
New IBM Tech Lets Apps Authenticate You Without Personal Data (csoonline.com) 27

itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform.
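The "single secret key, multiple public keys" idea in the summary, as an added example (not IBM's code and not Identity Mixer's actual protocol): each pseudonym is a Pedersen-style commitment to the same secret, and the holder proves knowledge of that secret with a Schnorr-type proof bound to a verifier nonce. The function names, the demo 256-bit group generated at import and the nonce handling are assumptions made for illustration.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; adequate for finding demo parameters."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**i, n) != n - 1 for i in range(1, s)):
            return False
    return True

def demo_group(bits=256):
    """Safe prime P = 2Q+1; G and H generate the order-Q subgroup of squares."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    seed = int.from_bytes(hashlib.sha256(b"constructed demo generator").digest(), "big")
    return p, q, 4, pow(seed, 2, p)  # H is hash-derived, so nobody knows log_G(H)

P, Q, G, H = demo_group()  # assumption: demo parameters, not a standardized group

def challenge(nym, t, nonce):
    # Fiat-Shamir challenge binds the pseudonym, the commitment and the verifier's nonce
    data = f"{nym}|{t}|".encode() + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def new_pseudonym(sk):
    # Fresh randomness r per service: same secret key, different public identity
    r = secrets.randbelow(Q)
    return pow(G, sk, P) * pow(H, r, P) % P, r

def prove(sk, r, nym, nonce):
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, a, P) * pow(H, b, P) % P
    c = challenge(nym, t, nonce)
    return t, (a + c * sk) % Q, (b + c * r) % Q

def verify(nym, proof, nonce):
    t, s1, s2 = proof
    c = challenge(nym, t, nonce)
    return pow(G, s1, P) * pow(H, s2, P) % P == t * pow(nym, c, P) % P
```

Because `r` is uniform, each pseudonym is uniformly distributed in the group, so two services comparing the pseudonyms they hold cannot tell whether they belong to the same secret key.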
  • by SeaFox ( 739806 ) on Monday November 23, 2015 @12:14PM (#50985779)

    1) Companies want the personal data to use for their own marketing and to resell to others, authentication is their excuse to get it now.

    2) No one will want to pay a license fee to IBM on top of the loss of revenue from (1).

    • 1) Companies are cheap; personal data was the cheapest, easiest solution to identifying users. Then companies realized they could sell that data to make more money too.

      2) never assign to malice what can be adequately assigned to stupidity and greed

      • 2) never assign to malice what can be adequately assigned to stupidity and greed

        Sorry, but corporate greed is utterly indistinguishable from malice.

        Which means it's easier to attribute pretty much anything done by a corporation as a form of malice, and stop trying to make excuses for them.

  • It's pretty trivially easy to have multiple private keys. Hell it's easy to have a fsking USB stick with a private key that signs other keys and gets tossed back on a shelf, so you can do key revocation etc.

    • "Trivially easy" for IT, security or developers isn't likely the same as trivially easy for casual users of phone apps who aren't computer-related professionals

      • Yea because phones don't have TrustZone etc? It's trivially easy to get a fairly secure private key on a smartphone.

        At this point none of this should be part of your average website, oauth, openid, saml etc etc etc etc etc authentication is a service at this point. How you authenticate etc should be a thing between whoever you use (or self host) for authentication not something to get baked into every app.

  • by davecb ( 6526 ) <davec-b@rogers.com> on Monday November 23, 2015 @12:23PM (#50985825) Homepage Journal

    My credit-card supplier will issue single-use or otherwise restricted numbers, to use with "untrustworthy vendors". This allows a similar functionality: with the vendor I can be OscarTheSuspiciousGrouch and use a card number that is limited to legitimate stuff.

    In both cases I can credibly demonstrate I'm really "Oscar"

    • Except with that model, the CC company can still tie OTSG back to davecb

      If that is acceptable to you then it is a working solution... but as far as for use in situations where not being able to associate any two given identities is a critical factor, then it won't work.

    • by KGIII ( 973947 )

      I don't know about you but I've a couple of debit cards that do not have my name on them. So long as I authorized them then the credit union happily gives them to me. I presume no laws are being broken. This, of course, is not complete privacy but it comes in handy with a variety of online purchases. I used to have a credit card in a famous person's name and would use that. I don't know if that's still something credit card companies allow or not but once you had the account you could get a card in another

  • by xxxJonBoyxxx ( 565205 ) on Monday November 23, 2015 @12:41PM (#50985907)

    TFA says this avoids birthday, home address and other criteria typically demanded by banks during a CC transaction to prove online identity. However, IBM's technology would seem like fail on arrival unless it got the blessing of the almighty PCI council, which pushes a lot of those "additional" identity requirements onto banks to make sure they aren't being defrauded.

  • by sxpert ( 139117 ) on Monday November 23, 2015 @12:56PM (#50986023)

    This sounds suspiciously similar to SQRL https://www.grc.com/sqrl/sqrl.... [grc.com]
