Saturday | 22 November, 2008
Federating identity for the Web
User-centric innovations CardSpace and OpenID may finally bring the promise of federation within reach
Phillip J. Windley (InfoWorld) 04/12/2007 11:20:10

Motivating change

Technology, of course, is one thing, but buy-in depends largely on winning over top-line minds. Here is where the particular intricacies of identity play a heavy hand in the fate of user-centric federation in the enterprise.

"Identity is a difficult challenge when you consider that a large organization has so many different kinds of relationships -- employees, contractors, partners, and customers -- all spread across regions and geographies," says Mike Neuenschwander, vice president and research director at Burton Group. "On top of this is the problem of policy -- expressing what the organization requires or expects in each situation."

To date, much of the motivation behind identity deployments has centered on the bottom line. "Reduced help-desk costs and increased security are driving consciousness around ID in the enterprise," says Andre Durand, CEO of Ping Identity (Full disclosure: I am on Ping Identity's advisory board).

But as organizations gain experience with user-centric identity, primary considerations such as reducing customer friction and building brand become important.

To date, much of the federation work has been done in the b-to-b realm, where strong ROI arguments can be made for federating with partners. But it is in the b-to-c space that user-centric identity systems really shine, since enforcing any kind of technology in a b-to-c environment significantly increases the friction of the transaction. Having an identity system that customers are comfortable using is a big win. What's more, with users in control of their identity credentials, user-centric identity can save you the hassle of password reset and account management in many cases.

As said before, the big problem facing any federated identity deployment -- b-to-b or b-to-c -- is the time it takes to set up connections with the myriad organizations involved. User-centric solutions provide a quick and easy way to knock these connections out and scale as you go.

"If you have to hit a lab with one of these things, you've set an upper bound on how many you can do," Burton Group's Neuenschwander says, noting that traditional modes of federation necessitate copious lab testing time before rollout.

Moreover, in numerous scenarios a full-blown federated deployment would be overkill; here, user-centric systems are proving more than worthwhile. For example, you may want to set up partner relationships that have lower-value and, hence, reduced authentication requirements. User-centric technologies can provide a low-cost, low-overhead solution. What's more, they provide sought-after flexibility, allowing the identity system to grow as the business relationship evolves.

In fact, one of the goals of user-centric technology is to provide an identity metasystem that functions independently of individual applications.

"We need to be able to escalate from low-value to high-value authentication decisions without having to rip out one piece of software and install another," says Kim Cameron, chief identity architect at Microsoft, and author of the Seven Laws of Identity, a primer for user-centric identity technologies. "Different roles in an application can have authentication regimes of differing strengths and yet retain a consistent user experience."

Thus, one of the interesting, early uses of user-centric tools is to provide UI elements to existing federations. "These technologies can provide an easier user interface for partner federations that already exist," Neuenschwander says.

Privacy and security

Perhaps against the grain of suspicion, user-centric technologies hold promise in providing increased privacy and security, simply because of how they are built. CardSpace, for example, enables selective disclosure of user attributes, making it possible to avoid revealing personal details irrelevant to a given transaction. OpenID does not yet offer user-attribute functionality.

Any system that allows users to present a single set of credentials to multiple Web sites, however, runs the risk of user activity on those sites being correlated in some way. With OpenID, for example, the identity provider knows every Web site you show your credentials to. As with other Web technologies, convenience can come at the cost of privacy.
