During the open infrastructure panel at the OpenVA conference in Virginia Beach this past Fall, Martha Burtis had a great little tear about how we should focus less on centrally integrated IT systems that hide complexity, and push towards loosely coupled systems that reflect more accurately how the web works. She went on to advocate that rather than endlessly pursuing the holy grail of single sign-on, institutions should spend time showing their community how to use a password manager. It’s a great, provocative bit, and captures Martha’s acumen quite nicely:
It’s a moment I have thought about many times since, and while I was traveling during the second week of the Domain of One’s Own Faculty Initiative this spring, Martha sat in for me with my cohort. She introduced them all to the password management tool LastPass, and effectively changed their digital lives 🙂 I am only half kidding. If you have worked with faculty or students regularly, you quickly realize how difficult managing passwords is for most folks. I often tell #ds106 internauts that the biggest technical challenge they’ll face in the course is managing their various passwords, and it’s absolutely true.
Password management tools like LastPass (we use that to collectively manage our DTLT passwords thanks to Ryan Brazell) and 1Password (we use that for Reclaim Hosting thanks to Kin Lane) have increasingly become essential to my regular web workflow. With the advent of UMW Domains (not to mention all of our servers for Reclaim) I have as many as 25-30 different logins for work alone. Remembering them is impossible, and storing them locally in my browser or in my keychain is not only risky, but also doesn’t travel well (or at all) to other computers. Turns out learning a password management tool was one of the most useful lessons for me this year, and that was also the case for several UMW Domains faculty in my cohort, thanks to Martha.
I’m starting to think password management should be ground zero for literacy when it comes to managing your online world. It was immediately apparent how big an impact it made on faculty in the cohort. That might be why Kin Lane suggests your first step to reclaiming your online world is taking inventory of all your online services (as well as the logins and passwords) so you can actually begin to understand how extensive your online world is, and how much you need to start managing that presence. The lesson is both practical and conceptual all at once; it’s a great way to start any conversation around managing one’s identity online.
The degree of usefulness for identity management as a service really varies on the context/environment in which you are planning to use it. For students in an open course/experimental/undergraduate course environment, it makes absolute sense to steer them toward something like LastPass, but eventually you get to a scale where the value of IDaaS outweighs the sort of “identity anarchy” that comes with DIY.
When you agree to get on-board the IDaaS train, what you are really agreeing to is a capital-f Federation of systems that, without Federation, are indeed loosely coupled, but with Federation are not. When your systems don’t agree to be part of the Federation, backfilling that capability using a technology like SAML stops being practical pretty quickly. In my environment, the services we use all the time are well-federated and IDaaS was a natural fit and provided a host of other benefits related to Active Directory that are not worth going into here. FWIW, we just signed on with Okta.
My point is that while I agree that the way ds106, etc, is doing identity management is correct, students should be aware that “in the real world” their online identity will very likely be, at least in part, managed for them, and that this is OK and even very useful as long as they are aware of what having a managed identity means in the professional sense. AKA, “password management is foundational to understanding one’s own identity online, but…”
Joe
Central IT called, they want their comment back 🙂
Here is that proper link – http://kinlane.reclaimyourdomain.org/2014/04/12/downloading-1password-from-agilebits/ Sorry for the trouble. Great post! So true!!
Kin,
Thanks for that. I just updated the post. Ruling.
It isn’t a one or the other thing, imho. Identity and access management is critical on our campuses, but I believe one of the keys to securing our institutions is educating the campus wrt passwords. I’d like us to look at password management like we do with both virus protection and office productivity applications — license them centrally and give it away for free.
I use 1Password and would be dead without it. I am also all about small pieces and exposing the realities of the open web as Martha describes. I’d like to see a larger awareness of these tools as a critical step to keeping our campuses safe and less frustrating. Unfortunately we typically go to great lengths to do things further down in the stack to secure campus resources and ignore the simple stuff at the user level.
A very smart conversation.
Cole,
I have to say that one of the things we provide campuses with Reclaim Hosting is CAS integration with Single Sign-On, and as much as password management is crucial, we would be dead without some basic integration across campus systems. If not for just how clunky some of them are in the end. I do think it’s a healthy mix of both, but the password management conversation is almost essential now given how much of our identity beyond the campus is linked to a wide variety of logins.