User centric identity
1 / 67

User-centric Identity - PowerPoint PPT Presentation

  • Uploaded on

User-centric Identity. Diagram by Francis Shanahan. Hank Mauldin CE Meeting - February 26, 2008 Cisco Systems. This discussion represents the work done to date for a white paper on User-Centric Identity. Proposed a 1 year research project - 3 months into study

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' User-centric Identity' - lillian-beasley

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
User centric identity

User-centric Identity

Diagram by Francis Shanahan

Hank Mauldin

CE Meeting - February 26, 2008

Cisco Systems

  • This discussion represents the work done to date for a white paper on User-Centric Identity.

  • Proposed a 1 year research project - 3 months into study

    • Explore a different area and new technologies in identity

    • No preconceived ideas or theories

    • Are there real solutions here?

    • Discover what are the advantages and disadvantages

    • Ultimately what is the impact on Cisco?

    • Can Cisco leverage these technologies?

  • Discussing promising technologies/protocols

    EDCS-647257 - first draft available

Agenda paper on User-Centric Identity.

  • Introduction

  • Historical Perspective on Identity

    • Centralized Approach

    • Distributed Approach with Federation

    • User-centric Approach

  • Technologies

    • XRI

    • OpenID

    • OAuth

    • EV SSL Certificates

    • Information Cards

  • Do these technologies address user’s problems

  • Impact on Cisco

Users have ‘zillions’ of digital identities… paper on User-Centric Identity.




open social



  • eCommerce (e.g. Amazon, eBay)

  • Social Networking (e.g. LinkedIn)

  • Book club

  • Family





  • Book club

  • Family


mortgage / rent

  • Professional networks

  • Dating networks

Social Networks

Online shopping





car loan


Source Forge

Communities of Interest

Personal Finance

bank account



Second Life

  • Second Life

  • Croquet

  • WOW

  • SharePoint

Virtual Spaces







Common issues for users
Common Issues for Users paper on User-Centric Identity.

  • Credential Management

    • Too many login ids and password combinations to remember or worse they are all the same

    • Using lowest strength credentials (passwords) for high value transactions

  • Ease of Use

    • Remembering which credentials to use with a site

    • Filling in the same information for registration forms at different sites

  • User Concern over personal information

    • Concern about the information collected by sites and what happens to the data after collection

    • Protection from impersonation and identity theft

  • Phishing

    • How does a user really know they are at the site they think they are?

  • Issue over vetting process of user’s identity

    • User proves identity by ownership of email address


Identity Provider paper on User-Centric Identity.







  • User: an actor requesting access to the network or an application within the network.

  • Service Provider (SP): From a principal’s perspective, a service provider is providing services and/or goods, typically through a website.

  • Identity Provider (IdP): A special service provider that manages identity information on behalf of principals and provides assertions of the principals authentication to other providers.

  • Relying Party (RP): A special service provider that is the recipient of a message that relies on a request message and associated assertions to determine whether to provide a requested service.

Relying Party





Relationship between entities

Relying Party paper on User-Centric Identity.

Identity Provider

Relationship between entities




Uses services


Trust is the foundation of any security model. Trust is the expression between entities that one entity will believe statements (claims) made by another entity; it is based on evidence – history, experience, contracts, etc. – and risk tolerance.

Basic use case

Identity Provider paper on User-Centric Identity.

Basic Use Case







User tries to access protected resource

User needs to be authenticated - browser redirected to Identity Provider

User is authenticated by Identity Provider

Authentication assertion sent to Relying Party

Relying Party

Concept of user centric identity

Relying Party paper on User-Centric Identity.



Identity Provider

Concept of user-centric identity

  • User in the middle of transaction

  • User has a consistent user experience

  • User is in control of their personal attributes

Historical perspective

Historical Perspective paper on User-Centric Identity.

Diagram by Francis Shanahan


Liberty paper on User-Centric Identity.

“Phase 1”


ID-FF 1.2


ID-FF 1.1







SAML 1.1

SAML 1.0

OpenID 2.0

WS-* Specifications (WS-Federation)


XRI i-names

SAML 2.0

OpenID 1.0













Centralized Approach

Microsoft .Net Passport Windows Live ID

Distributed Approaches

with Federation

User-centric Approaches

Information Cards



User centric approaches

Higgins paper on User-Centric Identity.

User-centric approaches

  • URL-based

    • LID

    • sxip

    • OpenID

  • XRI-based

    • i-names

  • Information Cards

    • CardSpace

    • Higgins

    • Bandit project

Openid 2 0
OpenID 2.0 paper on User-Centric Identity.

  • Open, decentralized, free framework

  • Can transform an existing URI from one’s blog, profile page, etc. to be an identifier

  • IdP discovery is built into the URI

  • Authentication scheme provides a way to prove that a principal owns an Identity URL without passing around their password or email address.

  • Light-weight default trust model

  • Ease of integration into scripted web platforms

Permission-based paper on User-Centric Identity.


i-names (XRI)

Privacy Barrier











An i-name is a new “superaddress” that gives its owner complete control over its use

Any attribute referenced by a URI or encoded in XML

  • i-names are called unified digital addresses

    • Human readable (i-numbers are machine readable)

  • Provides an address one can keep for life

Information cards
Information Cards paper on User-Centric Identity.

  • CardSpace

    • Central feature is the identity selector - allows one to pick a credential visually represented as a card to send to an RP

    • Token-based system

    • Two types of cards supported:

      • Personal cards - self issued

      • Managed cards - provided by identity providers

    • Separation of authentication and storage of personal information

    • Microsoft has released all their associated IP

  • Higgins

    • Provides a software infrastructure to support all the popular digital identity protocols

    • Extends types of cards - r-cards, z-cards, & s-cards

    • Selectors available for Windows, Linux and Mac OS X

  • Bandit

    • Currently providing a CardSpace compatible card selector for Linux and Mac OS X based on the Higgins card selector

Summary of identity spaces
Summary of Identity Spaces paper on User-Centric Identity.

Credit for this Venn Diagram goes to Paul Madsen and Johannes Ernst

Osis open source identity system
OSIS (Open Source Identity System) paper on User-Centric Identity.

URL-based(grassroots, open

source, blogging)

  • Microsoft

  • IBM

  • Verisign

  • Red Hat

  • Novell

  • Cordance

  • Higgins

  • Shibboleth

  • Sxip

  • Sun

  • NetMesh


OSIS started to bring together identity-related projects in order to synchronize and harmonize the construction of an interoperable identity layer for the Internet.

Identityin 2007

OSIS Agreement

“historic development” (ZDNet)

Invisibleto the user


(Liberty Alliancecompanies)





Technologies paper on User-Centric Identity.

Diagram by Francis Shanahan

  • XRI paper on User-Centric Identity.

  • OpenID

  • OAuth

  • EV SSL Certificates

  • CardSpace

  • Higgins

Xri extensible resource identifier
XRI (Extensible Resource Identifier) paper on User-Centric Identity.

  • XRIs can identify people, organizations, concepts, applications, devices, digital objects or anything else

  • XRI builds on the IRI (International Resource Identifier, RFC 3987) by extending the syntax

  • XRI start with “xri://” followed an authority segment and a path portion (if any)

    • xri://

  • The idea is that web addresses evolve from URLs to XRIs

  • Foundational technology for XDI (XRI Data Interchange), the Higgins project and useful for OpenID

Xri characteristics
XRI Characteristics paper on User-Centric Identity.

  • XRIs come in pairs

    • i-name which is human readable and changeable

    • i-number which is permanent (links use the i-number)

  • Adds a layer of indirection on top of DNS- and IP-based URLs to enable better control over their persistent identity

  • This indirection allows semantic mapping for sharing of identifiers across domains

  • Reserved global context symbols:

    • + , for general dictionary tags like +blog, +salmon, +love

    • $, for special dictionary tags like $d (date), $v (version)

    • =, for a personal persistent address like =hank.mauldin

    • @, for an organization like

  • When using global context symbols, one does not need to use a protocol prefix (xri://)

Extended validation ssl certificates
Extended Validation SSL Certificates paper on User-Centric Identity.

  • Phishing scams are a big issue

  • Answer needs to address two issues

    • Provide a method that ensures users know the true owner of a website

    • Provide a browser interface that makes it easy to see the identity when its known and recognize when it isn’t

  • Proposed Answer is a new category of SSL certificate with an issuing process that helps ensure the entity is who it claims to be, and browser modifications

Ev certificate guidelines
EV Certificate Guidelines paper on User-Centric Identity.

  • CA/Browser Forum consisting of CAs, Internet browser vendors and American Bar Assoc. released version 1.0 of EV Certificate Guidelines for a new EV certificate.

  • Uses existing SSL certificate format, but provides a strictly enforced issuance policy with revocation measures.

  • The issuers must:

    • Verify the legal, physical and operational existence of identity

    • Verify the identity of entity matches official records

    • Verify the entity has exclusive rights to use domain specified in certificate

    • Verify the entity has properly authorized the issuance of the EV certificate

Ev browser modifications
EV Browser Modifications paper on User-Centric Identity.

  • When a browser visits a site secured with a EV certificate, the address bar will turn green and display the name of the organization listed in the certificate as well as the issuing CA.

  • If on a bogus site, the address bar will not display green

  • The security status bar shows the transaction was encrypted and the organization has been authenticated

  • Microsoft IE 7 is first browser to meet the new standard

  • FireFox browsers have a plug-in available

Example of address security bar
Example of Address & Security Bar paper on User-Centric Identity.

Thoughts on ev ssl certs
Thoughts on EV SSL Certs paper on User-Centric Identity.

  • Appears to be a step in the right direction

  • One concern is the cost of the new certificate

  • New CA vendors dependent on browser vendors

  • It seems to be a couple of years away for wide spread use, but some companies (eBay and PayPal) are already using these certs.

Openid 2 01
OpenID 2.0 paper on User-Centric Identity.

  • Fastest growing user-centric identity system

  • Because AOL (63 million users) and Yahoo (248 million users) provided all their users with OpenIDs automatically

  • Specifically addresses web single sign-on (SSO) use cases

  • Replace the self generated usernames & passwords with a single login credential

  • Provides simple attribute exchange

  • Only requires an unmodified browser

  • Light-weight protocols and easy for RPs to implement

Openid protocol drilldown

User paper on User-Centric Identity.

OpenID Protocol Drilldown



User wants to access their LiveJournal blog




Redirected to


Redirected back to LiveJournal account

Relying Party(RP)

Identity Provider(IdP)


Openid concerns
OpenID Concerns paper on User-Centric Identity.

  • No real trust framework

  • Basic principle between IdP and RP is to TRUST

  • Advantage: IdPs and RPs can work together without prior relationships

  • Neutral: only good for low value transactions such as blog or wiki comments

  • Concern: OpenID potentially makes the Phishing problem worst

    • A person can put up a great site that takes OpenID and phish the Identity Providers site to harvest the user’s credentials

Openid concerns continued
OpenID Concerns (continued) paper on User-Centric Identity.

  • Concern: User has one unique identifier and so a IdP can track all the websites a user logs into.

    • Cross site profiling would be easy

    • Privacy issue for users

    • Cannot be used for delegation of authority (instead using OAuth)

  • Neutral: If person uses a domain-name URL as their OpenID, they must be careful not to lose the domain name (expires, and not renewed)

  • Neutral: Unclear what the business case is for the smaller IdPs (OpenID Providers)

    • Giving away free OpenIDs

Thoughts on openid
Thoughts on OpenID paper on User-Centric Identity.

  • Top 4 issues the OpenID community wants to fix

    • Solve the Phishing issue

    • Make the UI experience a little less geeky (typing in URLs)

    • Single Sign-out

    • Optimize performance

  • My belief is they will move towards using a combination of EV SSL certificates and Information Cards to solve the first issue above

  • Microsoft, IBM, Google, Yahoo and Verisign have joined the OpenID Foundation Board - announced February 2008

OAuth paper on User-Centric Identity.

  • OAuth Core version 1.0 is released

  • Offers secure delegation of authority

  • Complements rather than replaces authentication

    • Extends the usefulness of OpenID

  • Brings together in one standardized way delegation of authority by many of the major well established security protocols

    • Google AuthSub

    • AOL OpenAuth

    • Yahoo BBAuth

    • Upcoming API

    • Flickr API

    • Amazon Web Services API

Information cards1

Higgins paper on User-Centric Identity.

Information Cards

  • Microsoft Identity Metasystem

    • CardSpace

  • Higgins project

    • Bandit

Seven laws of identity
Seven Laws of Identity paper on User-Centric Identity.

  • Kim Cameron (Microsoft) developed the 7 laws which shaped the design of the Identity Metasystem

  • The Seven Laws are:

    • User Control and Consent - only reveal information with user’s consent

    • Minimal Disclosure - release least amount of information and limit its use

    • Justifiable Parties - limit to entities that are necessary in identity relationship

    • Directed Identity - protect against correlation across services

    • Pluralism of Operators - enable multiple technologies and identity providers

    • Human Integration - integrated into system and protect against id attacks

    • Consistent Experience - provide simple, consistent experience across different contexts

Identity metasystem concepts
Identity Metasystem Concepts paper on User-Centric Identity.

  • Digital Identity: A set of claimsin a security token provided by (and about) a user

  • Roles in the identity meta-system:

    • User (subject)

    • Identity Provider

    • Relying Party

  • Protocol:

    • User goes to site for a resource

    • User is asked for identity (and required claims) from RP

    • User chooses an identity provider

    • Identity provider gives user a security token (meeting required claims)

    • User passes the token to the RP

Ws metasystem architecture
WS-* MetaSystem Architecture paper on User-Centric Identity.






WS-Trust, WS-MetadataExchange, WS-Security



(Token Requirements)



(Token Capabilities)



(Token Capabilities)



(Token Requirements)










Cardspace protocol drilldown
CardSpace Protocol Drilldown paper on User-Centric Identity.

User approves release of token


Windows CardSpace



User selects an IdP

Client wants to access a resource



Request security token

(authentication required

e.g. X509, Kerberos,

username/pwd, self-issued token)



Which IdPs can satisfy requirements?

RP provides identity requirements



Return security token based

on RP’s requirements (any format) – and optional signed display token

Token released to RP

(RP reads token and allows access)


Identity Provider(IdP)

Relying Party(RP)

Cardspace card selector
CardSpace Card Selector paper on User-Centric Identity.

Cardspace cards
CardSpace Cards paper on User-Centric Identity.

Self-Issued Card

Managed Cards

  • Contains claims about my identity that I assert

  • Fixed set of claims

  • Not corroborated

  • Card and data stored locally

  • Signed and encrypted to prevent replay attacks

  • Presented by user during account sign-up

  • Created and signed by IdPs, such as banks, stores, government, clubs, etc.

  • Provisions .CRD file via email, website, group policy etc. which user installs

  • Locally stored cards contain metadata only (not values)

  • Data stored at Identity Provider and obtained only when card submitted (from STS)

Cardspace security

CardSpace Environment (secure shell) paper on User-Centric Identity.

Runs under separate desktop and restricted account

Isolates CardSpace runtime from Windows desktop – no programmatic access

All data encrypted (inc. memory) until use

All parties strongly identified


RP can be hidden from IdP

Signing key for self-issued token varies for each RP

User controls release of information

Cards can be protected with a PIN

Parties must identify themselves via Trust Dialog

Verifies provided certificate for all parties that interact with user

RP: Appears on first visit, IdP: when user imports card

CardSpace Security

Thoughts on cardspace

Advantages: paper on User-Centric Identity.

Replace login ids & passwords with cryptographically strong tokens containing identity claims

Consistent login and registration

Centers around a simple to use Identity Selector

Digital identities represented by cards

Multi-factor authentication

Helps avoid phishing

Users in control


Not a single sign-in solution


Identity portability


Thoughts on CardSpace

Higgins project
Higgins Project paper on User-Centric Identity.

  • Higgins provides the same user experience as CardSpace

  • It functions with the same card metaphor, but extends the types of cards

  • However, Higgins is a framework to provide interoperability between different identity systems

    • An abstraction layer for identity and social networking services

  • Allows plug-ins from different contexts

Higgins framework

Web Services paper on User-Centric Identity.

Eclipse Rich Client Platforms

Browser extensions

Information Card Selector

End User Applications

Interoperability Framework

Identity Selector Service (ISS)

Relying Party Policy/Tags

Higgins Browser

Extension (HBX)





Context Providers




Application Programming Interface (API)

Context Data Sources: LDAP AD Files Directories Social Networks Databases

Identity Attribute Service (IdAS)

Context Provider Interface (CPI)

Higgins Framework

Identity attribute service idas
Identity Attribute Service (IdAS) paper on User-Centric Identity.

  • Aggregate and federate identity information

  • Uses the Higgins Data Model

    • Represents an identity and its attributes in a context

  • The plug-ins enable the IdAS to read and data from the contexts and map the data to the Higgins Data model

  • Each context can may have its own ontology defined using higgins.owl

Interoperability paper on User-Centric Identity.

Requirements for interoperability

Common data model

API abstraction/framework

Schema mapping

#1 addressed by Higgins

#2 can be addressed using the Higgins Identity Attribute Service (aka IdAS)

#3 addressed by industry collaborations within Identity Commons and other groups


Digital subjects and their attributes

Digital Subject paper on User-Centric Identity.

Relation attribute

“Normal” attributes (e.g. String, number, boolean, etc.)

A profile

Correlation attribute (a specialization of relation)

= Digital Subject that represent entity #1 (e.g. you)

= Digital Subject that represents some entity other than #1 (e.g. someone other than you)

Digital Subjects and their attributes

  • Digital Subjects are representations of entities (e.g. real world people, groups, organizations, etc.)

  • Digital Subjects are sets of identity, profile andrelationship attributes

I cards

Personal i-card paper on User-Centric Identity.

Hank Mauldin


  • Store credentials, profiles, personal data, and social networks –not just for sign-in!

  • New types of i-cards defined

    • r-cards (relationship cards)

    • data partially owned by both entities

    • s-cards (SAML cards)

    • for interoperability with SAML 2.0

    • z-cards (zero-knowledge cards)

    • selectively disclosure of claims

    • zero-knowledge proofs

    • sole authority over claim values

    • IBM to deliver based on their idemix technology

Hank Mauldin

Bandit card selector showing claims
Bandit Card Selector showing claims paper on User-Centric Identity.

Higgins software project status

Higgins 1.0 Development done by 12/31 paper on User-Centric Identity.

Supports the self-issued and managed cards

Ongoing series of multi-company (Microsoft, etc.) interoperability events for the past year and ongoing

IBM and Novell have announced they will ship Higgins based products

Parity is offering to host Higgins based services

Higgins software project status


Thoughts on higgins
Thoughts on Higgins paper on User-Centric Identity.

  • In general, I believe the card metaphor will succeed in the market place

  • Higgins has already shown it can interoperate with CardSpace

  • Several influential vendors (IBM, Novell) are committed to delivering Higgins implementations

  • A large challenge to meet their goals for the framework, especially around the data model and schemas

Do these technologies address user issues

Do these technologies address user issues? paper on User-Centric Identity.

Diagram by Francis Shanahan

Credential management
Credential Management paper on User-Centric Identity.

  • Both OpenID and Information Cards provide a solution to the issue of too many passwords to remember

  • Both help with registration at web sites rather than just form filling

  • OpenID provides SSO, but uses a single identifier

  • Information Cards do not provide SSO, but provides better privacy by using a different personal id per site

Ease of use
Ease of Use paper on User-Centric Identity.

  • OpenID requires a user to type in an URI

    • Common complaint is that is a little geeky

    • Current browsers do not store URI as they do usernames

    • My belief is OpenID community will move towards using information card as optional front-end in certain situations

  • Information Cards provide a metaphor that most people grasp instantly

    • Seems to me to be useful on the mobile devices (smartphones)

    • Importing the managed cards is not as simple as it could be

    • Recovery from PC crash or loss not well defined (problem similar to losing one’s wallet)

User control over their personal info
User Control over their personal info paper on User-Centric Identity.

  • OpenID with attribute exchange supports user control

  • OpenID with delegation can only give “full delegation” so can not provide only certain services - a security risk

  • OAuth is being used due to this restriction in OpenID

  • Information Cards allow user to review, edit and decide which claims to release prior to being sent

    • Does keep track of which attributes have been sent to a site, so user has a record of which attributes have been released to which relying parties

Phishing paper on User-Centric Identity.

  • OpenID has a perceived problem with phishing

    • Some discussion about using Information Cards to authenticate at IdP to help avoid phishing

  • Information Cards are phishing resistent

    • Selector keeps track of which card has been used at a site

    • User receives a visual indication when not a proper site

  • EV SSL certificates helps with this problem when widely deployed and browsers updated

Vetting of users
Vetting of Users paper on User-Centric Identity.

  • Not really a technical issue, but is becoming a legal issue due to identity theft and an organizational issue

    • Banks are being sued by their clients for identity fraud

    • New employees already have “identities” and may want to use those versus getting a new company identity.

  • I believe an individual’s reputation is becoming one of the most valuable assets; therefore protecting one’s own reputation from abuse by others will become an important issue

What impact on cisco

What impact on Cisco? paper on User-Centric Identity.

Diagram by Francis Shanahan

Cisco can be a player
Cisco can be a player paper on User-Centric Identity.

Cisco is moving up the stack

across the stack

Infrastructure changes to occur

CMSG paper on User-Centric Identity.

  • There is a web portal project that front-ends a media solution

    • Using OpenID as user authentication method

    • User’s login id is transformed to URL and sent to back-end OpenID provider service

    • It is a closed system, and not accepting other OpenID users

    • Use of OpenID is invisible to user

  • Moving into social networking (Eos) that is consumer facing, Cisco will need to make choices about authentication methods as we have been discussing

Linksys paper on User-Centric Identity.

  • Have been in discussions regarding a Linksys portal that is consumer facing (loosely coupled with Connected Home)

    • Provides access to content in “cloud”

    • Provide access to home network

  • Discussion of identity in home network for devices and users

  • Need to be aware trends in consumer authentication space

Service node project
Service Node project paper on User-Centric Identity.

  • Developing a media content delivery system using peer-to-peer technology

  • There is again a consumer facing portal

  • Had a brief discussion regarding more advanced future solutions around social networking

    • Interested in learning about user-centric systems

Enterprise paper on User-Centric Identity.

  • Many enterprises have consumer facing web sites

    • Use of EV SSL certificates recommended

    • Can see value in relationship i-cards for customers

  • Some IdM vendors have announced support for OpenID and CardSpace

  • Sun employees use OpenIDs

  • In the future for internal employees, managed information cards could replace username and passwords - pin protected of course

    • No longer reset of passwords or change every 6 months

  • Federation between partners still satisfied by SAML or WS-* solutions

Yankee group released a report on openid and enterprises
Yankee Group released a Report on OpenID and Enterprises paper on User-Centric Identity.

  • “OpenID is a disuptive technology that allows web sites to share identity information and streamline authentication processes. Enterprises with a significant online presence can increase contact with their customers by adopting OpenID.”

    • By Andrew Jaquith, Program Manager at Yankee Group

  • By 2010, Yankee Group expects that a differentiated, stratified ecosystem of OpenID-Plus identity providers will emerge to make OpenID useful enough for businesses to adopt en masse.

Actions moving forward
Actions Moving Forward paper on User-Centric Identity.

  • Become more involved with Higgins Project

    • Cost - $150k/year to be on board and set direction

    • $30k/year to suggest new work groups

    • $5k/year to participate as a member

    • Join as a member at the $5k level

  • Create a cross functional team to work with Higgins

  • Cisco should consider using EV SSL certificates for CCO

  • Consider using SAML 2.0 assertions as the encapsulation for moving identity claims around

  • Investigate the gap between network and application identities

Next steps
Next Steps paper on User-Centric Identity.

  • Continue discussion with known internal groups

  • Do deeper dives into OpenID, CardSpace and Higgins

    • Set up IdP, and RPs for the different systems in lab

    • Get some practical experience with the systems

    • Provide recommendations

  • Look at how Cisco might work with IdM vendors to find a way to leverage the network authentications and posture information with application space

    • Solution requires Cisco to be retaining state for authentications

    • (Some work is going on here by Vinnie Gupta, SA and Brian Ford, CE)

    • 3 possible approaches:

      • Create an API (no standard exists)

      • Develop an Higgins plug-in

      • Virtual directory

  • Complete the research and white paper

Discussion paper on User-Centric Identity.