authentication

Paris Web : de la sécu et de la qualité

logo-parisweb-2015

L’été bat son plein. Cigales et soleil (enfin, pour moi). Je me penche sur le programme Paris-Web, la conf du web programmée en Octobre (oui, déjà, je sais, certains disent que je suis très prévoyante), et joie, bonheur, extase : de la sécu, il y en aura à gogo chez Paris Web cette année. Rendez-vous compte, pas moins de 6 interventions relatives au sujet.

– Votre cauchemar ressemble peut-être à une invasion de script malicieux sur vos sites, Nicolas Hoffman vous racontera que CSP est un anti dote pour ce genre de situation embarrassante.

– Vous avez envie de rendre un peu plus robustes vos applications web ? Il existe des outils pour cela. Mathias Dugué partagera son retour d’expérience sur l’usage de ces outils obscurs de sécurité et de la Web Crypto API.

– Une bonne authentification est la garantie d’un service deployé sûrement. L’administration française l’a compris. Francois Petitit partagera son retour d’expérience sur le déploiement de FranceConnect, de OpenID, de l’OAuth2, du bonheur…

– Les bots sur le net générèrent du traffic, et vous embêtent probablement en tant que webmaster, François Hodierne vous expliquera comment gérer ce petit détail, et comment reconnaître les bons des mauvais robots.

La sécurité du web et des internets, c’est un sujet sérieux, que les organismes de standardization discutent, je viendrai vous raconter les avancées faites dans ces consortiums d’industriels au W3C, à l’IETF, et à FIDO.

– La sécurité, c’est aussi une question sous-jacente dans les enjeux de la liberté des usagers du web. Adrienne Charmet, de la Quadrature du Net, viendra plaider pour un engagement des acteurs du numériques en plénière d’ouverture..

On se croise donc à Paris-Web les 1/2/3 Octobre ! #bisous

FIDO Alliance : an amazing standardization story

la piste aux etoile by abac077

As you know, my main job is to jump from one standardization body to another. In (my) history of meeting this kind of tribes, I have witnessed several birth and death of SDOs. I have gone to the traditionnal ETSI, the rich GSMA, the working hard GlobalPlatform, the always-been-here TCG, the fabulous W3C… None of them, from my view, had a development such as FIDO Alliance did. Seriously. Jumping from 4 founding folks (Lenovo, Validity, Paypal, NokNokLabs) to a list of 170 (paying) members in 2 years. This is amazing. For the ones who missed it, few facts and figures about FIDO Alliance.

FIDO Alliance primer goal is to design a solution for seamless authentication on the web, under user control. Born in 2013.  Worked under the water during one year to write spec, evangelize and recruit. Showed at MWC 2014 – different products , including a commercial deployment by Samsung and Paypal. Announced a Google launch named Secure Key in October 2014. Issued its first set of specifications in December 2014 (aka 500 pages of architecture, protocol, documentation, …) and may surprise us again during the MWC 2015. In the meantime, the Board increased to 22 members, to include major players such as (sorry long but impressive list worth sharing it here) Alibaba, ARM, Bank of America, Discover, Google, Mastercard, Visa, Microsoft, NXP, Qualcomm, RSA and Samsung. Those guys are the ones paying the most and directing the strategy.

Seriously. So much people around that specific problem. There must be something. One may argue that at the moment the co-existence of two different technologies (UAF and U2F for acronyms geeks) may reduce the value of FIDO Alliance to solve one single problem. Maybe. But it kickstarted the market, and it was required to have Google family joining the conversation, and thus having all the major actors around the table.

Nevertheless, such growth should have never happened without the following assets :

– a clear value proposition : hey, come on, let’s kill passwords ! (a real challenge in the security area)

– a strong marketing and business development team, backed with serious financial interests, being everywhere, in any single conference approaching the authentication topic.

– a continuous  positive and monitored communication, encouraging and valuing product or members PR.

– a clear governance : you pay, you decide, you pay less, you influence the technical stuff, you pay few, you listen and implement.

– good and committed technical folks to chair the working groups and edit the specs (folks like Brad Hill, Jeff Hodges, look at the names here).

– a pragmatic product functional compliance approach (aka interoperable test fest before thousands of tests being developed).

I’d say that FIDO Alliance may succeed or not (I wish it will), but the growth of that SDO is amazing and we should, first get inspiration from their good practices, and second, listen to FIDO Alliance announcement during this year, hoping those guys will talk loud.

Note : picture by abac077La piste aux étoiles” in CC BY-NC-SA 2.0