You may or may not be excited by the acronyms OAuth and IMAP/SMTP, but the combination of them together is very exciting news. Google Code Labs announced this afternoon that it has just enabled third-party developers to securely access the contents of your email without ever asking you for your password. If you're logged in to Gmail, you can give those apps permission with as little as one click. What does that mean? It means mashups based on the actual emails in your inbox. If you've given a third-party app secure access to your Twitter account, then you'll be familiar with the user experience.

The first example out of the gate is a company called Syphir, which lets you apply all kinds of complex rules to your incoming mail and then get iPhone push notifications for your smartly filtered mail. Backup service Backupify will announce tomorrow morning that it is leveraging the new technology to back up your Gmail account as well.

People are often wary about the idea of giving outside services access to their email, and well they should be. OAuth is designed to make that safe to do. Combined with the IMAP/SMTP email retrieval protocols, it gives an app a way to ask Gmail for access to your information. Gmail pops up a little window and says, in effect: "this other app wants us to give it your info; if you can prove to us that you are who they say you are (by giving your password to Gmail, not to the app), then we'll vouch for you and give them the info." The third-party app never sees your password; it receives a token that stands for the access you approved, and that access can be revoked at any time without you having to change your password. You can read more about OAuth, how it was developed and how it works, on the OAuth website.

Why is this so exciting?
Because it means that the application we all spend so much time in, where so much of our communication goes on and where you can find some of our closest work and personal contacts, can now have value-added services built on top of it by a whole world of independent developers, without your having to give them your email password. That's the kind of thing the data portability paradigm is all about. It's the opposite of lock-in and seeks to allow users to take their data securely from site to site, using it as the foundation for fabulous new services. Google says it is working with Yahoo!, Mozilla and others to develop an industry-wide standard way to combine OAuth and IMAP/SMTP. See also: Rapportive, an incredible GMail contacts plug-in.
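What the mail client actually sends once it holds a token, as an added example that is not from the original post or from Google: the third-party app authenticates to IMAP with the token instead of the password. The 2010 mechanism announced above was XOAUTH (OAuth 1.0a signatures); this example uses its successor, the XOAUTH2 SASL mechanism that Google's IMAP and SMTP servers accept today, whose initial client response is the documented string `user=<email>^Aauth=Bearer <token>^A^A` (`^A` being byte 0x01). The user name, access token and server name are placeholders, and the parser is included so the exchange can be checked offline.

```python
"""Added example (not the original post's or Google's code): authenticating to
IMAP with an OAuth access token via the SASL XOAUTH2 mechanism, so the app
never handles the account password. User, token and host are placeholders.
"""
import base64
import imaplib
import ssl

BEARER_PREFIX = b"auth=Bearer "


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Raw (un-encoded) SASL XOAUTH2 initial client response:
    user=<email>\\x01auth=Bearer <token>\\x01\\x01"""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control byte 0x01 is not allowed in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_initial_response_b64(user: str, access_token: str) -> str:
    """What actually follows 'AUTHENTICATE XOAUTH2' on the wire."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def parse_xoauth2_initial_response(raw: bytes) -> dict:
    """Server-side view: split the client response back into its two fields.
    Raises ValueError if the framing is not exactly user / auth / empty / empty."""
    parts = raw.split(b"\x01")
    if len(parts) != 4 or parts[2] != b"" or parts[3] != b"":
        raise ValueError("malformed XOAUTH2 response")
    user_part, auth_part = parts[0], parts[1]
    if not user_part.startswith(b"user=") or not auth_part.startswith(BEARER_PREFIX):
        raise ValueError("malformed XOAUTH2 response")
    return {
        "user": user_part[len(b"user="):].decode("utf-8"),
        "token": auth_part[len(BEARER_PREFIX):].decode("utf-8"),
    }


def open_mailbox(user: str, access_token: str, host: str = "imap.gmail.com") -> imaplib.IMAP4_SSL:
    """Connect over TLS and authenticate with the token only. imaplib base64-
    encodes whatever bytes the callback returns, so we hand it the raw form.
    If the token has been revoked the server answers NO and imaplib raises."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_initial_response(user, access_token))
    return conn


if __name__ == "__main__":
    # Placeholder values; a real token comes from the OAuth consent flow.
    print(xoauth2_initial_response_b64("alice@example.com", "ya29.placeholder-token"))
```

Revoking the app in the account's security settings invalidates the token, so the next `open_mailbox` call fails at the `AUTHENTICATE` step while the password stays unchanged; that separation is the whole point of the flow described above.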
password's tag archive
Micropayments and Subscriptions: How Business Models for Startups are Shifting
Back in early February, while aboard a red-eye to New York, Dave McClure wrote a long, humorous, rambling, profanity-laden rant of a blog post that focused on startup business models. While it makes for an entertaining read, McClure's post is also very insightful and makes a solid case for why startups should shift from advertising models and instead build their new businesses on subscriptions and micropayments. Earlier this month I had the chance to visit the headquarters of ZooLoo, a startup that witnessed this very shift first-hand with its own business model.

During my visit I spoke with Aaron Baer, Director of Communications at the Scottsdale-based ZooLoo, a site that provides individuals with the ability to share and manage content on their own domain. Like many startups in the past decade, ZooLoo opened for business under an advertising business model, but eventually caught on to the changing trend McClure evangelized on his blog. "[ZooLoo's original model] was an advertising platform, we had a shopping page, we would do affiliate marketing, you could buy and order prints off of our website – we had a very broad business model," says Baer. "We discovered that didn't work." They also realized that it wasn't the model their customers wanted. Under the old model, users were presented with two options: a free basic service, and a premium service with more features, in an "all or nothing" fashion. Customers complained that they wanted to upgrade and purchase premium services, but that they weren't willing to pony up the full price for a bunch of other features they didn't want. In January, ZooLoo fundamentally changed its business model by creating a storefront through which customers could pick and choose features at a micropayment level. Now if a user wants to purchase their own domain name, but doesn't want to pay for ZooLoo's SEO services, they can do that instead of being forced into picking from a tiered package.
While customer feedback was a substantial motivator for the change, Baer says that potential investors also played a role in the addition of the storefront. "The investors said, 'You have a solid product, but I want to see you find a better way to package it, and a better way to sell it'," he says. And the change worked. Since adding its micropayment storefront, ZooLoo has seen an increase in purchases of its premium services. The company is making more money marketing virtual goods in a micropayment system than it was when it bundled everything together at a higher price and relied on advertising and affiliate marketing. This is the exact paradigm shift in online marketing that Dave McClure preaches in the post mentioned earlier. "Gradually we are discovering that the default revenue model on the internet should probably be the simplest one," writes McClure. "That is: basic transactions for physical or digital goods, and recurring transactions (aka subscriptions) for repeat usage." Without repeat usage, McClure says, the biggest obstacle in the way of getting users on board with micropayments is that they forget their password. Honestly, if I were asked to log in to my Amazon or PayPal accounts right now, I would be playing a guessing game with a handful of passwords because I don't use those services too often. But for iTunes, Google and Facebook, the services McClure says will be the leaders in eCommerce login in five years, I use those every day and surely remember my password. ZooLoo realizes this too, which is why it fosters repeat usage by connecting its services with Twitter, Facebook, and other popular online social networks. Users can also log into ZooLoo using Facebook Connect, which eliminates the problem of remembering a less frequently used password. ZooLoo and Baer are fully on board with this emerging model, and suggest others hop on as well.

"There is this social media bubble forming where all these services are saying, 'We're free, come use us!', but eventually those services need to make money," says Baer. "We think micropayments are the next big thing." Photo by Flickr user r-z.
Multi-factor Authentication and the Cloud
High profile security breaches into cloud-based applications like GMail and Google Apps serve to remind us that when people and companies store all their information "out there", security measures are of critical importance. In most cases the security breaches are "front door" attacks where an attacker has exploited a weak password or the password recovery process. "Security breach" has many connotations: an insecure application, unpatched servers, back-doors or inside jobs. But where an attacker exploits a weak password, or a user's habit of reusing a favourite password across multiple sites, who is to blame? Perhaps the only failing in such circumstances is that the application allowed a weak password, or rather that it relied on single-factor authentication.

The strength of an authentication mechanism can be judged on how many independent kinds of evidence it depends on. These factors fall into three groups:

Things a user knows: username, email address, PIN and password.
Things a user possesses: inbox, credit card, mobile phone, security token.
Things a user is: fingerprints, voice, retina, face.

The number of groups involved in an authentication mechanism gives the number of factors required to authenticate. For example, a passport relies on two factors: possession of the passport, and that the person holding it looks like the photograph in it (except a little older and fatter). The all too familiar combination of username and password is a single-factor authentication mechanism: it relies on only one group of things, things that a user knows. If I know your username and password, that is all I need to authenticate as you. Banks and some other companies often ask for additional fields such as a PIN or address. Whilst these do make it more difficult to authenticate, they are all still things a user knows, so this remains single-factor authentication.

Password Recovery

Most online services provide some form of self-service password reset or recovery function.
The behaviour we have come to expect is that a temporary password gets emailed to our inbox, or an email is sent that contains a link to a web page where we can enter a new password. Some low-security systems will even email your actual password in clear text, which also tells you they store it in a recoverable form rather than as a hash. In all cases this makes the inbox central to accessing all our online identities. Own the inbox, and you most likely own every account linked to it. In the case of the Twitter attack in July 2009, the attacker's main point of entry was the password recovery process. Once the GMail account was compromised, other services could be targeted. The other exploit relied on the user habit of reusing passwords across sites.

Market Leaders

Two of the heavyweight cloud players have multi-factor authentication offerings. Amazon EC2 supports multi-factor authentication using time-based security token key-fobs supplied by Gemalto. Security tokens use a keyed mathematical function to generate a difficult-to-predict sequence of numbers, each valid for a short time period, typically 30 or 60 seconds. The secret key behind that function is known only to the security provider and is programmed into the key-fob issued to the user. Because each number lasts only a short time and the next one can be computed only with the secret key, you must both possess the key-fob and know the username and password to authenticate. To add additional security to Google Apps, Google has a solutions marketplace with a dedicated category for identity management add-ons; solutions available include LDAP integration and security tokens. Many banks and other financial service organisations are also starting to add additional layers of security to their Internet banking services, the most common being time-based security tokens.

If you and your organisation are planning to move parts of your IT into the cloud, or have already done so, please consider the risks of single-factor authentication mechanisms. Remember that people are the weakest link. How will you ensure that your staff are using different passwords across all the different services and that those passwords are changed frequently? Image source: plenty.r.
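How the time-based security tokens described under Market Leaders derive their codes, and how a server turns them into a second factor, as an added example that is not from the original post or from any vendor named in it. It assumes the token follows RFC 4226 (HOTP) and RFC 6238 (TOTP), which is what most fobs and phone apps implement; the user record, password, salt and clock values are constructed for the example, and the shared secret is the RFC test-vector key so the output can be checked against the published vectors.

```python
"""Added example, not part of the original post: HOTP/TOTP code generation
(RFC 4226 / RFC 6238) and a two-factor login check built on it.
Assumptions: SHA-1 HMAC, 30-second steps; the user store below is constructed.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
    truncated to a 31-bit integer, then reduced to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step. The fob
    and the server only need the same secret and roughly synchronised clocks."""
    return hotp(secret, int(at) // step, digits)


# Test-vector key from RFC 4226 / RFC 6238, reused here as the fob's secret.
SHARED_SECRET = b"12345678901234567890"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: salted password hash, the fob's secret, and the last
# time step for which a code was accepted (so a captured code cannot be replayed).
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": _pw_hash("correct horse battery", b"constructed-salt-value"),
        "totp_secret": SHARED_SECRET,
        "last_step": -1,
    }
}


def login(username: str, password: str, code: str, at: int,
          step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Two factors: something known (password) and something possessed (the fob
    that produced `code`). `window` tolerates one step of clock drift either
    side. Returns True only if both factors verify and the code is unused."""
    user = USERS.get(username)
    if user is None:
        _pw_hash(password, b"dummy-salt")  # spend the same time for unknown users
        return False
    if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"]):
        return False
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(user["totp_secret"], t, step, digits), code):
            current_step = t // step
            if current_step <= user["last_step"]:
                return False  # this code, or an older one, was already accepted
            user["last_step"] = current_step
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code valid for the current 30-second step:", totp(SHARED_SECRET, now))
```

The replay check (`last_step`) is what turns "the number is valid for 30 seconds" into "the number is valid once": without it an attacker who phishes both the password and the current code can reuse them for the rest of the step.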
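A self-service reset flow that avoids the weaknesses called out under Password Recovery, as an added example that is not from the original post: the server never emails a password, stores only a hash of the single-use token it mails out, expires it quickly, and cannot leak the token through a timing side channel because it looks the token up by digest rather than comparing it to stored plaintext. The in-memory store, time-to-live and injectable clock are constructed for this example; a deployment would add rate limiting and, where a second factor is enrolled, require it before accepting the reset.

```python
"""Added example, not part of the original post: password-reset tokens that are
random, single-use, short-lived and stored only as hashes.
Assumptions: in-memory store and injectable clock, constructed for the example.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short enough that a leaked reset link goes stale fast


class ResetTokens:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> bytes:
        # Stored form only; a database dump does not yield usable tokens, and a
        # dictionary lookup on the digest leaks nothing about the token itself.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, username: str) -> str:
        """Create a fresh token for `username`, invalidating any earlier one.
        Returns the token to embed in the emailed link; only its hash is kept."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the username if `token` is live, else None. The entry is
        removed either way, so a token can be tried exactly once."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


if __name__ == "__main__":
    store = ResetTokens()
    link_token = store.issue("alice")
    print("would email: https://example.invalid/reset?token=" + link_token)
    print("redeemed for:", store.redeem(link_token))
    print("second attempt:", store.redeem(link_token))
```

Issuing a new token revokes the previous one for the same user, so a reset link sitting in a compromised inbox dies as soon as the legitimate user requests a fresh one; and because redeem consumes the entry before checking expiry, an expired token cannot be retried either.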