unique identi