New post: Venn of access control for the API economy

Up on the Forrester blogs, I present a new Venn diagram that compares OAuth, OpenID Connect, and UMA. A number of people contributed to the final form of this one, which we presented in a Google Tech Talk a couple of weeks back. Thanks to all of the following folks (listed in no particular order) for their feedback!

By the way, we’ve […]

New: strong authentication research: “bring your own token”

Over on the Forrester blogs, I talk about my just-published TechRadar™ on strong authentication, and the term we came up with for leveraging the devices, apps, and communications channels you already have for logging-in purposes: bring-your-own-token. BYOT. Like BYOD. (Geddit??)

(Note to Paul: No, not that BYOT… Your timing on that post absolutely killed me.)

New: Musings on SCIM after IIW

Over on the Forrester blogs, I talk about the latest progress on Simple Cloud Identity Management (SCIM), as seen and discussed at IIW.

(I’ll be at Forrester Security Forum November 9-10, in lovely Miami — you going?)

New: Report contemplating OAuth and “Zero Trust identity”

Is it possible for an enterprise to turn itself inside-out? Apparently so. I’ve got a new post up on the Forrester blogs that discusses the “Zero Trust” aspect of enterprise security that a number of companies are addressing with various clever uses of OAuth.

New: “Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?”

I’ve got a new post up on the Forrester blogs, discussing a “markets for portable identity” angle on my latest research report (which is full of Venn goodness!), and how SAML, OAuth, and OpenID are “hard currencies.”

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

New: “Protecting Internal APIs – Is OAuth Ready For Its Closeup?”

Check out my new post on the Forrester blog, looking to hear about your experience and opinions on the use of OAuth to secure your internal app landscape. You know you have stories. I know you have stories. So why not share them??

I hosted a session at IIW last week to start collecting data around this topic, impishly/illicitly called Two Legs Good? (since the OAuth community keeps trying to quit the “legs” habit but can’t seem to […]

How UMA deals with scopes and authorization

The UMA group has been quite busy of late. Like several other efforts (don’t miss John Bradley’s OpenID ABC post or anything Mike Jones has been blogging in the last few months), we’ve been gearing up for IIW 12 as a great place to try out our newest work, figure out the combinatorial possibilities with all the other new stuff going on, and get feedback.

Newcastle University’s SMART project team will be in Mountain View […]

New: “Identity Assurance Means Never Having To Say ‘Who Are You, Again?’”

Does having published my first Forrester research report and done my first quarterly teleconference mean I’ve made my analyst bones? Hmm. You can read about my identity assurance coverage here. (Regular readers may recall that I wrote about identity assurance on Pushing String last fall, batting around ideas with Paul Madsen and others.)

Baseline health and Paleo 2.0

With Gary Taubes blogging and the extended low-carb/paleo community hopping, I feel less of that ol’ carbgrrl blogging pull, but I follow all the goings-on with keen interest.

One recent post over on Hyperlipid analyzes fasting insulin and — get this — accidental weight loss among the obese. Here are some excerpts that may be mind-blowing to the nutritionally uninitiated:

[O]ut of only five subjects, one obese person became a food refusenick. Various studies have had similar compliance problems,

 […]

New: “CardSpace Is Dead. Long Live Back-Channel Access.”

I’ve got a new post up on my Forrester blog, commenting on CardSpace and the important trends to pay attention to at this juncture.