December 2nd, 2013

How I Lost Weight & Learned About APIs

How I Lost Weight with APIsTrying to stay in shape is one of those never-ending life battles that I’ve come to expect as I get older. I’ve bounced between being a healthy shape and a not-so-healthy one for years and I’ve managed to live life just outside the edge of ideal fitness. A few months back, I reached an apex point and dedicated myself to losing a few pounds (again) and set off on a journey to change my life (yet again). Little did I know I’d learn something about APIs along the way.

Everyone has their own way of losing weight but I’ve always preferred a measurable, rationalist approach: I count the calories I consume, I subtract the calories I burn and I budget accordingly. The nice thing is that this method forces me to think about what I’m consuming and what I’m doing. The massive downside is that keeping track of all of the data is a monotonous and soul-destroying effort that often leads to me giving up.

Of course, there is an app for everything now and I started using  a tool to keep a log of foods that I ate along with their associated caloric burdens. One problem with this type of tool is that, while it’s easy to log consumption of food using features like bar code scanners and crowd-based data, the process of logging exercise and calorie expenditure is entirely manual. This can make fitness goals harder to achieve as users like me end up either under or over estimating their daily calorie burn.

Thankfully, devices to monitor your physical exertion do exist and they are reasonably affordable. These are wearable devices that provide a tally of steps taken, stairs climbed and physical exertion throughout the day, providing a wealth of personal data to mine. To be honest, I’d always viewed these devices in the same category as things like Google Glass – really cool pieces of technology that bleeding-edge enthusiasts wear publicly at the cost of their own dignity. But something changed for me when I realized that I’d be able to connect the calorie-counting app I was using with the wearable fitness device. So, I made a purchase.

By connecting the food-tracking application with the activity-tracking device, I was able to get a much more accurate picture of my caloric budget for the day. The systems integrated remarkably well and the quantification of remaining calories along with a few gamification features provided extra incentive for me to keep moving and eat less.

In the end, this behavioral conditioning of triggers, alerts and feedback loops worked well for me and I was able to drop a few pounds. Of course, I lost the tracker on an airplane about a month in and I’m currently racing back towards a pear shape but that isn’t the point. What is more interesting is what we can learn about integration from my journey:

1.  An API is a Great Way to Extend Customer Reach to Platforms
When we think about building APIs, we usually think about extending out to mobile devices or social platforms. But organizations should consider how their products can be extended to niche and non-traditional platforms that their target user base actively uses. If the wearable tracker I purchased didn’t work with the calorie-counting application I was already using, I never would have considered buying the tracker in the first place. But thanks to the API-based integration, I could visualize myself using it and this was the trigger that resulted in a purchase decision.

2.  Integration is Becoming a Core Requirement Instead of a Feature
Something I noticed when scanning the forums on the tracker device’s Web site was the number of posts related to integration with other exercise platforms. For this user base, integration with their favourite run-tracking, calorie-counting or fitness-gamification tools isn’t just a nice-to-have – it is the minimum expectation. It seems that end users are increasingly expecting product vendors to support their platforms of choice and want the freedom to make their own decisions. In other words,  users don’t want to be punished for choosing a less popular tracking tool or a mobile phone operating system that has less market share.

3.  Integration with Potential Competitors can Pay Off
What I didn’t mention in my story was that the fitness tracker I purchased did come with a calorie-consumption-tracking feature. In fact, part of the revenue stream for this product is the sale of subscriptions to the manufacturer’s fitness portal, as part of an end-to-end fitness management program. This means that supporting out-of-the box integration with other fitness trackers actually comes at a potential revenue cost for the tracker vendor. But I would imagine that the overall revenue benefit from attracting customers like myself outweighs the revenue lost from users who choose not to subscribe to the portal. Integrating with competitive products can be a risky proposition but a smart gamble can really pay off.

As interest in the Internet of Things (IoT) continues to increase, I expect to see an increasing variety of interesting device-to-platform integration stories. Businesses will need to have coherent business strategies for extending to this new world, with APIs as an important supporting action.

Also, if you happen to see me in person, don’t forget to tell me how great I’m looking nowadays.

September 19th, 2013

Did Apple Just Kill the Password?

Written by
 

Password KillerOn the surface, Apple’s recent iPhone 5S announcement seemed just that: all surface, no substance. But as many reviewers have pointed out, the true star of the new model may not be its shimmering gold sheen but instead the finger sensor built into its home button.

Using a fingerprint to prove you are who you claim to be is not new. But building it into a phone is. And as your mobile phone becomes your carrier of content (like photos), currency (like digital wallet) and identity (like keychain) as well as your route to all manner of digital services, proving who you are will become essential for mobile everything.

Before mobile, Web security rooted itself in the username/password paradigm. Your username and password defined the identity you used to authenticate yourself to PayPal, Amazon, Google, Facebook and everything in between. There are stronger ways to secure access to Web sites but written passwords predominate because they are personal and easy to type on a PC, where all Web pursuits took place – until the arrival of the smartphone, that is.

The smartphone and its similarly keyboard-deprived cousin, the tablet, increasingly represent the jumping off point for the Internet. Sometimes, it may start with a browser. Many times it begins with an app. In either case, passwords are no fun when you move to a mobile device. They are cumbersome to type and annoying when you have to type them repeatedly across multiple sites, services and apps. So, anything that diminishes the burden of typing passwords on a mobile device is a good thing.

Apple is not alone in identifying that end users want ways to eliminate passwords on mobile. Our company, CA Technologies, has a sizeable franchise in Single Sign-On (SSO) and strong authentication technologies, which – when applied to mobile – can significantly reduce the burden of recalling multiple passwords across different sites, apps and services. In fact, CA Layer 7 hosted a webinar on this very topic this morning. But what Apple has achieved is significant because it substitutes a highly-personalized biometric for a password. This has the power to streamline mobile commerce, mobile payments and every other kind of mobile-centered interaction or transaction.

Many commentators have rightfully pointed out that biometrics do not offer a panacea. If your fingerprint gets hacked, for instance, it’s hacked permanently. But there are easy ways of augmenting biometrics to make them stronger. Biometrics can be combined with over-the-air tokens like one-time password or supplemented with context-aware server-side challenges that increase their requirements based on risk. But it’s what they achieve when compared with the alternative that makes fingerprint readers so powerful.

The 5S simplifies authentication for the average user, which encourages security use and acceptance. It also eliminates bad mobile habits like using short, easily memorable, easy-to-type passwords that scream insecurity. Apple is not the first vendor to realize consumers don’t like passwords on mobile devices. But by bringing an alternative to the mass market, it is helping to draw attention to the need and the opportunity: killing the password may open mobile to a whole host of novel security-dependent Internet services.

September 17th, 2013

Mobile SSO: Give App Users a Break from Typing Passwords

Written by
 

Mobile SSOJust a reminder – on Thursday, I’ll be presenting a webinar alongside Tyson Whitten, Director of Solutions Marketing at CA Technologies. We will be talking about CA/Layer 7’s new Mobile Access Gateway 2.0 release and how it addresses two important questions associated with enterprise-level mobile app development, including business-to-consumer apps and internal/BYOD apps:

  • How do you establish security for mobile apps that consume backend APIs?
  • How can you create a Single Sign-On (SSO) session for multiple apps?

Tyson and I will also be discussing how you can use the Mobile Access Gateway to manage the relationships between users, apps and devices by leveraging standards like OpenID Connect, OAuth and PKI. The Gateway makes it possible to maintain mappings between the different token artifacts so that IT security can set fine-grained access policies for securing the backend APIs the apps use.

Mobile Relationships

If you have already deployed CA SiteMinder or a mobile device management (MDM) solution, you should consider deploying the Mobile Access Gateway to get your infrastructure ready for the app revolution.

If you haven’t already signed up to webinar, you can do it here:

May 16th, 2013

Are APIs Making the Biz Dev Role Obsolete?

Business Development AndroidThe role of the business developer has traditionally been to initiate partnerships and follow through by ensuring some sort of integration is implemented.  As enterprises become more software-driven, integration itself increasingly comes through APIs.  This may mean that the implementation of API-driven “partner portals” is replacing traditional business development practices.  A recent article from Wired claimed that 70% of all jobs will be replaced by robots by the end of this century. Are APIs and partner portals the robots that will replace manual business development processes?

Here’s an example of how a business partnership might come about these days. Interaction with an online API partner portal will act as the initial “conversation” that leads to the partnership. If you want to integrate with Salesforce.com, you go to the Salesforce partner portal, figure out the relevant SDK/API, build an app and then submit it to the Salesforce AppExchange.  You don’t ever need to actually talk with anyone at Salesforce to become a business partner with the company.

Another example is the way many companies now enable access to their Web sites via Facebook Connect, Google+ Login or Twitter Login. This represents the first step towards establishing a business partnership with Facebook, Google or Twitter. It’s not new in the Web world and has been discussed for years. What makes it relevant to this discussion is the way it’s being applied to out-dated business processes and practices.

Great platform companies have realized this, “robotized” their business development processes and rationalized their business development teams. As robots are to manufacturing, APIs are to business development. Better technology means that we can focus our human resources on more valuable activities, since handshakes are now being made over OAuth instead of costly dinners and drinks.

February 25th, 2013

SSO & OAuth for Mobile Apps – Live Discussion, Feb 26

OAuth SSO Tech TalkIn case you haven’t heard, we are living in the age of mobile applications and the APIs that power them. Sometimes it’s called the API economy.

Smart phones are ubiquitous, social networks are the norm and we are connected to applications on our devices all the time. We love applications like Instagram, Twitter, Evertnote and Snapchat. But we don’t like signing in and out of each of these applications across networks or devices. It’s awkward and cumbersome and we’re often doing it while on the go or commuting, with only one hand to use while tapping in our passwords. Besides, who wants to remember all those passwords anyway? And it’s not safe to use the same one for every application.

This is the major downside of using all these great new mobile applications. Most of us would gladly invite a scenario where we’d only need to log in once to access multiple applications. There’s social login – but is it safe and is our privacy secure? Remember what happened to Burger King’s Twitter account? Enter Single-Sign-On & OAuth for Mobile Applications.

On Tuesday Feb 26, we’ll be hosting a live interactive Tech Talk on security and Single Sign-On (SSO) for mobile applications. And I’m excited to welcome back Layer 7′s Chief Architect and resident OAuth expert Francois Lascelles. He’ll discuss how to provide SSO for mobile applications, without compromising the security of the apps or the APIs that power them. Francois will also be taking your questions throughout the Tech Talk. So, this will be a great opportunity to get answers to your questions about your own applications and the security that surrounds them.

Click here to get the event details and a reminder in your calendar.

On the day of the event, click here to join:

Submit your questions: