Moreover, in numerous scenarios a full-blown federated deployment would be overkill; here, user-centric systems are proving more than worthwhile. For example, you may want to set up lower-value partner relationships that, accordingly, carry reduced authentication requirements. User-centric technologies can provide a low-cost, low-overhead solution. What's more, they provide sought-after flexibility, allowing the identity system to grow as the business relationship evolves.
In fact, one of the goals of the user-centric technology is to provide an identity metasystem that functions independently of individual applications.
“We need to be able to escalate from low-value to high-value authentication decisions without having to rip out one piece of software and install another,” says Kim Cameron, chief identity architect at Microsoft, and author of the Seven Laws of Identity, a primer for user-centric identity technologies. “Different roles in an application can have authentication regimes of differing strengths and yet retain a consistent user experience.”
Thus, one of the interesting, early uses of user-centric tools is to provide UI elements to existing federations. “These technologies can provide an easier user interface for partner federations that already exist,” Neuenschwander says.
Privacy and security
Perhaps against the grain of suspicion, user-centric technologies hold promise in providing increased privacy and security, simply because of how they are built. CardSpace, for example, enables selective disclosure of user attributes, making it possible to avoid revealing personal details irrelevant to a given transaction. OpenID does not yet offer user-attribute functionality.
Any system that allows users to present a single set of credentials to multiple Web sites, however, runs the risk of user activity on those sites being correlated in some way. With OpenID, for example, the identity provider knows every Web site you show your credentials to. As with other Web technologies, convenience can come at the cost of privacy.
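The two properties just described, selective disclosure of attributes and the identity provider's view of every site a user visits, can be seen in a small model. This is an added illustration, not CardSpace or OpenID code, and it simplifies heavily: a shared HMAC key stands in for the provider's signing key, the token is plain JSON rather than a SAML or WS-Trust token, and the user record, relying-party names and reference year are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample data: the identity provider's full record for one user.
USER_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "birth_year": 1980,
    "home_address": "1 Sample Street",
}
REFERENCE_YEAR = 2007              # fixed "current year" so the derived claim is deterministic
IDP_KEY = b"constructed-demo-key"  # shared secret standing in for the IdP's signing key
idp_log = []                       # what the IdP learns: one relying party per issued token


def issue_token(requested_claims, relying_party):
    """Issue a signed token that carries only the claims the relying party asked for."""
    claims = {}
    for name in requested_claims:
        if name == "age_over_18":
            # Derived claim: answers the question without disclosing the birth year itself.
            claims[name] = REFERENCE_YEAR - USER_RECORD["birth_year"] >= 18
        elif name in USER_RECORD:
            claims[name] = USER_RECORD[name]
    body = json.dumps({"aud": relying_party, "claims": claims}, sort_keys=True)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    idp_log.append(relying_party)  # the correlation point: the IdP sees every site visited
    return body, sig


def verify_token(body, sig, expected_rp, allowed_claims):
    """Return the claims if the token is authentic, meant for us, and discloses nothing extra."""
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or altered token
    token = json.loads(body)
    if token["aud"] != expected_rp:
        return None  # token issued for a different site; do not accept it here
    if set(token["claims"]) - set(allowed_claims):
        return None  # over-disclosure: reject rather than silently store extra personal data
    return token["claims"]


if __name__ == "__main__":
    body, sig = issue_token(["email", "age_over_18"], "shop.example")
    print(verify_token(body, sig, "shop.example", ["email", "age_over_18"]))
    print("identity provider saw:", idp_log)
```

The relying party learns the e-mail address and an age assertion but never the birth year or address, while the provider's log records which site the user visited.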
As for providing security assurance, CardSpace is built on standards such as WS-Trust, Secure Token Service, and WS-Security. As a result, CardSpace benefits from the public security reviews of these standards. And because both CardSpace and OpenID are open architectures, thorough security reviews of each are possible.
The biggest threat to individuals is the so-called “social engineering” attacks that any identity system allows. Of these, phishing poses the biggest threat at present, and OpenID, like any Web-based authentication scheme, is especially vulnerable. CardSpace’s identity selector was invented specifically to foil phishing and related attacks. Moreover, CardSpace’s rigid insistence on a consistent user experience reduces the diverse authentication contexts users face when using Web-based authentication technologies, thereby increasing the likelihood that they will recognize something out of the ordinary when asked for credentials.
Crossing the identity chasm
User-centric technologies have already demonstrated that they can solve many of identity's most difficult problems. Yet user-centric identity currently stands overlooking Geoffrey Moore's product adoption chasm, having won over enthusiasts and visionaries, but awaiting widespread adoption from the more pragmatic early majority on the other side. To cross that chasm, user-centric technologies will have to pass several milestones in the next 12 to 24 months.
First, user-centric identity will need to be incorporated into more of the products enterprise users buy. “The challenge is that the pieces aren’t there for organizations to deploy,” Sxip’s Hardt says. “If CA ships it with SiteMinder, then it’s a configuration decision. When Microsoft ships ActiveDirectory with CardSpace built in, issuing managed cards will be easy.”
Phillip J. Windley is contributing editor of the InfoWorld Test Center.