Federated identity has long been a goal of many IT organizations. One look at the promise of federation, and it is easy to see why. After all, empowering one organization to serve as an identity provider for another frees IT from having to manage the identities of partnering organizations' employees and customers, thereby facilitating the pursuit of competitive-advantage projects. In this era of increasing enterprise decentralization, thanks in large part to the Web, establishing a federated identity framework is fast proving as essential as it is hard to pull off.
[Podcasts: Listen to Microsoft's Kim Cameron and Burton Group's Mike Neuenschwander discuss federation and user-centric identity]
Suppose your company federates identities with a 401k provider. Which organization is liable in the event of fraud connected with the federation? Hammering out agreements regarding such questions can keep attorneys occupied for weeks. Privacy concerns on the part of users remain another sticking point. What’s more, in many places -- such as your company Web site -- federation just isn’t possible using traditional methods.
Enter “user-centric identity,” a new approach to federation that has gained momentum as of late.
The key to this burgeoning revolution in identity is the fact that the technology places employees, clients, partners, and customers in the driver’s seat when it comes to relaying their identity. In fact, the technologies are designed in such a way that sharing data requires user consent.
Implemented prudently and with purpose, user-centric identity may provide hope for those organizations seeking to capitalize on federation, as the technologies can free them from having to hammer out identity agreements, thereby cutting through the Gordian knot of governance while opening enterprise outlets to the promise of federated identity where traditional modes of federation just can't be applied.
Two technologies in particular have emerged to catch the attention of organizations looking to accelerate their federation efforts: CardSpace, a standard developed by Microsoft to provide a comprehensive solution to user-centric identity problems; and OpenID, a lightweight standard that’s the result of the work of multiple companies to create identities based on URLs.
[For a look at how these technologies work, see "Understanding OpenID and CardSpace"]
User-centric identity comes of age
For many, the thought of employing a fledgling technology as part of an identity initiative is tantamount to writing a resignation. Yet proponents, such as Sxip Identity CEO Dick Hardt, believe the groundswell of vendor support will soon make user-centric federation a viable enterprise play.
“I’d give the industry an A,” Hardt says. “Unlike previous identity technologies, almost every major vendor is participating in user-centric technology in some way.”
As with any technology, user-centric federation faces an uphill battle in terms of gaining widespread enterprise support. More than a matter of industry consolidation and standards development, a technology’s enterprise hope hinges on thorough interoperability testing, trustworthy libraries and tools, and most importantly, products that bring the technology's promise to life.
CardSpace and OpenID have certainly come a long way during the past few years. Yet important steps must be completed before organizations can put them to widespread use. Despite well-baked standards, CardSpace comes up short on functionality such as mobile credentials. More glaringly, OpenID has serious holes that proposed standards aim to fix, but there has been little traction in getting those standards approved.
That is not to say vendors are at a standstill. In fact, interoperability testing is a bright point for both technologies, with interop events taking place multiple times per year to the tune of deep participation from players large and small. Moreover, tools and libraries abound. For enterprises, however, adoption often depends on product selection. Thus, with only a handful of solutions available with CardSpace or OpenID baked in, deployment has been slow.
“There aren’t a lot of pieces you can buy off the shelf. We've done well on [tools for the] identity selector, but tools for identity providers and relying parties are still lagging,” Hardt says.
Motivating change
Technology, of course, is one thing, but buy-in depends largely on winning over top-line minds. Here is where the particular intricacies of identity play a heavy hand in the fate of user-centric federation in the enterprise.
“Identity is a difficult challenge when you consider that a large organization has so many different kinds of relationships -- employees, contractors, partners, and customers -- all spread across regions and geographies,” says Mike Neuenschwander, vice president and research director at Burton Group. “On top of this is the problem of policy -- expressing what the organization requires or expects in each situation.”
“We need to be able to escalate from low-value to high-value authentication decisions without having to rip out one piece of software and install another,” says Kim Cameron, chief identity architect at Microsoft, and author of the Seven Laws of Identity, a primer for user-centric identity technologies. “Different roles in an application can have authentication regimes of differing strengths and yet retain a consistent user experience.”
Thus, one of the interesting, early uses of user-centric tools is to provide UI elements to existing federations. “These technologies can provide an easier user interface for partner federations that already exist,” Neuenschwander says.
Privacy and security
Perhaps against the grain of suspicion, user-centric technologies hold promise in providing increased privacy and security, simply because of how they are built. CardSpace, for example, enables selective disclosure of user attributes, making it possible to avoid revealing personal details irrelevant to a given transaction. OpenID does not yet offer user-attribute functionality.
Any system that allows users to present a single set of credentials to multiple Web sites, however, runs the risk of user activity on those sites being correlated in some way. With OpenID, for example, the identity provider knows every Web site you show your credentials to. As with other Web technologies, convenience can come at the cost of privacy.
As for providing security assurance, CardSpace is built on standards such as WS-Trust, Secure Token Service, and WS-Security. As a result, CardSpace benefits from the public security reviews of these standards. And because both CardSpace and OpenID are open architectures, thorough security reviews of each are possible.
The biggest threat to individuals is the so-called “social engineering” that any identity system allows. Of these, phishing poses the biggest threat at present, and OpenID, like any Web-based authentication scheme, is especially vulnerable. CardSpace’s identity selector was invented specifically to foil phishing and related attacks. Moreover, CardSpace’s rigid insistence on a consistent user experience reduces the diverse authentication contexts users face when tapping Web-based authentication technologies, thereby increasing the likelihood that they will recognize something out of the ordinary when asked for credentials.
Crossing the identity chasm
User-centric technologies have already demonstrated that they can solve many of identity's most difficult problems. Yet user-centric identity currently stands overlooking Geoffrey Moore's product adoption chasm, having won over enthusiasts and visionaries, but awaiting widespread adoption from the more pragmatic early majority on the other side. To cross that chasm, user-centric technologies will have to pass several milestones in the next 12 to 24 months.
First, user-centric identity will need to be incorporated into more of the products enterprise users buy. “The challenge is that the pieces aren’t there for organizations to deploy,” Sxip’s Hardt says. “If CA ships it with SiteMinder, then it’s a configuration decision. When Microsoft ships ActiveDirectory with CardSpace built in, issuing managed cards will be easy.”
Burton Group’s Neuenschwander agrees. “On their own, they’re not likely to be deployed. Enterprises will deploy OpenID and CardSpace through a federation or ESSO [enterprise single sign-on] product. That will be a safer and more functional way for enterprises to acquire and deploy these technologies,” he says.
As for the likelihood of either technology gaining widespread vendor acceptance over the short term, Neuenschwander adds, “Most of the federation vendors are going to support interaction with CardSpace. For one thing, it will get them single sign-on capabilities with Microsoft environments like SharePoint and Exchange. That’s all rolling out over the next year.”
A related component is the identity selector itself. Microsoft has included it in Vista, but getting the identity selector anywhere else requires downloading and installing it. Incorporating identity selectors into the OS without a separate download will increase penetration and will eliminate one side of the chicken-and-egg problem that enterprises face with CardSpace in b-to-c scenarios.
On the standards front, OpenID 2.0, with standards for user-attribute exchange, is an important milestone. For CardSpace, watch for the ability to synchronize claims among multiple machines, including mobile claims functionality.
Early adopters
Although there’s still much to be done before most organizations will embrace these technologies wholeheartedly, some deployments are already under way.
Product managers are one group likely to embrace user-centric identity early because they are being driven to understand and serve customers in innovative ways. Two examples: AOL and France Telecom have both deployed OpenID. “As b-to-c, consumer-facing companies, AOL and France Telecom will view user-centric identity as a competitive advantage,” says Ping Identity’s Durand.
The governments of British Columbia and Singapore have announced plans to roll out identity cards based on CardSpace for citizens. Federation does not scale for many government uses because in most cases governments can’t dictate architecture the way powerful business partners can. That said, governments has long served as a foundational role for identity in society, and these early steps may in fact help businesses see the benefits of user-centric identity systems, especially as they expand the technology’s user base.
Distributed organizations, such as universities, will also be early adopters because of their need to allow developers outside the traditional IT trust circle to authenticate users and retrieve attributes appropriately. In fact, authentication systems built for use in higher education, such as CAP (Common Authentication Project), are already being retrofitted with OpenID and CardSpace.