Skip to main content

Posts

Showing posts from March, 2017

IRS Data Retrieval Tool for FAFSA: A perfectly predictable use case

We went through a painful process of trying to get the IRS to integrate into the Cipheredtrust API, without success of course. In the end we had to settle for a browser extension which requires us to hold tax information (only in computer memory for a given session). We hope that eventually we'll be able to convince the IRS to do the integration for the good of every taxpayer who needs it. Recently the FAFSA tool (called the IRS Data Retrieval tool) which students rely on to pull data directly from the IRS into their application was shutdown due to security concerns. The case we made to the IRS for supporting this integration specifically made reference to the integration of the IRS data-source into the Department of Education application as an example of how making it easy and secure for people to leverage their tax information can deliver great value. The benefit of the data retrieval tool is two fold, first it is convenient for students since it automates the completion o...

Trust without Trust, beyond OAuth, OpenID, OpenID Connect...etc

Federated identity brokers (plenty in the market) generally require that the "relying party" and consequently the "principal"/user trust them with sensitive information. The implementation of federated login generally involves the service provider directing the user to select from a preset list of identity providers. Combining these modes of operation you end up with a situation where user privacy and security are both compromised, not a good look for what is meant to be a security solution. Beyond these immediate concerns, the actual specifications on which these identity broker services are based are generally more convoluted than they need to be. OAuth and OpenID are two of the more established standards, unfortunately these standards suffer from tunnel vision, ie they are so focused on the problem of user identity as it relates to login flows that they fail to consider simpler, better and more general approaches to solving the problem. User identity authenti...

Launching the Cipheredtrust API blog

Today we're launching the blog for the Cipheredtrust API with the hope of putting a solution on the market that fully addresses the problem of identity verification on the internet. Checkout the API here: https://www.cipheredtrust.com/ We'll have a lot more to say going forward. In the meantime feel free to post questions here or in the community forum.